[GH-ISSUE #2146] Question: how can I blacklist /home for Firefox? #1455

Closed
opened 2026-05-05 08:06:55 -06:00 by gitea-mirror · 6 comments

Originally created by @Iggy-J on GitHub (Oct 8, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2146

The aim is to make only /home/user/Downloads writeable for the browser, and to deny all attempts to save a file during download to another folder, especially the "root" /home/user. Is it possible? I understand that Firefox needs write permission to .cache, .config and so on, but is there a way? Of course I can blacklist /Desktop, /Pictures and others, but what about /home itself, and folders with unpredictable names that the user can create inside it? Many thanks in advance.


@chiraag-nataraj commented on GitHub (Oct 8, 2018):

This isn't exactly blacklisting, but if you use whitelist ${DOWNLOADS} (along with other folders that firefox needs to function), any files and folders not explicitly whitelisted will not show up in the sandbox and any files saved anywhere else will be deleted when you close the browser. In fact, that's the way I normally operate my browser these days - the only permanent folder is ~/Downloads and the profile folder (which sometimes isn't even permanent - I have a script which sets up temporary profiles, for example).


@Iggy-J commented on GitHub (Oct 8, 2018):

Ok, let's go further. I use the ordinary Firefox profile with some extra lines.
As you can see, I use a private directory `work` for Firefox, and blacklist rules for `~/Desktop` etc. But it does not work as you say. I can still see the directory `~/Desktop`, but can't write to it. Files saved to the home directory next to `~/Desktop` are not deleted after I close the browser. If I comment out `private ${HOME}/work`, then everything is as you say: files are deleted, and I can see only `~/Downloads`, which is permanent. Is that ok or not?
After all, is there a way to make the rest of the `/home` directory write-protected? I mean protected at the very moment of downloading files, not just discarding changes to the file system after the browser is closed. And sorry for my English :) Thanks for your answer!
I use Firejail version 0.9.52

# Firejail profile for firefox
# This file is overwritten after every install/update
# Persistent local customizations
#include /etc/firejail/firefox.local
# Persistent global definitions
include /etc/firejail/globals.local

private ${HOME}/work

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.config/okularpartrc
noblacklist ${HOME}/.config/okularrc
noblacklist ${HOME}/.config/qpdfview
noblacklist ${HOME}/.kde/share/apps/kget
noblacklist ${HOME}/.kde/share/apps/okular
noblacklist ${HOME}/.kde/share/config/kgetrc
noblacklist ${HOME}/.kde/share/config/okularpartrc
noblacklist ${HOME}/.kde/share/config/okularrc
noblacklist ${HOME}/.kde4/share/apps/kget
noblacklist ${HOME}/.kde4/share/apps/okular
noblacklist ${HOME}/.kde4/share/config/kgetrc
noblacklist ${HOME}/.kde4/share/config/okularpartrc
noblacklist ${HOME}/.kde4/share/config/okularrc
# noblacklist ${HOME}/.local/share/gnome-shell/extensions
noblacklist ${HOME}/.local/share/okular
noblacklist ${HOME}/.local/share/qpdfview
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.pki

blacklist ${HOME}/Desktop
blacklist ${HOME}/Documents
blacklist ${HOME}/Music
blacklist ${HOME}/Pictures
blacklist ${HOME}/Public
blacklist ${HOME}/Templates
blacklist ${HOME}/Videos

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/gnome-mplayer/plugin
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.config/gnome-mplayer
whitelist ${HOME}/.config/okularpartrc
whitelist ${HOME}/.config/okularrc
whitelist ${HOME}/.config/pipelight-silverlight5.1
whitelist ${HOME}/.config/pipelight-widevine
whitelist ${HOME}/.config/qpdfview
whitelist ${HOME}/.kde/share/apps/kget
whitelist ${HOME}/.kde/share/apps/okular
whitelist ${HOME}/.kde/share/config/kgetrc
whitelist ${HOME}/.kde/share/config/okularpartrc
whitelist ${HOME}/.kde/share/config/okularrc
whitelist ${HOME}/.kde4/share/apps/kget
whitelist ${HOME}/.kde4/share/apps/okular
whitelist ${HOME}/.kde4/share/config/kgetrc
whitelist ${HOME}/.kde4/share/config/okularpartrc
whitelist ${HOME}/.kde4/share/config/okularrc
whitelist ${HOME}/.keysnail.js
whitelist ${HOME}/.lastpass
whitelist ${HOME}/.local/share/gnome-shell/extensions
whitelist ${HOME}/.local/share/okular
whitelist ${HOME}/.local/share/qpdfview
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.pentadactyl
whitelist ${HOME}/.pentadactylrc
whitelist ${HOME}/.pki
whitelist ${HOME}/.vimperator
whitelist ${HOME}/.vimperatorrc
whitelist ${HOME}/.wine-pipelight
whitelist ${HOME}/.wine-pipelight64
whitelist ${HOME}/.zotero
whitelist ${HOME}/dwhelper

include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
# machine-id breaks pulse audio; it should work fine in setups where sound is not required
#machine-id
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
#seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni$
shell none
#tracelog

disable-mnt
# firefox requires a shell to launch on Arch.
# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
private-dev
# private-etc below works fine on most distributions. There are some problems on CentOS.
# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse

private-tmp
noexec ${HOME}
noexec /tmp

@chiraag-nataraj commented on GitHub (Oct 8, 2018):

> But it does not work as you say. I can still see the directory `~/Desktop`, but can't write to it.

Right, because that's how blacklist works. It blocks access to the directory, but the directory still exists.

blacklist is redundant when you have a whitelist, since a whitelist makes only those files and directories available (so it's much stronger than a blacklist). What is the purpose of the private directory for firefox?

Personally, I see it this way. Don't use `private` and don't use `blacklist`. Use `whitelist` to control exactly which files and directories are available in the sandbox. The only issue here is if you want to discard modifications to the `firefox` profile at the end, in which case you may be interested in my wrapper script (firefox.common, https://github.com/chiraag-nataraj/firejail-profiles) to create a temporary firefox profile (and delete it at the end).


@Vincent43 commented on GitHub (Oct 8, 2018):

I think this is duplicate of https://github.com/netblue30/firejail/issues/1743 . whitelist and private aren't compatible.


@chiraag-nataraj commented on GitHub (Oct 8, 2018):

@Vincent43 You're right, this is a duplicate of the issue you mentioned. I guess I also basically duplicated my answer 😂


@Iggy-J commented on GitHub (Oct 9, 2018):

Aha, now I understand, thanks a lot! You are right, the `whitelist` fits best of all.
I've made a little experiment and found out that I can add `read-only ${HOME}` and then lines such as `read-write ${HOME}/.mozilla` for each directory Firefox needs write access to. In fact I added each path from the `whitelist` and `noblacklist` commands of the original profile for a quick try. It looks a bit strange, but now when I download a file I can't save it to the home directory, as I wanted. Success! But the whole construction looks redundant, and using only whitelisting is the best idea.
Now there is no purpose for a private directory for Firefox, and thanks for your wrapper script! I'll read it and try it.

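Putting the two approaches from this thread together, here is an added example of a firefox.local overlay. It is not code from the thread, from the firejail project or from either commenter: it spells out the whitelist-only layout chiraag-nataraj recommends and adds the `read-only ${HOME}` / `read-write` exceptions Iggy-J reports as working in 0.9.52. The path list is an assumption trimmed to the Firefox-essential entries; a real profile keeps whichever plugin and helper directories (okular, kget, zotero, ...) the stock profile above whitelists, and adds a matching `read-write` for each. It also assumes the `#include /etc/firejail/firefox.local` line near the top of the profile is uncommented, and that the hand-added `private ${HOME}/work` line is removed, since `private` and `whitelist` are incompatible (issue #1743, linked above).

```conf
# ~/.config/firejail/firefox.local -- added example, not the project's own profile.
# Loaded by "include /etc/firejail/firefox.local"; survives package updates.
# Prerequisite (assumption): "private ${HOME}/work" is no longer in the profile.

# 1. Whitelist-only home. Anything in ${HOME} not listed here does not exist
#    inside the sandbox, so unpredictable user-created folders are invisible,
#    and writes outside the whitelist die with the sandbox.
whitelist ${DOWNLOADS}
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.pki
include /etc/firejail/whitelist-common.inc

# 2. Deny at write time, not at exit. The whitelisted home is remounted
#    read-only, then only the paths Firefox must write are re-opened.
#    A "Save As" pointed at ${HOME} now fails immediately (read-only
#    file system) instead of being discarded when the browser closes.
read-only ${HOME}
read-write ${DOWNLOADS}
read-write ${HOME}/.mozilla
read-write ${HOME}/.cache/mozilla/firefox
read-write ${HOME}/.pki

# 3. Keep the hardening the stock profile already sets; nothing here
#    loosens it. The blacklist lines for ~/Desktop, ~/Documents, ... are
#    redundant under a whitelist and can be dropped.
```

To check the result without opening a browser, start the same profile around a shell (the stock profile leaves `private-bin` commented out, so `bash` is available) and confirm that a write to `~` is refused while a write to `~/Downloads` succeeds, and that `ls ~` shows only the whitelisted entries. If a needed directory is missing, add it to both the `whitelist` and the `read-write` list rather than relaxing `read-only ${HOME}`.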