[GH-ISSUE #2282] Can't access /mnt despite ignore disable-mnt and whitelists #1521

Closed
opened 2026-05-05 08:10:57 -06:00 by gitea-mirror · 14 comments

Originally created by @seonwoolee on GitHub (Nov 29, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2282

I'm trying to set up Firejail for VLC. I have media files under /mnt/NAS that I want it to access.

Here's the profile I created:

```
ignore disable-mnt
whitelist /mnt/NAS
whitelist /mnt/NAS/replicate
whitelist /mnt/NAS/replicate/TV
whitelist /mnt/NAS/replicate/Movies
whitelist /mnt/NAS/local/TV
whitelist /mnt/NAS/local/Movies
whitelist /mnt/NAS/local/Plex
```

I get the following output when I use `--debug-whitelists`:

```
Reading profile /home/seonwoo/.config/firejail/vlc.profile
Parent pid 9359, child pid 9360
Debug 405: new_name #/mnt/NAS#, whitelist
Removed whitelist/nowhitelist path: whitelist /mnt/NAS
	expanded: /mnt/NAS
	real path: (null)
	realpath: Permission denied
Debug 405: new_name #/mnt/NAS/replicate#, whitelist
Removed whitelist/nowhitelist path: whitelist /mnt/NAS/replicate
	expanded: /mnt/NAS/replicate
	real path: (null)
	realpath: Permission denied
Debug 405: new_name #/mnt/NAS/replicate/TV#, whitelist
Removed whitelist/nowhitelist path: whitelist /mnt/NAS/replicate/TV
	expanded: /mnt/NAS/replicate/TV
	real path: (null)
	realpath: Permission denied
Debug 405: new_name #/mnt/NAS/replicate/Movies#, whitelist
Removed whitelist/nowhitelist path: whitelist /mnt/NAS/replicate/Movies
	expanded: /mnt/NAS/replicate/Movies
	real path: (null)
	realpath: Permission denied
Debug 405: new_name #/mnt/NAS/local/TV#, whitelist
Removed whitelist/nowhitelist path: whitelist /mnt/NAS/local/TV
	expanded: /mnt/NAS/local/TV
	real path: (null)
	realpath: Permission denied
Debug 405: new_name #/mnt/NAS/local/Movies#, whitelist
Removed whitelist/nowhitelist path: whitelist /mnt/NAS/local/Movies
	expanded: /mnt/NAS/local/Movies
	real path: (null)
	realpath: Permission denied
Debug 405: new_name #/mnt/NAS/local/Plex#, whitelist
Removed whitelist/nowhitelist path: whitelist /mnt/NAS/local/Plex
	expanded: /mnt/NAS/local/Plex
	real path: (null)
	realpath: Permission denied
Mounting tmpfs on /mnt directory
```

I don't know why VLC still can't access /mnt/NAS (it can access /mnt, shown as an empty directory).

If it matters, /mnt/NAS is shared over NFS.


@SkewedZeppelin commented on GitHub (Nov 29, 2018):

Version? Distro? Full command? Full profile?

Also, you do not need these:

```
whitelist /mnt/NAS
whitelist /mnt/NAS/replicate
```

@seonwoolee commented on GitHub (Nov 29, 2018):

Firejail version 0.9.56
Arch Linux
Full command is `firejail vlc --debug-whitelists`

If I don't include

```
whitelist /mnt/NAS
whitelist /mnt/NAS/replicate
```

then I can't even access /mnt.


@smitsohu commented on GitHub (Dec 2, 2018):

Is /mnt a mountpoint (what does `mountpoint /mnt` say?)

If it is, could you share some more information about it? For example something like `findmnt | grep /mnt | grep -v /mnt/`


@seonwoolee commented on GitHub (Dec 2, 2018):

No, it is not. `/mnt/NAS` is though.

Output of `findmnt | grep /mnt/NAS | grep -v /mnt/NAS/`:

```
rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=14,retrans=2,sec=sys,clientaddr=192.168.1.4,local_lock=none,addr=192.168.1.2
```

@smitsohu commented on GitHub (Dec 2, 2018):

~~Maybe related to #2114.~~
Scratch that.


@smitsohu commented on GitHub (Dec 2, 2018):

I don't know much about NFS, so this is kind of speculative, but if you mount the NFS with the `no_root_squash` option, would it fix the issue?

Note however that this option has its [own security implications](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-securing_nfs-do_not_use_the_no_root_squash_option).


@seonwoolee commented on GitHub (Dec 2, 2018):

Trying `sudo mount 192.168.1.2:/mnt/master /mnt/NAS -t nfs4 -o no_root_squash` results in `mount.nfs4: an incorrect mount option was specified`.


@smitsohu commented on GitHub (Dec 2, 2018):

[It seems](https://linux.die.net/man/5/exports) it has to go into /etc/exports.


@seonwoolee commented on GitHub (Dec 2, 2018):

Ahhh gotcha.

Nope, that didn't change anything.


@chiraag-nataraj commented on GitHub (May 19, 2019):

Is this still an issue? If so, can you check if you have `disable-mnt` enabled in `/etc/firejail/firejail.config`?


@seonwoolee commented on GitHub (May 21, 2019):

Yes, `disable-mnt` is enabled in `/etc/firejail/firejail.config`. But despite having `ignore disable-mnt` in `vlc.profile`, I still can't access `/mnt/NAS` when I open VLC with firejail.

If I disable `disable-mnt` in `/etc/firejail/firejail.config` then it works, but as I understand it `ignore disable-mnt` in `vlc.profile` should be taking care of that.


@rusty-snake commented on GitHub (May 21, 2019):

@seonwoolee nope, if you set this in firejail.config you cannot ignore it by `ignore`; you need to revert this in `firejail.config` and add `disable-mnt` to your `globals.local`, because then you can do `ignore disable-mnt` in your `vlc.local`.

```
# Disable /mnt, /media, /run/mount and /run/media access. By default access
# to these directories is enabled. Unlike --disable-mnt profile option this
# cannot be overridden by --noblacklist.
# disable-mnt no
```

I think we should add that `--ignore` also didn't work.

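An added diagnostic, written for this thread and not part of Firejail, that models the precedence rusty-snake describes (a `disable-mnt yes` in firejail.config cannot be undone by a profile-level `ignore`, whereas a `disable-mnt` in globals.local can) and answers smitsohu's mountpoint question from a /proc/self/mountinfo dump instead of `findmnt`. Two details are assumptions rather than facts taken from the thread: that `ignore X` only suppresses an `X` parsed after it, and that vlc.local is parsed before globals.local, which is why the profile parts are passed in parse order. The config text, profile snippets and mountinfo lines are constructed from the values quoted in the comments above.

```python
"""Constructed diagnostic: which layer decides /mnt visibility, and what mount covers a path.

ASSUMPTIONS (not taken from the thread): 'ignore X' suppresses only an X parsed
after it, and vlc.local is parsed before globals.local. Pass profile parts in
the real parse order when adapting this.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed inputs, built from strings quoted in the thread.
CONFIG_DEFAULT = "# disable-mnt no\n"          # shipped default: commented out, /mnt allowed
CONFIG_DISABLED = "disable-mnt yes\n"          # what the reporter had active
VLC_LOCAL = "ignore disable-mnt\nwhitelist /mnt/NAS/local/TV\n"
GLOBALS_LOCAL = "disable-mnt\n"
SAMPLE_MOUNTINFO = """\
25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
78 25 0:46 / /mnt/NAS rw,relatime - nfs4 192.168.1.2:/mnt/master rw,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=14,retrans=2,sec=sys,clientaddr=192.168.1.4,local_lock=none,addr=192.168.1.2
"""


def _directives(text: str) -> list[tuple[str, str]]:
    """Split profile/config text into (keyword, argument) pairs, skipping blanks and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        pairs.append((keyword, arg.strip()))
    return pairs


def config_disables_mnt(firejail_config: str) -> bool:
    """True only for an active 'disable-mnt yes'; a commented '# disable-mnt no' is inactive."""
    for keyword, arg in _directives(firejail_config):
        if keyword == "disable-mnt":
            return arg.lower() == "yes"
    return False


def effective_mnt_access(firejail_config: str, profile_parts: list[tuple[str, str]]) -> tuple[bool, str]:
    """Return (mnt_accessible, reason). profile_parts = [(name, text), ...] in parse order."""
    if config_disables_mnt(firejail_config):
        return False, "firejail.config 'disable-mnt yes' wins; a profile 'ignore' cannot undo it"
    ignored: set[str] = set()
    for name, text in profile_parts:
        for keyword, arg in _directives(text):
            if keyword == "ignore":
                ignored.add(arg)                      # assumption: applies to later lines only
            elif keyword == "disable-mnt" and keyword not in ignored:
                return False, f"'disable-mnt' in {name} is active (no earlier 'ignore disable-mnt')"
    return True, "no active disable-mnt at any layer (whitelists still decide what is visible)"


@dataclass(frozen=True)
class MountEntry:
    mount_point: str
    fstype: str
    source: str
    super_options: str


def parse_mountinfo(text: str) -> list[MountEntry]:
    """Parse /proc/self/mountinfo: the 5th field is the mount point; after ' - ' come fstype, source, options."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        left, _, right = raw.partition(" - ")
        lfields = left.split()
        rfields = right.split(None, 2)
        entries.append(MountEntry(lfields[4], rfields[0], rfields[1], rfields[2] if len(rfields) > 2 else ""))
    return entries


def is_mountpoint(entries: list[MountEntry], path: str) -> bool:
    """Same question as `mountpoint PATH`: is there a mount exactly at this path?"""
    return any(e.mount_point == path for e in entries)


def covering_mount(entries: list[MountEntry], path: str) -> MountEntry:
    """Longest mount point that is a path-prefix of `path` (what `findmnt -T PATH` reports)."""
    best = None
    for e in entries:
        if path == e.mount_point or path.startswith(e.mount_point.rstrip("/") + "/"):
            if best is None or len(e.mount_point) > len(best.mount_point):
                best = e
    if best is None:
        raise ValueError(f"no mount covers {path}")
    return best


if __name__ == "__main__":
    parts = [("vlc.local", VLC_LOCAL), ("globals.local", GLOBALS_LOCAL)]
    for label, cfg in (("config default", CONFIG_DEFAULT), ("config disable-mnt yes", CONFIG_DISABLED)):
        print(f"{label}: {effective_mnt_access(cfg, parts)}")
    entries = parse_mountinfo(SAMPLE_MOUNTINFO)
    for p in ("/mnt", "/mnt/NAS", "/mnt/NAS/local/TV"):
        m = covering_mount(entries, p)
        state = "mountpoint" if is_mountpoint(entries, p) else "not a mountpoint"
        print(f"{p}: {state}, covered by {m.mount_point} ({m.fstype} from {m.source})")
```

Running it reproduces the thread's two findings: with `disable-mnt yes` active in firejail.config the result is "not accessible" regardless of what vlc.local says, while with the default config the `ignore disable-mnt` in vlc.local neutralises the `disable-mnt` in globals.local; and `/mnt` is not a mountpoint but `/mnt/NAS` is, an nfs4 mount with `sec=sys` among its options.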

@seonwoolee commented on GitHub (May 21, 2019):

Gotcha. Thanks.


@rusty-snake commented on GitHub (May 21, 2019):

> I think we should add that `--ignore` also didn't work.

done via 903adee.

Reference: github-starred/firejail#1521