[GH-ISSUE #2938] Allow binaries to run in ${HOME}/bin/** while having noexec ${HOME} #1835

Closed
opened 2026-05-05 08:30:16 -06:00 by gitea-mirror · 10 comments

Originally created by @pedrib on GitHub (Aug 31, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2938

As the name says: I want to allow running binaries off ~/bin and its subdirectories, even in profiles with noexec ${HOME}.
Is there a way to achieve this? I have tried:

```
ignore apparmor
whitelist ${HOME}/bin
noblacklist ${HOME}/bin/torguard/torguard-bin
```

Example debug output:

```
Whitelisting /home/john/bin
732 721 259:4 /bin /home/john/bin rw,relatime master:55 - ext4 /dev/sda2 rw,attr2,inode64,noquota
mountid=732 fsname=/bin dir=/home/john/bin fstype=ext4
Mounting read-only /home/john/bin
Current directory: /home/john/bin/torguard
Child process initialized in 231.60 ms
/home/botto/bin/torguard/torguard-bin starting application
execvp argument 0: /home/john/bin/torguard/torguard-bin
Error: no suitable /home/john/bin/torguard/torguard-bin executable found
```

And here's the full profile:

```
# Persistent local customizations
include torguard.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/torguard

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-passwdmgr.inc

mkdir ${HOME}/.config/torguard
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/torguard
include whitelist-common.inc
include whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
protocol unix,inet,inet6,netlink
seccomp
shell none

disable-mnt
private-dev
private-tmp

noexec ${HOME}
```

Firejail version:

```
firejail version 0.9.58.2

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
```

The only thing in my /etc/firejail/globals.local is:

```
apparmor
```

Everything else is on default values.


@rusty-snake commented on GitHub (Aug 31, 2019):

`noexec` is to disable the opportunity to run an executable in the dir and all its subdirs, subsubdirs, etc. Since there is no `exec` option in firejail you can't revert this for some subdirs. So you must use `ignore noexec ${HOME}`.

Because you have `apparmor` in your `globals.local`, I think that your system has AA.
Because AA has the more powerful globbing, you could try it with this.
e.g. `noexec ${HOME}/{**^bin}`
I'm not using AA, so I can't help find the full rule for AA.

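As an added example (not code from firejail or from anyone in this thread), the script below shows why the comment above holds at the kernel level: `noexec` is an option of a mount, the deepest mount whose mount point contains a path decides that path's options, and only a further mount can override it. It parses the `/proc/self/mountinfo` format that also appears in the debug output above and reports which mount, and so which exec verdict, a path falls under. The two mount tables are constructed samples modelled on that debug output; their ids, devices and exact option sets are assumptions, not firejail's real output.

```shell
#!/bin/sh
# Added example, not part of firejail or of the thread it accompanies.
# Resolves which mount a path lives on, and hence which per-mount options
# (noexec, ro, ...) the kernel applies to it. A mount's options cover its
# entire subtree and only a deeper mount can override them, which is why a
# profile option like `noexec ${HOME}` cannot be partially undone for ~/bin
# unless ~/bin gets a mount of its own.
#
# mountinfo format (proc(5)): field 6 holds the per-mount options; everything
# after the " - " separator describes the filesystem, not the mount.

# Constructed sample (assumption) of how the sandbox might look after
# `whitelist ${HOME}/bin` followed by `noexec ${HOME}`: ~/bin has its own
# bind mount, but it carries noexec too.
SANDBOX_MOUNTINFO='25 0 259:4 / / rw,relatime shared:1 - ext4 /dev/sda2 rw,attr2,inode64,noquota
721 25 0:40 / /home/john rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
732 721 259:4 /home/john/bin /home/john/bin ro,nosuid,nodev,noexec,relatime master:55 - ext4 /dev/sda2 rw,attr2,inode64,noquota
733 25 0:27 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw'

# Same layout (also constructed), but with the ~/bin mount left exec: the only
# shape of mount table in which ~/bin/** is executable while ~ is noexec.
WANTED_MOUNTINFO='25 0 259:4 / / rw,relatime shared:1 - ext4 /dev/sda2 rw,attr2,inode64,noquota
721 25 0:40 / /home/john rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
732 721 259:4 /home/john/bin /home/john/bin ro,nosuid,nodev,relatime master:55 - ext4 /dev/sda2 rw,attr2,inode64,noquota'

# mount_for_path PATH MOUNTINFO_TEXT
# Prints "<mount point> <per-mount options>" for the deepest mount whose
# mount point is PATH or an ancestor of PATH. Matching is component-wise, so
# /home/johnny is not under /home/john. Pass "$(cat /proc/self/mountinfo)"
# as the second argument to inspect a live table from inside a sandbox.
mount_for_path() {
    path=$1
    best_mp='' best_opts='' best_len=0
    while read -r _id _parent _dev _root mp opts _rest; do
        [ -n "$mp" ] || continue
        if [ "$mp" = / ]; then
            match=1                      # root mount contains everything
        else
            case "$path" in
                "$mp"|"$mp"/*) match=1 ;;
                *) match=0 ;;
            esac
        fi
        [ "$match" -eq 1 ] || continue
        len=${#mp}
        if [ "$len" -gt "$best_len" ]; then
            best_len=$len best_mp=$mp best_opts=$opts
        fi
    done <<EOF
$2
EOF
    [ -n "$best_mp" ] || return 1
    printf '%s %s\n' "$best_mp" "$best_opts"
}

# has_mount_opt PATH OPT MOUNTINFO_TEXT
# Exit 0 if OPT (e.g. noexec) is set on the mount that PATH resolves to.
has_mount_opt() {
    opts=$(mount_for_path "$1" "$3" | cut -d' ' -f2) || return 2
    case ",$opts," in
        *,"$2",*) return 0 ;;
        *) return 1 ;;
    esac
}

# exec_verdict PATH MOUNTINFO_TEXT
# Prints "noexec" or "exec": whether execve() on PATH would be refused on
# mount-option grounds before any permission bits or LSM policy are consulted.
exec_verdict() {
    if has_mount_opt "$1" noexec "$2"; then
        printf 'noexec\n'
    else
        printf 'exec\n'
    fi
}

# Standalone demonstration over the two constructed tables.
for p in /home/john/bin/torguard/torguard-bin /home/john/Downloads/x /usr/bin/mpv; do
    printf '%-40s sandbox=%s wanted=%s\n' "$p" \
        "$(exec_verdict "$p" "$SANDBOX_MOUNTINFO")" \
        "$(exec_verdict "$p" "$WANTED_MOUNTINFO")"
done
```

Two caveats worth keeping in mind when reading the output. First, mount points containing spaces are escaped as `\040` in mountinfo, which this parser does not unescape. Second, `noexec` only makes `execve()` fail for files on that mount (including shebang scripts, which is the failure mpv reports later in this thread); it does not stop an interpreter from reading and running the same file via `sh /path/to/script`, so it is a convenience barrier rather than a hard boundary.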

@pedrib commented on GitHub (Aug 31, 2019):

Thanks! Any plans to make this exec available? I assume I'm not the only one to need this.

And thanks a lot for your work.


@Vincent43 commented on GitHub (Aug 31, 2019):

You can achieve this with `owner /{,run/firejail/mnt/oroot/}home/bin/** ix,` in `/etc/apparmor.d/local/firejail-local` (or `/etc/apparmor.d/local/firejail-default` in Debian).

After that run `sudo apparmor_parser -r /etc/apparmor.d/firejail-default` and replace `ignore apparmor` with `ignore noexec ${HOME}` in the firejail profile.

I believe exec rule can't be added because user could then remount arbitrary noexec dirs in their system.

EDIT: @rusty-snake right, fixed.


@rusty-snake commented on GitHub (Aug 31, 2019):

Suggestion: s/ignore noexec/ignore noexec ${HOME}/g


@rusty-snake commented on GitHub (Sep 10, 2019):

@pedrib I'm closing here due to inactivity, please feel free to reopen if you have more questions.


@pedrib commented on GitHub (Sep 10, 2019):

@rusty-snake @Vincent43 thanks, I ended up putting the stuff in /opt so that I could leave the noexec ${HOME} in place, but might change it as you suggested.


@rieje commented on GitHub (Sep 18, 2020):

@rusty-snake I am having trouble running a script in `$HOME/bin` when using mpv. In mpv, I have a key bound to the script in input.conf, e.g. `DEL run "/home/rieje/bin/mpv-testme"`. Without firejail, it runs fine. With firejail, running the script with the DEL key in mpv gives the error `Running subprocess failed: init` with the default profile. I then add `ignore nexec ${HOME}`. I commented out `apparmor` (I'm using stock kernel so it's not using better integrated apparmor anyway) and it's the same.

Any ideas? I just want to allow this single script for mpv (or whatever is the best way to implement whitelisting a script in $HOME).

Additional info: I'm on latest version of Arch Linux with latest version of Firejail. With the default profile, mpv does not play any videos at all and does not show any errors in the terminal unless I disable seccomp, which I've done.


@rusty-snake commented on GitHub (Sep 18, 2020):

mpv does not play any videos at all and does not show any errors in the terminal unless I disable seccomp, which I've done.

AMD GPU? Try seccomp !kcmp (#3219).

Any ideas? I just want to allow this single script for mpv (or whatever is the best way to implement whitelisting a script in $HOME).

Is this an ELF binary or a bash, perl, ... script?

If it requires an interpreter, you need to allow it: use `include allow-XXX.inc` and add it to `private-bin`. Shell scripts likely need more programs in `private-bin` such as ls, awk, grep, ….

You maybe need to allow /bin/sh to start the script.

```
noblacklist ${PATH}/sh
private-bin sh
```

@rieje commented on GitHub (Sep 18, 2020):

AMD GPU? Try seccomp !kcmp (#3219).

Yea, it's an AMD GPU and replacing seccomp with that works.

Is this a elf-binary or bash,perl,...-script?

Sorry yea, this is an sh script. It actually calls another simple sh script that uses notify-send, but for now to make things simple, I just want mpv to use `/home/rieje/bin/mpv-testme`, which contains the single command `notify-send testme`. I now have `private-bin env,mpv,python*,youtube-dl,bash,sh,notify-send,mpv-testme` but the same issue occurs. I've also added:

```
noblacklist ${PATH}/sh
noblacklist /home/rieje/bin/mpv-testme
noblacklist /usr/bin/notify-send
```

but it seems to have no effect.


@rusty-snake commented on GitHub (Sep 19, 2020):

Too obvious for me, but `$HOME` is noexec. So try this mpv.local:

```
ignore noexec ${HOME}
private-bin bash,sh,notify-send
# and for firejail 0.9.64 also
noblacklist ${PATH}/sh
noblacklist ${PATH}/bash
```

EDIT: Wait, you said that you add it. weird.
