[GH-ISSUE #40] Support files in current directory and paths with private.keep #20

Closed
opened 2026-05-05 04:45:35 -06:00 by gitea-mirror · 10 comments

Originally created by @pigmonkey on GitHub (Aug 22, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/40

I want to use firejail and --private.keep to view a PDF file within a sandbox. If my PDF reader is pdfreader and the file is in ~/, this works great:

```
$ cd ~/
$ firejail --private.keep=dirty.pdf pdfreader dirty.pdf
```

However, this fails when the file is somewhere other than ~/

```
$ cd ~/tmp/random/directory
$ firejail --private.keep=alsodirty.pdf pdfreader alsodirty.pdf
Error: file /home/pigmonkey/alsodirty.pdf not found.
```

I would like --private.keep to accept files in the current directory, as well as paths. For instance, in addition to the previous example I'd like to be able to do stuff like:

```
$ firejail --private.keep=~/tmp/random/directory/alsodirty.pdf ...
$ firejail --private.keep=../alsodirty.pdf ...
```

I understand that --private.keep was probably originally intended just to copy over dotfiles from the real home, but I think expanding it to support file paths like this would make it much more useful.


@netblue30 commented on GitHub (Aug 22, 2015):

private.keep is being renamed to --private-home in the next version. It makes "private" only files in home directory. I have a --private-etc doing the same for /etc directory. I'll implement a --private-tmp, it shouldn't be a big deal.

> I understand that --private.keep was probably originally intended just to copy over dotfiles from the real home

Some users came up with the idea to have only .mozilla directory visible. I guess the main usage so far is "firejail --private-home=.mozilla firefox"

What is pdfreader? I could build a default profile for it. Also, use --net=none with pdf readers - the bad guys are interested in sending data back.


@ghost commented on GitHub (Aug 22, 2015):

@netblue30 The tmp directory in his example is relative to the home directory, i.e. it's /home/user/tmp/random... - it tripped me up at first! Currently the --private-home code doesn't expand the ~ or ${HOME} at the front, and just appends it to homedir. So ~/tmp in his example expands to /home/user/~/tmp which doesn't work.

I've already been thinking of making a function called something like expand_user_supplied_path as there's several places where we expand ~ and ${HOME} using the same code. We could call that from the --private-home code and then check that the result starts with whatever's in the homedir variable. That would also take care of calling realpath and expanding out any paths like ../dir as well. Would you like me to put up a pull request for it?


@netblue30 commented on GitHub (Aug 22, 2015):

yes, thanks!


@pigmonkey commented on GitHub (Aug 22, 2015):

Yeah, that tmp directory was in my home dir. Sorry if that was confusing. To give another example, I want to be able to do all of the following:

```
$ cd ~/
$ firejail --private-home=documents/file.pdf
$ firejail --private-home=~/documents/file.pdf
$ cd ~/documents
$ firejail --private-home=file.pdf
$ cd ~/documents/notes
$ firejail --private-home=../file.pdf
```

The first example already works. The second example will work with expand_home. The third example is the one I care about most. I haven't actually run into a situation where I wanted to use the fourth example, but I would expect it to work.


@ghost commented on GitHub (Aug 22, 2015):

The issue with the third example is the meaning of the parameters. For example, if you have the following two files:

/home/user/notes.txt
/home/user/dir/notes.txt

...if you say firejail --private-home=notes.txt the meaning is to take /home/user/notes.txt, no matter what directory you run firejail from. That way you can say firejail --private-home=.mozilla firefox and it works correctly all the time.

It is possible to change the meaning of the --private-home option to reference against the current directory instead of the home directory, but that would break existing scripts. @netblue30 would have to be the one to make that decision.


@pigmonkey commented on GitHub (Aug 22, 2015):

Good point.

With --private.keep being renamed to --private-home in the next release, this is probably as good a time as any to break stuff! The new expand_home should make it easy for users to fix any existing scripts by just dropping a ~/ in front of the path.

My goal with all of this is to be able to jail a PDF reader (or other application) without thinking about it. Currently, if I want to read ~/documents/file.pdf in a jail and I am already in ~/documents, I need to do this:

```
$ firejail --private.keep=documents/file.pdf pdfreader file.pdf
```

What I want to do is create a bash script -- called pdfjail or something -- that looks like this:

```
#!/bin/bash
# The last argument is the file; quote it so paths containing spaces stay one word
firejail --private-home="${@: -1}" pdfreader "$@"
```

With that script, I could accomplish the same thing in the previous example by just doing this:

```
$ pdfjail file.pdf
```

But for it to work, I need --private-home to accept any path that the PDF reader does.

I think the ability to do something like this would be super useful for a number of different applications. The PDF reader example is just my immediate need.


@netblue30 commented on GitHub (Aug 23, 2015):

If you are using a script, you can expand the path of the file in your script using "readlink -f", something like this:

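```
#!/bin/bash
# Resolve the file to an absolute path; quote it so paths containing spaces stay one word
firejail --private-home="$(readlink -f "$1")" pdfreader "$(readlink -f "$1")"
```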

@pigmonkey commented on GitHub (Aug 25, 2015):

That will address my immediate need if --private-home will accept an absolute path.


@netblue30 commented on GitHub (Aug 25, 2015):

It does, as long as the file is in your home directory and you are the owner of the file.
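
The path handling discussed earlier in the thread (expand `~` and `${HOME}`, canonicalise, confirm the result is under the home directory) combined with the ownership condition stated above, as an added example that is not part of the thread or of firejail's code. `resolve_in_home` is a hypothetical helper, `readlink -f` stands in for `realpath`, and `pdfreader` is the thread's placeholder name.

```shell
#!/bin/bash
# Added example (not firejail code): resolve a user-supplied path, then
# require it to sit under the home directory and belong to the caller.

# resolve_in_home PATH [HOMEDIR]  (hypothetical helper)
# Prints the canonical path; returns 1 = missing, 2 = outside home, 3 = not owner.
resolve_in_home() {
    local path="$1" home resolved tilde='~' homevar='${HOME}'
    home=$(readlink -f -- "${2:-$HOME}") || return 1

    # Expand a literal leading ~ or ${HOME} that the shell left untouched,
    # as happens in --private-home=~/file.pdf.
    case $path in
        "$tilde"|"$homevar") path=$home ;;
        "$tilde"/*)          path=$home/${path#"$tilde"/} ;;
        "$homevar"/*)        path=$home/${path#"$homevar"/} ;;
    esac

    # Canonicalise: relative paths start at the current directory, and
    # ../ components and symlinks are resolved.
    resolved=$(readlink -f -- "$path") || return 1
    [ -e "$resolved" ] || return 1

    # Containment test with a "/" boundary, so /home/user2/x does not pass
    # a bare "starts with /home/user" comparison.
    case $resolved in
        "$home"/*) ;;
        *) return 2 ;;
    esac

    # -O: file is owned by the effective user ID.
    [ -O "$resolved" ] || return 3
    printf '%s\n' "$resolved"
}

# Wrapper in the spirit of the pdfjail script from the thread; pdfreader is
# the thread's placeholder name for the PDF viewer.
pdfjail() {
    local file
    file=$(resolve_in_home "$1") || { echo "pdfjail: refusing '$1'" >&2; return 1; }
    firejail --net=none --private-home="$file" pdfreader "$file"
}
```

Because the symlink is resolved before the containment test, a link inside the home directory that points elsewhere is rejected rather than followed.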


@pigmonkey commented on GitHub (Aug 26, 2015):

Good enough!
