[GH-ISSUE #3245] How to blacklist specific drive or partition #2035

Closed
opened 2026-05-05 08:42:23 -06:00 by gitea-mirror · 11 comments

Originally created by @CodeArtisan00 on GitHub (Feb 24, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3245

I'm trying to blacklist a certain partition but am unable to do so. I tried to blacklist /run/media/user/partition's name, but that didn't pay off. As of now, I don't know what to do. disable-mnt won't help me as I need access to other drives. Any help would be appreciated.

Spec: Manjaro (KDE), Kernel: 5.5.x, Firejail ver: 0.9.62


@arrowgent commented on GitHub (Feb 25, 2020):

Where are your mounted files actually at? In /mnt or /media?


@CodeArtisan00 commented on GitHub (Feb 26, 2020):

> Where are your mounted files actually at? In /mnt or /media?

/media


@smitsohu commented on GitHub (Feb 26, 2020):

Do you try to blacklist inside a FUSE mount?

If yes, you somehow need to add allow_root to the FUSE mount options.


@CodeArtisan00 commented on GitHub (Feb 27, 2020):

> Do you try to blacklist inside a FUSE mount?
>
> If yes, you somehow need to add allow_root to the FUSE mount options.

Not necessarily inside a FUSE mount. What I want is close to disable-mnt but for specific drives.


@rusty-snake commented on GitHub (Feb 28, 2020):

I think the issue is that blacklist/whitelist has only an effect if the directory/file is already present when the sandbox is started.


@CodeArtisan00 commented on GitHub (Feb 28, 2020):

> I think the issue is that blacklist/whitelist has only an effect if the directory/file is already present when the sandbox is started.

Yes... is there any workaround?


@smitsohu commented on GitHub (Feb 29, 2020):

Firejail first configures the sandbox and then drops all privileges in order to start the application. At this point the sandbox is basically set in stone, at least for a regular user.

Talking about workarounds, one could in theory somehow detect the mount event and then join the sandbox as root user and modify the mount namespace of the sandbox manually, but this suffers from all kinds of race conditions. This means there would always be short time spans where the sandbox has full access to the paths that you want blacklisted.

So no, unfortunately there is no workaround.


@rusty-snake commented on GitHub (Feb 29, 2020):

IDK what your targeted workflow is but this works:

```
mkdir /media/foo # create mountpoint
firejail --whitelist=/media/foo --blacklist=/run/media --blacklist=/mnt … app
# mount anything to /media/bar, app can't see it
# mount anything to /media/foo, app can see it
```
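An added example that is not part of the thread and not code from the firejail project: a small POSIX sh wrapper around the workaround above. It hides the usual auto-mount directories, exposes only mountpoints that already exist when the sandbox is created, and refuses to launch if one is missing, since whitelist/blacklist act only on paths present at that moment and creating the directory afterwards does nothing for the running sandbox. The directory list in HIDDEN_MOUNT_DIRS, the paths /media/foo and /media/backup, and the helper names (fj_args_for_allowed, profile_lines_for_allowed, check_mountpoints, run_sandboxed) are assumptions chosen for illustration; the blacklist/whitelist profile syntax and the ~/.config/firejail/<app>.local location are firejail's own.

```shell
#!/bin/sh
# Added example, not code from the firejail project or from this thread.
# Expose only pre-created mountpoints to a firejail sandbox and hide the
# directories where removable media is normally auto-mounted.
# HIDDEN_MOUNT_DIRS, the helper names and the sample paths are assumptions.

set -eu

# Auto-mount locations to hide from the sandbox (assumed list).
HIDDEN_MOUNT_DIRS="/run/media /mnt"

# Print the firejail flags, one per line, for a whitespace-separated list of
# allowed mountpoints, so they can be inspected before anything is launched.
fj_args_for_allowed() {
    allowed=$1
    for d in $HIDDEN_MOUNT_DIRS; do
        printf '%s\n' "--blacklist=$d"
    done
    for m in $allowed; do
        printf '%s\n' "--whitelist=$m"
    done
}

# The same rules as profile lines, e.g. for ~/.config/firejail/<app>.local.
profile_lines_for_allowed() {
    allowed=$1
    for d in $HIDDEN_MOUNT_DIRS; do
        printf 'blacklist %s\n' "$d"
    done
    for m in $allowed; do
        printf 'whitelist %s\n' "$m"
    done
}

# whitelist/blacklist only act on paths that exist when the sandbox is
# created, so fail (non-zero) if any allowed mountpoint is missing; creating
# it after launch would not make it visible inside the running sandbox.
check_mountpoints() {
    allowed=$1
    rc=0
    for m in $allowed; do
        if [ ! -d "$m" ]; then
            printf 'missing mountpoint (create it before starting): %s\n' "$m" >&2
            rc=1
        fi
    done
    return $rc
}

# Validate, then replace this shell with firejail running the application.
# Usage: run_sandboxed "/media/foo /media/backup" app --some-arg
# Needs firejail on PATH; the checks below do not call it.
run_sandboxed() {
    allowed=$1
    shift
    check_mountpoints "$allowed" || return 1
    # Prepend the generated flags to the application command line.
    for d in $HIDDEN_MOUNT_DIRS; do set -- "--blacklist=$d" "$@"; done
    for m in $allowed; do set -- "--whitelist=$m" "$@"; done
    exec firejail "$@"
}
```

The mountpoint check is the part worth keeping even if the rest is replaced by a profile: the failure mode in this thread is silent, because firejail happily starts with a whitelist entry for a directory that does not exist yet, and the drive mounted there later is then neither exposed nor blacklisted in the way the user intended.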

@smitsohu commented on GitHub (Feb 29, 2020):

@rusty-snake Right, thanks!


@CodeArtisan00 commented on GitHub (Feb 29, 2020):

> IDK what your targeted workflow is but this works:
>
> ```
> mkdir /media/foo # create mountpoint
> firejail --whitelist=/media/foo --blacklist=/run/media --blacklist=/mnt … app
> # mount anything to /media/bar, app can't see it
> # mount anything to /media/foo, app can see it
> ```

Thanks.
For some reason, it never occurred to me to mount it in a different location.


@ghost commented on GitHub (Apr 5, 2020):

Closing here, as a viable workaround is available. Feel free to re-open at your discretion.
