[GH-ISSUE #3378] ignore option and globbing #2122

Open
opened 2026-05-05 08:48:10 -06:00 by gitea-mirror · 2 comments

Originally created by @smitsohu on GitHub (Apr 22, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3378

The idea was to configure the Dolphin (maybe Baloo, KWin, ...) sandbox in a more restrictive way, while avoiding running into #1793:

```
mkdir ${HOME}/.local/share/dolphin
read-only ${HOME}

read-write ${HOME}/.config
ignore read-only ${HOME}/.config/dolphinrc
read-only ${HOME}/.config/*

read-write ${HOME}/.local/share/dolphin
```

This snippet mounts the user home directory read-only, but keeps the ~/.config and ~/.local/share/dolphin directories writable.
All files inside ~/.config, with ~/.config/dolphinrc being the only exception, are read-only again.

Unfortunately, `read-only ${HOME}/.config/*` is matched only by `ignore read-only ${HOME}/.config/*` and `ignore read-only`.

Firejail checks for `ignore`d commands _before_ wildcards are expanded, and so the profile snippet above doesn't work.

Now the question is if it would be considered generally helpful to enhance the current ignore and run checks again after wildcards are expanded (adding a bit of overhead, of course).
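A small Python model of the ordering described above, added here as an illustration and not firejail's own parser: `ignore` entries are treated as prefix matches against the literal command text, the file listing and profile lines are constructed, and `recheck_after_expansion=True` stands for the proposed second pass after wildcard expansion.

```python
import fnmatch

# Simplified model of firejail profile handling, written for this issue as an
# illustration (assumption: not firejail's own parser). "ignore" entries are
# treated as prefix matches against the literal command text.
HOME = "/home/user"

# Constructed file listing standing in for the real ~/.config contents.
FILES = [
    f"{HOME}/.config/dolphinrc",
    f"{HOME}/.config/kwinrc",
    f"{HOME}/.config/baloofilerc",
]

# The profile fragment from the issue, with ${HOME} already expanded.
PROFILE = [
    f"read-write {HOME}/.config",
    f"ignore read-only {HOME}/.config/dolphinrc",
    f"read-only {HOME}/.config/*",
]


def expand_globs(line):
    """Expand a wildcard argument against FILES, one command per match."""
    cmd, _, arg = line.partition(" ")
    if "*" not in arg:
        return [line]
    return [f"{cmd} {path}" for path in FILES if fnmatch.fnmatch(path, arg)]


def is_ignored(line, ignored):
    return any(line.startswith(prefix) for prefix in ignored)


def apply_profile(profile, recheck_after_expansion):
    """Commands that survive 'ignore' filtering; False = current behaviour
    (ignores checked once, before wildcards expand), True = proposed re-check."""
    ignored = [l[len("ignore "):] for l in profile if l.startswith("ignore ")]
    commands = [c for c in profile if not c.startswith("ignore ")]
    commands = [c for c in commands if not is_ignored(c, ignored)]
    expanded = [e for c in commands for e in expand_globs(c)]
    if recheck_after_expansion:
        expanded = [e for e in expanded if not is_ignored(e, ignored)]
    return expanded


def read_only_paths(profile, recheck_after_expansion):
    """Sorted paths that end up read-only under the chosen semantics."""
    return sorted(line.split(" ", 1)[1]
                  for line in apply_profile(profile, recheck_after_expansion)
                  if line.startswith("read-only "))
```

With the current ordering `dolphinrc` is still made read-only because the ignore prefix never matches the unexpanded `read-only ${HOME}/.config/*` line; only the re-check after expansion drops it.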

gitea-mirror added the enhancement label 2026-05-05 08:48:10 -06:00

@ghost commented on GitHub (Apr 22, 2020):

> Now the question is if it would be considered generally helpful to enhance the current ignore and run checks again after wildcards are expanded (adding a bit of overhead, of course).

If this isn't too difficult/time-consuming to implement, I'd say go for it. Perhaps it can prove useful (in the future) for other sandboxes besides the Dolphin one. Firejail's overhead is actually very nice and I don't think this proposal would hurt it that much. But that will have to be tested after implementation of course.


@rusty-snake commented on GitHub (Apr 22, 2020):

I would not use ignore for that, read-write is already used for ro exceptions. ~~But I often see that users are trying to add globbing exceptions with blacklist.~~

```
~noblacklist ${HOME}/foo~
~blacklist ${HOME}/*~
```