[GH-ISSUE #3421] Whitelisted FUSE mounted directory can not be accessed #2151

Closed
opened 2026-05-05 08:49:32 -06:00 by gitea-mirror · 13 comments

Originally created by @dlehmenk on GitHub (May 17, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3421

Bug and expected behavior

I want to add a different folder for my thunderbird profile, which should be placed inside ${HOME}/some/dir. The directory some is FUSE mounted with gocryptfs on top of my also FUSE mounted home dir.

I copied thunderbird.profile to ~/.config/firejail/ and added

noblacklist ${HOME}/some/dir
mkdir ${HOME}/some/dir
whitelist ${HOME}/some/dir

(I tried with and without noblacklist). The directory then becomes visible from inside thunderbird, but all data (aka my newly created profile) stored there is deleted when thunderbird is closed.

I think this might be somewhat expected behavior, since it's mentioned in the wiki (https://github.com/netblue30/firejail/wiki/Creating-Profiles#common-mistakes), but I could not find any other information on what else to do.

Environment
Ubuntu 20.04 and firejail 0.9.62

gitea-mirror 2026-05-05 08:49:33 -06:00: closed this issue, added the bug label
@ghost commented on GitHub (May 17, 2020):

> (I tried with and without noblacklist).

noblacklist only makes sense if the specified path is blacklisted in one of firejail's other files, usually one of the disable-*.inc files. You can add blacklist ${HOME}/some/dir to a disable-programs.local file to keep the same functionality as you get when using the default ${HOME}/.thunderbird.

As to why your 'new' TB profile data is deleted I'm not sure. Did you start TB from the command-line (with or without the -P flag)? If you used firecfg and you have a generated thunderbird.desktop file in ${HOME}/.local/share/applications it's possible that it still uses the original TB profile. Bottom-line: we need additional info from you to get to the bottom of this.


@dlehmenk commented on GitHub (May 17, 2020):

Sorry, I missed a very obvious and important detail: The folder I try to use is not on the same filesystem as my home. It's a FUSE mounted directory (gocryptfs) on top of my, also FUSE mounted, home directory. When using a normal folder in my home, everything works as expected. Sorry, I tried this yesterday night and forgot to check this.

Also I'm starting thunderbird from the command line, -P or not makes no difference.


@ghost commented on GitHub (May 17, 2020):

No apologies needed, those things happen. Can you tell us the mountpoint of that gocryptfs dir? If it is somewhere under /media or /mnt you'll need to disable disable-mnt, which stems from the included firefox-common.profile. So either use the CLI syntax --ignore=disable-mnt or comment the 'disable-mnt' option in ${HOME}/.config/firejail/thunderbird.profile. In case that still doesn't fix things, please post the --debug output here to save some time.


@dlehmenk commented on GitHub (May 17, 2020):

Yes, the crypted directory is stored under /media, unfortunately --ignore=disable-mnt did not work. I have attached the result of firejail --ignore=disable-mnt --debug thunderbird > firejail-tb-dbg.txt
firejail-tb-dbg.txt (attachment: https://github.com/netblue30/firejail/files/4640914/firejail-tb-dbg.txt)


@ghost commented on GitHub (May 17, 2020):

To be honest I'm a bit confused by the debug output. Lines 561-563 suggest the disable-mnt option is still functional. For the moment I can only suggest explicitly whitelisting /media and /media/the/gocryptfs/mountpoint.


@dlehmenk commented on GitHub (May 18, 2020):

I specified

ignore private-mnt
noblacklist /media
noblacklist /media/path/to/crypted/dir
whitelist /media/path/to/crypted/dir

in the profile and in the debug log the lines about disabling /media vanished and now show (besides other things)

Mounting tmpfs on /media directory
[..]
Whitelisting /media/path/to/crypted/dir

Sadly this didn't work either.

I had a closer look at the directory and I can see the path I specified with the mkdir command inside TB, but no other files which lie there. So the error happens definitively when mounting the directory at the beginning and not during some write.

I think the relevant log line may be

Removed whitelist/nowhitelist path: whitelist ${HOME}/some/dir
    expanded: /home/user/some/dir
    real path: (null)

But there is no further explanation in the log. Is it possible to get a more verbose output there?


@ghost commented on GitHub (May 18, 2020):

> Removed whitelist/nowhitelist path: whitelist ${HOME}/some/dir
> expanded: /home/user/some/dir
> real path: (null)
>
> But there is no further explanation in the log. Is it possible to get a more verbose output there?

Not unless you change the source code (https://github.com/netblue30/firejail/blob/master/src/firejail/fs_whitelist.c) I'm afraid. But I agree on the relevancy of that message. Might be a bug in the whitelist code, or in the mkdir command. Check ownership and permissions of those files and try without the mkdir line for ${HOME}/some/dir.


@dlehmenk commented on GitHub (May 19, 2020):

Hm, the permissions are alright (owned by me, 750). If I omit the mkdir line the directory does not show up at all. I will have a look at the code, but the last time I touched C was some years ago, so I'm not too optimistic.

I noticed something entirely different though (should I create a new issue for that?): If I open Thunderbird with a TB profile which is stored in ~/.thunderbird, and ~/some is not mounted, firejail creates ~/some/dir because of the mkdir line. gocryptfs then cannot mount it the next time I want to use it because the directory is not empty. Is there a workaround for this?


@ghost commented on GitHub (May 19, 2020):

> I noticed something entirely different though (should I create a new issue for that?): If I open Thunderbird with a TB profile which is stored in ~/.thunderbird, and ~/some is not mounted, firejail creates ~/some/dir because of the mkdir line. gocryptfs then cannot mount it the next time I want to use it because the directory is not empty. Is there a workaround for this?

I use gocryptfs myself and know what you mean. Have you tried its -nonempty flag yet? It's supposed to be useful in situations like these. Tonight I have some more time to try to reproduce your issue (and #3420), which I haven't been able to yet unfortunately. As soon as I have relevant input I'll keep adding to this thread, so - for now at least - I don't think there's a need to open a separate issue.


@dlehmenk commented on GitHub (May 19, 2020):

> Have you tried its -nonempty flag yet?

Ah, no, I didn't know about it, that will work for me :)

One last addition before I'm also out of ideas for now: I tried mounting the crypted folder under /mnt/ and whitelisted it (to rule out the nested FUSE mounts) and it did not work either. So the problem seems to be with gocryptfs, which is very strange, because my home also uses that and TB+FJ works for profiles in ~/.thunderbird.

Anyway, thank you very much for your time and effort looking into this!


@ghost commented on GitHub (May 19, 2020):

> So the problem seems to be with gocryptfs, which is very strange, because my home also uses that and TB+FJ works for profiles in ~/.thunderbird.

After some more experimenting I tend to agree. Which isn't good news for what you originally wanted to achieve. The only way I could get and keep a gocryptfs-encrypted TB profile working with firejail was to FUSE mount ${HOME}/some/dir (instead of ${HOME}/some). And even then I had to cripple the thunderbird.profile so much that it stopped being useful. Not that I fully understand why exactly. Let's hope other collaborators bring in fresh eyes on this, I'm running around in circles for the moment.


@rusty-snake commented on GitHub (May 21, 2020):

In general FUSE mounted w/o allow_root or allow_other can not work with firejail (it would hardfail then). This seems to happen here.

You could try to create a test profile like the following and then start firejail --profile=test_tb_gocryptfs.profile bash.

test_tb_gocryptfs.profile:

whitelist ${HOME}/some

@dlehmenk commented on GitHub (May 22, 2020):

Yes, thank you! That was the mistake. I just didn't think of the -allow_other flag, which I of course used for my home. Thank you both for your time looking at this.

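As an added check (not from this thread or from the firejail project), a POSIX shell function that reads a mount table in /proc/mounts format and reports whether a path is a FUSE mount and whether it carries allow_other or allow_root, the condition rusty-snake identifies above. The sample mount table is constructed; the function name and its result words are my own.

```shell
#!/bin/sh
# Added example (not from the issue or from firejail). Firejail sets the
# sandbox up as root; a FUSE filesystem mounted without allow_other or
# allow_root rejects every uid except the mounting user's, so a whitelist on
# such a path resolves to nothing. This function lets you check a mountpoint
# before adding it to a profile.
#
# Usage: fuse_mount_check MOUNTPOINT [MOUNTS_FILE]   (default: /proc/mounts)
# Prints one of: not-mounted | not-fuse | fuse-private | fuse-shared
# Exit status: 0 for not-fuse/fuse-shared, 1 for not-mounted, 2 for fuse-private
fuse_mount_check() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # The last matching line wins, which is the most recent mount on that path.
    # (Spaces in mountpoints are encoded as \040 in /proc/mounts.)
    line=$(awk -v mp="$mp" '$2 == mp { found = $0 } END { print found }' "$mounts")
    [ -n "$line" ] || { echo not-mounted; return 1; }
    fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case "$fstype" in
        fuse|fuse.*) ;;                       # e.g. fuse.gocryptfs, fuse.sshfs
        *) echo not-fuse; return 0 ;;
    esac
    case ",$opts," in
        *,allow_other,*|*,allow_root,*) echo fuse-shared; return 0 ;;
        *) echo fuse-private; return 2 ;;
    esac
}

# Constructed sample mount table (not a real capture): a gocryptfs home
# mounted with -allow_other, and a nested gocryptfs mount without it.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/media/crypt/home /home/user fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions,allow_other 0 0
/media/crypt/some /home/user/some fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
EOF

for mp in /home/user /home/user/some; do
    printf '%s: %s\n' "$mp" "$(fuse_mount_check "$mp" "$SAMPLE_MOUNTS")"
done
```

Run it without the second argument against the live /proc/mounts to check the real mountpoint you intend to whitelist.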