[GH-ISSUE #3504] Wiki: Creating overrides #2204

Closed
opened 2026-05-05 08:53:03 -06:00 by gitea-mirror · 12 comments

Originally created by @rusty-snake on GitHub (Jul 9, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3504

Issues for discussions about https://github.com/netblue30/firejail/wiki/Creating-overrides.

gitea-mirror (2026-05-05 08:53:03 -06:00): closed this issue and added the wiki label

@rusty-snake commented on GitHub (Jul 9, 2020):

The "Add access to a directory" section needs more work:

  • noblacklist foo is only needed if we have blacklist foo
  • the section does not cover whitelisting profiles

@NetSysFire commented on GitHub (Jul 29, 2020):

I improved it:
https://github.com/netblue30/firejail/wiki/Creating-overrides/_compare/554073749ce9a39ebe509a5b0d6a3c386b32dff7...0e5d9fcd1b780a291de7d860e07d28e7454b9a7b

@rusty-snake commented on GitHub (Jul 29, 2020):

Good, it should be made clearer that whitelist may only be used if it is a whitelisting profile, otherwise it will break the program. Whitelisting is only supported in $HOME, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var. So whitelist /myimportant.file will throw errors.

@NetSysFire commented on GitHub (Jul 29, 2020):

I can change the path, that is no problem. The manpage is a bit unclear though, it says it *could* be one of those directories:
https://github.com/netblue30/firejail/blob/03550e94cb007346f9f172fafd156fb2cbd2cb5e/src/man/firejail.txt#L2612

I tested several profiles (firefox, bash, viewnior, remmina, exiftool) via globals.local and none of them broke when I tested whitelist and noblacklist or nowhitelist and blacklist. Bash should be a blacklisting profile, right? Or do you mean that it breaks when no whitelist is used? Many profiles have multiple includes so the profile will contain blacklist and whitelist.
Could you show me an example where it would break?

@rusty-snake commented on GitHub (Jul 29, 2020):

Side note: bash has no profile.
If you want to allow ${DOCUMENTS} for e.g. eog and add whitelist ${DOCUMENTS}, then eog can no longer read its config. So whitelist ${HOME}/foo should only be used for whitelisting profiles (the profiles with include whitelist-common.inc).
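An added illustration of what the distinction above means for an override file; it is not from the wiki page or from the firejail project. Firejail profiles start with an `include NAME.local` line, which is resolved to `~/.config/firejail/NAME.local` (or `/etc/firejail/NAME.local`), and that include sits before the `disable-*.inc` lines, so a `noblacklist` placed there precedes the matching `blacklist` as firejail requires. The blacklisted path in the first file is hypothetical, and firefox.profile pulling in whitelist-common.inc is assumed here:

```text
# ~/.config/firejail/eog.local
# eog.profile is a blacklisting profile: it pulls in disable-*.inc but has no
# "whitelist ${HOME}/..." line of its own. A whitelist added here turns it into
# a whitelisting profile and hides everything else under $HOME, including the
# program's own config, so this line breaks eog:
#whitelist ${DOCUMENTS}
# ${DOCUMENTS} is not blacklisted by the profile, so eog already sees it and
# nothing needs to be added. For a path that a disable-*.inc does blacklist,
# lift the blacklist instead (hypothetical path):
noblacklist ${HOME}/.config/example-dir

# ~/.config/firejail/firefox.local
# firefox.profile includes whitelist-common.inc, so it is a whitelisting
# profile and "whitelist" is the right tool. A noblacklist line is only
# needed if a blacklist line also covers the path.
whitelist ${DOCUMENTS}
```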

@NetSysFire commented on GitHub (Jul 31, 2020):

I fixed the page:
https://github.com/netblue30/firejail/wiki/Creating-overrides/_compare/0e5d9fcd1b780a291de7d860e07d28e7454b9a7b...921131df86e3216d9694b856d88f3e45005138c6

@NetSysFire commented on GitHub (Oct 20, 2020):

Is a profile also a whitelisting profile if it only includes whitelist-var-common.inc but not whitelist-common.inc? An example for this would be amarok.profile.


@rusty-snake commented on GitHub (Oct 21, 2020):

Yes and no. Yes, because whitelisting happens (even things like private-etc do whitelisting internally). However, the terms whitelisting profile and blacklisting profile (as they are used by people) refer to the protection level of the files in your home. Finally no, it would be more confusing if we called every profile with any whitelist a whitelisting profile.

@NetSysFire commented on GitHub (Oct 24, 2020):

The reason why I asked is because whitelist might break non-whitelisting profiles, right? Someone asked me this in an IRC channel (we really need a Firejail IRC channel btw) and I was not sure if it would break this particular profile.
The wiki page contains

> If a profile does not contain include whitelist-common.inc, it is not a whitelisting profile and will break.

I suspect that it depends on the used paths but I am not sure yet. To quote the manual:

> A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside.

Using features like private-etc seems not to be enough to "convert" it to a whitelisting profile, most likely because the whitelisting is internal, as mentioned. But whitelist seems to break the profile and does not "convert" it, in some cases.

What makes a profile a whitelisting profile except include whitelist-common.inc? I would like to improve the important note below the "Allow access to a file or directory" snippet.

@rusty-snake commented on GitHub (Oct 24, 2020):

> What makes a profile a whitelisting profile except include whitelist-common.inc?

If a profile (or any of its includes) contains whitelist ${HOME}/… it's a whitelisting profile. The note with include whitelist-common.inc looked like it is easier since some profiles only have include wc.inc, but only a few profiles have whitelist ${HOME} w/o wc.inc.

Here they are (at least gitter and standardnotes-desktop should probably include wc):

```
$ grep -L "^# Redirect" $(grep -l "^whitelist \${HOME}" $(grep -L "^include whitelist-common.inc" /etc/firejail/*.profile))
/etc/firejail/gitter.profile
/etc/firejail/links.profile
/etc/firejail/mpDris2.profile
/etc/firejail/redshift.profile
/etc/firejail/rtv.profile
/etc/firejail/standardnotes-desktop.profile
```

> The reason why I asked is because whitelist might break non-whitelisting profiles, right?

Yes, if you add whitelist ${HOME}/... to a blacklisting profile the program no longer has access to its config files, documents, ... unless you whitelist them. Some profiles are opt-in whitelisting profiles such as gitg, keepassxc, peek or flameshot.
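An added example, not code from the wiki or from the firejail project, that turns the rule in the comment above into a checker: it follows a profile's include chain (so a "# Redirect" profile and a profile that only reaches whitelist-common.inc through an include are handled) and reports whether anything in the chain whitelists under $HOME. It also answers the amarok question from the earlier comments the way rusty-snake did: a profile whose only whitelist lines come from whitelist-var-common.inc comes out as blacklisting. Counting the home macros ${DESKTOP}, ${DOCUMENTS}, ${DOWNLOADS}, ${MUSIC}, ${PICTURES} and ${VIDEOS} alongside ${HOME} is my generalization, since those expand under $HOME. The profile directory it runs against is constructed inline and only imitates the relevant lines; set PROFILE_DIR to /etc/firejail to run it on an installed tree.

```shell
#!/bin/sh
# Added example, not firejail's own code: classify a profile as a
# "whitelisting profile" using the rule from this thread (the profile, or any
# file it includes, carries a "whitelist ${HOME}..." line; the home macros
# that expand under $HOME are counted as well).
# Assumptions: profiles live in $PROFILE_DIR (/etc/firejail by default), a
# relative "include foo.inc" resolves against that directory, and a missing
# include target (the optional *.local files) is skipped.

PROFILE_DIR="${PROFILE_DIR:-/etc/firejail}"

# resolve_includes FILE [DEPTH]: print FILE and, recursively, every file it
# includes. DEPTH caps the recursion so an include loop cannot hang the script.
resolve_includes() {
    local file depth kw inc
    file="$1"; depth="${2:-0}"
    [ -f "$file" ] || return 0
    [ "$depth" -lt 16 ] || return 0
    printf '%s\n' "$file"
    while read -r kw inc; do
        [ -n "$inc" ] || continue
        case "$inc" in
            /*) ;;
            *) inc="$PROFILE_DIR/$inc" ;;
        esac
        resolve_includes "$inc" "$((depth + 1))"
    done <<EOF
$(grep -E '^[[:space:]]*include[[:space:]]+[^[:space:]]' "$file" || true)
EOF
}

# classify_profile NAME: print "whitelisting" or "blacklisting" for
# $PROFILE_DIR/NAME.profile. A missing profile counts as blacklisting, since
# nothing in it whitelists $HOME.
classify_profile() {
    local f
    while read -r f; do
        [ -n "$f" ] || continue
        if grep -qE '^[[:space:]]*whitelist[[:space:]]+[$][{](HOME|DESKTOP|DOCUMENTS|DOWNLOADS|MUSIC|PICTURES|VIDEOS)[}]' "$f"; then
            echo whitelisting
            return 0
        fi
    done <<EOF
$(resolve_includes "$PROFILE_DIR/$1.profile")
EOF
    echo blacklisting
}

# make_sample_profiles: create a constructed profile directory (an imitation
# of the relevant lines only, not the real /etc/firejail) and print its path.
make_sample_profiles() {
    local dir
    dir="$(mktemp -d)"
    cat > "$dir/disable-common.inc" <<'EOF'
blacklist ${HOME}/.ssh
blacklist ${HOME}/.config/example-dir
EOF
    cat > "$dir/whitelist-common.inc" <<'EOF'
whitelist ${HOME}/.config/mimeapps.list
whitelist ${HOME}/.fonts
EOF
    cat > "$dir/whitelist-var-common.inc" <<'EOF'
whitelist /var/lib/dbus
whitelist /var/tmp
EOF
    cat > "$dir/eog.profile" <<'EOF'
include eog.local
include globals.local
include disable-common.inc
private-etc alternatives,fonts
EOF
    cat > "$dir/firefox.profile" <<'EOF'
include disable-common.inc
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.mozilla
include whitelist-common.inc
EOF
    cat > "$dir/firefox-esr.profile" <<'EOF'
# Redirect
include firefox.profile
EOF
    cat > "$dir/redshift.profile" <<'EOF'
include disable-common.inc
whitelist ${HOME}/.config/redshift.conf
EOF
    cat > "$dir/amarok.profile" <<'EOF'
include disable-common.inc
include whitelist-var-common.inc
EOF
    printf '%s\n' "$dir"
}

# Demo on the constructed directory: eog and amarok are blacklisting,
# firefox, firefox-esr (via its redirect) and redshift are whitelisting.
PROFILE_DIR="$(make_sample_profiles)"
for p in eog firefox firefox-esr redshift amarok; do
    printf '%-12s %s\n' "$p" "$(classify_profile "$p")"
done
rm -rf "$PROFILE_DIR"
```

To check an installed profile, run it with PROFILE_DIR=/etc/firejail and call classify_profile with the profile name; a user override in ~/.config/firejail is not consulted because the relative include resolution is deliberately limited to one directory.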

@NetSysFire commented on GitHub (Nov 2, 2020):

I tried to clarify this a bit:
https://github.com/netblue30/firejail/wiki/Creating-overrides/_compare/921131df86e3216d9694b856d88f3e45005138c6...aa6d4f92780bce8c578406487ac87e9cc3a8a847

@rusty-snake commented on GitHub (Aug 4, 2021):

https://github.com/netblue30/firejail/discussions/4442

Reference: github-starred/firejail#2204