mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #3580] Question: Firefox - How do i allow an external storage path? #2243
Originally created by @svc88 on GitHub (Aug 9, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3580
Using the default profile for Firefox in 0.9.62
I would like to allow Firefox access to a specific path under /media/drive/bla/bla/bla
What do I need to put under firefox.local?
I tried noblacklist and whitelist but it doesn't work for /media/xxx
@smitsohu commented on GitHub (Aug 9, 2020):
Try --noblacklist=/media or --ignore=disable-mnt
@rusty-snake commented on GitHub (Aug 9, 2020):
ignore disable-mnt
Edit: smitsohu was 1 second faster 🤣
smitsohu: 2020-08-09T19:57:32Z
rusty-snake: 2020-08-09T19:57:33Z
@svc88 commented on GitHub (Aug 9, 2020):
Thanks guys.
If I try either only --noblacklist=/media OR only --ignore=disable-mnt - this allows it but at the same time, it allows ALL drives to be accessed and obviously I don't want to allow other drives to be compromised/visible, however if I try only a complete specific path such as /media/dir1/dir2/dir3/dir4 it doesn't allow it as I originally mentioned.
So what I did was (as @rusty-snake also mentioned):
This allowed Firefox the specific device's dir path but at the same time disallows all other drives mounted which is great, so is this the correct way to go about this?
@svc88 commented on GitHub (Aug 9, 2020):
Is there no other way besides ignore disable-mnt?
@rusty-snake commented on GitHub (Aug 9, 2020):
#3245
@svc88 commented on GitHub (Aug 9, 2020):
@rusty-snake your comment here, I tried it, but firstly I get the error
Error: only directories in user home or /tmp are supported by mkdir
@svc88 commented on GitHub (Aug 9, 2020):
It seems I can't get this to work. I don't want to blacklist specific drives. I actually want to blacklist or disable-mnt on all drives but one.
Is there another way to do this?
@svc88 commented on GitHub (Aug 9, 2020):
Basically since the below works and disallows the rest of the drives but with disable-mnt ignored, my question is, is this ok or is there a way the app could still get into the rest of the drives somehow?
@rusty-snake commented on GitHub (Aug 10, 2020):
noblacklist /media/dir1/dir2/dir3/dir4
this line is redundant, since there is no such blacklist.
whitelist /media/dir1/dir2/dir3/dir4
this makes /media containing only dir1 or if dir1 is not present when the sandbox is started /media empty. However using gio/gvfs/kio over D-Bus may allow the app to see more drives (but I don't believe that D-Bus is used to access files, this is very likely still done with open).
@svc88 commented on GitHub (Aug 17, 2020):
@rusty-snake thanks, noted.
Can you please explain what you mean it's likely done with open?
@rusty-snake commented on GitHub (Aug 24, 2020):
https://www.man7.org/linux/man-pages/man2/open.2.html
@rusty-snake commented on GitHub (Oct 1, 2020):
I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.
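A filesystem-level check for the question of whether the other drives stay out of reach, as an added example that is not part of the original thread and not firejail's own code. Run from a shell inside the sandbox, it lists every entry visible beside the whitelisted path at each level from /media down; the function name `unexpected_entries` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Paste into a shell running inside the
# sandbox, or save it as a script and pass ROOT and ALLOWED as arguments.

# unexpected_entries ROOT ALLOWED
# Prints every entry that is visible next to the ALLOWED path at each
# directory level between ROOT and ALLOWED. No output means only the
# chain of directories leading to ALLOWED is visible under ROOT.
unexpected_entries() {
    root=${1%/}
    allowed=${2%/}
    case "$allowed" in
        "$root"/?*) ;;
        *) echo "error: $allowed is not below $root" >&2; return 2 ;;
    esac
    rest=${allowed#"$root"/}
    cur=$root
    while [ -n "$rest" ]; do
        next=${rest%%/*}            # first remaining path component
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$next" ] || continue  # tolerate doubled slashes
        # Include dot entries; unmatched patterns are skipped by the test below.
        for entry in "$cur"/* "$cur"/.[!.]* "$cur"/..?*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            if [ "$entry" != "$cur/$next" ]; then
                printf '%s\n' "$entry"
            fi
        done
        cur=$cur/$next
    done
    return 0
}

# Stand-alone use: sh thisfile /media /media/dir1/dir2/dir3/dir4
if [ "$#" -eq 2 ]; then
    unexpected_entries "$1" "$2"
fi
```

This only covers what is reachable through the filesystem, which is the path taken by open; the gio/gvfs/kio over D-Bus route mentioned by rusty-snake is outside what it checks.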