[GH-ISSUE #3581] Blacklisting /media/ except for one folder #2246

Closed
opened 2026-05-05 08:56:21 -06:00 by gitea-mirror · 11 comments

Originally created by @ihasaquesion on GitHub (Aug 10, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3581

When I use a profile that has `noblacklist /media/directory/path` followed by a later `blacklist /media/` I keep getting blacklist violations in the syslog: `syscall opendir, path /media`. These errors only appear when I include `blacklist /media/`.

How to blacklist all /media/ except for one directory?

And it also doesn't work when whitelisting the directory (next to the other whitelistings in the profile).

firejail version 0.9.62


@smitsohu commented on GitHub (Aug 11, 2020):

It is easy, just do `--noblacklist=/media/dir --blacklist=/media/*`


@ihasaquesion commented on GitHub (Aug 11, 2020):

Doesn't work.
I'd like to use a profile, not command-line parameters. The profile is:

```
...
noblacklist /media/veracrypt1/dir
...
blacklist /media/*
...
```

@smitsohu commented on GitHub (Aug 11, 2020):

Ok, then it is

```
noblacklist /media/veracrypt
blacklist /media/*
noblacklist /media/veracrypt/dir
blacklist /media/veracrypt/*
```

Or just `whitelist /media/veracrypt/dir`.

If the latter does not work, please post the output of `firejail --debug-whitelists --whitelist=/media/veracrypt/dir`. Redact the name of the directory if you like.


@ihasaquesion commented on GitHub (Aug 11, 2020):

Thanks, whitelisting beneath the profile's blacklistings worked. Previously it didn't, probably because I kept the blacklistings.


@ihasaquesion commented on GitHub (Aug 11, 2020):

It worked for one profile but not the other. I also put the `whitelist` at the bottom of the profile, before `caps.drop all`. I tried removing the `noblacklist` for the same directory. It's the profile for #3579.


@smitsohu commented on GitHub (Aug 11, 2020):

Is there a `disable-mnt` line in that other profile?


@ihasaquesion commented on GitHub (Aug 11, 2020):

No, it's mostly the default JDownloader profile. I added `include chromium.profile`.


@rusty-snake commented on GitHub (Aug 11, 2020):

> No, it's mostly the default JDownloader profile. I added `include chromium.profile`.

… which `include`s chromium-common.profile, which sets `disable-mnt` 🙄.


@ihasaquesion commented on GitHub (Aug 11, 2020):

I suspected this line to be the culprit. How to "enable-mnt" without having to modify this profile?


@rusty-snake commented on GitHub (Aug 11, 2020):

Add `ignore disable-mnt` before you `include chromium.profile`.


@ihasaquesion commented on GitHub (Aug 11, 2020):

Thank you!!

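As an added illustration, not part of the original thread and not a profile shipped with firejail: a user profile that combines the two fixes discussed above, the `noblacklist`-before-`blacklist` ordering from @smitsohu and the `ignore disable-mnt`-before-`include` ordering from @rusty-snake. The file location, the `jdownloader.profile` name and the mount point `/media/veracrypt1/dir` are assumptions taken from the thread; everything else in the real JDownloader profile is left out.

```text
# Assumed location: ~/.config/firejail/jdownloader.profile
# (a profile with this name in ~/.config/firejail takes precedence over
#  /etc/firejail/jdownloader.profile, so the shipped profile is untouched).

# Must come BEFORE the include. chromium.profile pulls in
# chromium-common.profile, which sets disable-mnt and hides /media entirely;
# once that has taken effect no noblacklist/whitelist below can bring it back.
ignore disable-mnt
include chromium.profile

# Order matters: a noblacklist only protects paths that are blacklisted
# AFTER it. Keep /media itself and the mount point reachable, hide every
# other entry under /media, then repeat the pattern one level down so that
# only the single directory inside the mount stays visible.
noblacklist /media/veracrypt1
blacklist /media/*
noblacklist /media/veracrypt1/dir
blacklist /media/veracrypt1/*

# Alternative from the thread: replace the four lines above with
#   whitelist /media/veracrypt1/dir
# which exposes only that directory under /media.

caps.drop all
```

With the `whitelist` variant, `firejail --debug-whitelists` (the flag @smitsohu asks for above) prints which mounts firejail actually sets up, which is the quickest way to confirm that `disable-mnt` is no longer taking effect before the profile's own lines run.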
Reference: github-starred/firejail#2246