github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #3638] Why are all the $HOME dirs and files visible in Telegram and not jailed? #2290

New issue

Closed

opened 2026-05-05 08:58:46 -06:00 by gitea-mirror · 7 comments

gitea-mirror commented

2026-05-05 08:58:46 -06:00

Owner

Originally created by @svc88 on GitHub (Sep 20, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3638

Currently, If you open Telegram and click on the attachment (paper clip) icon to send a file, i can see all files and dirs under $HOME. Why isnt there only one folder like ${DOWNLOADS} shown and the rest blacklisted?
Im not 100% sure that Telegram is jailed properly.

firejail version 0.9.62

Originally created by @svc88 on GitHub (Sep 20, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3638 Currently, If you open Telegram and click on the attachment (paper clip) icon to send a file, i can see all files and dirs under $HOME. Why isnt there only one folder like ${DOWNLOADS} shown and the rest blacklisted? Im not 100% sure that Telegram is jailed properly. firejail version 0.9.62

gitea-mirror closed this issue

2026-05-05 08:58:48 -06:00

gitea-mirror commented

2026-05-05 08:58:49 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Sep 21, 2020):

Does telegram process show up on "firejail --list" command?

@SkewedZeppelin commented on GitHub (Sep 21, 2020): Does telegram process show up on "firejail --list" command?

gitea-mirror commented

2026-05-05 08:58:50 -06:00

Author

Owner

@svc88 commented on GitHub (Sep 21, 2020):

Does telegram process show up on "firejail --list" command?

Yes

Is it supposed to blacklist all folders? Because i dont see "whitelist" anywhere in telegram.profile

@svc88 commented on GitHub (Sep 21, 2020): > Does telegram process show up on "firejail --list" command? Yes Is it supposed to blacklist all folders? Because i dont see "whitelist" anywhere in telegram.profile

gitea-mirror commented

2026-05-05 08:58:51 -06:00

Author

Owner

@rusty-snake commented on GitHub (Sep 21, 2020):

There's a lot of options which can be added to telegram.profile.

More disable-*.inc includes (especially include disable-xdg.inc)
include whitelist-*.inc
DBus policy
Others such as nogroups, novideo, nosound, tracelog likely/obviously break

Flatpak permissions:

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=xdg-download;xdg-config/kdeglobals:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
com.canonical.indicator.application=talk
org.freedesktop.portal.Fcitx=talk
org.gnome.Mutter.IdleMonitor=talk
org.kde.StatusNotifierWatcher=talk
org.freedesktop.ScreenSaver=talk
org.ayatana.indicator.application=talk
com.canonical.AppMenu.Registrar=talk
com.canonical.Unity=talk

First draft (dbus-policy can be future hardened):

include disable-passwdmgr.inc
include disable-shell.inc
include disable-xdg.inc

mkdir ${HOME}/<telegram>
whitelist ${HOME}/<telegram>
whitelist ${DOWNLOADS}
whitelist /usr/share/<telegram>
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

dbus-user filter
dbus-user.own org.telegram.desktop
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk com.canonical.indicator.application
dbus-user.talk org.gnome.Mutter.IdleMonitor
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.freedesktop.ScreenSaver
dbus-user.talk org.ayatana.indicator.application
dbus-user.talk com.canonical.Unity
dbus-system none

@rusty-snake commented on GitHub (Sep 21, 2020): There's a lot of options which can be added to telegram.profile. - More `disable-*.inc` includes (especially `include disable-xdg.inc`) - `include whitelist-*.inc` - DBus policy - Others such as nogroups, novideo, nosound, tracelog likely/obviously break Flatpak permissions: ``` [Context] shared=network;ipc; sockets=x11;wayland;pulseaudio; devices=all; filesystems=xdg-download;xdg-config/kdeglobals:ro; [Session Bus Policy] org.freedesktop.Notifications=talk com.canonical.indicator.application=talk org.freedesktop.portal.Fcitx=talk org.gnome.Mutter.IdleMonitor=talk org.kde.StatusNotifierWatcher=talk org.freedesktop.ScreenSaver=talk org.ayatana.indicator.application=talk com.canonical.AppMenu.Registrar=talk com.canonical.Unity=talk ``` First draft (dbus-policy can be future hardened): ``` include disable-passwdmgr.inc include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/<telegram> whitelist ${HOME}/<telegram> whitelist ${DOWNLOADS} whitelist /usr/share/<telegram> include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc dbus-user filter dbus-user.own org.telegram.desktop dbus-user.talk org.freedesktop.Notifications dbus-user.talk com.canonical.indicator.application dbus-user.talk org.gnome.Mutter.IdleMonitor dbus-user.talk org.kde.StatusNotifierWatcher dbus-user.talk org.freedesktop.ScreenSaver dbus-user.talk org.ayatana.indicator.application dbus-user.talk com.canonical.Unity dbus-system none ```

gitea-mirror commented

2026-05-05 08:58:52 -06:00

Author

Owner

@FOSSONLY commented on GitHub (Sep 21, 2020):

I think there is a misunderstanding here. You should have a closer look at the profile of telegram, and especially at the entries "disable-common.inc" and "disable-programs.inc". Their contents quickly show how intensively and extensively the data under /home is protected or restricted. Just because any files or directories are visible, it does not mean that their content is visible or can be modified. Much of especially sensitive data is invisible anyway by principle, but for correct functionality of telegram certain areas must be visible. Therefore it is not practicable to make everything outside of /home/user/Downloads simply inaccessible.

@FOSSONLY commented on GitHub (Sep 21, 2020): I think there is a misunderstanding here. You should have a closer look at the profile of telegram, and especially at the entries "disable-common.inc" and "disable-programs.inc". Their contents quickly show how intensively and extensively the data under /home is protected or restricted. Just because any files or directories are visible, it does not mean that their content is visible or can be modified. Much of especially sensitive data is invisible anyway by principle, but for correct functionality of telegram certain areas must be visible. Therefore it is not practicable to make everything outside of /home/user/Downloads simply inaccessible.

gitea-mirror commented

2026-05-05 08:58:52 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Sep 29, 2020):

By my testing, the following whitelist works:

whitelist ${HOME}/.local/share/TelegramDesktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.themes
whitelist ${HOME}/.gtkrc-2.0

It only allows access to Downloads and it's own data files. @svc88, feel free to play around with that whitelist and let me know if that works well for you.

@chiraag-nataraj commented on GitHub (Sep 29, 2020): By my testing, the following whitelist works: ``` whitelist ${HOME}/.local/share/TelegramDesktop whitelist ${DOWNLOADS} whitelist ${HOME}/.themes whitelist ${HOME}/.gtkrc-2.0 ``` It only allows access to Downloads and it's own data files. @svc88, feel free to play around with that whitelist and let me know if that works well for you.

gitea-mirror commented

2026-05-05 08:58:53 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Sep 29, 2020):

Im not 100% sure that Telegram is jailed properly.

I mean, it's a question of trade-offs. A lot of the profiles provided with firejail err on the side of usability. My profiles (https://github.com/chiraag-nataraj/firejail-profiles), on the other hand, err on the side of security/privacy. You can also, of course, create your own profiles (as I do) to tailor them to your use-cases.

@chiraag-nataraj commented on GitHub (Sep 29, 2020): > Im not 100% sure that Telegram is jailed properly. I mean, it's a question of trade-offs. A lot of the profiles provided with firejail err on the side of usability. My profiles (https://github.com/chiraag-nataraj/firejail-profiles), on the other hand, err on the side of security/privacy. You can also, of course, create your own profiles (as I do) to tailor them to your use-cases.

gitea-mirror commented

2026-05-05 08:58:53 -06:00

Author

Owner

@rusty-snake commented on GitHub (Nov 9, 2020):

I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.

@rusty-snake commented on GitHub (Nov 9, 2020): I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2290

No description provided.

Rows
Columns