[GH-ISSUE #343] --blacklist=~/.mozilla warns of invalid file #241

Closed
opened 2026-05-05 05:24:21 -06:00 by gitea-mirror · 4 comments
Owner

Originally created by @Fred-Barclay on GitHub (Mar 1, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/343

Firejail 0.9.38 on LMDE Betsy (closely related to Debian Jessie.)

I came across this while working on the profile for the Pale Moon browser. ~/.mozilla is viewable and read-write even when not whitelisted. Attempts to blacklist the directory, whether in the profile or in the startup arguments, fail with the warning that ~/.mozilla is an invalid file (which is half-way correct; it's a directory). However, blacklisting other directories, such as ~/.Downloads, succeeds.

fred@aussie ~ $ firejail --blacklist=~/.mozilla --debug palemoon | grep mozilla
Reading profile /home/fred/.config/firejail/palemoon.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
...
Debug 337: new_name #/home/fred/.themes#
Warning: /home/fred/.mozilla is an invalid file, skipping...

When I blacklist a different directory such as Downloads:
fred@aussie ~ $ firejail --blacklist=~/Downloads --debug palemoon | grep Downloads
Reading profile /home/fred/.config/firejail/palemoon.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
...
Disable /home/fred/Downloads

In case the profile is to blame:
# Pale Moon Browser profile
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
whitelist ${DOWNLOADS}

whitelist ~/.moonchild productions
whitelist ~/.cache/moonchild productions/pale moon

# Uncommented in Firefox profile. If you run into trouble you may want to enable
# (some of) them.
#whitelist ~/dwhelper
#whitelist ~/.zotero
#whitelist ~/.lastpass
#whitelist ~/.vimperatorrc
#whitelist ~/.vimperator
#whitelist ~/.pentadactylrc
#whitelist ~/.pentadactyl
#whitelist ~/.keysnail.js
#whitelist ~/.config/gnome-mplayer
#whitelist ~/.cache/gnome-mplayer/plugin

#blacklist ~/.mozilla/


include /etc/firejail/whitelist-common.inc

# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse

I'm not sure if this is actually a bug or whether I'm to blame. Hopefully someone with a better understanding of the situation can chime in. :)
Thanks!
Fred

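A pre-flight check of the kind that would have helped narrow this report down, written here as an added example (it is not firejail's own code and does not reproduce firejail's internals). It parses the whitelist/blacklist lines of a profile the way firejail reads them (one directive per line, the rest of the line is the path, so "~/.moonchild productions" is one argument), expands `~` and `${DOWNLOADS}`, and then checks each path against a filesystem view. The view is a constructed dict standing in for `os.lstat()`/`os.readlink()` so the script runs offline; the profile excerpt, the home directory and the symlinked `~/.mozilla` in it are sample data, not Fred's actual system. Two assumptions are built in: a rule whose path does not exist cannot be applied (there is nothing to mount over), and a rule on a symlink may end up restricting the link target rather than the link, which is exactly the kind of thing to confirm from inside the sandbox rather than from the profile text.

```python
"""Pre-flight check for a firejail profile (added example, not firejail code).

Flags rules that cannot do what the profile author probably expects:
paths that do not exist, paths that are symlinks, and paths with spaces.
The filesystem is an injected dict so the check runs on constructed data.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directives whose argument is a filesystem path.
FS_DIRECTIVES = ("whitelist", "blacklist", "read-only", "noexec")

# Filesystem view: path -> ("dir",) | ("file",) | ("symlink", target)
FsView = Dict[str, Tuple[str, ...]]


@dataclass(frozen=True)
class Rule:
    directive: str  # e.g. "blacklist"
    raw: str        # argument exactly as written in the profile
    path: str       # absolute, normalised path after expansion


def expand(arg: str, home: str, downloads: str) -> str:
    """Expand ${DOWNLOADS} and a leading ~, then normalise (drops a trailing '/')."""
    arg = arg.replace("${DOWNLOADS}", downloads)
    if arg == "~" or arg.startswith("~/"):
        arg = home + arg[1:]
    return posixpath.normpath(arg)


def parse_profile(text: str, home: str, downloads: str) -> List[Rule]:
    """Return the filesystem rules of a profile; comments, blank lines and
    non-filesystem directives (seccomp, caps.drop, ...) are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Only the first space separates directive from argument;
        # everything after it is the path, spaces included.
        directive, _, arg = line.partition(" ")
        if directive in FS_DIRECTIVES and arg:
            rules.append(Rule(directive, arg, expand(arg.strip(), home, downloads)))
    return rules


def resolve(path: str, fs: FsView) -> Optional[str]:
    """Follow symlinks in the view; None if the path (or a link target) is absent."""
    seen = set()
    while path in fs and fs[path][0] == "symlink":
        if path in seen:
            return None  # symlink loop
        seen.add(path)
        path = posixpath.normpath(fs[path][1])
    return path if path in fs else None


def audit(rules: List[Rule], fs: FsView) -> List[str]:
    """One finding per problem; an empty list means every rule has a real target."""
    findings = []
    for r in rules:
        if " " in r.path:
            findings.append(f"{r.directive} {r.raw}: path contains a space; "
                            "fine in a profile, but a shell splits it on the command line")
        target = resolve(r.path, fs)
        if target is None:
            # Assumption: a bind mount needs an existing target, so firejail cannot apply this.
            findings.append(f"{r.directive} {r.raw}: {r.path} does not exist, rule is a no-op")
        elif target != r.path:
            findings.append(f"{r.directive} {r.raw}: {r.path} is a symlink to {target}; "
                            "verify inside the sandbox which of the two is restricted")
    return findings


# Constructed excerpt modelled on the Pale Moon profile in the report.
SAMPLE_PROFILE = """\
# Pale Moon Browser profile (constructed excerpt)
caps.drop all
seccomp
whitelist ${DOWNLOADS}
whitelist ~/.moonchild productions
whitelist ~/.zotero
blacklist ~/.mozilla/
"""

# Constructed filesystem view; ~/.mozilla is deliberately a symlink here.
SAMPLE_FS: FsView = {
    "/home/fred": ("dir",),
    "/home/fred/Downloads": ("dir",),
    "/home/fred/.moonchild productions": ("dir",),
    "/home/fred/.mozilla": ("symlink", "/data/profiles/mozilla"),
    "/data/profiles/mozilla": ("dir",),
}


def run_sample() -> List[str]:
    rules = parse_profile(SAMPLE_PROFILE, "/home/fred", "/home/fred/Downloads")
    return audit(rules, SAMPLE_FS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample data this reports the space in `~/.moonchild productions`, the missing `~/.zotero` (a no-op rule) and the symlinked `~/.mozilla`. The findings are hints about what to verify, not a diagnosis: the only authoritative check of a blacklist is to run a command such as `ls` under the same firejail arguments and confirm the directory is not visible.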

@netblue30 commented on GitHub (Mar 2, 2016):

I put in some debug code to see where the message is coming from. Give it a try, thanks!


@Fred-Barclay commented on GitHub (Mar 2, 2016):

Sorry--I'm missing something. Where's the debug code? :)

EDIT: found it in src, but where do I put it (in my computer)? I had installed firejail via .deb rather than source code--should I download the code from here and compile?


@netblue30 commented on GitHub (Mar 4, 2016):

I'll have a testing release coming in about one week.


@Fred-Barclay commented on GitHub (Mar 4, 2016):

Sounds good. :)

I'm going to set up a testing VM and start building firejail from source too. This will probably make it easier on all parties.
(I try to avoid compiling on my main machine. Just a personal preference.)

Reference: github-starred/firejail#241