[GH-ISSUE #3877] Using firejail with private /home with a folder on /home mount point but outside of users folders #2438

Closed
opened 2026-05-05 09:07:03 -06:00 by gitea-mirror · 53 comments

Originally created by @esp13 on GitHub (Jan 9, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3877

Hi,

I can start firejail with the private folder being a chosen folder inside my home account:
firejail --noprofile --private=/home/username/thefolderIwant

I can start firejail with the private folder being a chosen folder on another partition/drive:
firejail --noprofile --private=/mnt/otherpartitionordrive/thefolderIwant

But I don't understand why I can't start firejail with the private folder being a chosen folder directly on /home with the right permissions:
firejail --noprofile --private=/home/thefolderIwantnotinsideuserhome
firejail --noprofile --private=/home/thefolderIwantnotinsideuserhome

I got this error:

Error opening private directory: fs_home.c:262 fs_private_homedir: No such file or directory
Error: proc 1990 cannot sync with peer: unexpected EOF
Peer 1991 unexpectedly exited with status 1

I checked the permissions; they are the same:

stat -c "%a %n" /home/username/thefolderIwant
775 /home/username/thefolderIwant
stat -c "%a %n" /mnt/otherpartitionordrive/thefolderIwant
775 /mnt/otherpartitionordrive/thefolderIwant
stat -c "%a %n" /home/thefolderIwantnotinsideuserhome
775 /home/thefolderIwantnotinsideuserhome

What am I missing?


@smitsohu commented on GitHub (Jan 9, 2021):

I think it should work if you add --allusers to your options.

If it doesn't work, what is your Firejail version?


@esp13 commented on GitHub (Jan 10, 2021):

> I think it should work if you add --allusers to your options.
>
> If it doesn't work, what is your Firejail version?

Thank you very much for your fast and correct answer :)
It works with the --allusers option :+1:

So I guess Firejail treats the /home mount point differently from other mount points, even though permission on this specific folder is allowed for all users, good to know.


@esp13 commented on GitHub (Jan 10, 2021):

Please tell me if I shouldn't ask more questions on this ticket, otherwise I have some:

  1. Is it safe to use this --allusers option with a profile file?
  2. Is it possible to run an app with a custom profile file AND a custom isolated home folder? Something like that ?
    Inside .sh file:
    cd /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome && sleep 1 && firejail --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile --allusers bash -c "sleep 1

@rusty-snake commented on GitHub (Jan 10, 2021):

  1. You mean to add allusers to a profile? It's the same as using it on the command-line.
  2. Yes. In addition, you can put the private home/thefolderIwantnotinsideuserhome/FireJail/SteamHome in /home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile, so you just use firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile steam.

@esp13 commented on GitHub (Jan 16, 2021):

> 1. You mean to add `allusers` to a profile? It's the same as using it on the command-line.
>
> 2. Yes. In addition, you can put the `private home/thefolderIwantnotinsideuserhome/FireJail/SteamHome` in `/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile`, so you just use `firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/Steam.profile steam`.

Hi, thank you for your answer,

  1. Yes. Ok, it works. Is it safe to use this option?
  2. Nice, I will do so now. But I still have something that looks strange to me: I start the sandbox with a private home folder and inside the sandbox, the $HOME variable still points to the real home and not to the private folder specified. Is it normal? Is there a workaround?

@rusty-snake commented on GitHub (Jan 16, 2021):

  1. It exposes all other directories in /home. However, if you are the only user there is nothing to expose, and if there are other users their home should be 770 or stricter (from a security perspective) so that only the presence of the other directories is exposed.
  2. This is exactly what you want when you use private /foo/bar. /foo/bar becomes your $HOME in the sandbox.

@esp13 commented on GitHub (Jan 16, 2021):

> 1. It exposes all other directories in /home. However, if you are the only user there is nothing to expose, and if there are other users their home should be 770 or stricter (from a security perspective) so that only the presence of the other directories is exposed.

Is there a way to authorise access to the private folder /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome but not to all the upper folders inside firejail?

> 2. This is exactly what you want when you use private /foo/bar. /foo/bar becomes your $HOME in the sandbox.

Maybe my English is too bad; I meant the opposite:

Before launching firejail:
echo $HOME
return
/home/myrealusername

After launching firejail:
firejail --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --allusers
echo $HOME
still return
/home/myrealusername

I expected 'echo $HOME' to return this inside firejail:
/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/

My firejail version:

firejail --version
firejail version 0.9.62

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

@rusty-snake commented on GitHub (Jan 16, 2021):

  1. I'm not sure what exactly you mean (/ is an upper folder and restricting access would make sense). Maybe blacklist /home/foo/bar is what you're looking for.
  2. It's the way private works; read [1](https://firejail.wordpress.com/documentation-2/firefox-guide/#work), [2](https://firejail.wordpress.com/documentation-2/basic-usage/#private), the manpage, or play a bit with it. You could use --env=HOME=/home/foo/bar to set $HOME to your expected value. But this can break programs because getpw* will still return /home/user.

@esp13 commented on GitHub (Jan 16, 2021):

> 1. I'm not sure what exactly you mean (`/` is an upper folder and restricting access would make sense). Maybe `blacklist /home/foo/bar` is what you're looking for.

On my /home mount point:

  • user1/ (my real user home)
  • user2/
  • userx/
  • thefolderIwantnotinsideuserhome/

On the thefolderIwantnotinsideuserhome/FireJail/:

  • SteamHome/ (Fake home for steam)
  • XxxHome/ (Other fake homes for other apps)

The Steam app shouldn't be able to see anything other than /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/

So Steam firejailed with --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --allusers shouldn't have access to:

  • user1/ (anyway will not be accessible from any other user due to permissions)
  • user2/
  • userx/
  • thefolderIwantnotinsideuserhome/FireJail/XxxHome/
> 2. It's the way `private` works; read [1](https://firejail.wordpress.com/documentation-2/firefox-guide/#work), [2](https://firejail.wordpress.com/documentation-2/basic-usage/#private), the manpage, or play a bit with it. You could use `--env=HOME=/home/foo/bar` to set `$HOME` to your expected value. But this can break programs because `getpw*` will still return `/home/user`.

The manpage:
"[...] $ firejail --private=/home/username/work thunderbird &
$ firejail --private=/home/username/work firefox -no-remote &

Both Mozilla Thunderbird and Firefox think ~/work is the user home directory [...]"

So shouldn't echo $HOME or getpw* return /home/username/work in this case?
On this manpage example, how will firefox and thunderbird think ~/work is the home directory if echo ~ and echo $HOME return /home/username/ (it will not return /home/username/work)?
I certainly missed something, sorry for the troubles :/


@esp13 commented on GitHub (Jan 16, 2021):

mmmm... by testing I think I'm close to understanding:
inside a firejailed shell with --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/

when I do:
touch ~/test.txt
the file is created inside /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
and not inside /home/user/

When I run ls ~ I see it
So even though $HOME and ~ point to the real user home directory, it goes inside the fake one
It's Voodoo for me lol


@esp13 commented on GitHub (Jan 16, 2021):

I'm progressing on the problem:
The fake home directory wasn't the cause of my troubles.
I have a permission issue.

Outside FireJail:
ls -la

drwx------ 1 myuser myuser   68 déc.  31 11:36 .
drwx------ 1 myuser myuser   10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser myuser   94 janv.  1 09:33 Aspyr
-rw------- 1 myuser myuser  218 nov.  28 20:03 recently-used.xbel
drwx------ 1 myuser myuser 1048 janv.  8 20:14 Steam
drwxrwxr-x 1 myuser myuser   32 nov.  11 13:20 vulkan

But inside FireJail, for the same files, some don't have an owner and have different rights:
ls -la

drwx------ 1 myuser   myuser     68 déc.  31 11:36 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan

This results in a permission rejection.

Maybe it is because I created these files on another computer and moved them afterwards to my new fresh install.
Is there a way to fix this problem properly?


@rusty-snake commented on GitHub (Jan 16, 2021):

  1. There are two things, see the directory and see in the directory. The first, only see selected directories, isn't possible. The latter, see only in selected directories, is possible using blacklist.
# Either
blacklist /home/foo1
blacklist /home/foo2
# Or
noblacklist /home/foo3
blacklist /home/*

If these directories belong to another human user they should be inaccessible to others anyway.

  3. Looks like these dirs are blacklisted.
    https://github.com/netblue30/firejail/blob/f18124baa4290e658babc6dd0716232e9a474335/etc/profile-m-z/steam.profile#L18
    https://github.com/netblue30/firejail/blob/f18124baa4290e658babc6dd0716232e9a474335/etc/profile-m-z/steam.profile#L22

@esp13 commented on GitHub (Jan 16, 2021):

> 1. There are two things, see the directory and see _in_ the directory. The first, only see selected directories, isn't possible. The latter, see only in selected directories, is possible using `blacklist`.
>
> # Either
> blacklist /home/foo1
> blacklist /home/foo2
> # Or
> noblacklist /home/foo3
> blacklist /home/*
>
> If these directories belong to another human user they should be inaccessible to others anyway.

firejail --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --allusers --blacklist=/home/* --noblacklist=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
Or
firejail --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --allusers --noblacklist=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ --blacklist=/home/*

Both result in:

Error chdir: sandbox.c:1040 sandbox: Permission denied
Error: proc 3343944 cannot sync with peer: unexpected EOF
Peer 3343945 unexpectedly exited with status 1
> 3. Looks like these dirs are blacklisted.
>    https://github.com/netblue30/firejail/blob/f18124baa4290e658babc6dd0716232e9a474335/etc/profile-m-z/steam.profile#L18
>    https://github.com/netblue30/firejail/blob/f18124baa4290e658babc6dd0716232e9a474335/etc/profile-m-z/steam.profile#L22

Yes, I commented this because I wanted this to stay in the fake home folder.


@rusty-snake commented on GitHub (Jan 16, 2021):

  1. Now the things become difficult … firejail --allusers --noblacklist=/home/user "--blacklist=/home/*" --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome.

@esp13 commented on GitHub (Jan 16, 2021):

> 1. Now the things become difficult … `firejail --allusers --noblacklist=/home/user "--blacklist=/home/*" --private=/home/thefolderIwantnotinsideuserhome/FireJail/SteamHome`.

This worked, but I can't explain myself how, it's magic ^^
--noblacklist=/home/user: I feared this would give the app full access to the real home folder... but no :)
"--blacklist=/home/*": what is the aim of the double quotes? To execute this afterwards? Can I write --blacklist="/home/*" instead?

How should I write this inside the profile file?

But inside FireJail, the permissions are still the same:
ls -la

drwx------ 1 myuser   myuser     68 déc.  31 11:36 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan

If I uncomment these lines in the profile file:

#noblacklist ${HOME}/.killingfloor
#noblacklist ${HOME}/.local/share/3909/PapersPlease
#noblacklist ${HOME}/.local/share/aspyr-media
#noblacklist ${HOME}/.local/share/cdprojektred
#noblacklist ${HOME}/.local/share/feral-interactive
#noblacklist ${HOME}/.local/share/Steam
#noblacklist ${HOME}/.local/share/SuperHexagon
#noblacklist ${HOME}/.local/share/Terraria
#noblacklist ${HOME}/.local/share/vpltd
#noblacklist ${HOME}/.local/share/vulkan
#noblacklist ${HOME}/.steam
#noblacklist ${HOME}/.steampath
#noblacklist ${HOME}/.steampid

The app will still create the files inside the fake home folder?
Why do we need this?


@esp13 commented on GitHub (Jan 16, 2021):

ahhh steam just put a lot of files in my real home directory... I'm sad :(

How does it do this from inside firejail?

-edit2-
Because I wasn't inside FireJail... I was testing --blacklist="/home/*" instead of "--blacklist=/home/*" but this resulted in an error because I wrote --noblacklist=home/thefolderIwantnotinsideuserhome/FireJail/SteamHome instead of --noblacklist=/home/user and I didn't see it at first...


@rusty-snake commented on GitHub (Jan 16, 2021):

> "--blacklist=/home/*" what is the aim of the double quote?

They stop your shell from expanding the *. If you use special characters like *?!${} you need to tell your shell that it should treat them literally instead of expanding. For some characters like !$ you must use single quotes.

> How does it do this from inside firejail?

firejail does it, look at the mkdir and mkfile commands in the profile. There is a very old bug for it: #903.

> --blacklist="/home/*" instead of "--blacklist=/home/*"

Both should be the same.


@esp13 commented on GitHub (Jan 16, 2021):

> > --blacklist="/home/*" instead of "--blacklist=/home/*"
> >
> > Both should be the same.

You are right, I checked, I updated my texts before.


@esp13 commented on GitHub (Jan 16, 2021):

> How should I write this inside the profile file?

I go with

allusers
private /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
noblacklist ~
blacklist /home/*

What do you think?

> But inside FireJail, the permissions are still the same:
> ls -la
>
> drwx------ 1 myuser   myuser     68 déc.  31 11:36 .
> drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
> drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
> -rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
> dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
> dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan
>
> If I uncomment these lines in the profile file:
>
> #noblacklist ${HOME}/.killingfloor
> #noblacklist ${HOME}/.local/share/3909/PapersPlease
> #noblacklist ${HOME}/.local/share/aspyr-media
> #noblacklist ${HOME}/.local/share/cdprojektred
> #noblacklist ${HOME}/.local/share/feral-interactive
> #noblacklist ${HOME}/.local/share/Steam
> #noblacklist ${HOME}/.local/share/SuperHexagon
> #noblacklist ${HOME}/.local/share/Terraria
> #noblacklist ${HOME}/.local/share/vpltd
> #noblacklist ${HOME}/.local/share/vulkan
> #noblacklist ${HOME}/.steam
> #noblacklist ${HOME}/.steampath
> #noblacklist ${HOME}/.steampid
>
> The app will still create the files inside the fake home folder?
> Why do we need this?

It still seems necessary to uncomment these with the previous profile, but why? Isn't the noblacklist ~ supposed to do the job?

<!-- gh-comment-id:761615126 --> @esp13 commented on GitHub (Jan 16, 2021): > How should I write this inside the profile file? I goes with ``` allusers private /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ noblacklist ~ blacklist /home/* ``` What do you think? > But inside FireJail, the permissions are still the same : > `ls -la` > > ``` > drwx------ 1 myuser myuser 68 déc. 31 11:36 . > drwx------ 1 myuser myuser 10 nov. 11 13:02 .. > drwxrwxr-x 1 myuser myuser 94 janv. 1 09:33 Aspyr > -rw------- 1 myuser myuser 218 nov. 28 20:03 recently-used.xbel > dr-------- 2 nobody nogroup 40 janv. 11 20:46 Steam > dr-------- 2 nobody nogroup 40 janv. 11 20:46 vulkan > ``` > > If I uncomment this lines in the profile file: > > ``` > #noblacklist ${HOME}/.killingfloor > #noblacklist ${HOME}/.local/share/3909/PapersPlease > #noblacklist ${HOME}/.local/share/aspyr-media > #noblacklist ${HOME}/.local/share/cdprojektred > #noblacklist ${HOME}/.local/share/feral-interactive > #noblacklist ${HOME}/.local/share/Steam > #noblacklist ${HOME}/.local/share/SuperHexagon > #noblacklist ${HOME}/.local/share/Terraria > #noblacklist ${HOME}/.local/share/vpltd > #noblacklist ${HOME}/.local/share/vulkan > #noblacklist ${HOME}/.steam > #noblacklist ${HOME}/.steampath > #noblacklist ${HOME}/.steampid > ``` > > The app will still create the files inside the fake home folder? > Why do we need this? It seems to be still necessary to unquote this with the previous profile, but why? Isn't the `noblacklist ~` supposed to make the stuff?
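A diagnostic for the situation in the post above, as an added example that is not part of this thread or of the firejail project: it parses an ls -la listing taken inside the sandbox, flags the entries that look like firejail blacklist masks, and matches them against the noblacklist lines that were commented out in the profile. It assumes, as the listing in the thread suggests, that a blacklisted directory shows up inside the sandbox as an empty read-only directory owned by nobody:nogroup; the sample listing and profile fragment are constructed from the thread's text, and matching on the last path component is a heuristic.

```python
"""Spot firejail blacklist masks in an inside-sandbox `ls -la` listing and
relate them to commented-out `noblacklist` lines in a profile.

Assumption (not verified against firejail sources here): a blacklisted
directory appears inside the sandbox as `dr--------  nobody nogroup`, which is
what the thread's listing shows for Steam and vulkan.
"""
import re

# Constructed sample: the inside-sandbox listing from the thread (French month
# names kept as they appear there).
INSIDE_LISTING = """\
drwx------ 1 myuser   myuser     68 déc.  31 11:36 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan
"""

# Constructed sample: a fragment of a steam.profile with the noblacklist lines
# commented out, plus the private/blacklist lines discussed in the thread.
PROFILE_FRAGMENT = """\
#noblacklist ${HOME}/.local/share/aspyr-media
#noblacklist ${HOME}/.local/share/Steam
#noblacklist ${HOME}/.local/share/vulkan
#noblacklist ${HOME}/.steam
private /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
blacklist /home/*
"""

COMMENTED_NOBLACKLIST = re.compile(r"^\s*#\s*noblacklist\s+(\S+)")


def parse_ls(listing):
    """Return (mode, owner, group, name) tuples for an `ls -la` listing.

    Splits into at most 9 fields so a name containing spaces stays whole;
    the `total N` header and the . / .. entries are skipped.
    """
    entries = []
    for line in listing.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        mode, _links, owner, group, _size, _mon, _day, _time, name = parts
        if name in (".", ".."):
            continue
        entries.append((mode, owner, group, name))
    return entries


def masked_entries(listing):
    """Names that look like firejail blacklist masks (assumed signature):
    a directory with mode dr-------- owned by nobody:nogroup."""
    return [name for mode, owner, group, name in parse_ls(listing)
            if mode == "dr--------" and owner == "nobody" and group == "nogroup"]


def commented_noblacklists(profile_text):
    """Paths from `noblacklist` lines that have been commented out with '#'."""
    paths = []
    for line in profile_text.splitlines():
        match = COMMENTED_NOBLACKLIST.match(line)
        if match:
            paths.append(match.group(1))
    return paths


def lines_to_restore(listing, profile_text):
    """Commented-out noblacklist paths whose last path component matches a
    masked entry seen inside the sandbox (case-insensitive heuristic)."""
    masked = {name.lower() for name in masked_entries(listing)}
    return [path for path in commented_noblacklists(profile_text)
            if path.rstrip("/").rsplit("/", 1)[-1].lower() in masked]


if __name__ == "__main__":
    print("masked inside sandbox:", masked_entries(INSIDE_LISTING))
    for path in lines_to_restore(INSIDE_LISTING, PROFILE_FRAGMENT):
        print("uncomment: noblacklist", path)
```

Run it against the real listing and profile by replacing the two constructed samples; any mask without a matching noblacklist line is one the profile's blacklist rules are creating deliberately.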

@rusty-snake commented on GitHub (Jan 16, 2021):

Sorry I don't get your last question.

@esp13 commented on GitHub (Jan 16, 2021):

> Sorry I don't get your last question.

Why in the standard steam profile file do we need to do the noblacklist for folders already inside the fake home folder?

```
noblacklist ${HOME}/.killingfloor
noblacklist ${HOME}/.local/share/3909/PapersPlease
noblacklist ${HOME}/.local/share/aspyr-media
noblacklist ${HOME}/.local/share/cdprojektred
noblacklist ${HOME}/.local/share/feral-interactive
noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/SuperHexagon
noblacklist ${HOME}/.local/share/Terraria
noblacklist ${HOME}/.local/share/vpltd
noblacklist ${HOME}/.local/share/vulkan
noblacklist ${HOME}/.steam
noblacklist ${HOME}/.steampath
noblacklist ${HOME}/.steampid
```

@esp13 commented on GitHub (Jan 16, 2021):

I wanted to check graphically what the FireJailed app will be able to see on the disk, so I went with `firejail --profile=/home/FireJail_customsteam.profile bash -c "nemo"`, but I get normal user access. Did I miss something?

Maybe I should use `firejail --profile=/home/FireJail_customsteam.profile bash -c "nemo-desktop"` instead? But that crashed.

@rusty-snake commented on GitHub (Jan 16, 2021):

> Did I miss something?

nemo likely runs already (in the background) and nemo (inside the sandbox) talks to nemo (outside) which then opens a new window.

Options:

1. Terminate all running nemo instances. Note: this can have side effects like missing desktop icons (IDK which DE you use).
2. Start firejail with `--dbus-user=none`.

Aside: the `bash -c` is overkill, just `nemo` works too.

@rusty-snake commented on GitHub (Jan 16, 2021):

> Why in the standard steam profile file do we need to do the noblacklist for folders already inside the fake home folder?

On `(no)blacklist` and `(no)whitelist` the `${HOME}` macro expands to the private/fake home if that is what you hang on. (It's complicated, I know.)

@esp13 commented on GitHub (Jan 16, 2021):

> 2. Start firejail with `--dbus-user=none`.

Thank you, it works with the `--nodbus` option.

So results:

- No access to the real home user folder => OK
- No access to other folders on /home (only the first-level folder names can be seen, but they can't be opened) => OK
- Access to other disks possible (with write permissions!!) => **Not OK!**

@rusty-snake commented on GitHub (Jan 16, 2021):

> Access to other disks possible (with write permissions!!) => Not OK!

add `disable-mnt`

The problem with steam.profile is that it is a profile which should work with many different programs/games, resulting in a relatively weak profile so as not to break badly written games.

@esp13 commented on GitHub (Jan 16, 2021):

> > Why in the standard steam profile file do we need to do the noblacklist for folders already inside the fake home folder?
>
> On `(no)blacklist` and `(no)whitelist` the `${HOME}` macro expands to the private/fake home if that is what you hang on. (It's complicated, I know.)

As I use a fake home folder, why do I have to specify each of these folders individually?
With those lines commented I get:

```
~/.local/share$ ls -la
total 4
drwx------ 1 myuser   myuser     76 janv. 16 20:29 .
drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
dr-------- 2 nobody nogroup  40 janv. 11 20:46 nemo
-rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan
```

With those lines active I get:

```
~/.local/share$ ls -la
total 4
drwx------ 1 myuser   myuser      76 janv. 16 20:29 .
drwx------ 1 myuser   myuser      10 nov.  11 13:02 ..
drwxrwxr-x 1 myuser   myuser      94 janv.  1 09:33 Aspyr
dr-------- 2 nobody nogroup   40 janv. 11 20:46 nemo
-rw------- 1 myuser   myuser     218 nov.  28 20:03 recently-used.xbel
drwx------ 1 myuser   myuser    1048 janv.  8 20:14 Steam
drwxrwxr-x 1 myuser   myuser      32 nov.  11 13:20 vulkan
```

I don't understand why.

I can create and modify as many files/folders in this fake home folder as I want.
Why do I need to noblacklist these specific ones?

@esp13 commented on GitHub (Jan 16, 2021):

> > Access to other disks possible (with write permissions!!) => Not OK!
>
> add `disable-mnt`

This worked great, thank you :)

@esp13 commented on GitHub (Jan 17, 2021):

> > > Why in the standard steam profile file do we need to do the noblacklist for folders already inside the fake home folder?
> >
> > On `(no)blacklist` and `(no)whitelist` the `${HOME}` macro expands to the private/fake home if that is what you hang on. (It's complicated, I know.)
>
> As I use a fake home folder, why do I have to specify each of these folders individually?
> With those lines commented I get:
>
> ```
> ~/.local/share$ ls -la
> total 4
> drwx------ 1 myuser   myuser     76 janv. 16 20:29 .
> drwx------ 1 myuser   myuser     10 nov.  11 13:02 ..
> drwxrwxr-x 1 myuser   myuser     94 janv.  1 09:33 Aspyr
> dr-------- 2 nobody nogroup  40 janv. 11 20:46 nemo
> -rw------- 1 myuser   myuser    218 nov.  28 20:03 recently-used.xbel
> dr-------- 2 nobody nogroup  40 janv. 11 20:46 Steam
> dr-------- 2 nobody nogroup  40 janv. 11 20:46 vulkan
> ```
>
> With those lines active I get:
>
> ```
> ~/.local/share$ ls -la
> total 4
> drwx------ 1 myuser   myuser      76 janv. 16 20:29 .
> drwx------ 1 myuser   myuser      10 nov.  11 13:02 ..
> drwxrwxr-x 1 myuser   myuser      94 janv.  1 09:33 Aspyr
> dr-------- 2 nobody nogroup   40 janv. 11 20:46 nemo
> -rw------- 1 myuser   myuser     218 nov.  28 20:03 recently-used.xbel
> drwx------ 1 myuser   myuser    1048 janv.  8 20:14 Steam
> drwxrwxr-x 1 myuser   myuser      32 nov.  11 13:20 vulkan
> ```
>
> I don't understand why.
>
> I can create and modify as many files/folders in this fake home folder as I want.
> Why do I need to noblacklist these specific ones?

It is really hard to understand.
I started a fresh new installation with all these noblacklist lines commented in the firejail steam profile;
the files created have these permissions:

```
ls -la ../../../.local/share/
total 0
drwx------ 1 myuser myuser  10 janv. 16 22:27 .
drwx------ 1 myuser myuser  10 janv. 16 22:27 ..
drwx------ 1 myuser myuser 842 janv. 17 10:28 Steam
```

I just closed the sandbox and re-opened it the same way, and I got this:

```
ls -la ../../../.local/share/
total 0
drwx------ 1 myuser   myuser    10 janv. 16 22:27 .
drwx------ 1 myuser   myuser    10 janv. 16 22:27 ..
dr-------- 2 nobody nogroup 40 janv. 11 20:46 Steam
```

Anyway, I have another problem: a segmentation fault (core dumped), but it seems to happen to a lot of people even outside of firejail.

@rusty-snake commented on GitHub (Jan 17, 2021):

> Why do I need to noblacklist these specific ones?

Because these special ones have a `blacklist` command in disable-programs.inc

> I just closed the sandbox and re-opened it the same way, and I got this:

The `blacklist` only takes effect if the files are present when the sandbox is started.
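
The two points above, that `${HOME}` in a `(no)blacklist` line means the private home and that a `blacklist` entry only does anything if the path already exists when the sandbox starts, can be checked before launching. The script below is an added example written for this thread; it is not part of firejail and was not posted by anyone here. It reads a profile, follows one level of `include` from a directory you name, expands `${HOME}` and a leading `~` to the private home, and lists the blacklist entries that will actually take effect on this run (the path exists and no earlier `noblacklist` names it). The fixture files it creates are constructed; the rule that a `noblacklist` cancels only `blacklist` lines that come after it mirrors the order used by the profiles in this thread and is an assumption about firejail's own semantics, not something the script verifies.

```shell
#!/bin/sh
# Added example for this thread; not firejail's own code and not from any comment.
# Audits which blacklist entries of a profile will take effect for a given
# private home. Understands only: include (one level), blacklist, noblacklist,
# ${HOME} and a leading ~. Globs in blacklist lines are expanded by the shell.
# Assumption: a noblacklist cancels only the blacklist lines that follow it.

# flatten PROFILE INCDIR: print PROFILE with each "include NAME" line replaced
# by the contents of INCDIR/NAME (a missing include becomes a comment).
flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            include*)
                inc=$(printf '%s' "${line#include}" | tr -d ' \t')
                if [ -f "$2/$inc" ]; then
                    cat "$2/$inc"
                else
                    printf '# missing include: %s\n' "$inc"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# expand_profile PROFILE INCDIR HOME: reduce the flattened profile to
# "N <path>" (noblacklist) and "B <path>" (blacklist) lines, in order, with
# ${HOME} and a leading ~ replaced by HOME, the private home directory.
expand_profile() {
    flatten "$1" "$2" | awk -v home="$3" '
        function expand(p,  i) {
            while ((i = index(p, "${HOME}")) > 0)
                p = substr(p, 1, i - 1) home substr(p, i + 7)
            if (substr(p, 1, 1) == "~") p = home substr(p, 2)
            return p
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "noblacklist" { print "N " expand($2) }
        $1 == "blacklist"   { print "B " expand($2) }
    '
}

# live_blacklists PROFILE INCDIR HOME: blacklist paths that exist right now and
# are not named by an earlier noblacklist. Per the thread, only these take
# effect at start (firejail mounts an empty nobody-owned directory over them);
# a path that does not exist yet is created freely by the app on this run and
# is shadowed on the next one.
live_blacklists() {
    exempt=' '
    expand_profile "$1" "$2" "$3" | while read -r kind pat; do
        if [ "$kind" = N ]; then
            exempt="$exempt$pat "
            continue
        fi
        for p in $pat; do    # unquoted on purpose so globs like /home/* expand
            case "$exempt" in
                *" $p "*) ;;  # named by an earlier noblacklist
                *) if [ -e "$p" ]; then printf '%s\n' "$p"; fi ;;
            esac
        done
    done
}

# make_demo DIR: constructed fixtures (no real firejail install is touched).
# DIR/home plays the role of /home, holding the private home DIR/home/SteamHome
# next to another user's directory; DIR/etc holds a cut-down
# disable-programs.inc and a profile shaped like the one in this thread.
make_demo() {
    home=$1/home/SteamHome
    mkdir -p "$home/.local/share/Steam" "$home/.local/share/Aspyr" \
             "$1/home/otheruser" "$1/etc"
    cat > "$1/etc/disable-programs.inc" <<'EOF'
# constructed excerpt in the style of firejail's disable-programs.inc
blacklist ${HOME}/.local/share/Steam
blacklist ${HOME}/.local/share/vulkan
blacklist ${HOME}/.steam
EOF
    cat > "$1/etc/steam.profile" <<EOF
# constructed profile: fake home on a /home-level folder, other /home entries hidden
private $home
noblacklist ~
blacklist $1/home/*
# the Steam data dir is exempted; vulkan and .steam are not (as in the thread)
noblacklist \${HOME}/.local/share/Steam
include disable-programs.inc
blacklist \${HOME}/.local/share/Aspyr
EOF
}

# Usage: sh audit.sh demo   (build the fixtures in a temp dir, run the audit, clean up)
if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    make_demo "$d"
    live_blacklists "$d/etc/steam.profile" "$d/etc" "$d/home/SteamHome"
    rm -rf "$d"
fi
```

With the constructed fixtures the audit prints only the other user's directory (caught by `blacklist /home/*` while the fake home itself is spared by `noblacklist ~`) and `.local/share/Aspyr`; `.local/share/Steam` is spared by its `noblacklist`, and `.steam` and `.local/share/vulkan` are not printed because they do not exist yet, which is exactly the before/after `ls -la` shown above: writable on the first run, an empty `nobody`-owned directory on the next.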

@esp13 commented on GitHub (Jan 17, 2021):

> > Why do I need to noblacklist these specific ones?
>
> Because these special ones have a `blacklist` command in disable-programs.inc
>
> > I just closed the sandbox and re-opened it the same way, and I got this:
>
> The `blacklist` only takes effect if the files are present when the sandbox is started.

Oh, this is easier to understand, thank you!
As I run steam on a fake home and this file consists of home folders at 99%, I could safely comment out this `include disable-programs.inc` line, right?

@rusty-snake commented on GitHub (Jan 17, 2021):

> As I run steam on a fake home and this file consists of home folders at 99%,

and the remaining 1% are covered by `private-tmp` and `include whitelist-var-common.inc`.

> I could safely comment out this `include disable-programs.inc` line, right?

Yes, but why? Just keep the `noblacklist`.

@esp13 commented on GitHub (Jan 17, 2021):

> Yes, but why? Just keep the `noblacklist`.

Yes, but as I use a fake home folder I find it weird to remove a lot of permissions with `include disable-programs.inc` only to put some back with this `noblacklist`.
If I upgrade firejail and some new steam folders' permissions are removed by `disable-programs.inc`, as I will keep my custom profile this will result in blocking these new folders.
And maybe I will gain some execution time by not removing a lot of permissions and putting some back afterwards. Perhaps... 0.00001s gained :-D

@esp13 commented on GitHub (Jan 17, 2021):

I'm progressing, now I get

`Gtk-Message: Failed to load module "xapp-gtk3-module"` I think this comes from my distro as I get this for other apps outside firejail

`Gtk-Message: Failed to load module "gail"`

`Gtk-Message: Failed to load module "atk-bridge"`

`Could not connect to X session manager: None of the authentication protocols specified are supported`

@esp13 commented on GitHub (Jan 17, 2021):

> I'm progressing, now I get
>
> `Gtk-Message: Failed to load module "xapp-gtk3-module"` I think this comes from my distro as I get this for other apps outside firejail
>
> `Gtk-Message: Failed to load module "gail"`
>
> `Gtk-Message: Failed to load module "atk-bridge"`
>
> `Could not connect to X session manager: None of the authentication protocols specified are supported`

It was seccomp's fault. Once I commented it out, no more crashing error.
Maybe it's because I have an AMD GPU? https://github.com/netblue30/firejail/issues/3219

@rusty-snake commented on GitHub (Jan 17, 2021):

Try `seccomp !kcmp`.

@esp13 commented on GitHub (Jan 17, 2021):

> Try `seccomp !kcmp`.

This worked, thank you :)

-Edit-
No, I must have made a mistake (not saved, I think).
With `seccomp !kcmp` it doesn't work either.

So now here is my profile file:

```
#ME : Custom Steam profile with fake home folder based on original firejail steam profile
#ME : with a lot of help of rusty-snake

#ME : I give a name to be able to kill the sandbox easily with --shutdown=steam
name steam
#ME : to be able to access the folder on /home even if the folder isn't inside the current user's personal home folder
allusers
#ME : Fake personal user home folder only for steam
private /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/
#ME : Forbid going into other folders on /home except the fake home folder from the previous line
noblacklist ~
blacklist /home/*
#ME : To disable the access to other disks
disable-mnt
#ME : For testing access rights visually with nemo (without this, nemo inside firejail can communicate with another nemo instance outside the sandbox)
#nodbus


#ME : Don't know what it is for : I comment
# Persistent local customizations
#include default.local
# Persistent global definitions
#include globals.local

#ME : allows to restore the rights to prohibited lines in the etc/firejail/disable-programs.inc file
#ME : As I commented disable-programs.inc below I don't need this anymore
#noblacklist ${HOME}/.killingfloor
#noblacklist ${HOME}/.local/share/3909/PapersPlease
#noblacklist ${HOME}/.local/share/aspyr-media
#noblacklist ${HOME}/.local/share/cdprojektred
#noblacklist ${HOME}/.local/share/feral-interactive
#noblacklist ${HOME}/.local/share/Steam
#noblacklist ${HOME}/.local/share/SuperHexagon
#noblacklist ${HOME}/.local/share/Terraria
#noblacklist ${HOME}/.local/share/vpltd
#noblacklist ${HOME}/.local/share/vulkan
#noblacklist ${HOME}/.steam
#noblacklist ${HOME}/.steampath
#noblacklist ${HOME}/.steampid

#ME : Will not work without this
# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
noblacklist /sbin
noblacklist /usr/sbin

# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc

#ME : This forbids access to a lot of folders inside the user home folder for many apps.
#ME : As I run inside a fake home folder I can comment it
#include disable-programs.inc

#ME : See inside this file etc/firejail/whitelist-var-common.inc what is authorised
include whitelist-var-common.inc

# allow-debuggers needed for running some games with proton
allow-debuggers
caps.drop all
#ipc-namespace
netfilter
# nodbus disabled as it breaks appindicator support
#nodbus
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
# novideo should be commented for VR
novideo
protocol unix,inet,inet6,netlink
#ME : seccomp commented because it crashes, maybe problems with AMD GPU and mesa > certain version
#ME : replaced by seccomp !kcmp. No idea how it works - NO it doesn't work with this either => comment
# seccomp cause sometimes issues (see #2860, #2951),
# comment it or add 'ignore seccomp' to steam.local if so.
#seccomp
#seccomp !kcmp
#ME : shell none commented because it crashed when uncommented. Anyway I want steam to run inside the shell to see debug messages
#shell none
# tracelog disabled as it breaks integrated browser
#tracelog

# private-bin is disabled while in testing, but has been tested working with multiple games
#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
# extra programs are available which might be needed for select games
#private-bin java,java-config,mono
# picture viewers are needed for viewing screenshots
#private-bin eog,eom,gthumb,pix,viewnior,xviewer

#ME : Don't know what this is for, I think it is for creating temporary private folders for dev, etc, tmp. But not sure
# private-dev should be commented for controllers
private-dev
# private-etc breaks a small selection of games on some systems, comment to support those
private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
private-tmp
```

@esp13 commented on GitHub (Jan 17, 2021):

I will make a custom profile for the French application molotov.tv.
As it doesn't exist in etc/firejail,
do you have an idea of a similar application for which a firejail profile exists that I could start with?

Molotov.tv is an application to watch TV on a computer through the internet (it uses DRM).
It is distributed as an .AppImage file.

@rusty-snake commented on GitHub (Jan 17, 2021):

> do you have an idea where I could start with?

[/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template)

@esp13 commented on GitHub (Jan 22, 2021):

> > do you have an idea where I could start with?
>
> [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template)

Thank you, yes this is the default profile. I guess there is no custom profile for AppImage files already?
As this is going far away from the original issue, I opened a new one [here](https://github.com/netblue30/firejail/issues/3910).
Please tell me if I shouldn't have.

PS: for information, [this link](https://firejail.wordpress.com/documentation-2/building-whitelisted-profiles/) from the [basic-usage tutorial](https://firejail.wordpress.com/documentation-2/basic-usage/#private) goes nowhere.

@rusty-snake commented on GitHub (Jan 22, 2021):

> PS: for information, this link from the basic-usage tutorial goes nowhere.

@netblue30 <https://firejail.wordpress.com/documentation-2/basic-usage/#profiles>:

-- <https://firejail.wordpress.com/documentation-2/building-whitelisted-profiles/> --
++ <https://firejail.wordpress.com/documentation-2/building-custom-profiles/#whitelisted> ++
Author
Owner

@esp13 commented on GitHub (Feb 14, 2021):

> > Access to other disks possible (with write permissions!!) => Not OK!
>
> add `disable-mnt`

Hello,
Is it possible to use `disable-mnt` but to allow at the same time some exceptions for some folders?
I tried this without success:

```
whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
```

Nor with this:

```
noblacklist /media/user/usbkey1
noblacklist /media/user/disk1/folder1
```

Nor this from [https://github.com/netblue30/firejail/issues/3581](https://github.com/netblue30/firejail/issues/3581):

```
noblacklist /media/user/
blacklist /media/*
noblacklist /media/user/usbkey1
noblacklist /media/user/disk1/folder1
blacklist /media/user/*
```

@esp13 commented on GitHub (Feb 14, 2021):

I finally got it after many tries:

```
whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /mnt/*
#disable-mnt
```

But I would like to understand why this worked.

@rusty-snake commented on GitHub (Feb 15, 2021):

> Is it possible to use `disable-mnt` but to allow at the same time some exceptions for some folders?

No, but there are other ways to have the same effect: #3580, #3581, https://github.com/netblue30/firejail/issues/3912#issuecomment-770192450, ...

> I tried this without success:
> ```
> whitelist /media/user/usbkey1
> whitelist /media/user/disk1/folder1
> ```

`whitelist` adds restrictions rather than removing any of them. You can only `whitelist` files which you can access when running with `--ignore=whitelist`.

> Nor with this:
> ```
> noblacklist /media/user/usbkey1
> noblacklist /media/user/disk1/folder1
> ```

Since these paths are never `blacklist`ed, a `noblacklist` has no effect.

> Nor this from #3581:
> ```
> noblacklist /media/user/
> blacklist /media/*
> noblacklist /media/user/usbkey1
> noblacklist /media/user/disk1/folder1
> blacklist /media/user/*
> ```

https://github.com/netblue30/firejail/issues/3581#issuecomment-672018630 and the following

> I finally got it after many tries

🎉

> ```
> whitelist /media/user/usbkey1
> whitelist /media/user/disk1/folder1
> blacklist /mnt/*
> #disable-mnt
> ```

You should add `blacklist /run/mnt` and `blacklist /run/media` and change `blacklist /mnt/*` to `blacklist /mnt` for better security.

> But I would like to understand why this worked

Because you commented out / `ignore`d `disable-mnt`. Therefore you can start adding more selective commands.

@esp13 commented on GitHub (Feb 15, 2021):

Hello,

Thank you again for your detailed answers.

> `whitelist` adds restrictions rather than removing any of them. You can only `whitelist` files which you can access when running with `--ignore=whitelist`.

Yes of course, I forgot that a whitelist refuses everything except what is expressly allowed!
In firejail this works by mount points, right? ~, /dev, /media, /mnt, /opt, /srv, /var, and /tmp
So that is why I didn't have to blacklist /media in my usage, because I used whitelist inside this folder, right?

> You should add `blacklist /run/mnt` and `blacklist /run/media` and change `blacklist /mnt/*` to `blacklist /mnt` for better security.

So I will go with:

```
whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /mnt
blacklist /run/mnt
blacklist /run/media
```

Is it possible to keep `blacklist /media` somewhere so that if the lines `whitelist /media/user/usbkey1` and `whitelist /media/user/disk1/folder1` are removed, the sandbox will refuse access to /media?

@rusty-snake commented on GitHub (Feb 15, 2021):

> Is it possible to keep `blacklist /media` somewhere so that if the lines `whitelist /media/user/usbkey1` and `whitelist /media/user/disk1/folder1` are removed, the sandbox will refuse access to /media?

Together with `noblacklist /media`:

```
noblacklist /media
whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /media
blacklist /mnt
blacklist /run/mnt
blacklist /run/media
```

@esp13 commented on GitHub (Feb 16, 2021):

> > Is it possible to keep `blacklist /media` somewhere so that if the lines `whitelist /media/user/usbkey1` and `whitelist /media/user/disk1/folder1` are removed, the sandbox will refuse access to /media?
>
> Together with `noblacklist /media`:

It doesn't seem to work; in this case the app gets full /media access:

```
noblacklist /media
#whitelist /media/user/usbkey1
#whitelist /media/user/disk1/folder1
blacklist /media
blacklist /mnt
blacklist /run/mnt
blacklist /run/media
```

@rusty-snake commented on GitHub (Feb 16, 2021):

Why did you comment out the `whitelist`?

@esp13 commented on GitHub (Feb 16, 2021):

> Why did you comment out the `whitelist`?

This was the aim.
My question was to find a way to blacklist /media if the whitelists are removed from the profile.
While copying to a new profile file for another app, I fear removing the whitelist lines (because they are not needed anymore) but forgetting to add the `blacklist /media` line.

@esp13 commented on GitHub (Feb 16, 2021):

But maybe I could just add a comment on my whitelist lines:

```
whitelist /media/user/usbkey1 #remember to add blacklist /media if this whitelist are removed
whitelist /media/user/disk1/folder1 #remember to add blacklist /media if this whitelist are removed
blacklist /mnt
blacklist /run/mnt
blacklist /run/media
```

@rusty-snake commented on GitHub (Feb 16, 2021):

You can add `blacklist /media`, but only if you add `noblacklist /media` too. As long as you keep the `whitelist` and the `noblacklist` together (maybe even mixed: whitelist, noblacklist, whitelist), you will likely remove the noblacklist together with the whitelist and end up with `blacklist /media`.
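The rules rusty-snake lays out above (a `whitelist` only restricts, a `noblacklist` only cancels an actual `blacklist`, `disable-mnt` cannot be relaxed, and `blacklist /mnt` is safer than `blacklist /mnt/*`) and the trap from the Feb 16 exchange (dropping the whitelist lines while `noblacklist /media` stays leaves all of /media open) can be reasoned about offline with a small model of the profile semantics. The following is an added example, not firejail's own code and not something posted in this thread. It assumes the `disable-mnt` definition from firejail(1) (/mnt, /media, /run/mount, /run/media), that a `noblacklist` must precede the `blacklist` it cancels and names exactly the same path (the only case this thread exercises), that a glob such as `/mnt/*` is expanded once against what exists when the sandbox starts, and a constructed directory listing (`HOST_DIRS`) with constructed probe paths (`PROBES`) standing in for a real host; `/mnt/later` represents a device mounted after the sandbox started.

```python
"""Toy model of which paths a firejail profile leaves reachable.

Added example, not firejail's own code.  It encodes what this thread says:
whitelist only restricts, noblacklist only cancels a blacklist of the same
path, disable-mnt cannot be undone, and a glob like "blacklist /mnt/*" is
expanded at start-up so later mounts escape it.  Everything else is simplified.
"""
import fnmatch

# disable-mnt per firejail(1): "Disable /mnt, /media, /run/mount and /run/media
# access."  The thread says noblacklist cannot relax it.
DISABLE_MNT = ("/mnt", "/media", "/run/mount", "/run/media")

# Constructed stand-in for the directories present when the sandbox starts.
HOST_DIRS = ("/media/user/usbkey1", "/media/user/disk1/folder1",
             "/media/user/disk1/private", "/media/user/disk2",
             "/mnt/backup", "/run/media/user/card")


def _under(path, prefix):
    """True if path is prefix itself or lies below it."""
    prefix = prefix.rstrip("/")
    return path == (prefix or "/") or path.startswith(prefix + "/")


def _expand(pattern):
    """Expand a glob component-wise against HOST_DIRS, once, at 'start-up'."""
    if not any(c in pattern for c in "*?["):
        return [pattern.rstrip("/")]
    want = pattern.strip("/").split("/")
    found = set()
    for d in HOST_DIRS:
        have = d.strip("/").split("/")
        if len(have) >= len(want) and all(
                fnmatch.fnmatchcase(h, w) for h, w in zip(have, want)):
            found.add("/" + "/".join(have[:len(want)]))
    return sorted(found)


def parse_profile(text):
    """Split a profile into (command, argument) pairs; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            cmd, _, arg = line.partition(" ")
            rules.append((cmd, arg.strip()))
    return rules


def accessible(profile, path):
    """Model whether `path` (assumed to exist on the host) is reachable.

    1. disable-mnt hides its four directories and nothing cancels it.
    2. blacklist hides each expanded path unless an *earlier* noblacklist
       named exactly that path (assumed order, as in the thread's snippets).
    3. Any whitelist under a top-level directory empties that directory; only
       the listed entries and the directories leading to them come back, and
       a whitelist never re-exposes a blacklisted path.
    """
    path = path.rstrip("/") or "/"
    hidden, noblack, whitelisted = [], set(), []
    for cmd, arg in parse_profile(profile):
        if cmd == "disable-mnt":
            hidden.extend(DISABLE_MNT)
        elif cmd == "noblacklist":
            noblack.add(arg.rstrip("/"))
        elif cmd == "blacklist":
            hidden.extend(p for p in _expand(arg) if p not in noblack)
        elif cmd == "whitelist":
            whitelisted.append(arg.rstrip("/"))
    if any(_under(path, h) for h in hidden):
        return False
    top = "/" + path.split("/")[1]
    affected = [w for w in whitelisted if _under(w, top)]
    if not affected:
        return True          # no whitelist touches this top-level directory
    return any(_under(path, w) or _under(w, path) for w in affected)


# Profiles quoted from this thread, plus the two variants discussed in it.
ESP13_WORKING = """\
whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /mnt/*
#disable-mnt
"""
RUSTY_SNAKE_HARDENED = """\
noblacklist /media
whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
blacklist /media
blacklist /mnt
blacklist /run/mnt
blacklist /run/media
"""
WHITELIST_DROPPED = RUSTY_SNAKE_HARDENED.replace("whitelist", "#whitelist")
DISABLE_MNT_PLUS_WHITELIST = "disable-mnt\nwhitelist /media/user/usbkey1\n"

# Constructed probes; /mnt/later stands for a device mounted after start-up.
PROBES = ("/media/user/usbkey1", "/media/user/disk1/private", "/media/user/disk2",
          "/mnt/backup", "/mnt/later", "/run/media/user/card")


def reachable(profile):
    """Return the probe paths the sandboxed app can still reach under `profile`."""
    return tuple(p for p in PROBES if accessible(profile, p))
```

Running the four profiles through `reachable()` reproduces the thread: esp13's working profile still exposes /run/media and a device mounted under /mnt after start-up, which is exactly what rusty-snake's extra `blacklist /run/media` and the switch from `blacklist /mnt/*` to `blacklist /mnt` close; the variant with the whitelist lines commented out exposes every probe under /media, matching the "full /media access" esp13 observed; and `disable-mnt` plus a whitelist exposes nothing, which is why no exception can be carved out of it.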

@esp13 commented on GitHub (Feb 17, 2021):

> You can add `blacklist /media`, but only if you add `noblacklist /media` too. As long as you keep the `whitelist` and the `noblacklist` together (maybe even mixed: whitelist, noblacklist, whitelist), you will likely remove the noblacklist together with the whitelist and end up with `blacklist /media`.

Is there a way to put `whitelist /media/user/disk1/folder1` and `noblacklist /media` on the same line?

Is `whitelist /media/user/disk1/folder1` putting the folder in read-only for the sandbox, or does it come from elsewhere?
Edit: I get it:

```
whitelist /media/user/usbkey1
whitelist /media/user/disk1/folder1
read-write /media/user/disk1/folder1
blacklist /mnt
blacklist /run/mnt
blacklist /run/media
```

I had to run `sudo usermod -a -G vboxsf user` inside VirtualBox.

@rusty-snake commented on GitHub (Feb 18, 2021):

> Is there a way to put `whitelist /media/user/disk1/folder1` and `noblacklist /media` on the same line?

No, one command per line.

> Is `whitelist /media/user/disk1/folder1` putting the folder in read-only for the sandbox, or does it come from elsewhere?

Somewhere else.
Reference: github-starred/firejail#2438