[GH-ISSUE #54] noblacklist #25

Closed
opened 2026-05-05 04:46:20 -06:00 by gitea-mirror · 6 comments
Originally created by @ghost on GitHub (Sep 3, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/54

I gladly saw that noblacklist was implemented. I was looking for such a feature within firejail.
But I do not quite understand how to operate it.
Would something like this work?

noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.Xauthority
noblacklist ${HOME}/Downloads/
blacklist ${HOME}/

@sarneaud commented on GitHub (Sep 4, 2015):

blacklist ${HOME}/ would blacklist the home directory itself. This stops you accessing ${HOME}/.mozilla even with the noblacklist because (at the filesystem level) you have to open ${HOME} before accessing things inside it.

In principle you want something like blacklist ${HOME}/* to blacklist all the things inside the home directory (excluding .mozilla, etc) without blacklisting the home directory itself.

Unfortunately, this doesn't really work properly right now for a few reasons I'll fix up shortly.

@sarneaud commented on GitHub (Sep 4, 2015):

After pull request #55 is merged, the following profile should blacklist everything in home except for the noblacklisted things:

noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.Xauthority
noblacklist ${HOME}/Downloads/
blacklist ${HOME}/*
blacklist ${HOME}/.*

@ghost commented on GitHub (Sep 4, 2015):

This will work, but it has a security issue: the app running in firejail can see any new files created in ${HOME} while it is running. This is because firejail has to set up the blacklisting before the app is started.

It is more secure to create a special home directory for the app, and use the --private=dir option. For example, you can run firefox like this:

mkdir -p ~/homedir-firefox
firejail --private=~/homedir-firefox firefox

In this example, firefox will be unable to see the real home directory, and will instead believe that ~/homedir-firefox is the home directory. The .Xauthority file is handled automatically by firejail. The jailed firefox will therefore keep its .mozilla directory and the Downloads directory in ~/homedir-firefox. If you need to access a downloaded file from another app, just look in ~/homedir-firefox/Downloads instead.

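A small Python model of the rules discussed in the two comments above: which paths a blacklist/noblacklist profile leaves reachable (why blacklisting ${HOME} itself defeats noblacklist, and why both the `*` and `.*` globs are needed), and why a blacklist expanded at startup never sees files created later. It is added here as an illustration and is not firejail's own code; the home path, the directory listing and the profile strings are constructed for the example.

```python
import fnmatch
import posixpath

HOME = "/home/user"  # assumed home directory for this model

# Constructed listing of what exists in $HOME when the sandbox starts.
STARTUP_LISTING = [HOME + p for p in ("/.mozilla", "/.Xauthority", "/.bashrc", "/Downloads", "/secret.txt")]

def _glob_matches(pattern, listing):
    """Expand one glob against the startup listing, applying the shell rule that
    '*' does not match a leading dot (which is why '${HOME}/.*' is also needed)."""
    parent, pat = posixpath.dirname(pattern), posixpath.basename(pattern)
    for p in listing:
        name = posixpath.basename(p)
        if posixpath.dirname(p) != parent or not fnmatch.fnmatchcase(name, pat):
            continue
        if name.startswith(".") and not pat.startswith("."):
            continue
        yield p

def resolve_profile(profile, listing):
    """Return the set of paths the profile blocks. Globs are expanded once, against
    the listing taken at startup, like a sandbox that sets up its mounts before the
    application runs; a file created afterwards is never matched."""
    blocked, exempt = set(), set()
    for line in profile.strip().splitlines():
        cmd, _, arg = line.strip().partition(" ")
        path = arg.replace("${HOME}", HOME).rstrip("/") or "/"
        if cmd == "noblacklist":
            exempt.add(path)
        elif cmd == "blacklist":
            has_glob = any(c in path for c in "*?[")
            blocked.update(_glob_matches(path, listing) if has_glob else [path])
    return blocked - exempt

def is_accessible(path, blocked):
    """A path is reachable only if neither it nor any ancestor is blocked:
    ${HOME} has to be opened before anything inside it can be."""
    cur = path
    while cur not in blocked:
        parent = posixpath.dirname(cur)
        if parent == cur:
            return True
        cur = parent
    return False

# A reduced form of the thread's first profile (blacklists home itself) and the corrected one.
HOME_ITSELF = "noblacklist ${HOME}/.mozilla\nblacklist ${HOME}/"
HOME_CONTENTS = ("noblacklist ${HOME}/.mozilla\nnoblacklist ${HOME}/.Xauthority\n"
                 "noblacklist ${HOME}/Downloads/\nblacklist ${HOME}/*\nblacklist ${HOME}/.*")
```

Running `is_accessible(HOME + "/new-after-start.txt", resolve_profile(HOME_CONTENTS, STARTUP_LISTING))` returns True, which is the gap the comment above points out: a file that did not exist when the sandbox was set up is not covered by the startup blacklist.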
@netblue30 commented on GitHub (Sep 8, 2015):

I've just added whitelist support!!! Try this out:

firejail --whitelist=~/.mozilla --whitelist=~/Downloads firefox

It mounts an empty home directory, only with the files specified. A .bashrc and .Xauthority are included by default. Modifications for .mozilla and Downloads directories are persistent. Files created outside these directories will be discarded when the sandbox is closed.

@ghost commented on GitHub (Sep 11, 2015):

Thanks very much - highly appreciated. Tested it. Had problems with a plugin; the cache needed --whitelist=~/.cache/mozilla.
Now it works very well.
Any thoughts/docs on the easiest way to start it in the system without using the command line?

@netblue30 commented on GitHub (Sep 13, 2015):

The easiest way is to put an icon on your desktop:

Copy the application icon in your desktop folder:

$ cp /usr/share/applications/firejail.desktop ~/Desktop/.

Modify the desktop file to start the program using firejail:

$ grep Exec ~/Desktop/firefox.desktop 
Exec=firejail firefox %u
Reference: github-starred/firejail#25