[GH-ISSUE #4103] Can't combine private-home and whitelist for Firefox #2533

Closed
opened 2026-05-05 09:12:34 -06:00 by gitea-mirror · 12 comments

Originally created by @BreakfastSerial on GitHub (Mar 16, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4103

I'm trying to run Firefox (/usr/bin/firefox, firefox not symlinked to firejail) in a firejail. Any changes to Firefox should be discarded when Firefox is closed. However, I need the profile from ~/.mozilla. For this I used --private-home=.mozilla.

I still want persistent Downloads from Firefox, so I added --whitelist=~/Downloads.

Downloads are not made available outside of the firejail.
I also tried to add --private-home=.mozilla,Downloads and --noprofile, with the same result.
Alternatively, I attempted the same approach with --overlay-tmpfs, but the whitelist is also ignored.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail --private-home=.mozilla --whitelist=~/Downloads /usr/bin/firefox
  2. Download something to ~/Downloads
  3. Check outside of firejail if Download is persistent

Environment

  • Ubuntu 20.04.2 LTS
  • Firejail 0.9.62

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is an AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error messages.
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.

@ghost commented on GitHub (Mar 16, 2021):

--private and --private-home discard all modifications when the sandbox is closed.
The stock firefox profile already whitelists ${HOME}/Downloads (in firefox-common.profile), so there's no need to add that on the command line (or in a script). You'll need to transfer out files you'd like to keep before closing the sandbox. See section FILE TRANSFER in man firejail for details on how to do that.

Example:

$ firejail --name=ff-throwaway --private --dns=1.1.1.1 --dns=9.9.9.9 /usr/bin/firefox -no-remote &

[use the web browser]

$ firejail --ls=ff-throwaway ${HOME}/Downloads
-rw-r--r-- you you 34139 foo.pdf

$ cd ${HOME}/Downloads
$ firejail --get=ff-throwaway ${HOME}/Downloads/foo.pdf

[use the web browser]
[close the web browser]
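The transfer-out step described in the comment above, as an added example that is not from the issue thread: a small POSIX sh helper that lists the sandbox's Downloads with `--ls` and pulls each new file out with `--get` while the sandbox is still running. It assumes a sandbox started with `--name=ff-throwaway --private` as in the example above, that `firejail --get` writes into the current directory (as the example implies), and that listing entries whose mode starts with `d` are directories.

```shell
#!/bin/sh
# Added example, not from the issue thread: copy newly downloaded files out of
# a still-running throwaway Firefox sandbox with the --ls/--get file transfer
# commands shown in the comment above. Assumes the sandbox was started as
#   firejail --name=ff-throwaway --private /usr/bin/firefox &
# and that `firejail --get` writes into the current directory. Entries whose
# mode starts with `d` are treated as directories and skipped (assumption).

SANDBOX=ff-throwaway
SRC_DIR="$HOME/Downloads"    # path inside the sandbox
DST_DIR="$HOME/Downloads"    # where the files land on the host

# Turn `firejail --ls` output into one file name per line. Listing format as
# quoted above: mode, user, group, size, then the name (which may contain
# spaces, so everything from field 5 onward is kept).
ls_names() {
    printf '%s\n' "$1" | awk 'NF >= 5 && $1 !~ /^d/ {
        name = $5
        for (i = 6; i <= NF; i++) name = name " " $i
        print name
    }'
}

# Fetch every regular file the sandbox lists in SRC_DIR that does not yet
# exist in DST_DIR. Must run while the sandbox is alive: --private discards
# its contents the moment Firefox exits.
pull_downloads() {
    listing=$(firejail --ls="$SANDBOX" "$SRC_DIR") || return 1
    ls_names "$listing" | while IFS= read -r name; do
        if [ -e "$DST_DIR/$name" ]; then
            continue                  # never overwrite a file already fetched
        fi
        ( cd "$DST_DIR" && firejail --get="$SANDBOX" "$SRC_DIR/$name" )
    done
}

# Constructed sample listing in the format shown in the comment above, used
# to exercise the parser without a running sandbox.
SAMPLE_LISTING='drwxr-xr-x you you 4096 .
-rw-r--r-- you you 34139 foo.pdf
-rw-r--r-- you you 1024 quarterly report.pdf'

# Live use, while Firefox is still open:  pull_downloads
ls_names "$SAMPLE_LISTING"
```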

@BreakfastSerial commented on GitHub (Mar 16, 2021):

So there's no option to have specific directories in a temporary overlay filesystem and be discarded when closing the sandbox, while other directories remain whitelisted?

I'm afraid manually transferring files is not a viable option. I've been working with the approach previously suggested (https://github.com/netblue30/firejail/issues/3146#issuecomment-574721204), but that becomes problematic, working with different firefox/firejail profiles simultaneously.


@ghost commented on GitHub (Mar 16, 2021):

> So there's no option to have specific directories in a temporary overlay filesystem and be discarded when closing the sandbox, while other directories remain whitelisted?

None that I'm aware of. There's a fundamental difference between black/whitelisting on the one hand and a throwaway sandbox on the other. At least that's my understanding of the basics. On top of that, fixing CVE-2021-26910 (https://github.com/netblue30/firejail#security-vulnerabilities) implied disabling overlayfs support altogether (https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b), which should be confirmed in the output of firejail --version on your end. Thanks to your report I've noticed that there are still a few places in the code base that mention overlayfs, and that's all very confusing. I'll need to do some more testing on this, but I'm preparing a PR to rectify/unconfuse this situation.

> I'm afraid manually transferring files is not a viable option. I've been working with the approach previously suggested, but that becomes problematic, working with different firefox/firejail profiles simultaneously.

I do realize this makes things more complicated, but it works. The trick is to add a different --name=foo option to all the specific firefox instances you like to set up on your system. Once you do that, things start to come together and get more manageable IMO.


@BreakfastSerial commented on GitHub (Mar 16, 2021):

Thank you for bringing that CVE to my attention! On Ubuntu 20.04.2 LTS, overlayfs is still enabled.

firejail version 0.9.62

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
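The check suggested two comments up ("confirmed in the output of firejail --version"), as an added example that is not from the issue thread: a POSIX sh snippet that reads captured `firejail --version` output and flags a build that still has overlayfs compiled in, which the thread ties to builds predating the CVE-2021-26910 fix. The first sample is the output quoted above; the second sample's version number is a placeholder, and the "overlayfs support is disabled" wording is an assumption about what a fixed build prints.

```shell
#!/bin/sh
# Added example, not from the issue thread: decide from `firejail --version`
# output whether a build still has overlayfs compiled in. Per the comment
# above, the fix for CVE-2021-26910 disabled overlayfs support, so a build
# that reports "overlayfs support is enabled" predates that fix, as the
# Ubuntu 20.04.2 output quoted above does.

# Constructed sample 1: the relevant lines of the output quoted above.
SAMPLE_OLD='firejail version 0.9.62

Compile time support:
        - AppArmor support is enabled
        - overlayfs support is enabled
        - private-home support is enabled'

# Constructed sample 2: a build without overlayfs. The version is a
# placeholder and the "disabled" wording is an assumption.
SAMPLE_FIXED='firejail version 0.9.XX

Compile time support:
        - AppArmor support is enabled
        - overlayfs support is disabled
        - private-home support is enabled'

# Print the version string, e.g. "0.9.62", from captured --version output.
firejail_version() {
    printf '%s\n' "$1" | sed -n 's/^firejail version \([^ ]*\).*/\1/p' | head -n 1
}

# Succeed (0) when the capture says overlayfs support is compiled in.
overlayfs_enabled() {
    printf '%s\n' "$1" | grep -q -- '- overlayfs support is enabled'
}

# One-line verdict; returns 1 for the pre-fix condition so it can gate scripts.
check_build() {
    v=$(firejail_version "$1")
    if overlayfs_enabled "$1"; then
        echo "firejail $v: overlayfs still enabled, build predates the CVE-2021-26910 fix"
        return 1
    fi
    echo "firejail $v: overlayfs disabled"
}

# Live use on a host:  check_build "$(firejail --version)"
check_build "$SAMPLE_OLD" || :
check_build "$SAMPLE_FIXED"
```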

@ghost commented on GitHub (Mar 16, 2021):

> Thank you for bringing that CVE to my attention! On Ubuntu 20.04.2 LTS, overlayfs is still enabled.

A sad but true fact of life: not all distros get our CVE fixes out in a timely fashion... See another collaborator's view on this here: https://github.com/netblue30/firejail/issues/3982#issuecomment-778480897. In your case, being on 20.04.2 LTS, I'd advise installing/updating firejail from this PPA (https://launchpad.net/~deki/+archive/ubuntu/firejail?field.series_filter=focal), which happens to be maintained by one of our collaborators, who is involved in packaging for Debian.

@reinerh Is there a list somewhere with info on which Ubuntu edition has the fix for the latest CVE or not? Just so we can assist users more correctly when this topic creeps up...


@rusty-snake commented on GitHub (Mar 16, 2021):

@glitsj16 After discussion in https://github.com/netblue30/firejail/issues/4006#issuecomment-785144480 @VorpalBlade has opened https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767. After two weeks he/she got a response (bold from me):

> Thanks for taking the time to report this bug and helping to make Ubuntu better. Since **the package referred to in this bug is in universe** or multiverse, **it is community maintained**. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Ubuntu and Mint don't get CVE fixes for packages outside of main or only very late.

If someone wants to submit a debdiff (actually IDK what this is): https://bugzilla.redhat.com/show_bug.cgi?id=1934020#c4

Uhh and if you want to know what Fedora Linux (😉) does look at https://bugzilla.redhat.com/show_bug.cgi?id=1934020 and https://bugzilla.redhat.com/show_bug.cgi?id=1934022 and https://bugzilla.redhat.com/show_bug.cgi?id=1929625.
Status: CLOSED WONTFIX

Or Alpine Linux, which is still at 0.9.64 (the package has been flagged since 0.9.64.2 IIRC).

ArchLinux, Gentoo, Debian (stable and sid), OpenSUSE Leap and OpenSUSE Tumbleweed have distributed patched/backported/updated/.. versions in a reasonable time according to my observation.

IIRC Manjaro was very late too; however, the timestamp of the packages gives the impression they were very fast. But the timestamp could be kept by a testing-to-stable move, and if it was in testing for a week they were late.


@rusty-snake commented on GitHub (Mar 16, 2021):

Back to topic

Partly a duplicate of #1743 and [cloud find this one].


@ckorder commented on GitHub (Mar 17, 2021):

@BreakfastSerial
For example: /usr/local/bin/whatever
firejail --private=/home/user/Templates/whatever/ firefox && rm -rf /home/user/Templates/whatever/noob
This only works if you close the sandbox the proper way.
rm these and keep Downloads; that should achieve your goal.
/home/user/Templates/test/.cache
/home/user/Templates/test/.config
/home/user/Templates/test/.mozilla
/home/user/Templates/test/.bashrc
/home/user/Templates/test/.Xauthority

You're welcome.


@BreakfastSerial commented on GitHub (Mar 17, 2021):

Thank you for the insight and the suggestions! I see there's no proper way of implementing what I am looking for, so I'll figure out a workaround.


@rusty-snake commented on GitHub (Mar 17, 2021):

> does only work if you close the sandbox the proper way

Replace the && with a ; and it works always.


@rusty-snake commented on GitHub (Mar 17, 2021):

Example wrapper script (UNTESTED!):

#!/bin/bash
# Throwaway home built from a template, with the real ~/Downloads bind-mounted
# into it so downloads persist while everything else is discarded.
mkdir -p "$HOME/Firefox/Downloads"
# either (needs root)
#sudo mount --bind "$HOME/Downloads" "$HOME/Firefox/Downloads"
# or  (FTR: bindfs always '-o allow_other' unless you '--no-allow-other')
bindfs "$HOME/Downloads" "$HOME/Firefox/Downloads"
# Copy the template's contents into the new home (a plain "cp -r dir dir" would
# nest it as $HOME/Firefox/Firefox because the target directory already exists).
cp -r "$HOME/Templates/Firefox/." "$HOME/Firefox/"
firejail --private="$HOME/Firefox" firefox
# either
#sudo umount "$HOME/Firefox/Downloads"
# or
fusermount -u "$HOME/Firefox/Downloads"
# Only delete the throwaway home once the bind mount is really gone; otherwise
# rm -rf would descend into the real ~/Downloads.
if mountpoint -q "$HOME/Firefox/Downloads"; then
    echo "unmount failed, not removing $HOME/Firefox" >&2
    exit 1
fi
rm -rf "$HOME/Firefox"

@reinerh commented on GitHub (Mar 27, 2021):

> @reinerh Is there a list somewhere with info on what Ubuntu edition has the fix for the latest CVE or not? just so we can assist users more correctly when this topic creeps up...

Ubuntu also has a security tracker: https://ubuntu.com/security/CVE-2021-26910
I have just submitted a patch to the launchpad bug to get 20.04 LTS updated. Let's see how long it takes...
