[GH-ISSUE #50] Better control of blacklisting needed #26

New issue

Closed

opened 2026-05-05 04:46:21 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 04:46:21 -06:00

Owner

Originally created by @sarneaud on GitHub (Aug 31, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/50

As an example of how things work now, the firefox profile contains this:

include /etc/firejail/disable-common.inc .mozilla

The .mozilla makes the include skip this line:

blacklist ${HOME}/.mozilla

This approach doesn't work too well when the blacklist uses globs, so better control is needed.

The obvious thing to do would be to create a "whitelist" command that somehow does the opposite of "blacklist", but I think this could end up being being confusing. What if a directory is blacklisted and a file inside it is whitelisted? What kind of access is allowed to the directory? Different users could reasonably make different assumptions.

An alternative is a "noblacklist" command that doesn't explicitly whitelist, but blocks further explicit blacklisting of anything that matches its pattern. E.g., the firefox profile would look like this:

noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-common.inc

I'm happy to go ahead and implement this.

Originally created by @sarneaud on GitHub (Aug 31, 2015). Original GitHub issue: https://github.com/netblue30/firejail/issues/50 As an example of how things work now, the firefox profile contains this: ``` include /etc/firejail/disable-common.inc .mozilla ``` The .mozilla makes the include skip this line: ``` blacklist ${HOME}/.mozilla ``` This approach doesn't work too well when the blacklist uses globs, so better control is needed. The obvious thing to do would be to create a "whitelist" command that somehow does the opposite of "blacklist", but I think this could end up being being confusing. What if a directory is blacklisted and a file inside it is whitelisted? What kind of access is allowed to the directory? Different users could reasonably make different assumptions. An alternative is a "noblacklist" command that doesn't explicitly whitelist, but blocks further explicit blacklisting of anything that matches its pattern. E.g., the firefox profile would look like this: ``` noblacklist ${HOME}/.mozilla include /etc/firejail/disable-common.inc ``` I'm happy to go ahead and implement this.

gitea-mirror

2026-05-05 04:46:21 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 04:46:25 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 31, 2015):

You are right, in this moment it looks like hack, and it doesn't handle globs. If you implement it I'll definitely merge it. Thanks!

Edit: Implement "noblacklist" command, "whitelist" will be confusing.

@netblue30 commented on GitHub (Aug 31, 2015): You are right, in this moment it looks like hack, and it doesn't handle globs. If you implement it I'll definitely merge it. Thanks! Edit: Implement "noblacklist" command, "whitelist" will be confusing.

gitea-mirror referenced this issue

2026-05-05 10:02:45 -06:00

[PR #26] [MERGED] Call realpath to resolve symlinks correctly in disable_file #3510

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#26

No description provided.

Rows
Columns