[GH-ISSUE #4280] Blacklisting directories of encrypted containers

gitea-mirror commented

2026-05-05 09:16:31 -06:00

Owner

Originally created by @MrFrank17 on GitHub (May 14, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4280

Hi all,

I am using Cryptomator and KDE's vault and mount the unencrypted container to ~/Vault/dir1, ~/Vault/dir2, ...
In globals.local these directories are blacklisted and only some programs get access by noblacklisting them in their local profiles. These works as expected until I mount the encrypted container: then other program can access these directories even without noblacklisting. I am using Kubuntu 21.04.

Thanks
Frank

Originally created by @MrFrank17 on GitHub (May 14, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4280 Hi all, I am using Cryptomator and KDE's vault and mount the unencrypted container to `~/Vault/dir1,` `~/Vault/dir2,` ... In `globals.local` these directories are blacklisted and only some programs get access by noblacklisting them in their local profiles. These works as expected until I mount the encrypted container: then other program can access these directories even without noblacklisting. I am using Kubuntu 21.04. Thanks Frank

gitea-mirror commented

2026-05-05 09:16:32 -06:00

Author

Owner

@rusty-snake commented on GitHub (May 17, 2021):

How exactly did you the blacklist?

@rusty-snake commented on GitHub (May 17, 2021): How exactly did you the blacklist?

gitea-mirror commented

2026-05-05 09:16:34 -06:00

Author

Owner

@MrFrank17 commented on GitHub (May 17, 2021):

Hi rusty-snake,

meanwhile I renamed globals.local to disable-common.local . It looks like that:
blacklist ${HOME}/Vaults/Schlüssel
blacklist ${HOME}/Vaults/Backup
blacklist ${HOME}/Vaults/VeraCrypt
# blacklist ${HOME}/Vaults/Dokumente

On startup cryptomator opens a vault automatically and mounts it to Backup, therefore this folder is always accessible. Interestingly, if I open a shell and start a firejailed program from that folder it tells me something like that:
frank@frank-laptop:~/Vaults/Backup$ okular
Reading profile /etc/firejail/okular.profile
Error: cannot access profile file: okular.local
If I start okular, I can browse to Backup and see the content (even if I do not have a okular.local to do a noblacklisting of Backup).

Once I open the KDE vault, which mounts to Schlüssel, it shows the same behavior.

Cheers
Frank

@MrFrank17 commented on GitHub (May 17, 2021): Hi rusty-snake, meanwhile I renamed `globals.local` to `disable-common.local `. It looks like that: `blacklist ${HOME}/Vaults/Schlüssel` `blacklist ${HOME}/Vaults/Backup` `blacklist ${HOME}/Vaults/VeraCrypt` `# blacklist ${HOME}/Vaults/Dokumente` On startup cryptomator opens a vault automatically and mounts it to `Backup`, therefore this folder is always accessible. Interestingly, if I open a shell and start a firejailed program from that folder it tells me something like that: `frank@frank-laptop:~/Vaults/Backup$ okular` `Reading profile /etc/firejail/okular.profile` `Error: cannot access profile file: okular.local` If I start okular, I can browse to `Backup` and see the content (even if I do not have a `okular.local` to do a `noblacklisting` of `Backup`). Once I open the KDE vault, which mounts to `Schlüssel`, it shows the same behavior. Cheers Frank

gitea-mirror commented

2026-05-05 09:16:35 -06:00

Author

Owner

@rusty-snake commented on GitHub (May 17, 2021):

Does firejail ls -l ~/Vaults show the dirs blacklisted (e..g d--------- root root)? If so does firejail --dbus-user=none okular still have access to these files?

Error: cannot access profile file: okular.local

Sounds like #3798

@rusty-snake commented on GitHub (May 17, 2021): Does `firejail ls -l ~/Vaults` show the dirs blacklisted (e..g d--------- root root)? If so does `firejail --dbus-user=none okular` still have access to these files? > Error: cannot access profile file: okular.local Sounds like #3798

gitea-mirror commented

2026-05-05 09:16:36 -06:00

Author

Owner

@MrFrank17 commented on GitHub (May 17, 2021):

That's the output:
drwxrwxrwx 1 frank frank 4096 Feb 18 18:32 Backup
drwxrwxr-x 2 frank frank 4096 Feb 19 11:21 Dokumente
dr-------- 2 nobody nogroup 40 Mai 17 19:05 Schlüssel
dr-------- 2 nobody nogroup 40 Mai 17 19:05 VeraCrypt

firejail --dbus-user=none okular does not make a difference.

In the linked issue it was mentioned that fuse mounts do not really work together with firejail. Is that the reason?

@MrFrank17 commented on GitHub (May 17, 2021): That's the output: `drwxrwxrwx 1 frank frank 4096 Feb 18 18:32 Backup` `drwxrwxr-x 2 frank frank 4096 Feb 19 11:21 Dokumente` `dr-------- 2 nobody nogroup 40 Mai 17 19:05 Schlüssel` `dr-------- 2 nobody nogroup 40 Mai 17 19:05 VeraCrypt` `firejail --dbus-user=none okular` does not make a difference. In the linked issue it was mentioned that fuse mounts do not really work together with firejail. Is that the reason?

gitea-mirror commented

2026-05-05 09:16:37 -06:00

Author

Owner

@rusty-snake commented on GitHub (May 17, 2021):

In the linked issue it was mentioned that fuse mounts do not really work together with firejail. Is that the reason?

Maybe. IDK how Cryptomator and KDE Vaults work.

From your OP I saw there possible causes:

KIO
Portals
Mounts

Portals can not work with --dbus-user=none. KIO either uses D-Bus too or has it's own socket IDK. Mounts should not make any differences between ls and okular. You ls output shows they are blacklisted. Need to rethink this.

@rusty-snake commented on GitHub (May 17, 2021): > In the linked issue it was mentioned that fuse mounts do not really work together with firejail. Is that the reason? Maybe. IDK how Cryptomator and KDE Vaults work. From your OP I saw there possible causes: 1. KIO 2. Portals 3. Mounts Portals can not work with `--dbus-user=none`. KIO either uses D-Bus too or has it's own socket IDK. Mounts should not make any differences between ls and okular. You ls output shows they are blacklisted. Need to rethink this.

gitea-mirror commented

2026-05-05 09:16:38 -06:00

Author

Owner

@MrFrank17 commented on GitHub (May 17, 2021):

I checked Cryptomator: it mounts via fuse in my setup. Not sure about KDE vault though.

About my ls output: yes, the locked containers show that they are blacklisted. Once I unlock them (like Backup)m they are no longer blacklisted. So ls and okular show the same behavior. Or I misunderstood you ...

@MrFrank17 commented on GitHub (May 17, 2021): I checked Cryptomator: it mounts via fuse in my setup. Not sure about KDE vault though. About my ls output: yes, the locked containers show that they are blacklisted. Once I unlock them (like Backup)m they are no longer blacklisted. So ls and okular show the same behavior. Or I misunderstood you ...

gitea-mirror commented

2026-05-05 09:16:39 -06:00

Author

Owner

@MrFrank17 commented on GitHub (May 18, 2021):

Quick update: I added the fuse handling as described here: https://firejail.wordpress.com/documentation-2/basic-usage/?like_comment=579#encfs

Cryptomator now works as expected. Now I need to figure out how to do the same withe KDE vault, but I guess this is not a firejail issue anymore ...

@MrFrank17 commented on GitHub (May 18, 2021): Quick update: I added the fuse handling as described here: https://firejail.wordpress.com/documentation-2/basic-usage/?like_comment=579#encfs Cryptomator now works as expected. Now I need to figure out how to do the same withe KDE vault, but I guess this is not a firejail issue anymore ...

gitea-mirror commented

2026-05-05 09:16:39 -06:00

Author

Owner

@MrFrank17 commented on GitHub (May 21, 2021):

Two more observations: maybe they are related to that issue, maybe not. And maybe some can comment :-)

The file dialog of firefox shows the blacklisted entries, which are now successfully blocked, several times (see screenshot)
Is this happening due to firejail? If yes, how to get rid of all the duplicates? As they are blacklisted, they shouldn't appear in the first place...
Within Cryptomator I have the option to open a filebrowser pointing to the vault, in my case KDEs dolphin. When I want to open a document through that filebrowser by double clicking, the associated program opens and immediately closes again. If I open the same program separately, I can browse to the same folder and successfully open that file. If I open dolphin separately, not via Cryptomator, file opening works. Neither Cryptomator nor dolphin are firefailed - could it still be that firejail interferes here?

Thanks

@MrFrank17 commented on GitHub (May 21, 2021): Two more observations: maybe they are related to that issue, maybe not. And maybe some can comment :-) 1) The file dialog of firefox shows the blacklisted entries, which are now successfully blocked, several times (see screenshot) ![Screenshot_20210521_214508](https://user-images.githubusercontent.com/65424206/119191607-26d46a00-ba7f-11eb-81ad-a7c9f103c0c7.png) Is this happening due to firejail? If yes, how to get rid of all the duplicates? As they are blacklisted, they shouldn't appear in the first place... 2) Within Cryptomator I have the option to open a filebrowser pointing to the vault, in my case KDEs dolphin. When I want to open a document through that filebrowser by double clicking, the associated program opens and immediately closes again. If I open the same program separately, I can browse to the same folder and successfully open that file. If I open dolphin separately, not via Cryptomator, file opening works. Neither Cryptomator nor dolphin are firefailed - could it still be that firejail interferes here? Thanks

gitea-mirror commented

2026-05-05 09:16:40 -06:00

Author

Owner

@rusty-snake commented on GitHub (May 21, 2021):

File-manager list all mounts in the sidebar. Usually this are removable driver and so on but firejail uses mounts too. Read #2406 for more info. This seems to only happen if /etc/fstab is accessible inside the sandbox (https://github.com/netblue30/firejail/issues/2406#issuecomment-528281301). https://github.com/netblue30/firejail/issues/2406#issuecomment-528281301 shows workarounds.
IIRC we create symlinks for dolphin, does firejail --tree not show it?

@rusty-snake commented on GitHub (May 21, 2021): 1. File-manager list all mounts in the sidebar. Usually this are removable driver and so on but firejail uses mounts too. Read #2406 for more info. This seems to only happen if `/etc/fstab` is accessible inside the sandbox (https://github.com/netblue30/firejail/issues/2406#issuecomment-528281301). https://github.com/netblue30/firejail/issues/2406#issuecomment-528281301 shows workarounds. 2. IIRC we create symlinks for dolphin, does `firejail --tree` not show it?

gitea-mirror commented

2026-05-05 09:16:40 -06:00

Author

Owner

@MrFrank17 commented on GitHub (May 21, 2021):

This is already an improvement, but still some (but less) duplicates. I also tried the x-gvfs-hide mount options, but Cryptomator does not like it. Anyway, I can live that
I removed dolphin from /usr/lib/x86_64-linux-gnu/firejail/firecfg.config so I can open files from dolphin without having the associated programs running under the dolphin profile.

@MrFrank17 commented on GitHub (May 21, 2021): 1) This is already an improvement, but still some (but less) duplicates. I also tried the `x-gvfs-hide` mount options, but Cryptomator does not like it. Anyway, I can live that ![Screenshot_20210521_232457](https://user-images.githubusercontent.com/65424206/119199867-242c4180-ba8c-11eb-9ccb-09e2290d5800.png) 2) I removed dolphin from `/usr/lib/x86_64-linux-gnu/firejail/firecfg.config` so I can open files from dolphin without having the associated programs running under the dolphin profile.

gitea-mirror commented

2026-05-05 09:16:41 -06:00

Author

Owner

@rusty-snake commented on GitHub (Aug 4, 2021):

FYI 12d1de4845 (diff-af35b8a6ad30ea07f24afd1e685ff48567dd39b5ba7df80af8c601408290ffe3)

Do you still need help somewhere or can we close?

@rusty-snake commented on GitHub (Aug 4, 2021): FYI https://github.com/netblue30/firejail/commit/12d1de484556f397997f61a24ab7b1f2ef0ed9a6#diff-af35b8a6ad30ea07f24afd1e685ff48567dd39b5ba7df80af8c601408290ffe3 Do you still need help somewhere or can we close?

Rows
Columns

[GH-ISSUE #4280] Blacklisting directories of encrypted containers #2607