[GH-ISSUE #4588] Allow access to some specific file/folder while program is running inside firejail #2715

Open
opened 2026-05-05 09:22:41 -06:00 by gitea-mirror · 13 comments
Originally created by @danielkrajnik on GitHub (Oct 5, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4588

Is there an easy way to allow a program (firefox) to access specific file/folder while it is running?

gitea-mirror added the runtime-permissions label 2026-05-05 09:22:41 -06:00

@SkewedZeppelin commented on GitHub (Oct 5, 2021):

No.
Once created it cannot be granted access to other directories.
You can however push a file into it via get/put.


@danielkrajnik commented on GitHub (Oct 5, 2021):

That sounds like the right way to do it - could you please let me know how to do it/where to find documentation/information about this method?

EDIT: get/put as in HTTP get/put? Not sure what you meant...


@SkewedZeppelin commented on GitHub (Oct 5, 2021):

`man firejail`

FILE TRANSFER
       These  features allow the user to inspect the filesystem container of an existing sandbox and transfer files
       between the container and the host filesystem.

       --cat=name|pid filename
              Write content of a container file to standard out. The container is specified by  name  or  PID.   If
              standard  out  is a terminal, all ASCII control characters except new line and horizontal tab are re‐
              placed.

       --get=name|pid filename
              Retrieve the container file and store it on the host in the current working directory.  The container
              is specified by name or PID.

       --ls=name|pid dir_or_filename
              List container files. The container is specified by name or PID.

       --put=name|pid src-filename dest-filename
              Put src-filename in sandbox container.  The container is specified by name or PID.

       Examples:

              $ firejail --name=mybrowser --private firefox

              $ firejail --ls=mybrowser ~/Downloads
              drwxr-xr-x netblue  netblue         4096 .
              drwxr-xr-x netblue  netblue         4096 ..
              -rw-r--r-- netblue  netblue         7847 x11-x305.png
              -rw-r--r-- netblue  netblue         6800 x11-x642.png
              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png

              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png

              $ firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png

              $ firejail --cat=mybrowser ~/.bashrc

@danielkrajnik commented on GitHub (Oct 5, 2021):

I see, thanks a lot. Does it work with the clipboard as well? Just noticed that firejail also blocks (I think) pasting images to Outlook (web app).

EDIT: I've deleted the previous comment out of shame, but SkewedZeppelin replied already, so the question was how to specify a running process...


@SkewedZeppelin commented on GitHub (Oct 5, 2021):

You use `firejail --list` to find the process you want to put a file into, note the process ID number and pass it using --name=[the process number]

Clipboard should work just fine.


@danielkrajnik commented on GitHub (Oct 5, 2021):

Thanks again, good to know that firejail does not or cannot block the clipboard. That problem must have been with Outlook then.


@danielkrajnik commented on GitHub (Oct 5, 2021):

On google-chrome it errors with:

```
Warning: cannot open destination file /home/user1/Downloads, file not copied
```

EDIT: this worked:

```
firejail --put=307114 /home/user1/Desktop/renderdoc_1.15.tar.gz renderdoc_1.15.tar.gz
```

EDIT2: removed "easy" from the name of this issue


@rusty-snake commented on GitHub (Jun 8, 2022):

Can we close here?


@Danny3 commented on GitHub (Jun 19, 2025):

> Can we close here?

I would prefer if you don't, at least until a proper solution is found.
My use case is like this:
I just learned how to start games with Proton from the command line, but I don't want them to access my home partition, at all.

So I'm starting them like this:

```
$FIREJAIL --name=Game-name --noprofile --noroot --nonewprivs --nogroups \
  --novideo --caps.drop=all --private --private-dev --private-tmp --net=none \
"$GAMEMODE" \
"$MangoHUD" \
"$PROTON" run \
"$EXE";
```

All good, and the OpenSnitch application firewall doesn't detect any internet connection attempt!
The problem is that some of the games have the ability to play some music from your computer, which is very nice compared to the music that the games already have.
That way you can even have your favorite songs or the songs in your native language, which is awesome.
The problem is that if I copy the music folder into Proton (WINE)'s prefix, I will waste a lot of space, which will leave less for the games and other things; it's a big waste of space. Updating the music folder is also a pain, as I have to delete and copy the folder again to have the latest changes.
Running the games each with its own prefix instead of one for all, or not running them with FireJail, is also a no-go!
So for my use case, the best solution would be to have another parameter for Firejail, where I specify a read-only path, let's say:

```
--shared-read-only=~/Music/My-collection
```

Or:

```
-sro=~/Music/My-collection
```

Flatpak gives you the ability to share a folder with its sandbox in read-only mode, so why wouldn't FireJail be able to do the same?
I think this would be a very nice and helpful addition for my use case and probably for others too.
In my opinion a shared folder in read+write mode should be added too.
Like for example somebody wanting to sandbox a file downloader / sharing program, which must be able to write to and read from a folder somewhere, but leave every other folder or file on the system untouched.


@rusty-snake commented on GitHub (Jun 19, 2025):

  1. This is already supported.
  2. It has nothing to do with this issue.
  3. Firejail might not be the best choice for your problem.

@kmk3 commented on GitHub (Jun 20, 2025):

> So I'm starting them like this:
>
> ```
> $FIREJAIL --name=Game-name --noprofile --noroot --nonewprivs --nogroups \
>   --novideo --caps.drop=all --private --private-dev --private-tmp --net=none \
> "$GAMEMODE" \
> "$MangoHUD" \
> "$PROTON" run \
> "$EXE";
> ```
>
> the best solution would be to have another parameter for Firejail, where I
> specify a read-only path, let's say:
>
> ```
> --shared-read-only=~/Music/My-collection
> ```

Whitelisting is incompatible with `--private`.

It should work when using a whitelisting profile (such as steam.profile) and
`whitelist` + `read-only`.

Example:

```sh
firejail --profile=steam \
  --noblacklist='${MUSIC}' \
  --whitelist='${HOME}/Music/My-collection' \
  --read-only='${HOME}/Music/My-collection' \
  ls "${HOME}/Music/My-collection"
```

As @rusty-snake said, this already exists and is unrelated to the issue, so if
the above does not work, open a new bug report:

* <https://github.com/netblue30/firejail/issues/new?template=bug_report.md>


@Danny3 commented on GitHub (Jun 28, 2025):

> 1. This is already supported.
>
> 2. It has nothing to do with this issue.
>
> 3. Firejail might not be the best choice for your problem.

I'm sorry, but I do not understand what is already supported?
I already read as much as I could about configuring FireJail from various sources, and that's how I came up with that long line of arguments to make sure a game doesn't access my home folder or the internet, but I haven't seen how to make an exception for a folder, and by searching I found this issue, which confirms that it's indeed not possible.

> > So I'm starting them like this:
> >
> > ```
> > $FIREJAIL --name=Game-name --noprofile --noroot --nonewprivs --nogroups \
> >   --novideo --caps.drop=all --private --private-dev --private-tmp --net=none \
> > "$GAMEMODE" \
> > "$MangoHUD" \
> > "$PROTON" run \
> > "$EXE";
> > ```
>
> > the best solution would be to have another parameter for Firejail, where I
> > specify a read-only path, let's say:
> >
> > ```
> > --shared-read-only=~/Music/My-collection
> > ```
>
> Whitelisting is incompatible with `--private`.
>
> It should work when using a whitelisting profile (such as steam.profile) and `whitelist` + `read-only`.
>
> Example:
>
> ```sh
> firejail --profile=steam \
>   --noblacklist='${MUSIC}' \
>   --whitelist='${HOME}/Music/My-collection' \
>   --read-only='${HOME}/Music/My-collection' \
>   ls "${HOME}/Music/My-collection"
> ```
>
> As @rusty-snake said, this already exists and is unrelated to the issue, so if the above does not work, open a new bug report:
>
> * https://github.com/netblue30/firejail/issues/new?template=bug_report.md

What already exists, the whitelisting?
Since it's not working with '--private', it's useless for what I want to achieve.
As I definitely want to use '--private' to forbid any changes to /root and /home/user.
And I also don't want to use an already made profile, which I don't trust to have been made with the same level and principles of privacy and security that I want, and I would also lose time reading the configuration of each profile.
Plus, I don't want to sandbox Steam, which is already using Flatpak and I think Bubblewrap too.
I want to use my own arguments for all the games that I start directly with Proton (outside of Steam).

Anyway, for this case where the games can play back some music files and I don't want to copy all the music into their music folder, I found 2 solutions that seem to work when the game is started with FireJail:

1. Move the music outside of ~/Music, like to another mounted drive, and make a symlink to it from the game's music folder.
2. Make a read-only shortcut from the game's music folder to ~/Music before FireJail starts the game, like:

   ```
   sudo mount --bind -r ~/Music .
   ```

   Verify it with:

   ```
   sudo mount | grep Music
   ```

   And finally, after the game is closed and FireJail exits, remove the mount with:

   ```
   sudo umount .
   ```

   For the second solution I got the inspiration from this answer:
   https://askubuntu.com/a/896959
   Unfortunately this requires superuser privileges and I'm not too happy about it, so I think I will try the symlink-to-another-drive solution until FireJail gives us a way to share a folder with the sandbox even when using the '--private' argument.

Anyway, maybe I'm asking too much to forbid all access to the home partition and then also allow access to a folder from it.
So, I will not open another bug report about it.
Thanks for being nice and understanding!


@rusty-snake commented on GitHub (Jun 28, 2025):

> I'm sorry, but I do not understand what is already supported?

Sharing only a subset (e.g. one folder) of `$HOME`.

> with searching I found this issue, which confirms that it's indeed not possible.

This issue is about allowing access to a folder after the sandbox was started.

> As I definitely want to use '--private' to forbid any changes to /root and /home/user.

Well, if you say your requirement is "use '--private' to forbid any changes to /root and /home/user" rather than "forbid any changes to /root and /home/user" (i.e. your requirement already contains part of the solution), this is hard to solve.
