github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

something`...) #2739

New issue

Closed

opened 2026-05-05 09:24:13 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 09:24:13 -06:00

Owner

Originally created by @nativerv on GitHub (Oct 29, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4653

The problem

Currently, we can reference XDG user dirs by variables regardless of their actual name: ${DOWNLOADS}, ${DOCUMENTS}, ${PICTURES}, ${VIDEOS}, ${MUSIC}.
Many programs use these directories only to create its own directory inside and use it for its purposes.

For example:
Telegram Desktop creates and defaults to "Telegram Desktop" directory inside ${DOWNLOADS} for its downloads
Flameshot defaults to Screenshots directory inside ${PICTURES} to save its screenshots

Ideally the profiles must only whitelist these default directories to allow default behaviour and deny everything else.
But the only way to allow these dirs and not depend on any hardcoded names is to whitelist/noblacklist the entire ${DOWNLOADS}/${PICTURES}, as currently we get an error by trying to specify paths relative to XDG user dir variable:

telegram-desktop.local:

noblacklist ${DOWNLOADS}
whitelist ${DOWNLOADS}/Telegram Desktop

Reading profile /home/nrv/.config/firejail/telegram-desktop.local
Error: "${DOWNLOADS}/Telegram Desktop" is an invalid filename: rejected character: "{"

The only way to go around that right now is to hardcode directory names relative to ${HOME} variable:
telegram-desktop.local:

noblacklist ${DOWNLOADS}
whitelist ${HOME}/dl/Telegram Desktop

/etc/firejail/keepassxc.profile:

# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local.
# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx.
#mkdir ${HOME}/Documents/KeePassXC
#whitelist ${HOME}/Documents/KeePassXC

Describe the solution you'd like

Allow specifying paths relative to XDG user dir variables as with ${HOME} variable:

whitelist ${DOWNLOADS}/Telegram Desktop
whitelist ${PICTURES}/Screenshots
whitelist ${DOCUMENTS}/KeePassXC

Additional context

Even if we consider XDG user dirs to be "public" for use by media programs by default, one can't even change that personally without hardcoding relative to ${HOME}. What if you renamed your XDG user dirs later, e.g. Downloads -> downloads?

Originally created by @nativerv on GitHub (Oct 29, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4653 ### The problem Currently, we can reference XDG user dirs by variables regardless of their actual name: `${DOWNLOADS}`, `${DOCUMENTS}`, `${PICTURES}`, `${VIDEOS}`, `${MUSIC}`. Many programs use these directories only to create its own directory inside and use it for its purposes. For example: [Telegram Desktop](https://github.com/telegramdesktop/tdesktop) creates and defaults to `"Telegram Desktop"` directory inside `${DOWNLOADS}` for its downloads [Flameshot](https://github.com/flameshot-org/flameshot) defaults to `Screenshots` directory inside `${PICTURES}` to save its screenshots Ideally the profiles must only `whitelist` these default directories to allow default behaviour and deny everything else. But the only way to allow these dirs and not depend on any hardcoded names is to `whitelist`/`noblacklist` the entire `${DOWNLOADS}`/`${PICTURES}`, as currently we get an error by trying to specify paths relative to XDG user dir variable: telegram-desktop.local: ``` noblacklist ${DOWNLOADS} whitelist ${DOWNLOADS}/Telegram Desktop ``` ``` Reading profile /home/nrv/.config/firejail/telegram-desktop.local Error: "${DOWNLOADS}/Telegram Desktop" is an invalid filename: rejected character: "{" ``` The only way to go around that right now is to hardcode directory names relative to ${HOME} variable: telegram-desktop.local: ``` noblacklist ${DOWNLOADS} whitelist ${HOME}/dl/Telegram Desktop ``` /etc/firejail/keepassxc.profile: ``` # You can enable whitelisting for keepassxc by adding the below to your keepassxc.local. # If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx. #mkdir ${HOME}/Documents/KeePassXC #whitelist ${HOME}/Documents/KeePassXC ``` ### Describe the solution you'd like Allow specifying paths relative to XDG user dir variables as with `${HOME}` variable: ```firejail whitelist ${DOWNLOADS}/Telegram Desktop whitelist ${PICTURES}/Screenshots whitelist ${DOCUMENTS}/KeePassXC ``` ### Additional context Even if we consider XDG user dirs to be "public" for use by media programs by default, one can't even change that personally without hardcoding relative to `${HOME}`. What if you renamed your XDG user dirs later, e.g. `Downloads` -> `downloads`?

gitea-mirror

2026-05-05 09:24:13 -06:00

closed this issue
added the
duplicate
label

gitea-mirror commented

2026-05-05 09:24:15 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 29, 2021):

Duplicate of #2359

@rusty-snake commented on GitHub (Oct 29, 2021): Duplicate of #2359

gitea-mirror commented

2026-05-05 09:24:16 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 29, 2021):

/etc/firejail/keepassxc.profile:

# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local.
# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx.
#mkdir ${HOME}/Documents/KeePassXC
#whitelist ${HOME}/Documents/KeePassXC

Even more important IMHO, #4006 requires this.

@rusty-snake commented on GitHub (Oct 29, 2021): > /etc/firejail/keepassxc.profile: > > ``` > # You can enable whitelisting for keepassxc by adding the below to your keepassxc.local. > # If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx. > #mkdir ${HOME}/Documents/KeePassXC > #whitelist ${HOME}/Documents/KeePassXC > ``` Even more important IMHO, #4006 requires this.

gitea-mirror referenced this issue

2026-05-05 10:21:49 -06:00

[PR #2784] [MERGED] Improve profile PRs (Related to #2739) #4528

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2739

No description provided.

Rows
Columns

[GH-ISSUE #4653] Allow specifying paths relative to XDG user dir variables (${DOWNLOADS}/something, ${PICTURES}/something...) #2739

The problem

Describe the solution you'd like

Additional context

[GH-ISSUE #4653] Allow specifying paths relative to XDG user dir variables (`${DOWNLOADS}/something`, `${PICTURES}/something`...) #2739