[GH-ISSUE #6011] whitelist ${HOME}/Documents is not working #3157

Closed
opened 2026-05-05 09:47:07 -06:00 by gitea-mirror · 4 comments

Originally created by @rdbeni0 on GitHub (Sep 16, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6011

Hi,
I am trying to access file:

file:///home/rdbeni0/Documents/html/index.html

and I put in my ~/.config/firejail/brave.local:

```
whitelist ${HOME}/Documents/html
whitelist ${DOCUMENTS}/html
whitelist ${DOCUMENTS}
```

and nothing is working: `Your file couldn’t be accessed` via brave.

This is full command:

```
$ firejail brave
Reading profile /etc/firejail/brave.profile
Reading profile /home/rdbeni0/.config/firejail/brave.local
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 21783, child pid 21784
(...)
```

Please also note that when I have:

```
whitelist ${DOCUMENTS}/html
(or similar path with ${DOCUMENTS}/something/something )
```

then the output is:

```
Reading profile /etc/firejail/brave.profile
Reading profile /home/rdbeni0/.config/firejail/brave.local
Error: "${DOCUMENTS}/html" is an invalid filename: rejected character: "{"
```

In that case, how can I add whitelist for file:///home/rdbeni0/Documents/html/index.html?

OS: latest Arch Linux with KDE and wayland

gitea-mirror 2026-05-05 09:47:07 -06:00
  • closed this issue
  • added the question label

@rusty-snake commented on GitHub (Sep 16, 2023):

> Error: "${DOCUMENTS}/html" is an invalid filename: rejected character: "{"

#2359

> how can I add whitelist for file:///home/rdbeni0/Documents/html/index.html?

  1. Check `--debug` output.
  2. Check `firejail --profile=brave ls ~/Documents`. What does it say. ENOENT or EACCES.

==> You have to `noblacklist ${DOCUMENTS}`


@rdbeni0 commented on GitHub (Sep 16, 2023):

> > Error: "${DOCUMENTS}/html" is an invalid filename: rejected character: "{"
>
> #2359
>
> > how can I add whitelist for file:///home/rdbeni0/Documents/html/index.html?
>
>   1. Check `--debug` output.
>   2. Check `firejail --profile=brave ls ~/Documents`. What does it say. ENOENT or EACCES.
>
> ==> You have to `noblacklist ${DOCUMENTS}`

I added to the ~/.config/firejail/brave.local:

```
noblacklist ${DOCUMENTS}
```

and

```
rdbeni0 $ firejail --profile=brave ls ~/Documents
Reading profile /etc/firejail/brave.profile
Reading profile /home/rdbeni0/.config/firejail/brave.local
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 23966, child pid 23967
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 133.78 ms
ls: cannot access '/home/rdbeni0/Documents': No such file or directory
```

Via browser is the same - access denied.
So this is not working.
And of course the path is correct and ~/Documents exists as usual, but brave does not have access to it with firejail.

Please also note that I am using AppArmor (integration with AppArmor is enabled).


@rusty-snake commented on GitHub (Sep 16, 2023):

Then check `--debug` output or post it (using details-summary).


@rdbeni0 commented on GitHub (Sep 16, 2023):

Well, the output is too big. Thanks for your help.

I made a workaround with a combination of hard/soft, something like that:

```
ln -f ~/Documents/html/* ~/.local/share/html/
```

and I added the rule `whitelist ${HOME}/.local/share/html`
and it started working.

Something and somewhere is broken with ~/Documents/<here> and we cannot easily whitelist it (or noblacklist), but I don't have time to check it deeply.
Let me close this topic.

If someone is interested how to reproduce it:

```
mkdir -p ~/Documents/html
echo 'test' > ~/Documents/html/index.html
```

then enable AppArmor integration with firejail like described here:
https://wiki.archlinux.org/title/firejail#Enable_AppArmor_support

reboot

and then try to find the correct rule to add your ~/Documents/html for your ~/.config/firejail/brave.local.
In my case it didn't work - I checked all of below:

```
whitelist ${HOME}/Documents/html
whitelist ${DOCUMENTS}/html
whitelist ${DOCUMENTS}
noblacklist ${DOCUMENTS}
```
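Added example (not from the thread or the firejail project): a small lint for a firejail `.local` file that flags the two things this thread runs into, the `${DOCUMENTS}` macro followed by a sub-path (rejected with the "invalid filename" error quoted above) and a whitelist under Documents with no `noblacklist ${DOCUMENTS}` in the same file, as the maintainer advised. The function name `lint_local` and the finding labels are hypothetical, and it assumes `${HOME}/Documents` is the XDG documents directory.

```shell
#!/bin/sh
# Added example: lint a firejail *.local file for the two problems in this thread.
# lint_local FILE prints "LINE: finding: PATH"; labels are made up for this example.
lint_local() {
    awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments and padding
    $0 == "" { next }
    {
        cmd = $1
        path = $0
        sub(/^[^ \t]+[ \t]+/, "", path)                # everything after the command
    }
    # The maintainer advice: Documents must be un-blacklisted in this file.
    cmd == "noblacklist" && path == "${DOCUMENTS}" { unblocked = 1; next }
    # firejail in this thread rejected the macro followed by a sub-path.
    index(path, "${DOCUMENTS}/") == 1 {
        printf "%d: macro-suffix: %s\n", NR, path
        next
    }
    # Assumption: ${HOME}/Documents is the XDG documents directory.
    cmd == "whitelist" && (path == "${DOCUMENTS}" ||
                           path == "${HOME}/Documents" ||
                           index(path, "${HOME}/Documents/") == 1) {
        pending[++n] = NR ": missing-noblacklist: " path
    }
    END {
        if (!unblocked)
            for (i = 1; i <= n; i++)
                print pending[i]
    }' "$1"
}

# Constructed sample: the three rules from the first post (single quotes keep
# the firejail macros literal).
sample=$(mktemp)
printf '%s\n' 'whitelist ${HOME}/Documents/html' \
    'whitelist ${DOCUMENTS}/html' \
    'whitelist ${DOCUMENTS}' > "$sample"
lint_local "$sample"
rm -f "$sample"
```

The findings are heuristics for reviewing a profile override before launching the sandbox; `firejail --debug` remains the authoritative view of what was actually mounted or blacklisted.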

Reference: github-starred/firejail#3157