[GH-ISSUE #6046] Cannot whitelist ${RUNUSER}/gnupg #3166

Closed
opened 2026-05-05 09:47:37 -06:00 by gitea-mirror · 2 comments

Originally created by @OneOfOne on GitHub (Oct 9, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6046

Description

I can't whitelist ${RUNUSER}/gnupg.

Steps to Reproduce

include whitelist-run-common.inc
include whitelist-runuser-common.inc

whitelist ${HOME}/.gnupg
noblacklist ${RUNUSER}/gnupg
whitelist ${RUNUSER}/gnupg

Steps to reproduce the behavior

  1. LC_ALL=C firejail --profile=bug --whitelist=/run/user/1000/gnupg ls -lah /run/user/1000/gnupg
  2. ls: cannot open directory '/run/user/1000/gnupg': Permission denied

Expected behavior

to be able to see the contents of the dir.

Actual behavior

What actually happened

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Nothing, still shows permission denied.

Environment

  • Arch Linux
firejail version 0.9.72

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

$ LC_ALL=C firejail --noprofile --whitelist=/run/user/1000/gnupg ls -lah /run/user/1000/
Parent pid 576980, child pid 576981
Warning: not remounting /var/lib/docker/btrfs
Warning: not remounting /var/lib/docker/btrfs
Warning: not remounting /var/lib/docker/btrfs
Child process initialized in 5.20 ms
total 0
drwx------ 3 oneofone oneofone 60 Oct  9 18:54 .
drwxr-xr-x 3 root     root     60 Oct  9 18:54 ..
dr-------- 2 root     root     40 Oct  7 06:18 gnupg

Output of LC_ALL=C firejail --debug /path/to/program

$ LC_ALL=C firejail --noprofile --whitelist=/run/user/1000/gnupg --debug ls -lah /run/user/1000/

Building quoted command line: 'ls' '-lah' '/run/user/1000/' 
Command name #ls#
DISPLAY=:1 parsed as 1
Using the local network stack
Parent pid 577084, child pid 577088
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
IBUS_ADDRESS=unix:path=/home/oneofone/.cache/ibus/dbus-uUe3KAvA,guid=918f9cab65ee8818bb39fa2e64f7b8e4
IBUS_DAEMON_PID=15659
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
891 656 0:30 /@/etc /etc ro,noatime master:1 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=372,subvol=/@
mountid=891 fsname=/@/etc dir=/etc fstype=btrfs
Mounting noexec /etc
892 891 0:30 /@/etc /etc ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=372,subvol=/@
mountid=892 fsname=/@/etc dir=/etc fstype=btrfs
Mounting read-only /var
897 893 0:30 /@varlog /var/log rw,noatime master:62 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=375,subvol=/@varlog
mountid=897 fsname=/@varlog dir=/var/log fstype=btrfs
Mounting read-only /var/lib/docker
954 898 0:30 /@varlibdocker/btrfs /var/lib/docker/btrfs rw,noatime master:56 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=376,subvol=/@varlibdocker
mountid=954 fsname=/@varlibdocker/btrfs dir=/var/lib/docker/btrfs fstype=btrfs
Warning: not remounting /var/lib/docker/btrfs
Mounting read-only /var/tmp
955 896 0:46 / /var/tmp ro,nosuid,nodev,relatime master:58 - tmpfs tmpfs rw,inode64
mountid=955 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /var/log
956 897 0:30 /@varlog /var/log ro,noatime master:62 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=375,subvol=/@varlog
mountid=956 fsname=/@varlog dir=/var/log fstype=btrfs
Mounting noexec /var
986 985 0:30 /@varlog /var/log ro,noatime master:62 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=375,subvol=/@varlog
mountid=986 fsname=/@varlog dir=/var/log fstype=btrfs
Mounting noexec /var/lib/docker
988 987 0:30 /@varlibdocker/btrfs /var/lib/docker/btrfs rw,noatime master:56 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=376,subvol=/@varlibdocker
mountid=988 fsname=/@varlibdocker/btrfs dir=/var/lib/docker/btrfs fstype=btrfs
Warning: not remounting /var/lib/docker/btrfs
Mounting noexec /var/tmp
989 967 0:46 / /var/tmp ro,nosuid,nodev,noexec,relatime master:58 - tmpfs tmpfs rw,inode64
mountid=989 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var/log
990 986 0:30 /@varlog /var/log ro,nosuid,nodev,noexec,noatime master:62 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=375,subvol=/@varlog
mountid=990 fsname=/@varlog dir=/var/log fstype=btrfs
Warning: not remounting /var/lib/docker/btrfs
Mounting read-only /usr
991 656 0:30 /@/usr /usr ro,noatime master:1 - btrfs /dev/nvme0n1p3 rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=372,subvol=/@
mountid=991 fsname=/@/usr dir=/usr fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/cache/lighttpd
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/oneofone/.dotfiles/.config/firejail (requested /home/oneofone/.config/firejail)
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules/6.5.6-arch2-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Debug 588: whitelist /run/user/1000/gnupg
Debug 609: expanded: /run/user/1000/gnupg
Debug 620: new_name: /run/user/1000/gnupg
Debug 630: dir: /run/user/1000
Adding whitelist top level directory /run/user/1000
Mounting tmpfs on /run/user/1000, check owner: no
1030 1001 0:113 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=700,uid=1000,gid=1000,inode64
mountid=1030 fsname=/ dir=/run/user/1000 fstype=tmpfs
Whitelisting /run/user/1000/gnupg
1031 1030 0:24 /firejail/firejail.ro.dir /run/user/1000/gnupg ro,nosuid,nodev master:12 - tmpfs tmpfs rw,size=13114372k,nr_inodes=819200,mode=755,inode64
mountid=1031 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/gnupg fstype=tmpfs
Disable /sys/fs
Disable /sys/module
Current directory: /tmp/x
DISPLAY=:1 parsed as 1
Masking all X11 sockets except /tmp/.X11-unix/X1
Mounting read-only /run/firejail/mnt/seccomp
1036 888 0:105 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1036 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             160 ..
-rw-r--r-- oneofone oneofone         640 seccomp
-rw-r--r-- oneofone oneofone         432 seccomp.32
-rw-r--r-- oneofone oneofone           0 seccomp.postexec
-rw-r--r-- oneofone oneofone           0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: ls
execvp argument 1: -lah
execvp argument 2: /run/user/1000/
Child process initialized in 7.03 ms
Searching $PATH for ls
trying #/usr/local/sbin/ls#
trying #/usr/local/bin/ls#
trying #/usr/bin/ls#
total 0
drwx------ 3 oneofone oneofone 60 Oct  9 18:54 .
drwxr-xr-x 3 root     root     60 Oct  9 18:54 ..
dr-------- 2 root     root     40 Oct  7 06:18 gnupg
monitoring pid 2

Sandbox monitor: waitpid 2 retval 2 status 0

gitea-mirror 2026-05-05 09:47:37 -06:00
  • closed this issue
  • added the notabug label

@ghost commented on GitHub (Oct 10, 2023):

noblacklist ${RUNUSER}/gnupg

That would only make sense if there was a blacklist ${RUNUSER}/gnupg, which there isn't.

${RUNUSER}/gnupg (and ${RUNUSER}/systemd) are considered special paths by Firejail. A feature (introduced in 0.9.46):

https://github.com/netblue30/firejail/blob/84ade11cbe6885932356ed20982e1b4c940d314c/RELNOTES#L662

You need writable-run-user:

https://github.com/netblue30/firejail/blob/84ade11cbe6885932356ed20982e1b4c940d314c/src/man/firejail.1.in#L3116-L3117

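As an added example (not code from the issue or the firejail project), a POSIX sh/awk lint that flags the profile pattern in this thread: a whitelist of ${RUNUSER}/gnupg or ${RUNUSER}/systemd without writable-run-user, plus the noblacklist line that has nothing to undo. Both profiles inside it are constructed samples, the first copied from the issue, the second carrying the fix the reply points at.

```shell
#!/bin/sh
# Added example, not code from the issue or the firejail project: a small lint
# for firejail profiles that catches the misconfiguration in this thread.
# Assumes only POSIX sh and awk; both profiles below are constructed samples.

# The profile from the issue ("bug"): noblacklist does nothing here because no
# blacklist rule covers ${RUNUSER}/gnupg; the path is disabled as a special
# path, so whitelisting it yields the read-only root-owned dir seen in the log.
BUG_PROFILE='include whitelist-run-common.inc
include whitelist-runuser-common.inc

whitelist ${HOME}/.gnupg
noblacklist ${RUNUSER}/gnupg
whitelist ${RUNUSER}/gnupg'

# The same profile with the fix from the reply: writable-run-user re-enables
# the special paths ${RUNUSER}/gnupg and ${RUNUSER}/systemd.
FIXED_PROFILE='include whitelist-run-common.inc
include whitelist-runuser-common.inc

whitelist ${HOME}/.gnupg
writable-run-user
whitelist ${RUNUSER}/gnupg'

# check_profile: reads a profile on stdin, prints one diagnostic per finding,
# returns 0 when clean and 1 when a special ${RUNUSER} path is whitelisted
# without writable-run-user or an ineffective noblacklist is present.
check_profile() {
    awk '
        function special(p) { return p == "${RUNUSER}/gnupg" || p == "${RUNUSER}/systemd" }
        BEGIN { bad = 0; writable = 0 }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments and padding
        $0 == "" { next }
        $1 == "writable-run-user" { writable = 1 }
        $1 == "whitelist" && special($2) { wanted[$2] = NR }
        $1 == "noblacklist" && special($2) {
            printf "line %d: noblacklist %s has no effect; no blacklist rule covers it, use writable-run-user\n", NR, $2
            bad = 1
        }
        END {
            if (!writable)
                for (p in wanted) {
                    printf "line %d: whitelist %s needs writable-run-user\n", wanted[p], p
                    bad = 1
                }
            exit bad
        }'
}

# Stand-alone run: lint both profiles and report.
echo "== bug profile"
printf '%s\n' "$BUG_PROFILE" | check_profile && echo "clean"
echo "== fixed profile"
printf '%s\n' "$FIXED_PROFILE" | check_profile && echo "clean"
```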

@OneOfOne commented on GitHub (Oct 10, 2023):

Thank you, that worked.

Reference: github-starred/firejail#3166