[GH-ISSUE #6127] blacklist does not work for new files and folders without firejail restart #3195

Open
opened 2026-05-05 09:48:50 -06:00 by gitea-mirror · 1 comment
Originally created by @tm4ig on GitHub (Dec 13, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6127

Description

Blacklisting of [sub]folders (and files) does not work if they were created after the application was started.

Steps to Reproduce

  1. Create the folder structure outside firejail:

```console
tm4ig@sinx ~ % mkdir -p ~/test/{folder1,folder2,folder3}
tm4ig@sinx ~ % tree ~/test
/home/tm4ig/test
├── folder1
├── folder2
└── folder3

4 directories, 0 files
```

  2. Run the program in firejail with blacklist mode as in my example and check the permissions of the folders inside firejail:

```console
tm4ig@sinx ~ % LC_ALL=C firejail --noblacklist="~/test/folder1" --blacklist="~/test/*" /bin/bash
[tm4ig@sinx ~]$ ls -l ~/test
total 0
drwxr-xr-x 2 tm4ig  tm4ig   6 Dec 13 10:22 folder1
dr-------- 2 nobody nobody 40 Dec 11 20:00 folder2
dr-------- 2 nobody nobody 40 Dec 11 20:00 folder3
```

  3. Create the next folder as in my example outside firejail, without closing the current firejail program:

```console
tm4ig@sinx ~ % mkdir ~/test/folder4
tm4ig@sinx ~ % tree ~/test
/home/tm4ig/test
├── folder1
├── folder2
├── folder3
└── folder4

5 directories, 0 files
```

Expected behavior

folder4 will be blacklisted without restarting firejail.

Actual behavior

folder4 is not blacklisted:

```console
[tm4ig@sinx ~]$ ls -l ~/test
total 0
drwxr-xr-x 2 tm4ig  tm4ig   6 Dec 13 10:22 folder1
dr-------- 2 nobody nobody 40 Dec 11 20:00 folder2
dr-------- 2 nobody nobody 40 Dec 11 20:00 folder3
drwxr-xr-x 2 tm4ig  tm4ig   6 Dec 13 10:49 folder4
```

But after restarting firejail, folder4 is already blacklisted:

```console
[tm4ig@sinx ~]$ ls -lh ~/test
total 0
drwxr-xr-x 2 tm4ig tm4ig  6 Dec 13 10:22 folder1
dr-------- 2 root  root  40 Dec 11 20:00 folder2
dr-------- 2 root  root  40 Dec 11 20:00 folder3
dr-------- 2 root  root  40 Dec 11 20:00 folder4
```

Behavior without a profile

"noprofile" doesn't change the situation.

Environment

  • Arch Linux
  • Linux 6.6.4-arch1-1
  • firejail 0.9.72

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

```console
tm4ig@sinx ~ % LC_ALL=C firejail --noblacklist="~/test/folder1" --blacklist="~/test/*" /bin/bash
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 539573, child pid 539574
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 31.66 ms
```

Output of LC_ALL=C firejail --debug /path/to/program

firejail.log (https://github.com/netblue30/firejail/files/13658144/firejail.log)


@kmk3 commented on GitHub (Dec 13, 2023):

> blacklist does not work for new files and folders without firejail restart

firejail runs before the program starts, so there is no way to blacklist
anything afterwards.

To prevent new files from appearing in the sandbox, whitelisting has to be
used.

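The distinction in the comment can be checked directly: a blacklist is resolved once, at sandbox start, and only the entries that exist at that moment get mounted over, whereas a whitelist replaces the parent directory with a fresh mount containing only the listed entries, so anything the host creates later never becomes visible. The script below is an added example, not code from the issue or from the firejail project. It repeats the reporter's experiment (folder1..folder3 present at start, folder4 created from outside while the sandbox is still running) under both modes and reports whether folder4 is visible inside. It assumes firejail is installed and working, uses a directory under /tmp instead of ~/test so the home directory is untouched, and relies on the 1 s / 2 s sleeps only to order "create folder4 outside" before "ls inside"; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or the firejail project).
# Assumptions: firejail on PATH; /tmp is writable and whitelist-capable;
# the sleeps only sequence the host-side mkdir before the in-sandbox ls.
set -eu

have_firejail() {
    command -v firejail >/dev/null 2>&1
}

# Start one sandbox in the given mode, create folder4 on the host while the
# sandbox is still running, and print the listing taken inside the sandbox
# after folder4 exists on the host.
run_sandbox() {
    mode="$1"   # "blacklist" or "whitelist"
    base="$2"   # directory holding folder1..folder3
    mkdir -p "$base/folder1" "$base/folder2" "$base/folder3"
    rm -rf "$base/folder4"
    case "$mode" in
        blacklist)
            # The reporter's options: hide everything under $base except folder1.
            # The glob is quoted so firejail, not the shell, expands it, and it
            # can only expand to entries that exist at sandbox start.
            firejail --quiet --noprofile \
                --noblacklist="$base/folder1" --blacklist="$base/*" \
                sh -c "sleep 2; ls '$base'" &
            ;;
        whitelist)
            # The alternative from the comment: only folder1 is mounted in,
            # the parent is a fresh mount, so later host changes never appear.
            firejail --quiet --noprofile \
                --whitelist="$base/folder1" \
                sh -c "sleep 2; ls '$base'" &
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
    pid=$!
    sleep 1
    mkdir "$base/folder4"   # host side, sandbox still running
    wait "$pid"
}

# Returns 0 when a directory created after sandbox start is hidden inside the
# sandbox, 1 when it is visible (the behaviour reported in the issue),
# 2 when the sandbox could not be run.
newdir_hidden() {
    mode="$1"
    base="/tmp/firejail-blacklist-demo-$$"
    listing=$(run_sandbox "$mode" "$base") || { rm -rf "$base"; return 2; }
    rm -rf "$base"
    case "$listing" in
        *folder4*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Usage: sh demo.sh demo
if have_firejail && [ "${1:-}" = "demo" ]; then
    for mode in blacklist whitelist; do
        if newdir_hidden "$mode"; then
            echo "$mode: folder4 hidden inside the sandbox"
        else
            echo "$mode: folder4 visible inside the sandbox"
        fi
    done
fi
```

With firejail available, the blacklist run lists folder4 (it was created after the mount-over happened) and the whitelist run does not, which is the behaviour the comment describes. Note that under a whitelist the sandbox also loses write access to everything else under the whitelisted top directory, so the allowed set has to be spelled out completely rather than as exceptions.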
Reference: github-starred/firejail#3195