[GH-ISSUE #6460] Multi-command syntax to reduce boilerplate #3282

Open
opened 2026-05-05 09:53:16 -06:00 by gitea-mirror · 2 comments

Originally created by @ghost on GitHub (Sep 2, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6460

### Is your feature request related to a problem? Please describe.

Not creating directories can result in security issues, so oftentimes directories need to be created and this creates a lot of boilerplate profile code.

Example from seafile-applet.profile:

```
mkdir ${HOME}/.ccnet
mkdir ${HOME}/.config/Seafile
mkdir ${HOME}/Seafile
whitelist ${HOME}/.ccnet
whitelist ${HOME}/.config/Seafile
whitelist ${HOME}/Seafile
```

It would be nice to reduce this boilerplate by combining it into one directive.

### Describe the solution you'd like

I propose either one of two things:

```
whitelist-mkdir ${HOME}/.ccnet
```

or

```
whitelist+ ${HOME}/.ccnet
```

The `+` I think works better because the option `blacklist-nolog` would then become `blacklist-mkdir-nolog`. It is a bit cleaner to just have `blacklist-nolog+`.

gitea-mirror added the enhancement label 2026-05-05 09:53:16 -06:00

@ghost commented on GitHub (Sep 2, 2024):

I guess the `+` syntax wouldn't work because it could be a file too. So, I guess `whitelist-mkdir` and `whitelist-mkfile` would be how to combine them.

Perhaps a solution is to create a compact method of directive calling.

For example:

```
mkdir+whitelist ${HOME}/.ccnet
```

This says run mkdir with the given argument, then run whitelist with the given argument.

This is flexible so would be the same here:

```
mkdir+blacklist-nolog ${HOME}/.ccnet
```

It would not require creating a bunch of new directives, but just changing how to parse them.

This seems like a small change to the syntax parser of profiles, but would reduce a lot of boilerplate.


@rusty-snake commented on GitHub (Sep 2, 2024):

> It would not require creating a bunch new directives, but just changing how to parse them

Copy-pasta code with 20 hardcoded combinations is simpler than extending parsing logic.

> mkdir+whitelist

I like this, you can even `noblacklist+mkdir+whitelist`.

Previous discussion https://github.com/netblue30/firejail/issues/3447#issuecomment-683463663
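A stand-alone preprocessor for the `a+b+c ARG` chaining proposed in the two comments above, added here as an example (it is not firejail's parser and not code from either commenter); the `CHAINABLE` set and the rejection rules for malformed chains are assumptions made for the demo:

```python
"""Preprocessor for the proposed 'a+b+c ARG' combined-directive syntax (demo,
not firejail code): expands each chain, left to right, into plain directives."""

# Assumed set of directives that make sense to chain on one path.
CHAINABLE = {"mkdir", "mkfile", "whitelist", "noblacklist", "blacklist",
             "blacklist-nolog", "read-only", "read-write", "noexec"}

class ProfileSyntaxError(ValueError):
    """Malformed combined directive: fail closed rather than guess."""

def expand_line(line: str) -> list[str]:
    """Return the plain directive(s) one profile line stands for."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return [stripped]                 # blank line or comment: unchanged
    parts = stripped.split(None, 1)
    head, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
    if "+" not in head:
        return [stripped]                 # ordinary directive: pass through
    # Only the directive name is split; a '+' inside the path is data.
    names = head.split("+")
    if not arg:
        raise ProfileSyntaxError(f"chain without argument: {stripped!r}")
    if "" in names:
        raise ProfileSyntaxError(f"empty directive in chain: {stripped!r}")
    unknown = [n for n in names if n not in CHAINABLE]
    if unknown:
        raise ProfileSyntaxError(f"{unknown} cannot be chained: {stripped!r}")
    if "mkdir" in names and "mkfile" in names:
        raise ProfileSyntaxError(f"path cannot be dir and file: {stripped!r}")
    return [f"{n} {arg}" for n in names]

def expand_profile(text: str) -> list[str]:
    """Expand every line of a profile text; chain order is preserved."""
    out: list[str] = []
    for line in text.splitlines():
        out.extend(expand_line(line))
    return out

# Constructed sample: the seafile-applet lines from the issue in compact form.
SAMPLE = """\
mkdir+whitelist ${HOME}/.ccnet
mkdir+whitelist ${HOME}/.config/Seafile
noblacklist+mkdir+whitelist ${HOME}/Seafile
"""

if __name__ == "__main__":
    print("\n".join(expand_profile(SAMPLE)))
```

Because the output contains only directives firejail already accepts, the expansion can be reviewed line by line before the profile is installed, and a typo in a chain is rejected instead of silently dropping the `mkdir` or the `whitelist`.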
