[GH-ISSUE #6742] add profile with only /bin /sbin /usr + partly /etc and optionally Wayland, X11, DRM and audio #3352

Open
opened 2026-05-05 09:56:10 -06:00 by gitea-mirror · 0 comments

Originally created by @kolAflash on GitHub (May 6, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6742

### Is your feature request related to a problem? Please describe.

As a software developer I regularly need a clean environment to test untrusted things _(software, files to open, ...)_ from the WWW. Then I usually spin up this command:

```bash
firejail \
  --tab --disable-mnt --private-tmp --private-dev \
  --blacklist=/opt --blacklist=/srv --blacklist=/var \
  --noblacklist=/run/firejail --noblacklist=/run/user --blacklist='/run/*' \
  --read-only=/run/user \
  --whitelist=$HOME/Downloads/
```

_Side note: I'd like to simply use `--blacklist=/run` but I can't because of #6740_

Assuming the then allowed directories contain only files known to the public, because I got them from my Linux distribution. So I can run software without risking information leakage.

The only exceptions I know, and which are intended, are for Wayland, X11, DRI (`/dev/dri/`) and audio (Pulseaudio / Pipewire).

Also no real directory should be writeable from inside the container, except `$HOME/Downloads/` which I use like a "shared folder" known from the concept of virtual machines. So if I wipe `Downloads` afterwards, I can be sure nothing from the virtual environment is left.

See also my Mini Debian Conference talk on that topic:
https://meetings-archive.debian.net/pub/debian-meetings/2025/MiniDebConf-Hamburg/hamburg2025-10-secure-developer-containers-dont-fear-opening-files-from-the-bugtracker.webm

### Describe the solution you'd like

Have my configuration checked and if it's fine, add a profile based on it.

I'd maybe call the profile `test-environment` or `developer`.

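The issue asks for the configuration to be checked. One way to do that empirically, as an added example that is not part of the issue or of the firejail project, is a small POSIX shell probe that re-executes itself inside the sandbox built from the issue's own command line and reports, for each path in a list, whether it is missing, read-only or writable from the sandboxed process's point of view. Assumptions made here: the script is saved as `$HOME/Downloads/sandbox-probe.sh` (a name chosen for this example; it has to live somewhere the sandbox can still see, and the issue's whitelist leaves only `Downloads` visible in the home directory), `--quiet` is the only flag added to the issue's firejail command, and the probe list is a constructed illustration rather than a complete inventory of sensitive paths.

```shell
#!/bin/sh
# sandbox-probe.sh: added example, not code from the issue or from firejail.
# Assumed location: $HOME/Downloads/sandbox-probe.sh (see lead-in).
# Usage:  sh "$HOME/Downloads/sandbox-probe.sh" --sandbox   # report from inside the sandbox
#         sh sandbox-probe.sh --probe PATH...                # report as the current process

# Classify one path as seen by the current process:
#   missing - does not exist (a blacklisted path looks exactly like this)
#   ro      - exists but cannot be written (read-only bind mount or permissions)
#   rw      - exists and can be written
probe_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -d "$p" ]; then
        # For a directory the ground truth is an actual write attempt:
        # create a temporary file and remove it again.
        if t=$(mktemp "$p/.probe.XXXXXX" 2>/dev/null); then
            rm -f "$t"
            echo rw
        else
            echo ro
        fi
    elif [ -w "$p" ]; then
        # For a file, do not modify it; rely on the access(2) check.
        echo rw
    else
        echo ro
    fi
}

# Print one line per path: the path and its classification.
probe_report() {
    for p in "$@"; do
        printf '%-32s %s\n' "$p" "$(probe_path "$p")"
    done
}

# Constructed list for illustration. The issue expects /opt, /srv, /var and
# /run/* to be hidden, /run/user to be read-only, $HOME/Downloads to be the
# only writable real directory, and distribution files such as /usr/bin/env
# to stay readable. $HOME/.ssh is included as something that must not leak,
# and /tmp because --private-tmp replaces it with a throwaway tmpfs (writable,
# but nothing written there survives the sandbox). Extend as you see fit.
probe_paths() {
    echo "/opt /srv /var /run/udev /run/user /tmp /usr/bin/env /etc/passwd $HOME/.ssh $HOME/Downloads"
}

# Re-run this script inside the sandbox from the issue (plus --quiet), so the
# probe observes exactly what an untrusted program would observe. The script
# path must be visible inside the sandbox, hence the Downloads assumption.
run_in_sandbox() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail is not installed" >&2
        return 127
    fi
    firejail --quiet \
        --tab --disable-mnt --private-tmp --private-dev \
        --blacklist=/opt --blacklist=/srv --blacklist=/var \
        --noblacklist=/run/firejail --noblacklist=/run/user --blacklist='/run/*' \
        --read-only=/run/user \
        --whitelist="$HOME/Downloads/" \
        -- sh "$0" --probe $(probe_paths)
}

case "${1-}" in
    --probe)   shift; probe_report "$@" ;;
    --sandbox) run_in_sandbox ;;
    *)         ;;   # no argument: only define the functions (sourcing, tests)
esac
```

Reading the report against the issue's stated goals: `/opt`, `/srv`, `/var`, `/run/udev` and `$HOME/.ssh` should come back `missing`, `/run/user` should be `ro`, `$HOME/Downloads` should be `rw`, and `/tmp` will be `rw` but on the private tmpfs. Any other `rw` line is a real directory the sandboxed program could leave traces in, and any readable path you consider private is a candidate for a further `--blacklist`. The probe only inspects the filesystem view; the intended Wayland, X11, DRI and audio exceptions (sockets under `/run/user`, `/dev/dri`) are deliberately reachable and are not something this check validates.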
Reference: github-starred/firejail#3352