[GH-ISSUE #487] Question: Whitelisting devices #343

Closed
opened 2026-05-05 05:38:31 -06:00 by gitea-mirror · 6 comments

Originally created by @pyamsoft on GitHub (Apr 28, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/487

Forgive me if I have simply missed a part of the documentation.

Is there any current way to whitelist devices in the /dev folder? I know that the --private-dev option creates a jail with only certain devices in it. I will admit that I have no idea how this actually works. What I am wondering is whether there is a way to whitelist certain device paths in the /dev folder for inclusion into this limited private /dev.

For example, let's say I have a device /dev/foo that I want to be accessible from my jail, and a /dev/bar that I want hidden. I would still like to make a private dev, as I don't want programs in the system to access /dev/bar. I am wondering if it would be feasible to create an option like --whitelist-dev which allows me to run a --private-dev that includes access to my /dev/foo.

Currently it seems that in this kind of scenario, I would either have to make a jail that does not have a private dev, letting programs access my /dev/bar, or create a private dev and lose access to my /dev/foo. Forgive me if this is already possible with the current version of firejail; I have not noticed anything in the documents that would suggest so.


@netblue30 commented on GitHub (Apr 28, 2016):

You can whitelist files and directories in /dev, and only the whitelisted files will be visible under /dev/. Example:

```
firejail --whitelist=/dev/null --whitelist=/dev/dvd
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 15763, child pid 15764

Child process initialized
$ ls -l /dev
total 4
drwxr-xr-x   2 65534   65534   100 Apr 28 14:18 .
drwxr-xr-x  26 65534   65534  4096 Apr  6 15:45 ..
lrwxrwxrwx   1 65534 netblue     8 Apr 28 14:18 dvd -> /dev/sr0
crw-rw-rw-   1 65534   65534  1, 3 Apr 24 10:31 null
brw-rw----+  1 65534   65534 11, 0 Apr 24 10:31 sr0
```

@pyamsoft commented on GitHub (Apr 28, 2016):

Thank you for your response.
This was a mistake on my part then as I did not read the documentation closely enough.


@pyamsoft commented on GitHub (Apr 28, 2016):

A follow up question:

ArchLinux firejail 9.40-rc1
The following command will create a private dev as expected in the jail:

```
$ /usr/bin/firejail --profile=/etc/firejail/generic.profile --private-dev bash
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Warning: user namespaces not available in the current kernel.
Parent pid 8883, child pid 8886
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted

Child process initialized

$ ls /dev
dri  full  log  null  ptmx  pts  random  shm  tty  urandom  zero
```

What is the expected behavior in the following case then?

```
~ $ /usr/bin/firejail --profile=/etc/firejail/generic.profile --private-dev --whitelist=/dev/null bash
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Warning: user namespaces not available in the current kernel.
Parent pid 10373, child pid 10374
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted

Child process initialized

 ~ $ ls /dev
null
```

Should one expect, because of the whitelist call, that /dev only has null as shown? Or should private-dev still populate a dev folder and then link /dev/null into it?


@netblue30 commented on GitHub (Apr 28, 2016):

Looking through the code, first private-dev is applied, then whitelist. You'll end up only with a /dev/null inside /dev.


@pyamsoft commented on GitHub (Apr 29, 2016):

Thank you for that clarification. Do you believe the current implementation is the best way of handling that kind of use case where a whitelist and private-dev or private-tmp is specified in the command line?

I personally would expect the private-dev call to guarantee the presence of null and shm and the like, and then change or add to it with my whitelisted devices, but I am curious to hear your thoughts about this.


@netblue30 commented on GitHub (Apr 30, 2016):

The idea is that --private-* creates a new tmpfs directory and copies files over from the real filesystem, while --whitelist creates a new tmpfs and links to the real files in the filesystem. As a result, private-* will discard modifications when you exit the sandbox, while --whitelist will preserve modifications.
