[GH-ISSUE #833] read-only behaves inconsistently #565

Closed
opened 2026-05-05 06:09:49 -06:00 by gitea-mirror · 2 comments

Originally created by @nick75e on GitHub (Oct 3, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/833

Hi!

  • `firejail --whitelist=${HOME}/foo --read-only=${HOME}/foo` works as expected,
  • `firejail --whitelist=${HOME}/foo --read-only=${HOME}` only locks /home/$USER,
  • `firejail --whitelist=${HOME}/foo --read-only=${HOME}/*` does nothing while e.g. `--read-only=/media/$USER/*` locks all subdirectories.

Is it possible to make `--read-only=${HOME}/*` lock all files and subdirectories?

gitea-mirror 2026-05-05 06:09:49 -06:00

@netblue30 commented on GitHub (Oct 5, 2016):

It is a known issue. It has something to do with the order in which directory mounts are stacked one on top of another - both whitelist and read-only are implemented as filesystem mounts. This is why in "man firejail" we have this description:

      --read-only=dirname_or_filename
              Set directory or file read-only.

              Example:
              $ firejail --read-only=~/.mozilla firefox

              A  short  note about mixing --whitelist and --read-only options.
              Whitelisted directories should be made read-only  independently.
              Making a parent directory read-only, will not make the whitelist
              read-only. Example:

              $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
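The man page caveat quoted above (a parent directory made read-only does not make a whitelisted subdirectory read-only) is easy to miss on a long command line. The following hypothetical lint is an added example, not part of firejail: it walks a firejail argument list and reports every `--whitelist` path whose only `--read-only` coverage comes from a parent directory, which is the case the man page says needs its own `--read-only` entry. It assumes paths are already expanded (no `~` or `${HOME}` left unexpanded).

```shell
#!/bin/sh
# Hypothetical lint for the caveat quoted above (added example, not firejail
# code): warn about every --whitelist path whose only --read-only coverage is
# a parent directory, since firejail then leaves the whitelist writable.
# Paths are compared literally, so expand ~ and ${HOME} before calling.

# Strip the option prefix and a trailing slash from an argument.
path_of() { p=${1#*=}; printf '%s\n' "${p%/}"; }

# Exit 0 if an exact --read-only entry for "$1" exists among "$2..".
has_exact_ro() {
    want=$1; shift
    for a in "$@"; do
        case $a in
            --read-only=*) [ "$(path_of "$a")" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# Exit 0 if some --read-only entry among "$2.." is a strict parent of "$1".
has_parent_ro() {
    want=$1; shift
    for a in "$@"; do
        case $a in
            --read-only=*)
                ro=$(path_of "$a")
                case $want in "$ro"/*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# Print one warning per whitelist covered only by a parent --read-only.
# Exit 1 if any warning was printed, 0 otherwise.
check_whitelist_ro() {
    rc=0
    for a in "$@"; do
        case $a in
            --whitelist=*)
                w=$(path_of "$a")
                if ! has_exact_ro "$w" "$@" && has_parent_ro "$w" "$@"; then
                    printf 'warning: %s is whitelisted but only a parent is read-only; add --read-only=%s\n' "$w" "$w"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

[ $# -eq 0 ] || check_whitelist_ro "$@"
```

Run it with the same arguments you would pass to firejail, e.g. `sh lint.sh --whitelist=/home/user/work --read-only=/home/user`, and it prints the missing `--read-only=/home/user/work` that the man page example includes.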

@nick75e commented on GitHub (Oct 5, 2016):

Sorry, I didn't notice the warning.
Closing...

Reference: github-starred/firejail#565