[GH-ISSUE #103] Firejail documentation a bit unclear/inconsistent #63

Closed
opened 2026-05-05 04:55:51 -06:00 by gitea-mirror · 4 comments

Originally created by @curiosity-seeker on GitHub (Oct 27, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/103

In the supplied profiles the `noblacklist` command is widely used - but it's completely undocumented in `man firejail`. And `man firejail-profile` only says:

> Note: exclude-token is deprecated, use noblacklist command instead.

On the other hand, the `whitelist` command is mentioned in both man pages. However, it remains unclear, IMO, how `whitelist` differs exactly from `noblacklist`. I think it would be great if this were clarified in the documentation. Thanks!


@netblue30 commented on GitHub (Oct 27, 2015):

In the latest version, in man firejail-profile I have:

```
Scripting
       Scripting commands:

       # this is a comment

       include other.profile exclude-token
              Include  other.profile  file.  exclude-token disables blacklist
              commands in other.profile if exclude-token word is found in the
              name section of blacklist command.  exclude-token is optional.

              Example:  "include /etc/firejail/disable-common.inc .filezilla"
              loads    disable-common.inc    file     disables     "blacklist
              ${HOME}/.filezilla" command in this file.

              other.profile file name can be prefixed with ${HOME}. This will
              force Firejail to look for the file in user home directory.

              Example:  "include   ${HOME}/myprofiles/profile1"   will   load
              "~/myprofiles/profile1" file.

              Note:  exclude-token  is  deprecated,  use  noblacklist command
              instead.

       blacklist file_name
              If the file name matches file_name, the file will not be black‐
              listed in any blacklist commands that follow.

              Example: "noblacklist ${HOME}/.mozilla"

       ignore command
              Ignore command.

              Example: "ignore seccomp"
```

The exclude-token thing will disappear in the next release.


@curiosity-seeker commented on GitHub (Oct 27, 2015):

Thanks, I was referring to the 0.9.32 versions.


@curiosity-seeker commented on GitHub (Nov 11, 2015):

netblue30, I'm sorry to appear stubborn - but I still think those aspects are not well documented. E.g., the default Firefox profile in v. 0.9.34 contains both

```
noblacklist ${HOME}/.mozilla
whitelist ~/.mozilla
```

How do both rules differ from each other? I'm afraid that most users have difficulty understanding that. Well, at least I don't.


@netblue30 commented on GitHub (Nov 11, 2015):

In this case noblacklist ends up doing nothing, because whitelist erases everything in home directory. I'll clean it up at some point.
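
Added example, not part of the original thread and not Firejail's own code: a toy resolver for the `include`/exclude-token, `blacklist` and `noblacklist` commands as the man page excerpt above describes them, showing that `noblacklist` only removes matching `blacklist` entries that come after it, while `whitelist` is a separate command that it never touches. The include file contents, the sample profiles and the `resolve` helper are constructed for illustration, and "matches" is assumed to mean exact string equality.

```python
# Added illustration, not Firejail source: a toy resolver for the profile
# commands quoted from the man page in this thread.

# Constructed include file; the real disable-common.inc is much longer.
INCLUDES = {
    "/etc/firejail/disable-common.inc": [
        "# this is a comment",
        "blacklist ${HOME}/.mozilla",
        "blacklist ${HOME}/.filezilla",
        "blacklist ${HOME}/.ssh",
    ],
}


def resolve(lines, includes=INCLUDES, exempt=None, token=None):
    """Return the profile commands that stay in effect, in order.

    exempt: names from earlier noblacklist commands (shared with includes)
    token:  deprecated exclude-token of the include being processed, if any
    """
    exempt = [] if exempt is None else exempt
    effective = []
    for raw in lines:
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        cmd, args = words[0], words[1:]
        if cmd == "noblacklist":
            exempt.append(args[0])  # only affects blacklist commands that follow
        elif cmd == "blacklist":
            # Assumption: "matches" is modelled as exact string equality.
            if args[0] in exempt or (token and token in args[0]):
                continue
            effective.append(raw.strip())
        elif cmd == "include":
            inner = args[1] if len(args) > 1 else None
            effective += resolve(includes[args[0]], includes, exempt, inner)
        else:
            effective.append(raw.strip())  # whitelist, seccomp, ... pass through
    return effective


# Constructed profiles in the style of the ones discussed above.
FIREFOX_STYLE = ["noblacklist ${HOME}/.mozilla",
                 "include /etc/firejail/disable-common.inc",
                 "whitelist ~/.mozilla"]
TOO_LATE = ["include /etc/firejail/disable-common.inc",
            "noblacklist ${HOME}/.mozilla"]
DEPRECATED = ["include /etc/firejail/disable-common.inc .filezilla"]
```
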

Reference: github-starred/firejail#63