[GH-ISSUE #954] Questions regarding inheritance #647

Closed
opened 2026-05-05 06:20:43 -06:00 by gitea-mirror · 3 comments

Originally created by @0xBRM on GitHub (Dec 4, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/954

When you spawn a firejailed process like firefox, what happens when you spawn a child process from within it, like mpv? I tried to add ~/.config/mpv to the firefox.profile whitelist but mpv still cannot read mpv.conf and the scripts inside its configuration folder.

So my questions are:

  • Do the children of the main process have access to the firejail profiles?

  • When you spawn a process from within a sandbox, does that project inherit the profile of the parent process?

  • If not, what profile does it use?


@valoq commented on GitHub (Dec 4, 2016):

The profiles define the permissions of the jail that are applied before the actual process is started.
All child processes have the same constraints as the parent process.

So by adding e.g. "include /etc/firejail/mpv.profile" in your firefox profile, it should be possible to start mpv within the firefox jail.


@netblue30 commented on GitHub (Dec 4, 2016):

> So by adding e.g. "include /etc/firejail/mpv.profile" in your firefox profile, it should be possible to start mpv within the firefox jail.

It would work if both profiles were whitelisted profiles. In this case, mpv is a blacklisted profile, so you would have to copy /etc/firejail/firefox.profile in ~/.config/firejail ("cp /etc/firejail/firefox.profile ~/.config/firejail") and edit it. Add a "noblacklist ~/.config/mpv" at the beginning of the file, and a "whitelist ~/.config/mpv" statement at the end of the file.
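
The per-user override described in the comment above, as an added shell example that is not part of the original thread or of firejail itself. The function name `add_mpv_to_profile` and its two arguments (source profile, destination directory) are assumptions made for illustration; re-running it does not duplicate the two lines.

```shell
#!/bin/sh
# Added example (not from the thread): build a per-user copy of a firejail
# profile with the mpv config directory allowed, as described above.
# Usage (paths as given in the thread):
#   add_mpv_to_profile /etc/firejail/firefox.profile "$HOME/.config/firejail"

# Hypothetical helper. The body runs in a subshell so variables stay local.
add_mpv_to_profile() (
    src=$1
    dest_dir=$2
    # Written literally, the same way the thread writes it in the profile.
    path='~/.config/mpv'
    dest="$dest_dir/$(basename "$src")"

    [ -r "$src" ] || { echo "cannot read $src" >&2; exit 1; }
    mkdir -p "$dest_dir" || exit 1

    # Keep an existing per-user copy (it may carry other local edits);
    # otherwise start from the system profile.
    [ -e "$dest" ] || cp "$src" "$dest" || exit 1

    tmp=$(mktemp "$dest.XXXXXX") || exit 1
    {
        # noblacklist goes at the beginning of the file ...
        printf 'noblacklist %s\n' "$path"
        # ... existing content follows, minus any earlier copies of the
        # two lines so that a second run does not duplicate them ...
        grep -vxF -e "noblacklist $path" -e "whitelist $path" "$dest" || true
        # ... and whitelist goes at the end of the file.
        printf 'whitelist %s\n' "$path"
    } > "$tmp" || exit 1

    # Replace the per-user profile in one step and report its path.
    mv "$tmp" "$dest" || exit 1
    printf '%s\n' "$dest"
)
```

The system profile under /etc/firejail is left unmodified; only the copy in the destination directory is edited.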


@valoq commented on GitHub (Dec 4, 2016):

Shouldn't "noblacklist ~/.config/mpv" as in the mpv.profile file do the trick as well?
