[GH-ISSUE #995] Thunderbird accesses ~/.mozilla even when blacklisted #678

Closed
opened 2026-05-05 06:25:24 -06:00 by gitea-mirror · 4 comments

Originally created by @acrobat1 on GitHub (Dec 21, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/995

I'd like Thunderbird to leave alone the .mozilla directory (since I don't directly click on links in email), so I've added `blacklist ~/.mozilla` to my thunderbird profile, but it doesn't work:

```
blacklist violation - sandbox 22475, exe thunderbird, syscall access, path /home/debian/.mozilla
```

is there any workaround for this?

As I've said, I don't think Thunderbird absolutely needs to access the .mozilla directory, at least not in the way I use Thunderbird: since the purpose of sandboxing is to isolate processes as much as possible, I'd really like to cut access to .mozilla in this case.


@netblue30 commented on GitHub (Dec 21, 2016):

You need to add the following two lines at the top of /etc/firejail/thunderbird.profile:

```
blacklist ~/.mozilla
blacklist ~/.cache/mozilla
```

If you add them at the end, it will have no effect. Also, take a look at the whitelists in /etc/firejail/firefox.profile, you might want to blacklist some other directories. The default Firefox and Thunderbird profiles are quite generic, good for all kind of use cases, such as reading PDF files, playing audio files etc.


@curiosity-seeker commented on GitHub (Dec 23, 2016):

> As I've said, I don't think Thunderbird absolutely needs to access the .mozilla directory

Neither do I. I'm using a customized thunderbird.profile that doesn't include firefox.profile. And Firefox still opens when I click links in emails.

However, I remember that I had problems until it worked as it should. After some trial and error I finally deleted `mimeTypes.rdf` in `~/.thunderbird/<profile>`, and when Thunderbird asked me the next time which application to use (for links, pdf files, xls files, etc.) I always pointed it to `/usr/bin/xdg-open`.


@acrobat1 commented on GitHub (Dec 27, 2016):

> You need to add the following two lines at the top of /etc/firejail/thunderbird.profile:
>
> ```
> blacklist ~/.mozilla
> blacklist ~/.cache/mozilla
> ```
>
> If you add them at the end, it will have no effect.

Thanks a lot, I really wasn't aware of that. So my understanding would be that arguments in a profile will be processed in order, kinda like firewall rules?

> Also, take a look at the whitelists in /etc/firejail/firefox.profile, you might want to blacklist some other directories. The default Firefox and Thunderbird profiles are quite generic, good for all kind of use cases, such as reading PDF files, playing audio files etc.

Yes, I thought so: therefore I wrote my own (kinda restricted) profile for Thunderbird:

```
#Firejail profile for Mozilla Thunderbird

#blacklist .mozilla
blacklist ~/.mozilla

#blacklist fonts
blacklist ~/.cache/fontconfig

#blacklist AMD
blacklist ~/.AMD

noblacklist ~/.thunderbird
mkdir ~/.thunderbird
whitelist ~/.thunderbird

noblacklist ~/.cache/thunderbird
mkdir ~/.cache/thunderbird
whitelist ~/.cache/thunderbird

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
nogroups
no3d
protocol unix,inet,inet6,netlink
seccomp
tracelog

#private-dev
private-dev

noblacklist ~/.gnupg
mkdir ~/.gnupg
whitelist ~/.gnupg

#include /etc/firejail/firefox.profile
```

After trying with the `--audit` option, I get this:

```
---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------
INFO: starting /usr/lib/x86_64-linux-gnu/firejail/faudit.
GOOD: process 2 is running in a PID namespace.
INFO: container/sandbox firejail.

GOOD: seccomp BPF enabled.
checking syscalls: mount... umount2... ptrace... swapon... swapoff... init_module... delete_module... chroot... pivot_root... iopl... ioperm...

GOOD: all capabilities are disabled.

GOOD: I cannot access files in /home/user/.ssh directory.
GOOD: I cannot access files in /home/user/.gnupg directory.
GOOD: I cannot access files in /home/user/.mozilla directory.
GOOD: I cannot access files in /home/user/.config/chromium directory.
GOOD: I cannot access files in /home/user/.icedove directory.
UGLY: I can access files in /home/user/.thunderbird directory. Use "firejail --blacklist=/home/debian8/.thunderbird" to block it.

GOOD: SSH server not available on localhost.
GOOD: HTTP server not available on localhost.
MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. You can use "--protocol" to disable the socket.

MAYBE: D-Bus socket @/tmp/dbus-BPVnDCl3PG is available

MAYBE: X11 socket /tmp/.X11-unix/X0 is available
MAYBE: X11 socket @/tmp/.X11-unix/X0 is available

INFO: files visible in /dev directory: ptmx, pts, tty, urandom, random, full, null, zero, shm, log, snd,
GOOD: Access to /dev directory is restricted.
```

which looks kinda OK for my needs, the only issue being that if I click on a link, it will still be opened in the predefined browser, although in a private temporary sandbox: is there any way to avoid this completely?


@netblue30 commented on GitHub (Dec 29, 2016):

> Thanks a lot, I really wasn't aware of that. So my understanding would be that arguments in a profile will be processed in order, kinda like firewall rules?

You are right, in some cases you can later undo what you did before.

> if clicking on a link, it will still be opened in the predefined browser

For various reasons, both Firefox and Chromium keep only one instance of the program running. When you click on a link in Thunderbird, if another instance of the browser is running, it will open a new tab (or window) into the existing browser. The way I use it, I start Firefox in a separate sandbox before starting Thunderbird - the two sandboxes manage to communicate somehow!

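The ordering rule netblue30 describes in this thread (the two `blacklist` lines work at the top of thunderbird.profile but have no effect when appended after `include /etc/firejail/firefox.profile`, because that include carries `noblacklist ~/.mozilla`, and later lines can undo earlier ones) is easy to get wrong in a hand-written profile. The Python linter below is an added example, not Firejail's own code and not something posted in the thread: it flattens a profile through its `include` lines in reading order and flags every `blacklist` that is shadowed by an earlier `noblacklist` for the same path. The include files are constructed in-memory stand-ins, not the real contents of /etc/firejail; `HOME` and the profile file name are constants chosen for the example; the prefix rule (a `noblacklist` of a directory also shadows blacklists of paths below it) and the decision to ignore `whitelist` and every other directive are modelling assumptions. Treat it as a pre-flight check and confirm the result the way acrobat1 did, with `firejail --audit` or by trying to read the path from inside the sandbox.

```python
"""Ordering check for Firejail profiles (added example, not Firejail code).

Firejail reads a profile top to bottom; a `noblacklist PATH` only neutralises
`blacklist` lines that come *after* it. So `blacklist ~/.mozilla` appended
below `include /etc/firejail/firefox.profile` does nothing, while the same
line placed at the top of the file takes effect.
"""
import os

# Constructed stand-ins for the include chain. NOT the real /etc/firejail
# contents; they only mirror the structure discussed in the thread.
FAKE_FILES = {
    "/etc/firejail/firefox.profile": """
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
whitelist ~/.mozilla
whitelist ~/.cache/mozilla
""",
    "/etc/firejail/disable-common.inc": """
blacklist ~/.ssh
blacklist ~/.gnupg
""",
    "/etc/firejail/disable-programs.inc": """
blacklist ~/.mozilla
blacklist ~/.cache/mozilla
blacklist ~/.thunderbird
""",
}

HOME = "/home/debian"             # constructed; matches the home in the log above
TOP = "/tmp/thunderbird.profile"  # hypothetical name of the profile under test


def expand(path):
    """Expand the ~ and ${HOME} forms Firejail accepts, then normalise."""
    path = path.replace("${HOME}", HOME)
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return os.path.normpath(path)


def flatten(name, files, depth=0):
    """Yield (source_file, directive, argument) in Firejail's reading order,
    descending into `include` lines. Comments/blank lines dropped; loops cut."""
    if depth > 10:
        raise ValueError("include nesting too deep at " + name)
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        if directive == "include":
            yield from flatten(arg, files, depth + 1)
        else:
            yield name, directive, arg


def analyse(name, files):
    """One pass over the flattened profile. Returns (effective, ineffective):
    effective   - expanded paths still blacklisted at the end
    ineffective - (source_file, blacklist_arg, shadowing_noblacklist) triples
    Assumption: a noblacklist of a directory also shadows paths below it.
    whitelist and all other directives are ignored by this model."""
    noblacklisted, effective, ineffective = [], set(), []
    for src, directive, arg in flatten(name, files):
        if directive == "noblacklist":
            noblacklisted.append(expand(arg))
        elif directive == "blacklist":
            p = expand(arg)
            shadow = [n for n in noblacklisted if p == n or p.startswith(n + "/")]
            if shadow:
                ineffective.append((src, arg, shadow[0]))
            else:
                effective.add(p)
    return effective, ineffective


def check_profile(text):
    """Analyse a profile body against the constructed include files."""
    return analyse(TOP, {**FAKE_FILES, TOP: text})


# The two variants from the thread: blacklist appended vs. blacklist on top.
APPENDED = """
include /etc/firejail/firefox.profile
blacklist ~/.mozilla
blacklist ~/.cache/mozilla
"""

ON_TOP = """
blacklist ~/.mozilla
blacklist ~/.cache/mozilla
include /etc/firejail/firefox.profile
"""

if __name__ == "__main__":
    for label, body in (("appended", APPENDED), ("on top", ON_TOP)):
        effective, ineffective = check_profile(body)
        print(f"== blacklist lines {label} ==")
        print("  still blacklisted:", sorted(effective))
        for src, arg, by in ineffective:
            # Hits inside disable-programs.inc are the intended effect of the
            # noblacklist lines in firefox.profile; hits in TOP are the bug.
            print(f"  no effect: 'blacklist {arg}' in {src} (earlier noblacklist {by})")
```

Run it as a script to see both variants side by side: with the lines appended, `~/.mozilla` and `~/.cache/mozilla` drop out of the effective set and the linter points at the two lines in the profile under test; with the lines on top they stay blacklisted and only the expected hits inside the constructed disable-programs.inc remain. Because the model ignores `whitelist`, mounts and everything else Firejail does at sandbox setup, a clean report from it is a reason to test in the real sandbox, not a substitute for doing so.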