[GH-ISSUE #1018] Issue with --noblacklist having no effect #695

Closed
opened 2026-05-05 06:27:53 -06:00 by gitea-mirror · 10 comments
Originally created by @kyonifer on GitHub (Jan 2, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1018

I'm on arch linux with firejail-git on master (410602c). Following the manpage example:

$ firejail --noblacklist=/bin/nc
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Warning: noroot option is not available

** Note: you can use --noprofile to disable default.profile **

Parent pid 5584, child pid 5585
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized
$ nc
bash: /usr/bin/nc: Permission denied

Trying to access nc with some other combinations:

  1. Copying default.profile somewhere and adding noblacklist lines -> permission denied
  2. Copying default.profile somewhere and commenting out the include /etc/firejail/disable-common.inc line -> granted
  3. Running with --noprofile -> granted
  4. Running with --noprofile --blacklist=/bin/nc -> permission denied
  5. Running with --noprofile --blacklist=/bin/nc --noblacklist=/bin/nc -> permission denied

@reinerh commented on GitHub (Jan 2, 2017):

$ firejail --noblacklist=/bin/nc
...
$ nc
bash: /usr/bin/nc: Permission denied

You are noblacklisting /bin/nc, but your nc is in /usr/bin.


@kyonifer commented on GitHub (Jan 2, 2017):

/bin is a symlink to /usr/bin on arch. I've tried with firejail --noblacklist=/usr/bin/nc --noblacklist=/bin/nc to make sure it wasn't an issue with following the symlink. Sorry, I should have included those in the original ticket.

It seems like --blacklist follows syms since it blocks nc with --noprofile --blacklist=/bin/nc.


@viking777 commented on GitHub (Jan 3, 2017):

I have been having a similar issue to this on Manjaro when using Keepassx (actually keepassx2 - but I am sure that makes no difference).

keepassx.profile file contains the line 'noblacklist ${HOME}/*.kdbx' which should override the 'disable-common.inc' line 'blacklist ${HOME}/*.kdbx' but it doesn't.
The result is a permission denied message when trying to open keepassx.
If I run with the --noprofile option then keepassx works.
Similarly if I comment out 'blacklist ${HOME}/*.kdbx' from disable-common.inc keepassx will work.

I conclude, as the OP states in the title that 'noblacklist' lines are being ignored in some cases.


@chiraag-nataraj commented on GitHub (Aug 24, 2018):

The problem is that the noblacklist lines have to go before the blacklist lines. So any noblacklists that you want to override built-in blacklist commands need to go in a custom profile and can't be done on the command-line. @netblue30 I don't know if this is fixable, given that we parse and apply things in order (rather than parsing everything first and then applying (no)blacklist directives). I'm going to change this to information for now, and we should probably document this in the man pages if nothing else.


@rusty-snake commented on GitHub (Apr 1, 2020):

Any progress here?


@rusty-snake commented on GitHub (Apr 1, 2020):

--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1253,6 +1253,10 @@ $ firejail \-\-noautopulse firefox
 .TP
 \fB\-\-noblacklist=dirname_or_filename
 Disable blacklist for this directory or file.
+
+Two conditions must be met to make noblacklist work:
+1. The noblacklist statement must come before the corresponding blacklist statement
+2. The path to be noblacklisted must match the path of the blacklist statement
 .br
 
 .br
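Review bot: the three added text lines (`+Two conditions ...`, `+1. ...`, `+2. ...`) are plain input lines in troff source, so `man` will fill them into one paragraph and the numbering will run together; separate them with `.br` (the surrounding context already uses it) or mark them up as `.IP` items. Condition 2 would also be clearer if it said what "match" means: the thread shows the comparison is on the literal path string, so `--noblacklist=/bin/nc` does not cover `/usr/bin/nc` even where `/bin` is a symlink to `/usr/bin`, and a trailing slash (`${HOME}/.config/Google/` vs `${HOME}/.config/Google`) breaks the match; one of those as an example would save the next reader the same debugging.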

@fenuks commented on GitHub (Apr 23, 2021):

I have a somewhat related issue that is present for me in both the stable version and latest git.

Stable version doesn't have fixes for changes in JetBrains IDE configuration paths yet.

I thought I'd add 'noblacklist ${HOME}/.config/Google/' to ~/.config/firejail/android-studio.local. My local configuration is read, but it doesn't work; there is no access to that directory inside the firejail sandbox, BUT if I add that very line to /etc/firejail/android-studio.profile instead, it works as expected. Local profile is read before any blacklists, so I suspect a bug.

Just in case, I'm running Arch Linux with 5.11.16 kernel.


@ghost commented on GitHub (Apr 23, 2021):

@fenuks Does it change anything if you drop the last / and use noblacklist ${HOME}/.config/Google? Or is this a typo?


@fenuks commented on GitHub (Apr 24, 2021):

Thank you! That was it. I'd copied the path without the trailing slash into /etc/firejail/android-studio.profile from my local file without noticing. I didn't know that a trailing slash makes a difference here.

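The ordering rule from @chiraag-nataraj's comment and the literal path matching behind the /bin vs /usr/bin and trailing-slash exchanges above, modelled as an added shell example; this is not firejail's own code. It assumes a simplified evaluation: directives are applied strictly in file order, a noblacklist only protects a later blacklist whose path is the identical string (no symlink resolution, no slash normalisation), and a --noblacklist given on the command line is treated as arriving after the profile's lines. The profile snippets are constructed for the demo, not the real /etc/firejail files.

```shell
#!/bin/sh
# Added example, not firejail code: a toy model of in-order evaluation of
# blacklist / noblacklist directives, as described in this thread.
# Assumptions: directives are applied one at a time in file order; a
# noblacklist only protects a later blacklist whose path is the identical
# string (no symlink resolution, no trailing-slash normalisation); and a
# --noblacklist given on the command line arrives after the profile's lines.

# final_state PATH: reads directive lines on stdin and prints "blocked" or
# "allowed" for the exact path string PATH.
final_state() {
    query=$1
    exempt=""      # "|path|" entries from noblacklist lines seen so far
    blocked=""     # "|path|" entries that were actually blacklisted
    while IFS= read -r line; do
        line=${line%%#*}                     # drop trailing comments
        case "$line" in
            blacklist\ *|noblacklist\ *) ;;  # only these two are modelled
            *) continue ;;                   # include, caps.drop, blanks ...
        esac
        key=${line%% *}
        path=${line#* }
        path=${path%"${path##*[! ]}"}        # trim trailing spaces
        if [ "$key" = noblacklist ]; then
            exempt="$exempt|$path|"
        else
            case "$exempt" in
                *"|$path|"*) ;;              # an earlier noblacklist matched exactly
                *) blocked="$blocked|$path|" ;;
            esac
        fi
    done
    case "$blocked" in
        *"|$query|"*) echo blocked ;;
        *) echo allowed ;;
    esac
}

# Constructed profile snippets follow (not the real /etc/firejail files).

# The OP's case: the included profile blacklists nc, and a --noblacklist
# from the command line (modelled as arriving afterwards) never takes effect.
demo_cli_after_profile() {
    printf '%s\n' \
        'blacklist /usr/bin/nc        # from an included disable-*.inc' \
        'noblacklist /usr/bin/nc      # --noblacklist=/usr/bin/nc on the CLI' \
        | final_state /usr/bin/nc
}

# The same two lines the other way round (what a custom profile achieves):
# the noblacklist is registered before the blacklist is applied.
demo_noblacklist_first() {
    printf '%s\n' \
        'noblacklist /usr/bin/nc' \
        'blacklist /usr/bin/nc' \
        | final_state /usr/bin/nc
}

# /bin may be a symlink to /usr/bin, but the strings differ, so this
# noblacklist protects nothing.
demo_symlink_path() {
    printf '%s\n' \
        'noblacklist /bin/nc' \
        'blacklist /usr/bin/nc' \
        | final_state /usr/bin/nc
}

# The android-studio.local case: a trailing slash makes the strings differ.
demo_trailing_slash() {
    printf '%s\n' \
        'noblacklist ${HOME}/.config/Google/' \
        'blacklist ${HOME}/.config/Google' \
        | final_state '${HOME}/.config/Google'
}

# Same with the slash dropped, as suggested in the thread.
demo_exact_match() {
    printf '%s\n' \
        'noblacklist ${HOME}/.config/Google' \
        'blacklist ${HOME}/.config/Google' \
        | final_state '${HOME}/.config/Google'
}

for demo in demo_cli_after_profile demo_noblacklist_first demo_symlink_path \
            demo_trailing_slash demo_exact_match; do
    printf '%-24s %s\n' "$demo:" "$("$demo")"
done
```

Running the script prints one line per scenario; only the two cases where the noblacklist precedes the blacklist and uses the identical string come out as allowed, which is the pair of conditions the man-page patch above spells out. The toy only answers for the exact path string queried; real firejail also affects paths below a blacklisted directory, which this model does not attempt.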

@ghost commented on GitHub (Apr 24, 2021):

@fenuks You're welcome. Firejail is very picky on these things.

@rusty-snake I'm closing this for now. This stuff is old and known quirks are documented. Anyone still encountering this can reopen.
