[GH-ISSUE #1119] overriding disable-common.local in selected profiles? #767

Closed
opened 2026-05-05 06:36:55 -06:00 by gitea-mirror · 4 comments

Originally created by @testbird on GitHub (Feb 28, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1119

Hi, is there a way to have a default blocking policy for the network and override it in selected profiles?

What I tried was adding "net none" to the disable-common.local, but profiles that explicitly configured networking stopped working. Firejail printing: Error: --net and --net=none are mutually exclusive

For this particular networking setting the error seems fine to me, for cases where the option was given as a command line parameter by an unprivileged user (as explained in #1117) but it does not seem to appear according to that permission reasoning.
Is there a way that the root-owned firejail profiles can be read in a cascading way? Later options overriding previous ones in the profiles?

gitea-mirror 2026-05-05 06:36:55 -06:00
Author
Owner

@netblue30 commented on GitHub (Mar 3, 2017):

Mainline version in git allows you to do it. It has .local file entries defined in each profile file. You can go in /etc/firejail and add "net none" in the local profile for that specific application.

Author
Owner

@testbird commented on GitHub (Mar 5, 2017):

Great to hear that it is already implemented!

Firejail ships with default .profile files for many applications. The defaults can be overridden with .local files in /etc/firejail/ .
  • May I suggest to move the default .profiles into /etc/firejail/defaults, so that the basic configuration and local adjustments sit nicely in /etc/firejail without clutter?

  • Not sure about this, I see the includes at the top of the profiles, will this allow to override the later settings in the .profile file from the .local file, or does it work the other way around?

Author
Owner

@netblue30 commented on GitHub (Mar 5, 2017):

In .local files you mainly use "noblacklist" to disable blacklists coming in later in .profile file. You can also add new commands there.

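To make the layering described in the two replies above concrete, here is an added sketch (not from the firejail project or from this thread) of how an application's .local file sits above its .profile; the file names, the path under ${HOME} and the blacklist entry are assumed for illustration.

```conf
# /etc/firejail/example-app.profile   (assumed name, added example)
# The site override is included first, so its directives are read
# before any rule further down in this profile.
include example-app.local

# Shared blacklists arrive later in the file; a path exempted by a
# noblacklist that was read earlier is left alone by them.
include disable-common.inc
blacklist ${HOME}/.config/example-app-secrets

# --- /etc/firejail/example-app.local   (root-owned override, added example)
# Deny networking for this application only. Putting "net none" in
# disable-common.local instead would collide with profiles that
# configure --net themselves, which is the error the issue reports.
net none
# Keep a directory the profile would otherwise blacklist.
noblacklist ${HOME}/.config/example-app-secrets
```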
Author
Owner

@testbird commented on GitHub (Mar 5, 2017):

Ok, so for the high level documentation:

In the new version the later options will take precedence (if allowed for the user), except if this has been explicitly prevented before with ignore or no-blacklist options, or things have already been removed from the sandbox with whitelist or the private- (aka isolating/filtering/confinement) options.

Command line options come before .profile options?

Reference: github-starred/firejail#767