[GH-ISSUE #119] Private /tmp #77

New issue

Closed

opened 2026-05-05 04:59:29 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented 2026-05-05 04:59:29 -06:00

Owner

Copy link

Originally created by @xmikos on GitHub (Nov 6, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/119

It would be great if you can add --private-tmp option (to make /tmp private). There could be many information leaks and sensitive files in /tmp (like /tmp/xauth* files, unix sockets for many apps running outside of sandbox, etc.).

It would also need option to make some files/directories in /tmp shared with host (bind-mounted). Btw. is there similar option for --private (shared directory inside $HOME using bind-mount)? I didn't find it, --private-home=something seems to only copy files/directories inside private home. And --bind=src,dst isn't useful because it needs root.

Originally created by @xmikos on GitHub (Nov 6, 2015). Original GitHub issue: https://github.com/netblue30/firejail/issues/119 It would be great if you can add `--private-tmp` option (to make `/tmp` private). There could be many information leaks and sensitive files in /tmp (like /tmp/xauth\* files, unix sockets for many apps running outside of sandbox, etc.). It would also need option to make some files/directories in /tmp shared with host (bind-mounted). Btw. is there similar option for `--private` (shared directory inside $HOME using bind-mount)? I didn't find it, `--private-home=something` seems to only copy files/directories inside private home. And `--bind=src,dst` isn't useful because it needs root.

gitea-mirror 2026-05-05 04:59:29 -06:00

• closed this issue
• added the
  enhancement
  label

gitea-mirror commented 2026-05-05 04:59:37 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Nov 12, 2015):

All done.

Mount an empty, temporary filesystem on top of /tmp:

$ firejail --tmpfs=/tmp
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 18390, child pid 18391
Child process initialized
$ ls -l /tmp
total 0

Whitelist support for /tmp directory (similar to home directory whitelisting):

$ firejail --whitelist=/tmp/.ICE-unix --whitelist=/tmp/pulse-PKdhtXMmr18
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 18407, child pid 18408
Child process initialized
]$ ls -al /tmp
total 12
drwxrwxrwx  4 nobody nogroup   80 Nov 12 08:50 .
drwxr-xr-x 26 nobody nogroup 4096 Oct 31 10:30 ..
drwxrwxrwt  2 nobody nogroup 4096 Nov 11 16:01 .ICE-unix
drwx------  2 nobody nogroup 4096 Nov 11 16:01 pulse-PKdhtXMmr18n

You can add as many --whitelist commands as you need, you can also mix them with home directory whitelists (--whitelist=~/.mozilla).

I intend to add support for whitelisting /etc and /dev. If you need anything else, let me know.

<!-- gh-comment-id:156107284 --> @netblue30 commented on GitHub (Nov 12, 2015): All done. Mount an empty, temporary filesystem on top of /tmp: ``` $ firejail --tmpfs=/tmp Reading profile /etc/firejail/generic.profile Reading profile /etc/firejail/disable-mgmt.inc Reading profile /etc/firejail/disable-secret.inc Reading profile /etc/firejail/disable-common.inc ** Note: you can use --noprofile to disable generic.profile ** Parent pid 18390, child pid 18391 Child process initialized $ ls -l /tmp total 0 ``` Whitelist support for /tmp directory (similar to home directory whitelisting): ``` $ firejail --whitelist=/tmp/.ICE-unix --whitelist=/tmp/pulse-PKdhtXMmr18 Reading profile /etc/firejail/generic.profile Reading profile /etc/firejail/disable-mgmt.inc Reading profile /etc/firejail/disable-secret.inc Reading profile /etc/firejail/disable-common.inc ** Note: you can use --noprofile to disable generic.profile ** Parent pid 18407, child pid 18408 Child process initialized ]$ ls -al /tmp total 12 drwxrwxrwx 4 nobody nogroup 80 Nov 12 08:50 . drwxr-xr-x 26 nobody nogroup 4096 Oct 31 10:30 .. drwxrwxrwt 2 nobody nogroup 4096 Nov 11 16:01 .ICE-unix drwx------ 2 nobody nogroup 4096 Nov 11 16:01 pulse-PKdhtXMmr18n ``` You can add as many --whitelist commands as you need, you can also mix them with home directory whitelists (--whitelist=~/.mozilla). I intend to add support for whitelisting /etc and /dev. If you need anything else, let me know.

gitea-mirror referenced this issue 2026-05-05 10:03:11 -06:00

[PR #77] [MERGED] use configure options in Makefile #3532

gitea-mirror referenced this issue 2026-05-05 10:03:11 -06:00

[PR #78] [CLOSED] standalone rpm spec #3533

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#77

No description provided.