[GH-ISSUE #1125] default-policy.conf to select whitelisting (isolated operation) or blacklisting (integrated operation) #774

Closed
opened 2026-05-05 06:37:54 -06:00 by gitea-mirror · 6 comments

Originally created by @testbird on GitHub (Mar 5, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1125

Currently, the default firejail session seems to be based on blacklisting, while some profiles configure whitelisting.

For example, executing firejail produces a shell that has access to $HOME, the network, and X input, which may not be a desired default behavior in all cases.

The .inc files inspired me to suggest a central `default-policy.conf` file.
Let that file get included by all default profiles (instead of directly including `disable-*.inc`), and thus allow configuring the default policy by (un)commenting the inclusion of rules. (The rules file then loads the appropriate `disable-*.inc` files.)

```
## /etc/firejail/default-policy.conf
## Configure the default policy by un-commenting the include line that is desired,
## and commenting out the non-desired include line:

## whitelisting (sandbox allows only isolated operation, with additional rules that allow access)
include /etc/firejail/defaults/whitelisting-rules.inc

## blacklisting (sandbox allows access to resources, with additional rules that deny access)
#include /etc/firejail/defaults/blacklisting-rules.inc
```
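
An added example, not part of the original issue or firejail's own code: a small Python audit that reports whether a profile ends up whitelist-based or blacklist-based once its `include` lines are followed, which is the distinction this issue asks to make configurable. The sample profiles are constructed, includes are resolved by basename only, and the rule that any `whitelist` directive makes the profile "whitelisting" is a simplifying assumption.

```python
import posixpath

# Constructed sample files (not firejail's shipped profiles), keyed by basename.
SAMPLE_FILES = {
    "disable-common.inc": "blacklist ${HOME}/.ssh\nblacklist ${HOME}/.gnupg\n",
    "whitelist-common.inc": "whitelist ${HOME}/.config/mimeapps.list\n",
    "browser.profile": (
        "include globals.local\n"
        "include /etc/firejail/disable-common.inc\n"
        "whitelist ${DOWNLOADS}\n"
        "include /etc/firejail/whitelist-common.inc\n"
    ),
    # A commented-out directive must not count as policy.
    "editor.profile": "#whitelist ${HOME}/Documents\ninclude disable-common.inc\n",
    "bare.profile": "caps.drop all\n",
}

def collect_directives(name, files, seen=None, missing=None):
    """Return (directive keywords, unresolved includes), following include lines."""
    seen = set() if seen is None else seen
    missing = [] if missing is None else missing
    key = posixpath.basename(name)
    if key in seen:                      # include loop or repeated include
        return set(), missing
    seen.add(key)
    if key not in files:                 # e.g. an optional *.local override
        missing.append(key)
        return set(), missing
    keywords = set()
    for raw in files[key].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, arg = line.partition(" ")
        if word == "include" and arg:
            keywords |= collect_directives(arg.strip(), files, seen, missing)[0]
        else:
            keywords.add(word)
    return keywords, missing

def classify(name, files=SAMPLE_FILES):
    """Label a profile by the filesystem policy its directives imply."""
    keywords, missing = collect_directives(name, files)
    if "whitelist" in keywords:
        return "whitelisting", missing
    if "blacklist" in keywords:
        return "blacklisting", missing
    return "no filesystem rules", missing

if __name__ == "__main__":
    for profile in ("browser.profile", "editor.profile", "bare.profile"):
        print(profile, *classify(profile))
```
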

@netblue30 commented on GitHub (Mar 7, 2017):

> Currently, the default firejail session seems to be based on blacklisting, while some profiles configure whitelisting.

Yes, mostly browsers are whitelisted, everything else is blacklisted. I'll bring in a default-policy.conf or similar, thanks.


@chiraag-nataraj commented on GitHub (Sep 30, 2018):

@netblue30 This isn't really done at this point. Is this something we actually want to do?


@testbird commented on GitHub (Sep 30, 2018):

A configurable default policy also seems to be important to allow the root administrator to ensure this for regular users.


@SkewedZeppelin commented on GitHub (Sep 30, 2018):

Most profiles that can be whitelisted already are. And nothing prevents users from locally overriding profiles.


@Vincent43 commented on GitHub (Sep 30, 2018):

There is also `/etc/firejail/globals.local` for local administration used by all profiles.


@rusty-snake commented on GitHub (Jan 25, 2020):

IMHO there is nothing to do here, should we close?
