[GH-ISSUE #1180] Whitelists not working? #813

Closed
opened 2026-05-05 06:53:31 -06:00 by gitea-mirror · 10 comments
Originally created by @rieje on GitHub (Mar 30, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1180

I make the folder `~/hey`. In `~/.config/firejail/firejail.profile`, I add the line `whitelist ~/hey`. Then, I use the following command to launch Firefox using firejail: `firejail --seccomp --profile="${HOME}"/.config/firejail/firefox.profile --private="${HOME}"/.firejail/firefox-firejail/ --debug-whitelists firefox -no-remote "$@"`.

When I open a file on Firefox, it does not detect `~/hey`. The debugging shows:

```
Removed whitelist path: whitelist ~/hey
    expanded: /home/rieje/hey
    real path: (null)
    realpath: No such file or directory
```

Does it have to do with the `--private=` option used? Can I not whitelist a directory with that option used?


@chiraag-nataraj commented on GitHub (Mar 30, 2017):

Well...you can. You just have to move _everything_ inside the new home directory. This includes config files and whatnot. This also means that `~/hey` should actually be `~/.firejail/firefox-firejail/hey` in order for the whitelist to work. It's far easier not to use `private` and just whitelist the files/directories the program needs access to.


@rieje commented on GitHub (Mar 30, 2017):

@chiraag-nataraj

I use `--private=<directory>` because I have multiple profiles, each I want sandboxed. I wanted to whitelist certain directories for all profiles to use; otherwise, I would have to access different `~/download` and `~/hey` directories for each profile (`<directory>`), for example.

So what you're recommending is just remove this option and instead have Firefox whitelist `~/hey` and then use Firefox's option `-P "profile_name"` to refer to different profiles? How do they compare in terms of the directories that Firefox is allowed to access?

EDIT: Actually, this is not ideal because the profiles will have access to the same `~/.cache` and `~/.mozilla` files, kind of defeating the purpose of using multiple profiles to isolate their data, but I suppose it's more of a practical solution.

So if I'm understanding correctly, I guess firejail would benefit from an option to whitelist directories even accounting for the fact that `--private=<directory>` is used to accommodate for the situation I've described.


@chiraag-nataraj commented on GitHub (Mar 30, 2017):

Hmmm...I see what you're trying to do. I never really cared about isolating different Firefox profiles as long as Firefox itself was strongly isolated. Are you trying to allow different profiles to access different sets of directories?

If you actually want to do what you're saying, then you can use a bind-mount of `~/hey` to `~/.firejail/firefox-firejail/hey` - I would do it in a separate setup script, maybe when you log in, so that you don't have to run firejail as root.


@rieje commented on GitHub (Mar 30, 2017):

@chiraag-nataraj

> Are you trying to allow different profiles to access different sets of directories?

Yes, but not for directories I specifically whitelist, like `~/downloads` and `~/hey`. So each profile should have their own set of directories for profile-related data like `~/.cache` and `~/.mozilla`, but I want them to also share certain directories like `~/downloads` and `~/hey` on the local filesystem to avoid the problem of needing to copy an offline webpage or pdf file that I want Firefox to open to a particular `~/downloads` of one profile and only being able to open that file on that specific profile. I want to just copy to a white-listed `~/downloads` directory on the local file system and any one of these profiles can access the file, yet still have their own set of `~/.cache` and `~/.mozilla`.

I never used bind-mounts before but it seems like I can't bind mount each profile's `~/download` folder (`~/.firejail/profileA/Downloads`, `~/.firejail/profileB/Downloads`, etc.) to the `~/downloads` on my local filesystem. I'm assuming symlinks won't work either since sandboxing revolves around mounting over things. I guess I can do something like bind mounting `~/downloads/profileA`, `~/downloads/profileB`, etc. to `~/.firejail/profileA/Downloads`, `~/.firejail/profileB/Downloads`, etc. but again, not ideal. It is more secure than what I'm looking for because I can still use `--private=<directory>` and each profile doesn't see other files in `~/Downloads`, but that's what I'm willing to trade off because dealing with separate Downloads folder for each profile is annoying when I utilize multiple profiles and I don't mind them seeing the entire Downloads folder as long as their profile-related data like `~/.mozilla` and `~/.cache` are isolated from each other, which is what is important.


@chiraag-nataraj commented on GitHub (Mar 30, 2017):

You'd want to bind-mount in the opposite direction. That is, you want to bind-mount `~/Downloads` to `~/.firejail/firefox-firejail/profile{A,B,C}/Downloads`. Same with `~/hey`.


@netblue30 commented on GitHub (Mar 31, 2017):

I had to disable whitelists in home directory if --private was requested by the user. I don't remember exactly what was breaking. I added a warning on mainline git, if you try whitelist+private you'll get it on the console.


@rieje commented on GitHub (Apr 6, 2017):

I added `/home/rieje/downloads /home/rieje/.firejail/firefox-firejail/profileA/Downloads none bind 0 0` to my `/etc/fstab` as you've suggested and it solves the issue; however, for some reason I'm getting an error prompt every time I boot my machine:

```
home-sunshine-.firejail-firefox-Downloads.mount: Mount process exited, code=exited status=32
Failed to mount /home/sunshine/.firejail/firefox-main/Downloads.
-- Unit home-sunshine-.firejail-firefox-Downloads.mount has failed.
```

and has to do with `local-fs.target` failing. It tells me to log in as root for maintenance or enter CTRL+D to continue. I do the latter and the system finishes booting successfully and the bind mount is mounted properly.


@chiraag-nataraj commented on GitHub (Apr 6, 2017):

Hmmm okay. I remember that back when I was doing this, I'd just run a script in my `.profile`. The script looked something like this:

```
#!/bin/bash
# Bind-mount Music into the sandbox home only if it is not already mounted.
if [ -z "$(mount | grep Music)" ]
then
    sudo mount --bind /home/chiraag/Music /home/chiraag/mpd-home/Music
    # Remount the bind read-only, with no executables or device nodes.
    sudo mount -o remount,ro,noexec,nodev,bind /home/chiraag/mpd-home/Music
fi
# Same check for Documents, which stays read-write.
if [ -z "$(mount | grep Documents)" ]
then
    sudo mount --bind /home/chiraag/Documents /home/chiraag/libreoffice-home/Documents
fi
```

@rieje commented on GitHub (Apr 6, 2017):

I fixed it--the problem was my `~/downloads` was symlinked to `/hdd/downloads` so I can't mount it there. Now my fstab entry is `/hdd/downloads /home/rieje/.firejail/firefox-firejail/profileA/Downloads none bind 0 0` and everything I've been looking for is solved. Thanks a lot chiraag-nataraj for telling me about bind mounts.

I'll close this and it can be re-opened in the future if `--private` should include whitelisting for home directory in the scenario I've described (I think it should but at least there's a workaround).
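
Added example (not part of the original thread and not firejail code): a shell function that prints fstab bind-mount lines in the format used above, one per private home, after resolving a symlinked source to its real directory as in the fix just described. The function names and the `BIND_OPTS` variable are assumptions made for this example, and the demo paths are constructed.

```shell
#!/bin/bash
# Added example: print fstab bind-mount lines that share one host directory
# with several `firejail --private=<dir>` homes.
# Usage: fstab_bind_lines SRC SUBDIR PRIVATE_HOME...
# BIND_OPTS (hypothetical variable, default "bind") sets the options field.

# fstab separates fields with whitespace, so spaces in a path become \040.
fstab_escape() {
    printf '%s' "$1" | sed 's/ /\\040/g'
}

fstab_bind_lines() {
    local src="$1" subdir="$2" real target home rc=0
    shift 2
    # Resolve symlinks first: the fstab entry in the thread only mounted
    # cleanly once it named /hdd/downloads rather than the ~/downloads link.
    real=$(realpath -- "$src" 2>/dev/null) || real=""
    if [ -z "$real" ] || [ ! -d "$real" ]; then
        echo "source is not an existing directory: $src" >&2
        return 1
    fi
    for home in "$@"; do
        target="$home/$subdir"
        # A missing mount point makes the mount fail at boot, so report it.
        if [ ! -d "$target" ]; then
            echo "missing mount point: $target" >&2
            rc=1
            continue
        fi
        printf '%s %s none %s 0 0\n' "$(fstab_escape "$real")" \
            "$(fstab_escape "$target")" "${BIND_OPTS:-bind}"
    done
    return "$rc"
}

# Constructed demo: a symlinked "downloads" shared by two private homes.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/hdd/downloads" "$demo_root/profileA/Downloads" \
    "$demo_root/profile B/Downloads"
ln -s "$demo_root/hdd/downloads" "$demo_root/downloads"
fstab_bind_lines "$demo_root/downloads" Downloads \
    "$demo_root/profileA" "$demo_root/profile B"
rm -rf "$demo_root"
```

With `BIND_OPTS=bind,nofail` the entries are no longer required by `local-fs.target`, so a failed bind mount does not stop the boot at the maintenance prompt.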


@chiraag-nataraj commented on GitHub (Apr 7, 2017):

Yeah, no problem @rieje! 😄 Glad to see it worked out!
