[GH-ISSUE #128] Whitelisting symbolic links whitelists the source file but not the symlink #85

Closed
opened 2026-05-05 05:00:42 -06:00 by gitea-mirror · 7 comments

Originally created by @0nse on GitHub (Nov 10, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/128

I'm currently running Firejail 0.9.34 from the AUR. Whenever there is a whitelist entry in a profile, the program will basically not be able to access anything.

For example, Firefox will load with the default GTK theme and not have access to my vimperator configuration when there is any whitelist entry. This sounds reasonable at first, but adding the relevant files—which is now done in the upstream configuration—does not change this behaviour (~/.vimperator, ~/.vimperatorrc, ~/.gtkrc-2.0, ~/.config/gtk-3.0/settings.ini). When navigating in Firefox browsing my local disk using file:///, I see the file names but cannot access them.

This happens for all programs I have tested so far: Firefox, Chromium and Pidgin. The browsers are still able to load their profiles, probably because these folders are added as noblacklist.

gitea-mirror 2026-05-05 05:00:42 -06:00 closed this issue and added the "bug" label.

@netblue30 commented on GitHub (Nov 10, 2015):

I keep on the main page of the project here on github the current whitelist for Firefox. Only these files/directories are visible in your /home/user directory.

.config/gtk-3.0 directory was added yesterday in the development version.

Files and dirs in the rest of the system are still visible; most of them are read-only, others are empty files and cannot be opened (blacklist).


@0nse commented on GitHub (Nov 10, 2015):

~~Regarding GTK3: Yes, that's correct and I am aware of that. I had manipulated the profile files myself to whitelist it. However, entries that I have put on whitelist (or that already have been, like ~/.vimperatorrc) are not accessible in Firefox. They are missing in file:/// and only if I remove all whitelist entries, they become readable again.~~

~~I get and like the idea of mounting a new home with fewer contents. But whitelisting anything will not lead to those entries appearing in my program-specific new home directory.~~

~~Edit: Actually some whitelist entries seem to work. It looks quite random. With the default configuration from 0.9.34 I have in my new home .zotero but e.g. not .vimperatorrc.~~

Further inspections make me believe that symbolic links are a problem with whitelists. I have .gtkrc-2.0 and other files as a symlink under ~. What Firejail now does is, it whitelists the source file but removes the symbolic link. Thus, Firefox won't find ~/.gtkrc-2.0 but instead will show ~/Documents/dotfiles/gtk/.gtkrc-2.0.


@netblue30 commented on GitHub (Nov 10, 2015):

OK, that's a bug, I'll have to fix it, thanks.


@netblue30 commented on GitHub (Nov 11, 2015):

Fixed.


@0nse commented on GitHub (Feb 7, 2016):

I experience this behaviour again in 0.9.38.


@netblue30 commented on GitHub (Feb 8, 2016):

What are you trying to do?


@0nse commented on GitHub (Feb 8, 2016):

I found that I have to whitelist the parent directory in my home directory that contains the files whose symlinks are whitelisted by the default config. Imagine the following symlink:

~/.gtkrc-2.0 -> ~/dotfiles/gtk/.gtkrc-2.0

If I don't whitelist ~/dotfiles, ~/.gtkrc-2.0 cannot be read.

On a side note: when that happens, Firefox often removes all contents from that file while starting. Anyways, I could solve my own problem and thus close this ticket. Thanks!

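The two observations in this thread (a whitelisted dotfile that is a symlink ends up unreadable, and whitelisting the directory that holds the symlink's target makes it readable again) can be checked before launching the sandbox. The script below is an added example, not part of the issue and not Firejail's own code: it parses the `whitelist` lines of a profile, resolves every whitelisted path that is a symlink, and reports targets that no other whitelist entry covers. The `~/` and `${HOME}/` expansion, the `is_covered` rule and the throwaway home layout (`~/.gtkrc-2.0 -> ~/dotfiles/gtk/.gtkrc-2.0`, constructed to mirror the last comment) are this example's own assumptions, not Firejail behaviour.

```python
import os
import tempfile


def expand(entry, home):
    """Expand a profile path spelled as '~/x' or '${HOME}/x' to an absolute path under `home`.
    (Assumed convention for this example; other prefixes are returned unchanged.)"""
    if entry.startswith("~/"):
        return os.path.join(home, entry[2:])
    if entry.startswith("${HOME}/"):
        return os.path.join(home, entry[len("${HOME}/"):])
    return entry


def whitelist_entries(profile_text, home):
    """Return the absolute paths named by `whitelist` lines; comments and other directives are ignored."""
    paths = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line.startswith("whitelist "):
            continue
        paths.append(expand(line[len("whitelist "):].strip(), home))
    return paths


def is_covered(path, whitelist):
    """True if `path` is itself whitelisted or lies inside a whitelisted directory."""
    for w in whitelist:
        if path == w or path.startswith(w.rstrip("/") + "/"):
            return True
    return False


def uncovered_symlink_targets(profile_text, home):
    """For each whitelisted entry that is a symlink, resolve it fully and report
    (entry, target) when the target is outside every whitelisted path.
    These are the entries the thread describes as unreadable inside the sandbox."""
    entries = whitelist_entries(profile_text, home)
    problems = []
    for entry in entries:
        if not os.path.islink(entry):
            continue
        target = os.path.realpath(entry)
        if not is_covered(target, entries):
            problems.append((entry, target))
    return problems


def build_demo_home():
    """Constructed sample home (not real user data): ~/.gtkrc-2.0 -> ~/dotfiles/gtk/.gtkrc-2.0.
    The temp dir is realpath'ed so comparisons survive /var -> /private/var style links."""
    home = os.path.realpath(tempfile.mkdtemp(prefix="fjhome-"))
    os.makedirs(os.path.join(home, "dotfiles", "gtk"))
    real_file = os.path.join(home, "dotfiles", "gtk", ".gtkrc-2.0")
    with open(real_file, "w") as f:
        f.write('gtk-theme-name = "Adwaita"\n')
    os.symlink(real_file, os.path.join(home, ".gtkrc-2.0"))
    return home


# Constructed profile fragments: the first only whitelists the symlink,
# the second adds the parent directory of the link target, as the last comment suggests.
BROKEN_PROFILE = "# only the symlink is whitelisted\nwhitelist ~/.gtkrc-2.0\nwhitelist ~/.mozilla\n"
FIXED_PROFILE = BROKEN_PROFILE + "whitelist ~/dotfiles\n"


def demo():
    """Run both profiles against the constructed home; returns (broken_report, fixed_report)."""
    home = build_demo_home()
    return uncovered_symlink_targets(BROKEN_PROFILE, home), uncovered_symlink_targets(FIXED_PROFILE, home)


if __name__ == "__main__":
    broken, fixed = demo()
    for entry, target in broken:
        print(f"whitelisted symlink {entry} points to {target}, which no whitelist entry covers")
    print("after whitelisting ~/dotfiles:", "no uncovered targets" if not fixed else fixed)
```

Run it against a real profile by replacing `BROKEN_PROFILE` with the file's contents and `home` with `os.path.expanduser("~")`; any reported pair is a dotfile that will appear in the sandbox's home only as a dangling link unless the target's directory is whitelisted too.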