[GH-ISSUE #1353] Whitelist not working? #932

Closed
opened 2026-05-05 07:10:49 -06:00 by gitea-mirror · 11 comments

Originally created by @rieje on GitHub (Jun 27, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1353

I run firefox in a firejail sandbox and when I play videos using mpv from it, it's not using my mpv config. So I guess I have to whitelist my mpv config files. I have the ~/.config/mpv folder, but it contains all my configs that are symlinked from my git repo, so this may be the problem.

In my firefox.profile, I have:

noblacklist ~/.config/mpv

Is this not enough?


@netblue30 commented on GitHub (Jun 28, 2017):

You would also add a whitelist in your firefox.profile for mpv config:

whitelist ~/.config/mpv

> but in it contains all my configs that are symlinked from my git repo

It shouldn't be a problem.


@rieje commented on GitHub (Jul 2, 2017):

@netblue30 It doesn't appear to be working--when I download a video and run it from Firefox, it's using default mpv settings instead of my customized ones. To be clear, here's what my config structure [looks like](https://ptpb.pw/ACh-CZr_60X1o9tP1BjiR6KTR0Ny.png). `~/.config/mpv` is an actual folder, while all the config files inside are symlinked to under that folder, as you can see.

In my `~/.config/firejail/firefox.profile` I have the [following](https://ptpb.pw/AA4bZBd4Sj9ktuAeoOvUmZvqLnae.profile) (my attempted settings are in the 2 blocks of text from the start of the config). It's probably excessive, but I wasn't sure if recursion is applied for a directory and whatnot.

Let me know what other information may be needed.


@liloman commented on GitHub (Jul 16, 2017):

Hi rieje,

I can't see your images but I hope it helps you.

I've just fixed a similar very long-standing issue with my .mplayer/ dir. I don't use mpv [but a custom Bash script that uses youtube-dl](https://github.com/liloman/dotfiles/blob/master/Scripts/Scripts/descarga.sh), but I think it's related. ;)

The issue was:

  1. I need the .mplayer/ folder to be accessible from firefox (it's really a symlink to ~/dotfiles/mplayer/.mplayer in my settings, but firejail whitelists the target dir automatically)

  2. I enabled it with:
    whitelist ~/.mplayer
    read-only ~/.mplayer

  3. But I couldn't get to the target dir, and when I launched mplayer from firefox it couldn't parse the config files. It was really annoying because I disable the screensaver while playing from my mplayer config, among other things.

What I did:

  1. Launching an ls from the vimperator console, I realized that:
    !ls ~/dotfiles/mplayer permissions were:
    /home/user/dotfiles/mplayer:
    total 4
    dr---------. 2 nfsnobody nfsnobody 4096 mar 5 19:15 .mplayer

  2. I then fixed it with:
    noblacklist ~/.mplayer

  3. Now:
    !ls ~/dotfiles/mplayer permissions are:
    /home/user/dotfiles/mplayer:
    total 4
    drwxrwxr-x. 2 user user 4096 mar 5 19:15 .mplayer

Cheers


@rieje commented on GitHub (Jul 24, 2017):

@liloman Thanks for the detailed response. Do you use `--private` or `--private <dir>` for your firefox profile? In my particular scenario I'm using `--private <dir>` for my Firefox profile and when I launch firejail, I get `Warning: "whitelist ~/.config/mpv" disabled by --private`, so maybe `--private <dir>` is not supported by firejail for some reason.

To be clear, my ~/.config/mpv symlink structure looks like this:

$ ls ~/.config/mpv
drwx------ 1 rieje rieje ?  64 May 22 09:36 watch_later
lrwxrwxrwx 1 rieje rieje ?  45 May 23 22:17 lua-settings -> ../../.dotfiles/arch/.config/mpv/lua-settings
lrwxrwxrwx 1 rieje rieje ?  40 May 23 22:17 scripts -> ../../.dotfiles/arch/.config/mpv/scripts
lrwxrwxrwx 1 rieje rieje ?  43 Apr 25 01:25 input.conf -> ../../.dotfiles/arch/.config/mpv/input.conf
lrwxrwxrwx 1 rieje rieje ?  41 Mar 10 12:37 mpv.conf -> ../../.dotfiles/vega/.config/mpv/mpv.conf

which, according to what I've read, doesn't matter because firejail should follow the symlinks appropriately. In my firefox.profile I have the following:

whitelist ~/.config/mpv
read-only ~/.config/mpv
noblacklist ~/.config/mpv

@liloman commented on GitHub (Jul 25, 2017):

No, I don't. I'm using this:

firejail --name=firefox firefox -P default

Maybe with:

firejail --debug firefox

you could get help.

Anyway, for this kind of issue you can debug with 3 methods:

  1. Using file:///home in the browser and seeing what it looks like.

  2. If you are using vimperator/X you can spawn a terminal inside the firejailed firefox with:
    :!your-terminal-name

  3. I think you can also join a terminal inside a firejail process with --join. :)

See if your files are there (obviously they aren't), see what it really looks like and find out why. I will test with different scenarios from the more basic to the more restricted, kind of a git bisect. ;)

Cheers


@chiraag-nataraj commented on GitHub (Sep 30, 2018):

@rieje Is this still an issue?


@rieje commented on GitHub (Oct 2, 2018):

Unfortunately yes. I am using the latest version of firejail and removed any custom profile settings. [Here's](https://ptpb.pw/AA2A5It1oEw_UHl_UC52W3NsAmsl.profile) the contents of `/etc/firejail/firefox.profile`, the only file I've touched. The only custom settings are:

noblacklist ~/.config/mpv
whitelist ~/.config/mpv
read-only ~/.config/mpv

I use firejail like so: `firejail --seccomp --private=<path> /usr/bin/firefox -no-remote`. Can anyone reproduce?


@rusty-snake commented on GitHub (Jun 26, 2019):

@rieje can you do what @liloman says to check if the files are there?


@rieje commented on GitHub (Jun 26, 2019):

@rusty-snake They are not there. On Arch Linux, firejail version 0.9.60. My [firefox.profile](https://pastebin.com/GyAA59vK).


@rusty-snake commented on GitHub (Jun 27, 2019):

@rahiel confirming that `--private` + `--whitelist` didn't work (as it should), but why do you use `--private`?

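The thread surfaces two separate reasons the mpv config is missing inside the sandbox: every `whitelist` line is ignored once `--private` is used (the warning rieje quotes), and the files under `~/.config/mpv` are symlinks into `~/.dotfiles`, a path the profile never whitelists, so inside the sandbox's tmpfs home those links have no target. The script below is an added example, not firejail's own code: it rebuilds rieje's layout in a temporary directory (constructed data) and statically checks a profile for both problems; it assumes whitelisted paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not firejail code): static checks for a firejail profile.
# Builds a constructed copy of rieje's ~/.config/mpv layout in a temp dir.
set -e

demo_home=$(mktemp -d)
mkdir -p "$demo_home/.config/mpv/watch_later" "$demo_home/.dotfiles/arch/.config/mpv"
echo 'hwdec=auto' > "$demo_home/.dotfiles/arch/.config/mpv/mpv.conf"
ln -s ../../.dotfiles/arch/.config/mpv/mpv.conf "$demo_home/.config/mpv/mpv.conf"

# The three profile lines from the thread (constructed file)
profile="$demo_home/firefox.profile"
printf '%s\n' 'noblacklist ~/.config/mpv' 'whitelist ~/.config/mpv' \
              'read-only ~/.config/mpv' > "$profile"

# Same profile plus a whitelist for the symlink targets (the fix)
fixed="$demo_home/firefox.fixed.profile"
cp "$profile" "$fixed"
echo 'whitelist ~/.dotfiles/arch/.config/mpv' >> "$fixed"

# Every "whitelist" line is dropped under --private; firejail prints
# 'Warning: "whitelist ..." disabled by --private' for each. Count them.
count_whitelists_disabled_by_private() {
  grep -cE '^[[:space:]]*whitelist[[:space:]]' "$1" || true
}

# Expand "~" in each whitelist line to the home dir $1; one path per line.
whitelisted_dirs() {
  grep -E '^[[:space:]]*whitelist[[:space:]]' "$2" | while read -r _ p; do
    printf '%s\n' "$1${p#\~}"
  done
}

# Symlinks below a whitelisted dir whose target lies outside every whitelisted
# path: the rest of ~ is an empty tmpfs in the sandbox, so they dangle.
symlinks_escaping_whitelist() {
  allowed=$(whitelisted_dirs "$1" "$2")
  for dir in $allowed; do
    [ -d "$dir" ] || continue
    find "$dir" -type l | while read -r link; do
      target=$(readlink -f "$link") || continue
      inside=no
      for a in $allowed; do
        case "$target" in "$a"|"$a"/*) inside=yes ;; esac
      done
      [ "$inside" = yes ] || printf '%s -> %s\n' "$link" "$target"
    done
  done
}

count_whitelists_disabled_by_private "$profile"     # 1 line lost to --private
symlinks_escaping_whitelist "$demo_home" "$profile"  # reports mpv.conf
symlinks_escaping_whitelist "$demo_home" "$fixed"    # nothing: targets covered
```

Running it against a real profile only needs `$HOME` and the profile path in place of the constructed ones; note that whitelisting the target directory does not help while `--private` remains on the command line.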

@rusty-snake commented on GitHub (Jun 7, 2020):

I'm closing here due to inactivity, please feel free to reopen if you still have this issue.
