Cannot whitelist directory in user home with --private

[pjhfggij]

I'm trying to run firefox (librewolf) without access to user home directory except for one folder that will be used to share specific files. I though that this command will do that, but it doesn't work firejail --private --whitelist=/home/user/share firefox folder is still inaccessible. I've tried adding --noblacklist to the command as well, but still to no avail.

Does anyone know if --private allows whitelisting any folders in home directory?

Relates to:

• Can't combine --private with --whitelist #1743

[rusty-snake]

Does anyone know if --private allows whitelisting any folders in home directory?

No. It's a i intentional decision that was discussed before.

[rusty-snake]

You can use whitelisting instead of private. Create a profile/local-override for librewolf so that the only whitelist ${HOME}/... is for ${HOME}/share.

[pjhfggij]

sorry @rusty-snake but doesn't --private provide other protections besides whitelisting directories? It is correct that profile/local-overrides will be overriden by --private options, that is --private will always take precedence over any --whitelist?

Perhaps I just don't understand what --private is doing? Is there an equivalent command to --private by using combinations of whitelist, blacklist and tmpfs?

I've just hit a roadblock today unable to download files that were stuck from firejail firefox instance. Had to resort to socat to slowly one by one push them through to the host. Understanding of this limitation would help me a lot.

Perhaps you one could use xdg desktop portals instead?

[pjhfggij]

After looking through the code in sandbox.c fs_private() appears to only mount tmpfs over user home directory.

however when I try to run firefox this way it doesn't start: firejail --tmpfs=/home/user firefox

Firefox is already running, but is not responding. To use Firefox, you must first close the existing Firefox process, restart your device, or use a different profile.

I'm just trying to replicate firejail --private firefox, so --whitelist option could be enabled.

Could you point me by any chance to the discussion where --private --whitelist was discussed? I would like to at least understand why this idea was rejected.

[rusty-snake]

doesn't --private provide other protections besides whitelisting directories?

No

It is correct that profile/local-overrides will be overriden by --private options, that is --private will always take precedence over any --whitelist?

private takes precedence over whitelist ${HOME}/.... Others like whitelist /usr/share/... are not affected.

Perhaps I just don't understand what --private is doing? Is there an equivalent command to --private by using combinations of whitelist, blacklist and tmpfs?

It just whitelist's an empty list. So if the only whitelist command you have is whitelist ${HOME}/does_not_exist, the more or less do exactly the same.

I've just hit a roadblock today unable to download files that were stuck from firejail firefox instance. Had to resort to socat to slowly one by one push them through to the host. Understanding of this limitation would help me a lot.

See file transfer (#6516 and all the other discussions around file-transfer).

Perhaps you one could use xdg desktop portals instead?

• The sandboxed program must use them.
• x-d-p need firejail support, or better just some generic sandbox interface that can be attached to without adding code to x-d-p. x-d-p has code specific to flatpak and snap.

--tmpfs=

IDK how it behaves, it is an uncommon low-level thing.

Could you point me by any chance to the discussion where --private --whitelist was discussed? I would like to at least understand why this idea was rejected.

Search for it. But the TL;DR is that --private always meant private (i.e. firejail /usr/bin/firefox does whitelisting and adding --private gives you an empty home). So changing this would break a lot of user setups.

The general idea of a --private-with-whitelisting is useless because whitelist already hides everything else. The only feature that makes sense would be --private-with-whitelisting=SOME_PATH which is likely to get included if somebody implements it.

[hvhaugwitz]

Could you point me by any chance to the discussion where --private --whitelist was discussed? I would like to at least understand why this idea was rejected.

see #1743

[pjhfggij]

thanks @hvhaugwitz , I can see use for --private-with-whitelisting=SOME_PATH

[pjhfggij]

doesn't --private provide other protections besides whitelisting directories?

No

oh thanks, that's a relief then

x-d-p need firejail support, or better just some generic sandbox interface that can be attached to without adding code to x-d-p. x-d-p has code specific to flatpak and snap.

I see, that makes sense. Fingers crossed support for x-d-p will come to firejail as well.

The general idea of a --private-with-whitelisting is useless because whitelist already hides everything else. The only feature that makes sense would be --private-with-whitelisting=SOME_PATH which is likely to get included if somebody implements it.

cool, I agree --private-with-whitelisting=SOME_PATH is what I've been looking for, shame it's not been implemented yet, fingers crossed it will get some attention soon

[pjhfggij]

I've ended up biting the bullet and disabling options in librewolf (version of firefox I'm using) one by one by trial and error - ended up with this command to launch it:

firejail --nowhitelist=$HOME/.librewolf librewolf & disown; exit

and this in $HOME/.config/firejail/librewolf.profile

nowhitelist ${HOME}/.kde/share/config/kdeglobals
tmpfs ${HOME}/.kde
tmpfs ${HOME}/.cache
nowhitelist ${HOME}/.themes
tmpfs ${HOME}/.themes
nowhitelist ${HOME}/.pki
nowhitelist ${HOME}/.fonts.conf
nowhitelist ${HOME}/.fonts
nowhitelist ${HOME}/.gnome2
nowhitelist ${HOME}/.gtkrc-2.0
tmpfs ${HOME}/.config
tmpfs ${HOME}/.local
blacklist ${HOME}/.Xauthority

I still don't know if there is anything else that I missed that --private was providing