
I have defined the following:

whitelist /home/user/.mozilla/firefox/
noblacklist /home/user/.mozilla/firefox/
blacklist /home

However, I get: ls: cannot access '/home/user/.mozilla/firefox': Permission denied

If I try

blacklist /home
whitelist /home/user/.mozilla/firefox/

I get the same message: permission denied.

A similar issue occurs with the /etc folder. The entire /etc folder is accessible under the jail. And yes, I am aware of the '--private-etc' option, but this is not what I am testing right now ...

If I try to whitelist just one folder, I get:

Error: invalid whitelist path /etc/subfolder
Error: cannot establish communication with the parent, exiting...

I can successfully blacklist, for example, /etc/subfolder. If I try ls -lA /etc/subfolder, I get:

ls: cannot open directory '/etc/bind': Permission denied

However, when I try "ls -lA /etc/", /etc/bind is still listed in the output. Also, I don't seem to be able to blacklist the entire /etc folder and then whitelist some subfolders within /etc.

With firejail, how can I restrict access to a folder but allow access to selected subfolders, i.e.:

  • restrict access to /home except the ~/.mozilla/firefox subfolder?
  • restrict access to /etc except the /etc/abc subfolder?

By "restrict access", I mean all non-whitelisted folders and files being made "invisible" within the jail.

balia

1 Answer

It is not a permission problem. It seems that firejail handles blacklists automatically as soon as a single whitelist statement is issued.

For example: if I don't issue any blacklist/whitelist, then the whole /home/user folder is accessible in the jail. If I whitelist /home/user/subfolder, then all subfolders in /home/user except ~/.bashrc, ~/.config, ~/subfolder and .Xauthority are automatically blacklisted. This behavior was certainly not obvious from the man page.

In addition: if I whitelist /home/abc, then /home/abc is still not accessible in the jail. Only if I bind-mount /home/abc within /home/user does it become accessible under the jail. So any /home folder outside /home/user seems inaccessible even when whitelisted. Again, it is not very clear why firejail doesn't allow overriding the default blacklists.

balia
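An added example profile (constructed for this page, not part of the question, the answer, or firejail's stock profiles) that puts the two findings together: one whitelist line under the user's home is enough to hide the rest of /home/user, and /etc is trimmed with private-etc instead of blacklist/whitelist pairs, since whitelist rejects /etc paths on the version used above. /etc/abc and the Firefox profile path are the question's own placeholders; the file location is an assumption.

```text
# Assumed location: ~/.config/firejail/firefox-restricted.profile
# Run with: firejail --profile=~/.config/firejail/firefox-restricted.profile firefox

# Home: a single whitelist is sufficient. Everything else under ${HOME}
# (apart from the few defaults noted in the answer) becomes unavailable,
# so no "blacklist /home" line is needed. Paths outside ${HOME} such as
# /home/abc cannot be whitelisted this way.
whitelist ${HOME}/.mozilla/firefox

# /etc: "whitelist /etc/subfolder" is rejected as an invalid path, so build
# a private /etc that contains only the named entries. "abc" is the
# question's placeholder; add the files the program actually needs.
private-etc abc
```

Inside the jail, ls -lA /etc should then list only the entries named in private-etc, and ls -lA ~ only the whitelisted path plus firejail's defaults.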