How does firejail build its default blacklist?

When I start firejail, I see my complete home directory. When I start firejail --whitelist=~/something, I see only something in my home. Now I would like to restrict access to the system further. I can for example add --blacklist=/media and it works as expected.

But how does the default behaviour determine that /home/OTHERUSER and /home/* except the whitelisted files is hidden? I do not see a matching rule in /etc/firejail/*.

And are allowed subdirectories possible? For example --blacklist=/media --whitelist=/media/data does not work as expected, even though the manpage says that whitelist overrides other options like --read-only.

Are these rules hardcoded in the binary? If not, which rule does these things?

An example of what I would like to have. Basic rules:

  1. Home empty, except for the things listed in the profile
  2. Blacklist /media/data
  3. Allow symlink ~/apps -> /media/data/apps read-only.
  4. Allow /media/data/apps (if necessary) read-only.

1 and 2 are working, 3 is only working together with 4 (probably okay), but overriding read access for a subdirectory of a forbidden directory does not work.

It seems a bit counter-intuitive that it should work, but on the filesystem layer mkdir -p foo/bar; chmod 111 foo; ls foo/bar/ works (where 111 means that there is no read (dir-listing) permission on foo, only the executable bit for entering subdirectories), even when ls foo/ fails.

The extended scenario would disallow all but a whitelist (profile + /usr, /bin, /lib, etc.). Another thing which doesn't seem possible without root (and then the app itself runs as root) is to replace i.e. /etc/passwd with one which doesn't contain users, which should not be known in the jail. /etc contains quite a lot of readable data, which should be hidden from untrusted applications.

But possibly the extended scenario would really justify a full chroot + userspace-lxc container.

allo

Posted 2017-05-24T20:59:40.123

Reputation: 731
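The filesystem-layer behaviour the question contrasts firejail with (search permission without read permission on a parent directory) can be checked directly. The script below is an added illustration, not code from the question or from the firejail project; it builds a throwaway tree under a temporary directory (constructed here), sets the parent to mode 111, and reports whether listing the parent is denied while the child remains reachable by exact path. Note the caveat a practitioner cares about: root bypasses DAC mode bits entirely, so the "listing denied" check is only meaningful for an unprivileged user.

```shell
#!/bin/sh
# Added example (not firejail code): POSIX "search but not read" directory
# permissions, i.e. chmod 111 on a parent directory.

# Build a constructed tree: $top/foo/bar/secret.txt with foo set to mode 111.
# Prints the path of the temporary top directory.
setup_tree() {
  top=$(mktemp -d)
  mkdir -p "$top/foo/bar"
  printf 'hello\n' > "$top/foo/bar/secret.txt"
  chmod 111 "$top/foo"   # x only: traversal allowed, directory listing denied
  printf '%s\n' "$top"
}

# True (exit 0) if the caller is root; root ignores DAC mode bits.
is_root() {
  [ "$(id -u)" -eq 0 ]
}

# True if listing $1/foo is denied (expected for a non-root user).
listing_denied() {
  ! ls "$1/foo" >/dev/null 2>&1
}

# True if $1/foo/bar is still reachable by exact path: the directory can be
# listed and the file inside it can be read, because bar itself is readable
# and foo only needs to be searchable (x) to get there.
subdir_reachable() {
  ls "$1/foo/bar" >/dev/null 2>&1 && cat "$1/foo/bar/secret.txt" >/dev/null 2>&1
}

# Restore read permission on foo so rm can enumerate it, then remove the tree.
cleanup_tree() {
  chmod 755 "$1/foo"
  rm -rf "$1"
}

# Stand-alone run: print the outcome of both checks.
demo() {
  t=$(setup_tree)
  if is_root; then
    echo "running as root: DAC bits are bypassed, listing check skipped"
  elif listing_denied "$t"; then
    echo "ls foo: denied (mode 111)"
  else
    echo "ls foo: unexpectedly allowed"
  fi
  if subdir_reachable "$t"; then
    echo "ls foo/bar and cat foo/bar/secret.txt: allowed"
  else
    echo "foo/bar: unexpectedly unreachable"
  fi
  cleanup_tree "$t"
}

# Run the demo only when executed directly (not when sourced for testing).
[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || demo
```

This is exactly the distinction the question is asking firejail to reproduce: the parent is opaque, but a known path beneath it remains usable. Whether a sandboxing tool can express that depends on how it implements blacklisting, which is what the question leaves open.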

Firejail hard-codes a lot of rules in the binary, that's true. It distinguishes /home/user, /tmp, /tmp/.X11-unix, /dev and lots of other special dirs. About whitelist -- it only overrides read-only, not blacklist. – VasyaNovikov – 2017-05-27T19:06:30.803

I saw there is an additional noblacklist option, but it seems not to work for all the things you may want to do. I added a full scenario to the question. – allo – 2017-05-27T23:58:40.927

No answers