Firejail: Can't combine --private with --whitelist

I started adding support for it. So far I have: private-dev, private-tmp and whitelist support for --overlay and --chroot sandboxes. You can try it out.

Support for --private=dir and --private-home is coming soon.

whitelist support for --overlay and --chroot sandboxes. You can try it out.

Do I need the latest master because it doesn't seem to work.

Yes, it is only in master. Also, there are some more general fixes related to overlay there. It will go into the next release.

What's the status for whitelist support for --private now?

Also hoping for this feature!
I use firejail as a Firefox profile template engine. For each of my customers the customer-template jail from a fully configured Firefox is copied to "customer-n", which then should be used for customer stuff (--private=customer-n). However I'd like to access e.g. downloads with other applications and this leads to problems as I cannot whitelist paths outside of the jail. Also copying from within the jailed Firefox is not possible as long as I can't whitelist my home/x/Desktop path.

Perhaps it's not complete solution for you but it's possible to transfer files from/to --private sandbox with --get/--put options. See FILE TRANSFER section in manpage.

Thank you for your suggestion, I read through it!

I know that's not really the point of a private "jail", but I'd like to be able to download something in the jailed Firefox and then move it to a folder that's shared with the jail via drag and drop. This is the most comforty option. Put and get are demanding to much effort as I could also then just open Nemo and dragNdrop the files or folders from the jail home/downloads folder.

@H8to I actually have a similar system for so-called "ephemeral profiles". The script is in my Firejail Profiles repo and is called firefox.common. If you don't want firefox to be able to access other profiles, you can just use a --whitelist command to whitelist only that specific profile instead of whitelisting ~/.mozilla/firefox [edit: the script does this by default now!]. You could probably adapt a simpler version of the script for your use.

Also making --whitelist compatible with --private is not that easy. Currently --private can be used on top of any existent profile and it always give you separated and temporary $HOME regardless of what rules specific profile contains. If we make it compatible then suddenly all --whitelist rules existent in profile will take effect which make --private not effective. Perhaps separated option like --private-whitelist may be used if anything to no break existing usage.

To add to that, more fundamentally, a "private" jail is not _meant_ to share data with other jails or the host. That's the whole point of a private jail. It's basically meant to act as a chroot for your home directory (which can be set-up by a regular user). If you want to share data, you're probably better off figuring out a solution with whitelist and scripts (such as the firefox.common script I alluded to in my previous reply).

Yeah, I fully agree. Should we close this as wontfix? :smile:

@Vincent43 Let's close it for now. If it seems like there is a legimate reason to reconsider it, we'll re-open it.

I'm not sure I understand the reasoning for the wontfix here.

In my case, I'm using a firejailed Firefox browser profile for my work. Using --private=~/work is super useful, as it allows me to have a persistent Firefox browser profile setup, while isolating the browser from everything outside the work directory. However, I have a large number of media files in a directory on a separate HDD that I'd like to be able to regularly access from this Firefox profile. Being able to simply whitelist the desired media directory so I could access it would be enormously useful.

Please consider somehow adding this functionality.

To follow up on my last post; it turns out it actually is possible to do this by whitelisting the media directory in a custom firejail profile. But whitelisting the same directory with --whitelist does not work.

So including whitelist /media/<username>/work_media in a custom firejail profile works, even when launching with --private=~/work
But launching with --whitelist=/media/<username>/work_media does not.

Is there a reason for this inconsistency, or is this a bug?

@modelfe --private "breaks" whitelisting only in $HOME.

Is there a reason for this inconsistency, or is this a bug?

If you for example run firejail --whitelist=/media/<username>/work_media firefox, firejail will load the firejail profile which contains disable-mnt. disable-mnt blacklists /mnt, /media, ... .You can try adding --noprofile or --ignore=disable-mnt.