Firejail: How to blacklist specific drive or partition

Created on 24 Feb 2020  Â·  11Comments  Â·  Source: netblue30/firejail

I'm trying to blacklist certain partition but unable to do so. I tried to blacklist /run/media/user/partition's name , but that didn't pay off. As of now, I don't know what do. disable-mnt won't help me as I need access to other drives. Any help would be appreciated.

Spec: Manjaro (KDE), Kernel: 5.5.x, Firejail ver: 0.9.62

picture Neo00001

Most helpful comment

IDK what your targeted workflow is but this works:

mkdir /media/foo # create mountpoint
firejail --whitelist=/media/foo --blacklist=/run/media --blacklist=/mnt … app
# mount anything to /media/bar, app can't see it
# mount anything to /media/foo, app can see it
picture rusty-snake on 29 Feb 2020
👍21

All 11 comments

where are your mounted files actually at?

in /mnt
or /media
?

arrowgent picture arrowgent on 25 Feb 2020

where are your mounted files actually at?

in /mnt
or /media
?

/media

Neo00001 picture Neo00001 on 26 Feb 2020

Do you try to blacklist inside a FUSE mount?

If yes, you somehow need to add allow_root to the FUSE mount options.

smitsohu picture smitsohu on 26 Feb 2020

Do you try to blacklist inside a FUSE mount?

If yes, you somehow need to add allow_root to the FUSE mount options.

not necessarily inside a FUSE mount. What I want is close to disable-mnt but for specific drives.

Neo00001 picture Neo00001 on 27 Feb 2020

I think the issue is that blacklist/whitelist has only an effect if the directory/file is already present when the sandbox is started.

rusty-snake picture rusty-snake on 28 Feb 2020
👍2

I think the issue is that blacklist/whitelist has only an effect if the directory/file is already present when the sandbox is started.

yes... is there any workaround?

Neo00001 picture Neo00001 on 29 Feb 2020

Firejail first configures the sandbox and then drops all privileges in order to start the application. At this point the sandbox is basically set in stone, at least for a regular user.

Talking about workarounds, one could in theory somehow detect the mount event and then join the sandbox as root user and modify the mount namespace of the sandbox manually, but this suffers from all kinds of race conditions. This means there would be always short time spans where the sandbox has full access to the paths that you want blacklisted.

So no, unfortunately there is no workaround.

smitsohu picture smitsohu on 29 Feb 2020

IDK what your targeted workflow is but this works:

mkdir /media/foo # create mountpoint
firejail --whitelist=/media/foo --blacklist=/run/media --blacklist=/mnt … app
# mount anything to /media/bar, app can't see it
# mount anything to /media/foo, app can see it
rusty-snake picture rusty-snake on 29 Feb 2020
👍21

@rusty-snake Right, thanks!

smitsohu picture smitsohu on 29 Feb 2020

IDK what your targeted workflow is but this works:

mkdir /media/foo # create mountpoint
firejail --whitelist=/media/foo --blacklist=/run/media --blacklist=/mnt … app
# mount anything to /media/bar, app can't see it
# mount anything to /media/foo, app can see it

thanks.
For some reason, it never occurs to me to mount it in different location.

Neo00001 picture Neo00001 on 29 Feb 2020

Closing here, as a viable workaround is available. Feel free to re-open at your discretion.

glitsj16 picture glitsj16 on 5 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

polyzen picture polyzen  Â·  4Comments
HulaHoopWhonix picture HulaHoopWhonix  Â·  4Comments
ericschdt picture ericschdt  Â·  3Comments
ghost picture ghost  Â·  3Comments
nuxwin picture nuxwin  Â·  3Comments