Firejail: Question: Firefox - How do i allow an external storage path?

Created on 9 Aug 2020  路  12Comments  路  Source: netblue30/firejail

Using the default profile for Firefox in 0.9.62

I would like to allow Firefox access to a specific path under /media/drive/bla/bla/bla
What do i need to put under firefox.local ?

I tried noblacklist and whitelist but it doesnt work for /media/xxx

picture svc88

Most helpful comment

ignore disable-mnt

Edit: smitsohu was 1 second faster :rofl:

smitsohu: 2020-08-09T19:57:32Z
rusty-snake: 2020-08-09T19:57:33Z

picture rusty-snake on 9 Aug 2020
😄3

All 12 comments

Try --noblacklist=/media or --ignore=disable-mnt

smitsohu picture smitsohu on 9 Aug 2020

ignore disable-mnt

Edit: smitsohu was 1 second faster :rofl:

smitsohu: 2020-08-09T19:57:32Z
rusty-snake: 2020-08-09T19:57:33Z

rusty-snake picture rusty-snake on 9 Aug 2020
😄3

Thanks guys.

Try --noblacklist=/media or --ignore=disable-mnt

If i try either only --noblacklist=/media OR only --ignore=disable-mnt - this allows it but at the same time, it allows ALL drives to be accessed and obviously i dont want to allow other drives to be compromised/visible, however if i try only a complete specific path such as /media/dir1/dir2/dir3/dir4 it doesnt allow it as i originally mentioned.

So what i did was (as @rusty-snake also mentioned):

ignore disable-mnt
noblacklist /media/dir1/dir2/dir3/dir4
whitelist /media/dir1/dir2/dir3/dir4

This allowed Firefox the specific device's dir path but at the same time disallows all other drives mounted which is great, so is this the correct way to go about this?

svc88 picture svc88 on 9 Aug 2020

Is there no other way besides ignore disable-mnt ?

svc88 picture svc88 on 9 Aug 2020

3245

rusty-snake picture rusty-snake on 9 Aug 2020

@rusty-snake your comment here, i tried it, but firstly i get the error Error: only directories in user home or /tmp are supported by mkdir

svc88 picture svc88 on 10 Aug 2020

It seems i cant get this to work. I dont want to blacklist specific drives. i actually want to blacklist or disable-mnt on all drives but one.
Is there another way to do this?

svc88 picture svc88 on 10 Aug 2020

Basically since the below works and disallows the rest of the drives but with disable-mnt ignored, my question is, is this ok or is there a way the app could still get into the rest of the drives somehow?

ignore disable-mnt
noblacklist /media/dir1/dir2/dir3/dir4
whitelist /media/dir1/dir2/dir3/dir4
svc88 picture svc88 on 10 Aug 2020

is there a way the app could still get into the rest of the drives somehow

noblacklist /media/dir1/dir2/dir3/dir4 this line is redundant, since there is no such backlist.
whitelist /media/dir1/dir2/dir3/dir4 this makes /media containing only dir1 or if dir1 is not present when the sandbox is started /media empty. However using gio/gvfs/kio over D-Bus may allow the app to see more drivers (but I don't believe that D-Bus is used to access files, this is very likely still done with open).

rusty-snake picture rusty-snake on 10 Aug 2020

@rusty-snake thanks, noted.
Can you please explain what you mean its likely done with open ?

svc88 picture svc88 on 17 Aug 2020

https://www.man7.org/linux/man-pages/man2/open.2.html

rusty-snake picture rusty-snake on 25 Aug 2020

I'm closing here due to inactivity, please fell free to request to reopen if you still have this issue.

rusty-snake picture rusty-snake on 1 Oct 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

HulaHoopWhonix picture HulaHoopWhonix  路  4Comments
Fincer picture Fincer  路  4Comments
Vincent43 picture Vincent43  路  3Comments
yourcelf picture yourcelf  路  4Comments
ghost picture ghost  路  3Comments