Currently, if you open Telegram and click on the attachment (paper clip) icon to send a file, I can see all files and dirs under $HOME. Why isn't there only one folder like ${DOWNLOADS} shown and the rest blacklisted?
I'm not 100% sure that Telegram is jailed properly.
firejail version 0.9.62
Does telegram process show up on "firejail --list" command?
Yes
Is it supposed to blacklist all folders? Because I don't see "whitelist" anywhere in telegram.profile.
There's a lot of options which can be added to telegram.profile.
disable-*.inc includes (especially include disable-xdg.inc)
include whitelist-*.inc
Flatpak permissions:
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=xdg-download;xdg-config/kdeglobals:ro;
[Session Bus Policy]
org.freedesktop.Notifications=talk
com.canonical.indicator.application=talk
org.freedesktop.portal.Fcitx=talk
org.gnome.Mutter.IdleMonitor=talk
org.kde.StatusNotifierWatcher=talk
org.freedesktop.ScreenSaver=talk
org.ayatana.indicator.application=talk
com.canonical.AppMenu.Registrar=talk
com.canonical.Unity=talk
First draft (the dbus policy can be hardened further later):
include disable-passwdmgr.inc
include disable-shell.inc
include disable-xdg.inc
mkdir ${HOME}/<telegram>
whitelist ${HOME}/<telegram>
whitelist ${DOWNLOADS}
whitelist /usr/share/<telegram>
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
dbus-user filter
dbus-user.own org.telegram.desktop
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk com.canonical.indicator.application
dbus-user.talk org.gnome.Mutter.IdleMonitor
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.freedesktop.ScreenSaver
dbus-user.talk org.ayatana.indicator.application
dbus-user.talk com.canonical.Unity
dbus-system none
I think there is a misunderstanding here. You should have a closer look at the profile of telegram, and especially at the entries "disable-common.inc" and "disable-programs.inc". Their contents quickly show how intensively and extensively the data under /home is protected or restricted. Just because any files or directories are visible, it does not mean that their content is visible or can be modified. Much of the especially sensitive data is invisible anyway on principle, but for correct functionality of telegram certain areas must be visible. Therefore it is not practicable to make everything outside of /home/user/Downloads simply inaccessible.
By my testing, the following whitelist works:
whitelist ${HOME}/.local/share/TelegramDesktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.themes
whitelist ${HOME}/.gtkrc-2.0
It only allows access to Downloads and its own data files. @svc88, feel free to play around with that whitelist and let me know if that works well for you.
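An added example, not from this thread or from firejail itself: a small Python resolver that follows a profile's include chain (the replies above point at disable-common.inc and the whitelist lines, which is where the real restrictions live) and reports which paths end up whitelisted, blacklisted or read-only. The variable values, the lookup callable and the profile fragments below are constructed assumptions, not the real firejail files.

```python
import re

# Filesystem directives firejail profiles use; the ones this thread discusses.
FS_CMDS = ("whitelist", "blacklist", "noblacklist", "read-only", "mkdir", "mkfile")

def expand(path, variables):
    """Expand ${HOME}-style variables; unknown names are left untouched."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), path)

def resolve(name, read_file, variables, seen=None):
    """Yield (fragment, command, expanded_path) for every filesystem directive,
    following 'include' lines recursively and visiting each fragment once."""
    seen = set() if seen is None else seen
    if name in seen:
        return
    seen.add(name)
    for raw in (read_file(name) or "").splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # strip comments, split cmd/arg
        if not parts:
            continue
        cmd, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if cmd == "include":
            yield from resolve(arg, read_file, variables, seen)
        elif cmd in FS_CMDS:
            yield name, cmd, expand(arg, variables)

def summarize(name, read_file, variables):
    """Distinct whitelisted, blacklisted and read-only paths after all includes."""
    rules = list(resolve(name, read_file, variables))
    pick = lambda c: sorted({p for _, cmd, p in rules if cmd == c})
    return {"whitelist": pick("whitelist"), "blacklist": pick("blacklist"),
            "read_only": pick("read-only")}

# Constructed sample fragments standing in for telegram.profile and the real *.inc files.
# read_file is a lookup callable, so on a real system it can be pointed at /etc/firejail.
SAMPLE_FILES = {
    "telegram.profile": ("include disable-common.inc\nwhitelist ${HOME}/.local/share/TelegramDesktop\n"
                         "whitelist ${DOWNLOADS}\ninclude whitelist-common.inc\ndbus-user filter\n"),
    "disable-common.inc": ("blacklist ${HOME}/.ssh\nblacklist ${HOME}/.gnupg\nread-only ${HOME}/.bashrc\n"
                           "include disable-common.inc  # a self-include must not loop forever\n"),
    "whitelist-common.inc": "whitelist ${HOME}/.themes\nwhitelist ${HOME}/.gtkrc-2.0\n",
}
SAMPLE_VARS = {"HOME": "/home/user", "DOWNLOADS": "/home/user/Downloads"}  # assumed values

if __name__ == "__main__":
    for kind, paths in summarize("telegram.profile", SAMPLE_FILES.get, SAMPLE_VARS).items():
        print(kind, paths)
```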
I'm not 100% sure that Telegram is jailed properly.
I mean, it's a question of trade-offs. A lot of the profiles provided with firejail err on the side of usability. My profiles (https://github.com/chiraag-nataraj/firejail-profiles), on the other hand, err on the side of security/privacy. You can also, of course, create your own profiles (as I do) to tailor them to your use-cases.
I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.