How to configure exceptions for blacklists in firejail

[zhangvv123]

There are many folders user1, user2, user3... in my directory /data/debug/sandbox/.

Users can enter any python script in the front end. I hope that the user's script can only access files in his own user directory, and not allow access to other directories.

I see that the official document does not support blacklist+noblacklist. Firejail Profiles

noblacklist ~/Documents/presentations blacklist ~/Documents: does not work

How can I use firejail to implement my feature?

Ubuntu 20.04.5 LTS, The back end Service uses the same linux user to execute scripts. If the user executes /data/debug/sandbox/user1/a.py, I hope that a.py can only read and write /data/debug/sandbox/user1 and /data/debug/sandbox/script, and other folders are not accessible

I have use blacklist+noblacklist, but not work

• /data/debug/sandbox/wei/wei.profile

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc

blacklist /data/debug/sandbox

noblacklist /data/debug/sandbox/wei
noblacklist /data/debug/sandbox/script

• /data/debug/sandbox/wei/start.sh

#!/bin/bash

export USER_NAME=wei
python3 py01.py

• start execute program

cd /data/debug/sandbox/wei
firejail --profile=wei.profile /bin/bash start.sh

• and error

Reading profile sh01.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 3889931, child pid 3889932
Child process initialized in 19.92 ms
/bin/bash: wei.sh: No such file or directory

Parent is shutting down, bye...

[rusty-snake]

noblacklist ~/Documents/presentations > blacklist ~/Documents: does not work

How can I use firejail to implement my feature?

Either use whitelist or

noblacklist ~/Documents/presentations
blacklist ~/Documents/*

Both do not fit 100%