Blacklisting /media/ except for one folder

[ihasaquesion]

When I use a profile that has noblacklist /media/directory/path followed by a later blacklist /media/ I keep getting blacklist violations in the syslog: syscall opendir, path /media. These errors only appear when I include blacklist /media/.

How to blacklist all /media/ except for one directory?

And it also doesn't work when whitelisting the directory (next to the other whitelistings in the profile).

firejail version 0.9.62

[smitsohu]

It is easy, just do --noblacklist=/media/dir --blacklist=/media/*

[ihasaquesion]

Doesn't work.
I'd like to use a profile, not command-line parameters. The profile is:

...
noblacklist /media/veracrypt1/dir
...
blacklist /media/*
...

[smitsohu]

Ok, then it is

noblacklist /media/veracrypt
blacklist /media/*
noblacklist /media/veracrypt/dir
blacklist /media/veracrypt/*

Or just whitelist /media/veracrypt/dir.

If the latter does not work, please post the output of firejail --debug-whitelists --whitelist=/media/veracrypt/dir. Redact the name of the directory if you like.

[ihasaquesion]

Thanks, whitelisting beneath the profile's blacklistings worked. Previously it didn't - probably because I kept the blacklistings.

[ihasaquesion]

It worked for one profile but not the other. I also put whitelist to the bottom of the profile before caps.drop all. I tried removing the noblacklist for the same directory. It's the profile for #3579

[smitsohu]

Is there a disable-mnt line in that other profile?

[ihasaquesion]

No, it's mostly the default JDownloader profile. I added include chromium.profile.

[rusty-snake]

No, it's mostly the default JDownloader profile. I added include chromium.profile.

… which includes chromium-common.profile which sets disable-mnt 🙄 .

[ihasaquesion]

I suspected this line to be the culprit. How to enable-mnt without having to modify this profile?

[rusty-snake]

Add ignore disable-mnt before you include chromium.profile.

[ihasaquesion]

Thank you!!