whitelist ${HOME}/Documents is not working #6011

Closed
rdbeni0 opened this issue Sep 16, 2023 · 4 comments
Labels
question The issue is about requesting information (see also Discussions)

Comments

@rdbeni0

rdbeni0 commented Sep 16, 2023

Hi,
I am trying to access the file:

file:///home/rdbeni0/Documents/html/index.html

and I put in my ~/.config/firejail/brave.local:

whitelist ${HOME}/Documents/html
whitelist ${DOCUMENTS}/html
whitelist ${DOCUMENTS}

and nothing is working: “Your file couldn’t be accessed” via Brave.

This is the full command:

$ firejail brave
Reading profile /etc/firejail/brave.profile
Reading profile /home/rdbeni0/.config/firejail/brave.local
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 21783, child pid 21784
(...)

Please also note that when I have:

whitelist ${DOCUMENTS}/html
(or a similar path with ${DOCUMENTS}/something/something)

then the output is:

Reading profile /etc/firejail/brave.profile
Reading profile /home/rdbeni0/.config/firejail/brave.local
Error: "${DOCUMENTS}/html" is an invalid filename: rejected character: "{"

In that case, how can I add a whitelist for file:///home/rdbeni0/Documents/html/index.html?

OS: latest Arch Linux with KDE and wayland

@rusty-snake
Collaborator

> Error: "${DOCUMENTS}/html" is an invalid filename: rejected character: "{"

#2359

> how can I add whitelist for file:///home/rdbeni0/Documents/html/index.html?

  1. Check --debug output.
  2. Check firejail --profile=brave ls ~/Documents. What does it say, ENOENT or EACCES?

==> You have to noblacklist ${DOCUMENTS}

@rusty-snake rusty-snake added the question The issue is about requesting information (see also Discussions) label Sep 16, 2023
@rdbeni0
Author

rdbeni0 commented Sep 16, 2023

> > Error: "${DOCUMENTS}/html" is an invalid filename: rejected character: "{"
>
> #2359
>
> > how can I add whitelist for file:///home/rdbeni0/Documents/html/index.html?
>
>   1. Check --debug output.
>   2. Check firejail --profile=brave ls ~/Documents. What does it say, ENOENT or EACCES?
>
> ==> You have to noblacklist ${DOCUMENTS}

I added to the ~/.config/firejail/brave.local:

noblacklist ${DOCUMENTS}

and

rdbeni0 $ firejail --profile=brave ls ~/Documents
Reading profile /etc/firejail/brave.profile
Reading profile /home/rdbeni0/.config/firejail/brave.local
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 23966, child pid 23967
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 133.78 ms
ls: cannot access '/home/rdbeni0/Documents': No such file or directory

Via the browser it is the same: access denied.
So this is not working.
And of course the path is correct and ~/Documents exists as usual, but Brave does not have access to it with firejail.

Please also note that I am using AppArmor (integration with AppArmor is enabled).

@rusty-snake
Collaborator

Then check --debug output or post it (using details-summary).

@rdbeni0
Author

rdbeni0 commented Sep 16, 2023

Well, the output is too big. Thanks for your help.

I made a workaround with a combination of hard/soft links, something like that:

ln -f ~/Documents/html/* ~/.local/share/html/

and I added the rule whitelist ${HOME}/.local/share/html,
and it started working.

Something, somewhere is broken with ~/Documents/ and we cannot easily whitelist it (or noblacklist it), but I don't have time to check it deeply.
Let me close this topic.

If someone is interested in how to reproduce it:

mkdir -p ~/Documents/html
echo 'test' > ~/Documents/html/index.html

then enable AppArmor integration with firejail as described here:
https://wiki.archlinux.org/title/firejail#Enable_AppArmor_support

reboot

and then try to find the correct rule to add your ~/Documents/html to your ~/.config/firejail/brave.local.
In my case it didn't work; I checked all of the below:

whitelist ${HOME}/Documents/html
whitelist ${DOCUMENTS}/html
whitelist ${DOCUMENTS}
noblacklist ${DOCUMENTS}

@rdbeni0 rdbeni0 closed this as completed Sep 16, 2023
@kmk3 kmk3 closed this as not planned Won't fix, can't repro, duplicate, stale Sep 17, 2023
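The following script is an added example for this thread; it is not code from the firejail project or from either participant. It reproduces the setup from the last comment (the ~/Documents/html/index.html test file) and runs the two checks rusty-snake asked for: it lints the .local rules for the shape firejail rejected ("${DOCUMENTS}/html", rejected character "{"), and it classifies what `ls` says inside the sandbox as ENOENT (the path was never mounted into the sandbox) or EACCES (mounted, but access denied), then greps only the --debug lines that mention the target instead of the whole output. It goes slightly beyond the thread by treating every XDG macro followed by a sub-path the same way as ${DOCUMENTS}/...; that generalization, the whitelisting of ${HOME}/... and ${RUNUSER}/... as the only macros allowed inside a longer path, the variable FIREJAIL_PROFILE, the function names, and the constructed SAMPLE_RULES text are this example's assumptions. The firejail flags --quiet, --debug and --profile= are real. The thread does not establish why the path is missing even after noblacklist, and this script does not claim to; it only makes the diagnosis repeatable.

```shell
#!/bin/sh
# Added example for issue #6011 (not firejail's code, not the reporter's).
# Reproduce the ~/Documents/html test file, lint the brave.local rules, and
# classify `ls` inside the sandbox as ENOENT / EACCES, as asked in the thread.
set -u

PROFILE="${FIREJAIL_PROFILE:-brave}"            # assumption: profile name
LOCAL_FILE="${HOME}/.config/firejail/${PROFILE}.local"
TARGET="${HOME}/Documents/html"

# Constructed sample: the four rules the reporter tried, one per line.
SAMPLE_RULES='whitelist ${HOME}/Documents/html
whitelist ${DOCUMENTS}/html
whitelist ${DOCUMENTS}
noblacklist ${DOCUMENTS}'

# Reduce the stderr of `ls` to ENOENT / EACCES / OK / OTHER so the result can
# be compared mechanically. Pure string handling; needs no firejail.
classify_ls_error() {
    case "$1" in
        "")                              echo OK ;;
        *"No such file or directory"*)   echo ENOENT ;;
        *"Permission denied"*)           echo EACCES ;;
        *)                               echo OTHER ;;
    esac
}

# Flag the rule shape firejail rejected in the thread: an XDG macro such as
# ${DOCUMENTS} followed by a sub-path. ${HOME}/... parses (the thread shows
# it) and ${RUNUSER}/... appears in firejail's own profiles; rejecting every
# other ${MACRO}/... is this example's assumption. Returns 0 if acceptable,
# 1 if rejected (with a one-line reason on stdout).
lint_rule() {
    rule="$1"
    arg="${rule#* }"                      # drop the command word (whitelist, noblacklist, ...)
    case "$arg" in
        '${HOME}'*|'${RUNUSER}'*) return 0 ;;
        '${'*'}'/*)
            echo "rejected: '$rule' (an XDG macro cannot carry a sub-path; write \${HOME}/Documents/... instead)"
            return 1 ;;
    esac
    return 0
}

# Lint a multi-line rule set. Reasons go to stderr; the count of rejected
# lines is printed on stdout so callers can test it.
lint_rules() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        lint_rule "$line" >&2 || bad=$((bad + 1))
    done <<EOF
$1
EOF
    echo "$bad"
}

# Run `ls PATH` inside the sandbox and classify the failure (the check from
# rusty-snake's reply). Returns 2 if firejail is not installed.
probe_in_sandbox() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not installed" >&2
        return 2
    fi
    err=$(firejail --quiet --profile="$PROFILE" ls "$1" 2>&1 >/dev/null) || true
    classify_ls_error "$err"
}

# Print only the --debug lines that mention PATH, instead of the whole output.
debug_lines_for() {
    firejail --debug --profile="$PROFILE" ls "$1" 2>&1 | grep -F -- "$1"
}

main() {
    mkdir -p "$TARGET" && echo test > "$TARGET/index.html"   # repro step from the thread
    echo "== lint of the rules tried in the thread: $(lint_rules "$SAMPLE_RULES") rejected"
    if [ -f "$LOCAL_FILE" ]; then
        echo "== lint of $LOCAL_FILE: $(lint_rules "$(cat "$LOCAL_FILE")") rejected"
    fi
    echo "== ls $TARGET inside the $PROFILE sandbox: $(probe_in_sandbox "$TARGET")"
    echo "== --debug lines mentioning $TARGET"
    debug_lines_for "$TARGET"
}

# Run the whole check only when invoked as: sh check-firejail-docs.sh run
case "${1:-}" in run) main ;; esac
```

Running it with `run` on the reporter's setup should print ENOENT for the sandbox probe, matching the `ls: cannot access '/home/rdbeni0/Documents': No such file or directory` line in the thread; a result of EACCES would instead point at a blacklist or AppArmor denial on a path that was mounted. The lint reports exactly one rejected line out of the four rules, the `${DOCUMENTS}/html` one, and the remaining three rules are the ones worth keeping in brave.local while bisecting.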