private-bin, yet /bin is fully populated and executable?

[PhysicsIsAwesome]

Hey,

I have the following profile and run it with firejail --appimage --profile=joplin /opt/joplin/Joplin.AppImage it contains a private-bin statement, so only the ls binary (as an example) is intended to be visible. Yet when I join via firejail --join=id and run ls /bin, all the binaries of the host's /bin are still there and executable from within the sandbox. Is there anyone who can explain why this does not work?

joplin Profile:

# Save this file as "application.profile" (change "application" with the
# program name) in ~/.config/firejail directory. Firejail will find it
# automatically every time you sandbox your application.
#
# Run "firejail application" to test it. In the file there are
# some other commands you can try. Enable them by removing the "#".

# Firejail profile for /opt/joplin/Joplin.AppImage
# Persistent local customizations
#include /opt/joplin/Joplin.AppImage.local
# Persistent global definitions
#include globals.local

### Basic Blacklisting ###
### Enable as many of them as you can! A very important one is
### "disable-exec.inc". This will make among other things your home
### and /tmp directories non-executable.
include disable-common.inc      # dangerous directories like ~/.ssh and ~/.gnupg
include disable-devel.inc      # development tools such as gcc and gdb
ignore noexec /tmp
include disable-exec.inc       # non-executable directories such as /var, /tmp, and /home
include disable-interpreters.inc       # perl, python, lua etc.
include disable-programs.inc    # user configuration for programs such as firefox, vlc etc.
include disable-shell.inc      # sh, bash, zsh etc.
include disable-xdg.inc        # standard user directories: Documents, Pictures, Videos, Music

### Home Directory Whitelisting ###
### If something goes wrong, this section is the first one to comment out.
### Instead, you'll have to relay on the basic blacklisting above.
whitelist ${HOME}/JoplinBackup
whitelist ${HOME}/package.json
whitelist ${HOME}/.cache/radv_builtin_shaders
whitelist ${HOME}/.cache/mesa_shader_cache_db
whitelist ${HOME}/.local/share/vulkan
whitelist ${HOME}/.config/vulkan
whitelist ${HOME}/.local/share/vulkan/loader_settings.d
whitelist ${HOME}/.config/kdedefaults
whitelist ${HOME}/.config/kdedefaults/gtk-3.0
whitelist ${HOME}/.config/Joplin
whitelist ${HOME}/.config/joplin-desktop
include whitelist-common.inc

### Filesystem Whitelisting ###
whitelist /run/systemd/resolve/io.systemd.Resolve
whitelist /run/udev/control
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc

#apparmor       # if you have AppArmor running, try this one!
caps.drop all
ipc-namespace
netfilter
#no3d   # disable 3D acceleration
nodvd  # disable DVD and CD devices
nogroups       # disable supplementary user groups
#noinput        # disable input devices
nonewprivs
noroot
notv   # disable DVB TV devices
nou2f  # disable U2F devices
novideo        # disable video capture devices
protocol unix,inet,inet6,netlink,
#net eth0
netfilter
seccomp !chroot # allowing chroot, just in case this is an Electron app
#tracelog       # send blacklist violations to syslog

#disable-mnt    # no access to /mnt, /media, /run/mount and /run/media
private-cache  # run with an empty ~/.cache directory
private-dev
# This is the list of devices accessed on top of regular private-dev devices:
# /dev/udmabuf,
private-etc libva.conf,drirc,vulkan,ati,hosts,fonts,xdg,gtk-3.0,svc.conf,netsvc.conf,nsswitch.conf,resolv.conf,crypto-policies,system-fips,selinux,
private-lib
private-tmp
private-bin ls

dbus-user none
dbus-system none

#memory-deny-write-execute

blacklist /boot
blacklist /mnt
blacklist /media
blacklist /root
blacklist /srv

[osevan]

You looked already inside these files ?

include whitelist-common.inc

Filesystem Whitelisting

whitelist /run/systemd/resolve/io.systemd.Resolve
whitelist /run/udev/control
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc

?

[osevan]

I suspect , you can't execute other binarys then ls , example : uptime