mkdir command works even when the path is blacklisted

[elde-n]

The mkdir command in a profile file bypasses nowhitelist and blacklist override

Example:
test.local

nowhitelist ${HOME}/test
blacklist ${HOME}/test

test.profile

mkdir ${HOME}/test

[rusty-snake]

It does not bypass them because it can not "bypass" them. You can not protect firejail from firejail with firejail.

So what's going on

nowhitelist ${HOME}/test
mkdir ${HOME}/test

Firejail sees two commands, one asking to ignore any following whitelist ${HOME}/test command. And one command asking to create a directory at ${HOME}/test.
One could say mkdir should respect a nowhitelist like it should for --private= (which has a bug and does not respect --private=). But see the next.

blacklist ${HOME}/test
mkdir ${HOME}/test

Firejail sees two commands, one asking to blackist ${HOME}/test if it exists. And one command asking to create a directory at ${HOME}/test.
While this order isn't very useful, flipping these two lines can make a different between a sandbox escape and blocking it.

[elde-n]

Well how would I avoid calling mkdir in a default profile?
For example the default neomutt profile creates 6 trash directories in the home directory that are never used on my system

[rusty-snake]

Add ignore mkdir <PATH> to your neomutt.local.

[elde-n]

Thank you it's exactly what I was looking for!