mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
Labels
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/firejail#2606
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @rusty-snake on GitHub (May 18, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4285
File-system layout:
Before #4229
firejail --shell=none --whitelist=~/baz --private=~/foo ~/barhad executed~/foo/barwith~/fooas private $HOME and the--whitelist=~/bazwas ignored (meaning whitelisting wasn't enabled).After #4229 you need to add
--whitelist=~/bar. Otherwise you getError: no suitable ~/bar executable found.That's what I found out so far. I'm not 100% sure if this are the right STR. I'm also not sure if this behaviour is maybe better then the old, as it seems
whitelistwas ignored previously.@smitsohu commented on GitHub (May 18, 2021):
I thought nobody would notice 😄
It was a conscious decision to keep things a bit more simple, but of course the old behaviour can be added back.
@smitsohu commented on GitHub (May 18, 2021):
IIRC another reason why I did it like this is because it avoids creating a special case for the user home directory. All other private options can be combined freely with whitelist, also before #4229. It seemed advantageous to me to keep it like that because it enabled a workaround for missing subdirectory support in
private-etc(now implemented),private-home, and so on.That said,
privateandprivate=do something different than the other private options, and combining them with whitelist doesn't really make much sense.@smitsohu commented on GitHub (May 19, 2021):
@rusty-snake Nevermind, I'll add it back so it behaves as before.
@rusty-snake commented on GitHub (May 19, 2021):
I create this issues because I'm wasn't sure if this was intentionally or a mistake. Maybe it's better to have
whitelistworking in--private=shared_private_home. Some complex setups maybe need to be adjusted, however users with such setups can do this IMHO if we add it to the RELONTES:@rusty-snake commented on GitHub (May 26, 2021):
4909fa7efc (diff-6698244f9a67e5c8ae5c03806df74f6d9f1ae1b31ad6176eb09e136f07f3dad9)whitelists all files in $HOME by default (you canignorethisprofile_addIIRC). This still means that a program can not save files (e.g. documents/pictures or configs/caches) in files/dirs that don't exists when the sandbox is started (andmkdirstill don't work withprivate).@netblue30 commented on GitHub (May 29, 2021):
I was looking for a quick and dirty fix for tor browser, and somehow it got checked in with something else. I took it out, and put the disable whitelist functionality back.
a2b81da0f3