I had always thought that noblacklist ~/Documents simply prevented any blacklist directives from applying to ~/Documents. Nothing more, nothing less. But that can't be quite accurate, because noblacklist seems to prevent read-only from taking effect.
To see what I mean -
1) Create ~/Documents/sdfsdf.profile -
noblacklist ~/Documents
noblacklist ~/.config
noblacklist ~/.cache
noblacklist ~/.bashrc
blacklist ${HOME}/*
read-only ~/Documents
2) Run firejail with that profile -
firejail --profile=~/Documents/sdfsdf.profile
3) In the sandbox, run these commands
cd ~/Documents
touch Foo
... and there appears a file named Foo in ~/Documents.
Commenting out the lines noblacklist ~/Documents and blacklist ${HOME}/* in the profile results in the touch command giving the expected "Read-only file system" error.
So what does noblacklist do exactly, and why does it seem to disable read-only?
Thanks for any insight.
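A small regression check for the interaction described in this report, written here as an added example rather than anything from the firejail project: it writes the same profile the report uses, runs touch under it, and reports BUG if the file lands in ~/Documents despite read-only. It assumes firejail is on PATH and that ~/Documents exists; the profile path and the probe filename are constructed.

```shell
#!/bin/sh
# Regression check: does "noblacklist" let a write through a "read-only" mount?
# Assumes firejail is installed and ~/Documents exists (as in the report).
set -e

# Write the profile from the original report to the path given as $1.
write_profile() {
  cat > "$1" <<'EOF'
noblacklist ~/Documents
noblacklist ~/.config
noblacklist ~/.cache
noblacklist ~/.bashrc
blacklist ${HOME}/*
read-only ~/Documents
EOF
}

# Run touch inside a sandbox using profile $1. Prints BUG when the file was
# created (read-only bypassed) and OK when the write was refused. The probe
# filename below is constructed for this check.
check_readonly() {
  profile=$1
  target="$HOME/Documents/firejail-ro-probe.$$"
  rm -f "$target"
  # touch is expected to fail with "Read-only file system"; ignore its status.
  firejail --quiet --profile="$profile" touch "$target" 2>/dev/null || true
  if [ -e "$target" ]; then
    rm -f "$target"   # should never exist on a fixed firejail; clean up anyway
    echo BUG
  else
    echo OK
  fi
}

# Usage: sh this-script.sh run
if [ "${1-}" = run ]; then
  p=$(mktemp)
  write_profile "$p"
  check_readonly "$p"
  rm -f "$p"
fi
```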
Seems to be fixed in the latest version, so I'll close the bug. @laniakea64, please re-open if you still have this issue.
[Edit] Never mind, I seem to be having the same issue.
@chiraag-nataraj What did you want to run on that profile? Another shell?
I am not sure if using the same folder as the profile is the best example (since profiles should be in .config/firejail).
Check #2735 and #1569.
If I am not mistaken, your blacklist overwrites the noblacklist from before resulting in no access besides the HOME and seeing folder structure below.
(@matu3ba although I'm not @chiraag-nataraj, I am the original reporter and the author of the profile in the original description, so I'll reply to your comment anyway.)
What did you want to run on that profile?
Memory is a bit fuzzy now but I believe it stemmed from a generic attempt to work around https://github.com/netblue30/firejail/issues/1234 (now fixed).
I am not sure if using the same folder as the profile is the best example (since profiles should be in .config/firejail).
Location of the profile file is immaterial. Same issue occurs on latest firejail with putting the profile in ~/.config/firejail.
If I am not mistaken, your blacklist overwrites the noblacklist from before resulting in no access besides the HOME and seeing folder structure below.
It doesn't for me, and I don't see how that's relevant? To be clear, the issue here is that noblacklist is overriding both blacklist and read-only, but it is only supposed to override blacklist.
Works (but should not work): firejail --noblacklist="~/Bilder" --read-only="~/Bilder" touch Bilder/test2
Thanks! It should work now, you can give it a try.
It does work now. Thanks @smitsohu for fixing this!