Firejail: firefox profile leaking filesystem access

Created on 28 Nov 2017 · 11 Comments · Source: netblue30/firejail

The firefox profile is said to limit the browser's access to the user's filesystem to ~/Downloads and certain other specific files. However, my firefox file dialog (version 52 esr) includes at the bottom of the left-hand bookmark / location bar, an item labeled "other locations", and clicking on that shows that firefox has access to all filesystems / devices through that method.

All 11 comments

G'day Boruch-Baum,
The firefox profile limits any access in your home directory to Downloads and a few necessary config files. It also strictly limits or prevents access to select other directories like /boot, /dev, /root, and /tmp.
Also, it prevents lots of potential attacks thanks to the seccomp filter and noroot/nonewprivs filters.

Other system files, such as those in /etc or /lib, are visible, though read-only, inside the sandbox. This is by design.

@netblue30 or some other contributors can certainly explain it better than I can, but in the meantime these links may be of interest to you. 😄
https://github.com/netblue30/firejail/issues/1352
https://github.com/netblue30/firejail/issues/354
https://github.com/netblue30/firejail/issues/970

Cheers!
Fred

@Fred-Barclay: G'day. Your comment doesn't reflect my experience and seems to ignore what I actually reported, so I should be more specific.

1] Open an instance of firefox using firejail.
2] Open any URL, local or remote.
3] Type C-s (Control-s).
4] Within the save dialog that appears, click on the "Other Locations" line at the bottom of the bookmark bar on the left-hand side of the dialog.
5] Notice that you can now view all mount-points system-wide, including other unmounted partitions, USB drives, network connections, etc.

Nothing to do with access to /etc or /lib, as you commented, and in fact I don't see that I actually have access to those directories at all.

@Boruch-Baum if you want to block access to other drives you can run this command as root:
echo "disable-mnt" >> /etc/firejail/firefox.local
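
An added example, not part of the thread or of firejail's own code: a shell check for whether a profile ends up with disable-mnt in effect once its include chain and its .local override are read. The function names, the basename-based include lookup and the rule that an ignore line only affects directives read after it are assumptions, and the sample profiles are constructed.

```shell
#!/bin/sh
# Added example: does a firejail profile end up with disable-mnt in effect?

# Print every directive reachable from profile $2 in directory $1, following
# "include" lines. Assumption: includes resolve by basename inside $1, so both
# "include firefox.local" and "include /etc/firejail/firefox.local" work.
profile_lines() (
    set -f                                   # no globbing on "blacklist /x/*"
    dir=$1 file=$2 depth=${3:-0}
    [ "$depth" -le 8 ] || exit 0             # stop runaway include loops
    [ -r "$dir/$file" ] || exit 0            # a missing .local is normal
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # drop comments
        set -- $line                         # split into words
        [ $# -gt 0 ] || continue
        if [ "$1" = include ] && [ $# -ge 2 ]; then
            profile_lines "$dir" "${2##*/}" $((depth + 1))
        else
            printf '%s\n' "$*"
        fi
    done < "$dir/$file"
)

# Exit 0 if disable-mnt is read and not cancelled by an earlier
# "ignore disable-mnt". Assumption: ignore only affects later lines.
has_disable_mnt() {
    profile_lines "$1" "$2" | awk '
        $0 == "ignore disable-mnt"      { ignored = 1 }
        $0 == "disable-mnt" && !ignored { on = 1 }
        END { exit !on }'
}

# Constructed sample profiles (not the shipped ones), in a scratch directory.
demo=$(mktemp -d)
printf '%s\n' 'include /etc/firejail/firefox.local' 'noroot' 'seccomp' \
    > "$demo/firefox.profile"
if has_disable_mnt "$demo" firefox.profile; then before=on; else before=off; fi
echo 'disable-mnt' >> "$demo/firefox.local"  # the override from the thread
if has_disable_mnt "$demo" firefox.profile; then after=on; else after=off; fi
echo "before override: $before, after override: $after"
rm -rf "$demo"
```

On a real system the first argument would be the profile directory used in the thread, /etc/firejail.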

@Boruch-Baum for clarification: Is this issue about information leaking?

I tried to reproduce and I can _see_ some forbidden fruit, but I am not able to actually _access_ it.

@SpotComms: That did it! Thanks. Should this be made standard? Or has it been, and my version (0.9.50) is just not bleeding edge?

@smitsohu: Yes. Before @SpotComms's tip, I was able to drill down past the initial display of mount points and access everything that my user account had access to. After the tip, the behavior is as I think you are reporting - able to see the initial list of mount points, but not able to drill down.

Ideally, the mount points themselves should be hidden, no?

@Boruch-Baum I actually added it in https://github.com/netblue30/firejail/commit/5354f20012b488c50cd556e315b78ad351ae0f9d#diff-e1a5f71d78072f938239e39011f8bd73, but removed it in 9e3ba319be6b9546d7e8f450ca419ee2f3f4040b; it was never enabled, however.

I left it disabled for the browsers for the few users that might keep their Downloads directory on another drive.

@SpotComms : OK. On your judgement, close the issue. My vote is to enable the protection for the many, and force the few to make the manual change.

Also in favor of enabling the protection by default is that the minority who have their ~/Downloads directory on another mount point can still temporarily save data to their $HOME directory, which the firejail profile also allows by default.

I agree that we may want to consider using disable-mnt more liberally.

Mount points have been disabled for browsers in 19f9beca3287ae2ebfdc81cf40c7b686655223b5. 🎉

Thanks, @Fred-Barclay.
