Firejail: How to allow kate to edit files in .config ?

Created on 17 Feb 2019 · 19 Comments · Source: netblue30/firejail

Hello everyone,

I can't figure out how to allow "kate" to edit files in /home/user/.config/ ?
I already allowed the folder itself but every file I open will be run as an empty "new file" in kate although it's an existing file with content.

Thanks in advance!

question

All 19 comments

You can run kate without firejail for something like that: /bin/kate or /usr/bin/kate depending on your distro.

or by noblacklisting everything in .config: firejail --noblacklist="${HOME}/.config/*" kate

Already did noblacklist everything but it still doesn't work :S

@Utini2000 With or without the ${HOME}.

Doesn't work: firejail --noblacklist=".config/*" kate
Should work: firejail --noblacklist="${HOME}/.config/*" kate

In my kate.local

noblacklist ${HOME}/.config/*

When I open some in .config it is just an empty file and kate says "New file".
When running kate with your command I get "permission denied" when opening e.g. ./config/firejail/

Maybe .config/firejail is special.

Lol that is weird,

The folders for firejail, mpv, vlc in /.config/... won't work.
cantana for example does work.

.config/firejail will be always blacklisted in firejail. For others you have to disable include disable-common.inc, include disable-passwdmgr.inc and include disable-programs.inc in kate.profile.

@Utini2000 So I've actually run into this issue because I sandbox emacs (my editor of choice). My personal favorite solution has been to whitelist a specific directory (in my case, ~/.config/emacs/emacs_tmp) and write a wrapper script which hardlinks the file into that directory, opens emacs for editing the file, and deletes the hardlink when I close the file. It's definitely a kludgy solution, but has the advantage that I can, for example, even edit firejail profiles in emacs using this method _even if_ emacs is jailed.

I'd also like to note that my emacs profile is a _whitelist_ profile which only whitelists ${DOCUMENTS} and ${DOWNLOADS}, which means I need the script to edit any file outside of those directories (aka config files, scripts in ~/.local/bin, etc).
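A sketch of the hardlink wrapper described in the comment above, as an added example that is not the commenter's script or part of firejail. `STAGE_DIR`, `EDITOR_CMD`, `inode_of` and `edit_via_hardlink` are hypothetical names; it assumes the staging directory is whitelisted in the editor's profile and sits on the same filesystem as the files being edited.

```shell
#!/bin/sh
# Added example, not the commenter's script. Runs OUTSIDE the sandbox.
# Assumptions: STAGE_DIR is whitelisted in the editor's firejail profile and is
# on the same filesystem as the files to edit; EDITOR_CMD is the jailed editor.
STAGE_DIR="${STAGE_DIR:-$HOME/.config/emacs/emacs_tmp}"
EDITOR_CMD="${EDITOR_CMD:-firejail emacs}"

inode_of() { ls -i "$1" | awk '{print $1}'; }

edit_via_hardlink() {
    target=$1
    # Only regular files: a symlink could point the link somewhere unexpected.
    if [ ! -f "$target" ] || [ -L "$target" ]; then
        echo "not a regular file: $target" >&2; return 2
    fi
    mkdir -p "$STAGE_DIR" && chmod 700 "$STAGE_DIR" || return 3
    link="$STAGE_DIR/$$.$(basename "$target")"
    # Hardlinks cannot cross filesystems, so this fails cleanly if they differ.
    ln "$target" "$link" || { echo "cannot hardlink $target" >&2; return 4; }

    status=0
    $EDITOR_CMD "$link" || status=$?   # unquoted on purpose: command plus args

    # An editor that saves via "write temp file, rename" leaves the link on a
    # new inode and the original untouched; copy the result back in that case.
    if [ -f "$link" ] && [ "$(inode_of "$link")" != "$(inode_of "$target")" ]; then
        cat "$link" > "$target" || status=5
    fi
    rm -f "$link"   # the sandbox loses access to the file again
    return "$status"
}

if [ "$#" -gt 0 ]; then edit_via_hardlink "$1"; fi
```

While the link exists, the jailed editor can write to that one file, so the exposure is limited to the file being edited and ends when the editor exits.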

Hmm but what is the logic behind disabling the whole .config folder for kate but not for other editors e.g. nano?

@Utini2000 look here.

or with words: nano doesn't have a firejail profile.

Link doesn't work.

But if nano doesn't have a profile, why does kate? :D

@Utini2000 the broken link was intentional, otherwise you would find the nano-profile there.

> But if nano doesn't have a profile, why does kate?

Because someone has written a profile for kate, but nobody for nano. ;)

Some time ago I proposed relaxed config for app like kate or dolphin but the consensus was against this change: https://github.com/netblue30/firejail/pull/1806

It's not just about being relaxed, it's about being unmatching between apps of the same type.

Kate and nano are both very common text editors. One is handled so strictly that it basically cripples the usage of the app while the other one isn't handled by firejail at all.

We have a dedicated issue for requesting new profiles. You can also create a new profile yourself. Creating app profiles is collaborative work, everyone can contribute to it. We add many new profiles in each release but you can't expect that we provide a profile for every app in the universe.

Just copy the kate.profile to home .config/firejail/ and comment out the superfluous lines; the kate profile and some others are too restricted.

Oh so the .profile in .config/firejail overwrites the .profile in /etc/firejail?
And the .local simply adds stuff to the .profile of /etc/firejail?

Ye I guess I will do that and check every now and then if the kate/nano profiles were updated :)

I don't want to give them too much access, just enough to also edit config files in .config

@Utini2000 #2422

So we have a nano profile now and the original question has been answered with several workarounds. I'm going to go ahead and close this, but @Utini2000, feel free to reopen if you have more questions.
