Hello,
this is about creating a sandbox for an application (i.e. qutebrowser) which has its configuration files (i.e. ~/.config/qutebrowser/config.py) as symlinks to other files (~/code/dotfiles/qutebrowser/config.py).
I'm sorry about asking 'Yet another symlink question'. I do so because I have seen lots of threads about it and although the workarounds are there (i.e. #2329 and #2617), I could not find a thread that handles the real solution or even concentrates the ideas for a PR, so maybe I can help somehow/subscribe to.
whitelist ~/.config/qutebrowser
whitelist ~/code/dotfiles/qutebrowser
Doesn't that work (add to your existing profile)?
THANK YOU! I'm really ashamed it was that easy..
As I like to use the original profiles, using whitelist ${HOME}/code on a globals.local file, felt like a neat solution to this problem.
Maybe there's room for improvement on the docs on this or am I blind again?
> As I like to use the original profiles, using whitelist ${HOME}/code on a globals.local file, felt like a neat solution to this problem.
This will break any non whitelisting profiles for you. You need to add it to all PROFILE.local files for whitelisting profiles.
Untested code snippet:
for file in /usr/local/bin/*; do
    # Only consider symlinks that point at firejail
    if [ "$(readlink "$file")" = "/usr/bin/firejail" ]; then
        name=$(basename "$file")
        # Only touch whitelisting profiles (those that include whitelist-common.inc)
        if grep --quiet '^include whitelist-common.inc$' "/etc/firejail/$name.profile"; then
            echo "whitelist \${HOME}/code" >> ~/.config/firejail/"$name".local
        fi
    fi
done
Does not work with profiles like firefox.profile because wc is in firefox-common.profile.
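An added example (not code from this thread or from the firejail project) that goes one step further than the snippet above: it follows `include` lines recursively, so a profile such as firefox.profile that only reaches whitelist-common.inc through firefox-common.profile is still detected. The function names are hypothetical, and it assumes `include` lines use bare file names that all live in one profile directory.

```shell
#!/bin/sh
# Added example. Assumption: "include NAME" lines use bare file names that
# all live in one profile directory (for example /etc/firejail).

# includes_wc DIR FILE [SEEN]
# Succeeds if FILE, or any file it includes, has "include whitelist-common.inc".
# The body is a subshell, so variables are private to each recursion level.
includes_wc() (
    dir=$1 file=$2 seen=${3:-}
    # Missing files (e.g. an optional .local) simply do not match.
    [ -f "$dir/$file" ] || exit 1
    # Cycle guard: stop if this file is already on the current include chain.
    case " $seen " in *" $file "*) exit 1 ;; esac
    seen="$seen $file"
    # Collect the include targets first so the loop is not part of a pipeline.
    targets=$(sed -n \
        's/^include[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]*$/\1/p' \
        "$dir/$file")
    for inc in $targets; do
        [ "$inc" = "whitelist-common.inc" ] && exit 0
        includes_wc "$dir" "$inc" "$seen" && exit 0
    done
    exit 1
)

# whitelisting_profiles BINDIR PROFILEDIR
# Prints the name of every symlink in BINDIR that points at /usr/bin/firejail
# and whose profile reaches whitelist-common.inc, directly or via includes.
whitelisting_profiles() {
    for link in "$1"/*; do
        [ "$(readlink "$link")" = "/usr/bin/firejail" ] || continue
        name=$(basename "$link")
        if includes_wc "$2" "$name.profile"; then
            echo "$name"
        fi
    done
}

# Usage: review the list before appending anything to the .local files.
#   whitelisting_profiles /usr/local/bin /etc/firejail
```

Each printed name is a profile whose `~/.config/firejail/NAME.local` would take the extra `whitelist` line; profiles that never reach whitelist-common.inc are left alone.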
Got it, thank you.
@rusty-snake,
> This will break any non whitelisting profiles for you. You need to add it to all PROFILE.local files for whitelisting profiles.
In order to avoid this redundancy in more profiles, is it fine if I put it under whitelist-common.local?
@aleprovencio works too.