Wiki: Creating overrides #3504

Closed
rusty-snake opened this issue Jul 9, 2020 · 12 comments
Labels
wiki Discussions about the wiki

Comments

@rusty-snake
Collaborator

Issues for discussions about https://github.com/netblue30/firejail/wiki/Creating-overrides.

@rusty-snake rusty-snake added the wiki Discussions about the wiki label Jul 9, 2020
@rusty-snake
Collaborator Author

The "Add access to a directory" section needs more work:

  • noblacklist foo is only needed if we have blacklist foo
  • the section does not cover whitelisting profiles

@rusty-snake
Collaborator Author

Good, it should be made clearer that whitelist may only be used if it is a whitelisting profile, otherwise it will break the program. whitelisting is only supported in $HOME, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var. So whitelist /myimportant.file will throw errors.

@NetSysFire
Contributor

I can change the path, that is no problem. The manpage is a bit unclear though, it says it could be one of those directories:

everything else is discarded when the sandbox is closed. The top directory could be

I tested several profiles (firefox, bash, viewnior, remmina, exiftool) via globals.local and none of them broke when I tested whitelist and noblacklist or nowhitelist and blacklist. Bash should be a blacklisting profile, right? Or do you mean that it breaks when no whitelist is used? Many profiles have multiple includes so the profile will contain blacklist and whitelist.
Could you show me an example where it would break?

@rusty-snake
Collaborator Author

side-note: bash has no profile.
If you want to allow ${DOCUMENTS} for e.g. eog and add whitelist ${DOCUMENTS}, then eog can no longer read its config. So whitelist ${HOME}/foo should only be used for whitelisting profiles (the profiles with include whitelist-common.inc).

@NetSysFire
Contributor

Is a profile also a whitelisting profile if it only includes whitelist-var-common.inc but not whitelist-common.inc? An example for this would be amarok.profile.

@rusty-snake
Collaborator Author

yes and no. yes, because whitelisting happens (even things like private-etc do whitelisting internally). However the terms whitelisting-profile and blacklisting-profile (as they are used by people) refer to the protection-level of the files in your home. Finally no, it would be more confusing if we call every profile with any whitelist a whitelisting-profile.

@NetSysFire
Contributor

The reason why I asked is because whitelist might break non-whitelisting profiles, right? Someone asked me this in an IRC channel (we really need a Firejail IRC channel btw) and I was not sure if it would break this particular profile.
The wiki page contains

If a profile does not contain include whitelist-common.inc, it is not a whitelisting profile and will break.

I suspect that it depends on the used paths but I am not sure yet. To quote the manual:

A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside.

Using features like private-etc seems to not be enough to "convert" it to a whitelisting profile, most likely because the whitelisting is internal, as mentioned. But whitelist seems to break the profile and does not "convert" it, in some cases.

What makes a profile a whitelisting profile except include whitelist-common.inc? I would like to improve the important note below the "Allow access to a file or directory" snippet.

@rusty-snake
Collaborator Author

What makes a profile a whitelisting profile except include whitelist-common.inc?

If a profile (or any of its includes) contains whitelist ${HOME}/… it's a whitelisting-profile. The note with include whitelist-common.inc looked like it is easier since some profiles only have include wc.inc, but only a few profiles have whitelist ${HOME} w/o wc.inc.

Here they are (at least gitter and standardnotes-desktop should probably include wc)

$ grep -L "^# Redirect" $(grep -l "^whitelist \${HOME}" $(grep -L "^include whitelist-common.inc" /etc/firejail/*.profile)) 
/etc/firejail/gitter.profile
/etc/firejail/links.profile
/etc/firejail/mpDris2.profile
/etc/firejail/redshift.profile
/etc/firejail/rtv.profile
/etc/firejail/standardnotes-desktop.profile

The reason why I asked is because whitelist might break non-whitelisting profiles, right?

Yes, if you add whitelist ${HOME}/... to a blacklisting-profile the program has no longer access to its config-files, documents, ... unless you whitelist them. Some profiles are opt-in whitelisting-profiles such as gitg, keepassxc, peek or flameshot.
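The definition given in the two comments above (a whitelisting profile is one that, directly or through any include, carries a whitelist ${HOME}... line) can be checked mechanically before writing an override. The following script is an added example, not code from the firejail project or the wiki; it assumes all profiles and .inc files live in one directory (where include lines are resolved) and builds constructed sample profiles in a temporary directory to show each case from the thread.

```shell
#!/bin/sh
# Added example (not from firejail): classify a profile as whitelisting or
# blacklisting by the thread's rule: it, or any file it includes, contains
# "whitelist ${HOME}...". Assumption: profiles and .inc files share one dir ($1).

# _walk DIR FILE: 0 on the first "whitelist ${HOME}" hit, following "include"
# lines recursively; missing files (e.g. absent foo.local) and cycles are skipped.
_walk() {
    case " $_seen " in *" $2 "*) return 1 ;; esac
    _seen="$_seen $2"
    [ -r "$1/$2" ] || return 1
    grep -q '^whitelist \${HOME}' "$1/$2" && return 0
    for inc in $(sed -n 's/^include[[:space:]][[:space:]]*//p' "$1/$2"); do
        _walk "$1" "$inc" && return 0
    done
    return 1
}

# is_whitelisting_profile DIR FILE: exit status 0 if whitelisting, 1 otherwise
is_whitelisting_profile() {
    _seen=""
    _walk "$1" "$2"
}

# make_sample_profiles DIR: constructed profiles mirroring the thread's cases
# (contents are illustrative, not the real firejail profiles).
make_sample_profiles() {
    printf 'whitelist ${HOME}/.config/dconf\nwhitelist ${DOWNLOADS}\n' > "$1/whitelist-common.inc"
    printf 'whitelist /var/lib/dbus\n' > "$1/whitelist-var-common.inc"
    printf 'blacklist ${HOME}/.ssh\n' > "$1/disable-common.inc"
    # blacklisting profile: private-etc whitelists internally, but not in ${HOME}
    printf 'include eog.local\ninclude disable-common.inc\nprivate-etc fonts\n' > "$1/eog.profile"
    # only whitelist-var-common.inc: still a blacklisting profile for ${HOME}
    printf 'include amarok.local\ninclude whitelist-var-common.inc\n' > "$1/amarok.profile"
    # whitelisting profile through include whitelist-common.inc
    printf 'include firefox.local\ninclude whitelist-common.inc\n' > "$1/firefox.profile"
    # whitelisting profile with a direct whitelist ${HOME} line and no wc.inc
    printf 'include gitter.local\nwhitelist ${HOME}/.config/Gitter\n' > "$1/gitter.profile"
}

tmp=$(mktemp -d)
make_sample_profiles "$tmp"
for p in eog amarok firefox gitter; do
    if is_whitelisting_profile "$tmp" "$p.profile"; then
        echo "$p: whitelisting profile; whitelist \${HOME}/... overrides are safe"
    else
        echo "$p: blacklisting profile; use noblacklist, adding whitelist would break it"
    fi
done
rm -rf "$tmp"
```

To run it against an installed firejail, point is_whitelisting_profile at /etc/firejail instead of the sample directory.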

@NetSysFire
Contributor

I tried to clarify this a bit: https://github.com/netblue30/firejail/wiki/Creating-overrides/_compare/921131df86e3216d9694b856d88f3e45005138c6...aa6d4f92780bce8c578406487ac87e9cc3a8a847

@rusty-snake rusty-snake changed the title Creating overrides Wiki: Creating overrides Aug 4, 2021
@rusty-snake
Collaborator Author

#4442
