Using firejail with private /home with a folder on /home mount point but outside of users folders #3877
I think it should work if you add If it doesn't work, what is your Firejail version? |
Thank you very much for your fast and correct answer :) So I guess Firejail treats the /home mount point differently from other mount points, even though permission on this specific folder is allowed for all users, good to know. |
Please tell me if I shouldn't ask more questions on this ticket, otherwise I have some:
|
|
Hi, thank you for your answer,
|
|
Is there a way to authorise the access to the private folder /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome but not to all the upper folders inside firejail?
Maybe my English is too bad, I meant the opposite: Before launching firejail: After launching firejail: I expected 'echo $HOME' to return this inside firejail: My firejail version:
|
|
On my /home mount point:
On the thefolderIwantnotinsideuserhome/FireJail/:
The Steam app shouldn't be able to see anything other than /home/thefolderIwantnotinsideuserhome/FireJail/SteamHome/ So Steam firejailed with
The manpage: Both Mozilla Thunderbird and Firefox think ~/work is the user home directory [...]" So shouldn't |
mmmm... by testing I think I'm close to understanding: when I make: When I make |
I'm progressing on the problem: Outside FireJail:
But inside FireJail, for the same files, some don't have an owner and have different rights:
This results in permission rejection. Maybe it is because I created these files on another computer and moved them afterwards to my new fresh install. |
If these directories belong to another human user they should be inaccessible for others anyway.
|
Both result in a
Yes, I commented this because I wanted this to stay in the fake home folder. |
|
This worked, but I can't explain to myself how, it's magic ^^ How should I write this inside the profile file? But inside FireJail, the permissions are still the same:
If I uncomment these lines in the profile file:
The app will still create the files inside the fake home folder? |
ahhh steam just put a lot of files in my real home directory... I'm sad :( How does it do this from inside firejail? -edit2- |
They stop your shell from expanding the
firejail does it, look at the
Both should be the same. |
You are right, I checked, I updated my texts before. |
I go with
What do you think?
It seems to be still necessary to unquote this with the previous profile, but why? Isn't the |
Sorry I don't get your last question. |
Why in the standard steam profile file, do we need to do the noblacklist for folders already inside the fake home folder?
|
I wanted to check graphically what the FireJailed app will be able to see on the disk so I went with Maybe I should use |
nemo likely runs already (in the background) and nemo (inside the sandbox) talks to nemo (outside) which then opens a new window. Options:
Aside: the |
On |
Thank you it works with So results:
|
add The problem with steam.profile is that it is a profile which should work with many different programs/games, resulting in a relatively weak profile to not break ugly written games. |
As I use a fake home folder, why do I have to specify each of these folders individually?
with those lines active I get
I don't understand why I can create and modify a lot of files/folders in this fake home folder as I want. |
This worked great thank you :) |
It is really hard to understand.
I just closed the sandbox and re-opened it the same way, and I got this:
Anyway, I have another problem: a segmentation fault (core dumped), but it seems to happen to a lot of people even outside of firejail. |
Because these special ones have a
The |
Oh this is easier to understand, thank you! |
and the remaining 1% are covered by
Yes, but why? Just keep the |
Yes, but as I use a fake home folder I find it weird to remove a lot of permissions with |
I'm progressing, now I get
|
It was seccomp's fault. Once I commented it, no more crashing error. |
Try |
This worked, thank you :) -Edit- So now here is my profile file:
|
I will make a custom profile for the French application molotov.tv Molotov.tv is an application to watch TV on a computer through the internet (it uses DRM) |
|
Thank you, yes this is the default profile. I guess there is no custom profile already for appimage files? PS: for information, this link from the basic-usage tutorial is going nowhere |
@netblue30 https://firejail.wordpress.com/documentation-2/basic-usage/#profiles: |
Hello,
Neither with this:
Neither this from #3581 :
|
I finally got it after many tries:
But I would like to understand why this worked |
No, but there are other ways to have the same effect: #3580, #3581, #3912 (comment), ...
Since these paths are never
#3581 (comment) and the following
🎉
You should add
Because you commented/ |
Hello, Thank you again for your detailed answers.
Yes of course, I forgot that a whitelist refuses all except what is expressly allowed!
so I will go with:
Is it possible to keep |
Together with
|
It doesn't seem to work, in this case the app gets full /media access:
|
Why did you comment the |
This was the aim. |
But maybe I could just add a comment on my whitelist lines:
|
You can add |
Is there a way to put Is
I had to run |
No, one command per line.
Somewhere else. |
Hi,
I can start firejail with the private folder inside a chosen folder itself inside my home account:
firejail --noprofile --private=/home/username/thefolderIwant
I can start firejail with the private folder inside a chosen folder itself inside another partition/drive:
firejail --noprofile --private=/mnt/otherpartitionordrive/thefolderIwant
But I don't understand why I can't start firejail with the private folder directly inside a chosen folder on /home with the right permissions:
firejail --noprofile --private=/home/thefolderIwantnotinsideuserhome
I got this error:
I checked the permissions, they are the same:
What am I missing?