zoom: profile bypasses --private (mkdir/mkfile) #6312

Closed
7 tasks done
vinc17fr opened this issue Apr 15, 2024 · 2 comments
Labels
duplicate This issue or pull request already exists

Comments

@vinc17fr
Contributor

Description

When I use --private with the zoom profile, files and directories are created in my real home directory.

Steps to Reproduce

  1. Run firejail --private=some_directory --profile=/etc/firejail/zoom.profile
  2. In another terminal (or after quitting firejail), from the home directory, run:
    ls -ld .zoom .cache/zoom .config/zoomus.conf

Expected behavior

These files/directories should not exist (if they didn't exist initially).

Actual behavior

I get in my real home directory:

drwx------ 2 vinc17 vinc17 4096 2024-04-15 12:52:59 .cache/zoom
-rw------- 1 vinc17 vinc17    0 2024-04-15 12:52:59 .config/zoomus.conf
drwx------ 2 vinc17 vinc17 4096 2024-04-15 12:52:59 .zoom

Behavior without a profile

N/A. The issue is due to the zoom profile, which does

mkdir ${HOME}/.cache/zoom
mkfile ${HOME}/.config/zoomus.conf
mkdir ${HOME}/.zoom

Since Zoom will run from the private directory, these files/directories should be created in the private directory.

Environment

  • Linux distribution and version: Debian/unstable
  • Firejail version (firejail --version): 0.9.72

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/zoom.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 577596, child pid 577600
Child process initialized in 70.73 ms

@vinc17fr
Contributor Author

I forgot about it, but this seems to be the more general bug #903 (I thought that this was specific to the zoom profile and was looking for Zoom-related bugs).

@glitsj16
Collaborator

Yep, this is a duplicate of #903. Until there's a proper fix, use the workaround mentioned in the man page:

firejail/src/man/firejail.1.in

Lines 2064 to 2070 in 27cd032

Bug: Even with this enabled, some commands (such as mkdir, mkfile and
private-cache) will still operate on the original home directory.
Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
and "ignore mkfile".
For details, see
.UR https://github.com/netblue30/firejail/issues/903
#903
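
An added example, not part of the issue thread or of firejail itself: a shell check that walks a profile and its includes for the commands the man page note names (mkdir, mkfile, private-cache) and prints the matching `--ignore=` options. It assumes include names resolve relative to a single directory; `sample-common.inc` and the temporary directory are constructed for the demo.

```shell
# Added example (not firejail code): list profile commands that the man page
# note says still act on the real home under --private, following includes.
# Assumption: "include NAME" is resolved relative to one directory ($2).

# scan_profile FILE DIR -> one "file: command [path]" line per finding
scan_profile() {
    dir=$2 todo=$1 seen=""
    while [ -n "$todo" ]; do
        set -- $todo; cur=$1; shift; todo="$*"
        case " $seen " in *" $cur "*) continue ;; esac   # include loop guard
        seen="$seen $cur"
        [ -r "$dir/$cur" ] || continue                   # e.g. absent *.local
        while read -r cmd arg || [ -n "$cmd" ]; do
            case $cmd in
                include) todo="$todo $arg" ;;
                private-cache) printf '%s: %s\n' "$cur" "$cmd" ;;
                mkdir|mkfile)
                    case $arg in
                        '${HOME}'/*|'~'/*) printf '%s: %s %s\n' "$cur" "$cmd" "$arg" ;;
                    esac ;;
            esac
        done < "$dir/$cur"
    done
}

# ignore_flags FILE DIR -> "--ignore=..." options covering every finding
ignore_flags() {
    scan_profile "$1" "$2" | awk '{ print "--ignore=" $2 }' | sort -u |
        tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: the three zoom.profile lines quoted in the issue plus a
# made-up include (sample-common.inc) to exercise include handling.
demo=$(mktemp -d)
cat > "$demo/zoom.profile" <<'EOF'
include zoom.local
mkdir ${HOME}/.cache/zoom
mkfile ${HOME}/.config/zoomus.conf
mkdir ${HOME}/.zoom
include sample-common.inc
EOF
cat > "$demo/sample-common.inc" <<'EOF'
# mkdir ${HOME}/commented-out
private-cache
mkdir /tmp/not-in-home
include zoom.profile
EOF
scan_profile zoom.profile "$demo"
echo "suggested options: $(ignore_flags zoom.profile "$demo")"
```

The same findings can instead be written as `ignore mkdir` / `ignore mkfile` lines in a local profile override, which is the form the man page workaround quotes.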

@kmk3 added the duplicate label Apr 15, 2024
@kmk3 closed this as not planned Apr 15, 2024
@kmk3 changed the title from "zoom profile bypasses --private" to "zoom profile bypasses --private (mkdir/mkfile)" Apr 15, 2024
@kmk3 changed the title from "zoom profile bypasses --private (mkdir/mkfile)" to "zoom: profile bypasses --private (mkdir/mkfile)" Aug 23, 2024