docs: add precedence info to manpage & fix noblacklist example #6359
Conversation
src/man/firejail.1.in
Outdated
| @@ -1729,6 +1736,10 @@ See --keep-config-pulse. | |||
| Disable blacklist for this directory or file. | |||
| .br | |||
|
|
|||
| Note that this only applies to the path as written when it was blacklisted, | |||
| including unexpanded variables and wildcards. | |||
There was a problem hiding this comment.
Not sure this is correct.
If somebody wants to test, here are the test cases to construct the test matrix:
- "simple" paths
- macros w/o subpaths (e.g.
${PICTURES},${DOCUMENTS}, ...) - macros w/ subpaths (e.g.
${HOME}) - macros with multiple maths (
${PATH}- the handling of this macro is more special than the other ones) - wildcards (
*, ...) in only (no)blacklist and both.
Or read the code to find out whether it is a sting comparison or and inode comparison (no it's not, it's just the other extreme) or anything in between.
There was a problem hiding this comment.
You're right, the behavior is different for wildcards, in that wildcard blacklists can be partially unblacklisted by --noblacklisting individual expansions instead of only the whole wildcard.
As for variables, I only tested it for ${PATH} - didn't realize this was a special case, but in retrospect it makes sense that it is 🤦
UPDATE Also tested it for ${HOME} now and the behavior is more similar to wildcards than ${PATH}, i.e. it's possible to unblacklist by giving the expanded path. Super confusing...
There was a problem hiding this comment.
All right, I tested the ${PATH} situation again with another executable I created myself just to be sure that it isn't specific to nc for some reason, and yes, ${PATH} really does behave differently than all other expansions (variables & wildcards).
I'm inclined to say that this is probably a bug and hence shouldn't be documented but rather get an issue? I'll create one.
There was a problem hiding this comment.
The reason ${PATH} is special is because it can expand into multiple paths while ${HOME} and the like are only substituted in the path.
src/man/firejail.1.in
Outdated
| command line, or both) or conflicts with a related option, the | ||
| precedence/behavior is option-specific and usually documented in the | ||
| \fBOPTIONS\fR section below. Note that any option specified in a profile can be | ||
| disabled on the command line using \fB--ignore\fR. |
There was a problem hiding this comment.
FTR: --profile=firefox --ignore='net none' does not work. It works if you flip the order. Nevermind I think it makes things to complicated to explain every detail here.
There was a problem hiding this comment.
I've made the statement a bit weaker by adding "generally", so a more detailed explanation can be given in --ignore's own section.
smheidrich
force-pushed
the
improve-manpage-precedence-an-noblacklist-explanation
branch
from
3ea5ec5 to
05eb2d5
Compare
smheidrich
force-pushed
the
improve-manpage-precedence-an-noblacklist-explanation
branch
from
05eb2d5 to
f502359
Compare
kmk3
changed the title
kmk3
added
the
documentation
kmk3
force-pushed
the
improve-manpage-precedence-an-noblacklist-explanation
branch
from
f502359 to
5eab578
Compare
This should resolve or at least begin to resolve issues mentioned in #6358.
Fixes #6358.