When I start firejail, I see my complete home directory. When I start firejail --whitelist=~/something, I see only something in my home.
Now I would like to restrict access to the system further. I can, for example, add --blacklist=/media and it works as expected.
But how does the default behaviour determine that /home/OTHERUSER and /home/* except the whitelisted files are hidden?
I do not see a matching rule in /etc/firejail/*.
And are allowed subdirectories possible? For example, --blacklist=/media --whitelist=/media/data does not work as expected, even though the manpage says that whitelist overrides other options like --read-only.
Are these rules hardcoded in the binary? If not, which rule does these things?
An example of what I would like to have. Basic rules:
1. Home empty, except for the things listed in the profile
2. Blacklist /media/data
3. Allow symlink ~/apps -> /media/data/apps read-only.
4. Allow /media/data/apps (if necessary) read-only.
1 and 2 are working, 3 is only working with 4 (probably okay), but overriding read access for a subdirectory of a forbidden directory does not work.
It seems a bit counter-intuitive that it should work, but on the filesystem layer mkdir -p foo/bar; chmod 111 foo; ls foo/bar/ works (where 111 means that there is no read (dir-listing) permission on foo, only the executable bit (entering subdirectories)), even when ls foo/ fails.
The extended scenario would disallow everything but a whitelist (profile + /usr, /bin, /lib, etc.). Another thing which doesn't seem possible without root (and then the app itself runs as root) is to replace e.g. /etc/passwd with one which doesn't contain users which should not be known in the jail. /etc contains quite a lot of readable data which should be hidden from untrusted applications.
But possibly the extended scenario would really justify a full chroot + userspace LXC container.
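The four rules and the /etc point above, written as a firejail profile file. This is an added example, not part of the original post: the directive names (whitelist, noblacklist, blacklist, read-only, private-etc) are the documented firejail profile commands, but the path ~/apps and the list of /etc files are assumptions, and whether noblacklist actually re-exposes a subdirectory beneath a blacklisted parent must be checked on the installed firejail version (run the sandbox with --debug and inspect the mounts it reports, then ls the paths from inside the jail).

```text
# Added example profile, not from the original post. Paths and file
# lists are assumptions; verify the resulting mounts with firejail --debug.

# Rule 1: whitelisting anything under home mounts a tmpfs over home,
# so only the listed entries remain visible (the behaviour the post observes).
whitelist ~/apps

# Rules 2 and 4: hide /media, but exempt /media/data/apps and keep it read-only.
# noblacklist must appear before the blacklist line it is meant to exempt;
# whether the exemption survives a blacklist of the parent is version dependent.
noblacklist /media/data/apps
blacklist /media
read-only /media/data/apps

# Rule 3 (the symlink ~/apps -> /media/data/apps) is covered by the
# whitelist above only if the target is reachable, i.e. only together with rule 4,
# which matches what the post reports.

# Extended scenario: mount a tmpfs on /etc and copy in only the named files.
# This limits which files are visible, not their contents: the copied passwd
# is still the real one, so it does not remove users from it.
private-etc passwd,group,hosts,resolv.conf
```

Save the file as e.g. ~/.config/firejail/myapp.profile and start the program with firejail --profile=~/.config/firejail/myapp.profile myapp; the profile path and name are placeholders.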