Control: severity -1 normal
Control: tags -1 + unreproducible

Hi,

On Mon, Jul 25, 2022 at 12:31:56PM +0200, anonymous coward wrote:
> The command tootle was first executed outside firejail to establish a
> working config file. This was motivated to work around bug
> 1015816. After tootle proved to function outside of firejail, it was
> relaunched within firejail as follows:
>
> $ firejail --net=vnet0 --dns="$(ip address show dev vnet0 | awk '/inet\>/{gsub(/[/].*/,""); print $2 }')"\
>   --env=XDG_CONFIG_HOME="$HOME"/my_config_files\
>   --whitelist="$(readlink $HOME/.config)"com.github.bleakgrey.tootle/accounts.json\
>   --noblacklist="$(readlink $HOME/.config)"com.github.bleakgrey.tootle/accounts.json\
>   --read-write="$(readlink $HOME/.config)"com.github.bleakgrey.tootle/accounts.json\
>   tootle
>
> $HOME/.config is a symbolic link to "$HOME"/my_config_files, and the
> above configuration is crafted to ensure that firejail receives no
> references to a symbolic file or directory.
>
> Tootle was able to read the config file and make use of it within
> firejail. Tootle was also able to update the config file during that
> session, proven by its ability to add new accounts and interact with
> them. But when the session ended, the config file updates were not
> persistent and new accounts were lost.

I just tried to reproduce it with firejail from bullseye (0.9.64.4), but
could not reproduce your problem. I used a somewhat simplified approach:

> (outside) $ mkdir -p my_config_files/com.github.bleakgrey.tootle
> (outside) $ echo "from outside" > my_config_files/com.github.bleakgrey.tootle/accounts.json
> (outside) $ firejail --whitelist="/home/reiner/my_config_files/com.github.bleakgrey.tootle/accounts.json" --noblacklist="/home/reiner/my_config_files/com.github.bleakgrey.tootle/accounts.json" --read-write="/home/reiner/my_config_files/com.github.bleakgrey.tootle/accounts.json"
> ...
> (inside) $ cat my_config_files/com.github.bleakgrey.tootle/accounts.json
> from outside
> (inside) $ echo "from inside" >> my_config_files/com.github.bleakgrey.tootle/accounts.json
> (inside) $ cat my_config_files/com.github.bleakgrey.tootle/accounts.json
> from outside
> from inside
> (inside) $ exit
>
> Parent is shutting down, bye...
> (outside) $ cat my_config_files/com.github.bleakgrey.tootle/accounts.json
> from outside
> from inside
> (outside) $

As you can see, firejail does not prevent something inside the jail from
modifying the file, and the modifications persist after the jail is
closed. I think something else is happening on your system. Were you
using the --private= option by chance, which creates a temporary home
directory?

Please provide an example that is easier to reproduce and debug.

Kind regards,
Reiner
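An added example, not part of the bug thread above and not firejail's or the reporter's code: a small POSIX shell script that builds the three firejail options for one config file when $HOME/.config is a symlink, as the reporter's command does, but canonicalises the link with `readlink -f` before joining the relative path. Plain `readlink` prints the link target exactly as it was stored, so a link created without a trailing slash makes `"$(readlink $HOME/.config)"com.github...` expand to `.../my_config_filescom.github...`, a path that does not exist. Whether that is what happened on the reporter's system is not established by the thread; the script only shows how to check the path before handing it to firejail. The throwaway HOME fixture, the link layout and the `from outside` file contents are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): build symlink-free firejail paths
# for one config file under a symlinked $HOME/.config.
#
# Assumptions (hypothetical, for illustration): .config -> my_config_files,
# and the file of interest is com.github.bleakgrey.tootle/accounts.json.

# Canonical absolute path of "$1/$2" with every symlink component resolved.
# `readlink -f` never prints a trailing slash, so the separator is added here.
resolve_config_path() {
    _base=$(readlink -f "$1") || return 1
    printf '%s/%s\n' "$_base" "$2"
}

# Naive variant: raw `readlink` prints the stored link target. If the link was
# created without a trailing slash, gluing the relative path straight onto it
# yields ".../my_config_filescom.github.bleakgrey.tootle/accounts.json".
naive_config_path() {
    printf '%s%s\n' "$(readlink "$1")" "$2"
}

# Emit the three options that expose one file read-write inside an otherwise
# whitelist-only home, one per line, all pointing at the same resolved path.
firejail_file_args() {
    _path=$(resolve_config_path "$1" "$2") || return 1
    printf '%s%s\n%s%s\n%s%s\n' \
        --whitelist= "$_path" --noblacklist= "$_path" --read-write= "$_path"
}

# Fixture: a throwaway HOME with .config -> my_config_files (no trailing slash)
# and a constructed accounts.json, mirroring the reporter's layout.
make_fixture() {
    _home=$(mktemp -d)
    mkdir -p "$_home/my_config_files/com.github.bleakgrey.tootle"
    printf 'from outside\n' > "$_home/my_config_files/com.github.bleakgrey.tootle/accounts.json"
    ln -s "$_home/my_config_files" "$_home/.config"
    printf '%s\n' "$_home"
}

# `sh this.sh demo` prints both path variants and the resulting options.
case "${1:-}" in
    demo)
        h=$(make_fixture)
        rel=com.github.bleakgrey.tootle/accounts.json
        echo "resolved: $(resolve_config_path "$h/.config" "$rel")"
        echo "naive:    $(naive_config_path "$h/.config" "$rel")"
        firejail_file_args "$h/.config" "$rel"
        rm -rf "$h"
        ;;
esac
```

The options print one per line, so for a path without whitespace they can be passed as `firejail $(firejail_file_args "$HOME/.config" com.github.bleakgrey.tootle/accounts.json) tootle`. Testing `[ -f "$path" ]` on the resolved result before launching is the cheap check that separates a mount or persistence problem inside the jail from a path that was never there in the first place.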