Control: severity -1 normal
Control: tags -1 + unreproducible

Hi,

On Mon, Jul 25, 2022 at 12:31:56PM +0200, anonymous coward wrote:
> The command tootle was first executed outside firejail to establish a
> working config file. This was motivated to work around bug
> 1015816. After tootle proved to function outside of firejail, it was
> relaunched within firejail as follows:
> 
>   $ firejail --net=vnet0 --dns="$(ip address show dev vnet0 | awk '/inet\>/{gsub(/[/].*/,""); print $2 }')"\
>              --env=XDG_CONFIG_HOME="$HOME"/my_config_files\
>              --whitelist="$(readlink $HOME/.config)"com.github.bleakgrey.tootle/accounts.json\
>              --noblacklist="$(readlink $HOME/.config)"com.github.bleakgrey.tootle/accounts.json\
>              --read-write="$(readlink $HOME/.config)"com.github.bleakgrey.tootle/accounts.json\
>              tootle
> 
> $HOME/.config is a symbolic link to "$HOME"/my_config_files, and the
> above configuration is crafted to ensure that firejail receives no
> references to a symbolic file or directory.
> 
> Tootle was able to read the config file and make use of it within
> firejail. Tootle was also able to update the config file during that
> session, proven by its ability to add new accounts and interact with
> them. But when the session ended, the config file updates were not
> persistent and new accounts were lost.

I just tried to reproduce it with firejail from bullseye (0.9.64.4), but
could not reproduce your problem.
I used a slightly simplified approach:

> (outside) $ mkdir -p my_config_files/com.github.bleakgrey.tootle
> (outside) $ echo "from outside" > my_config_files/com.github.bleakgrey.tootle/accounts.json
> (outside) $ firejail --whitelist="/home/reiner/my_config_files/com.github.bleakgrey.tootle/accounts.json" --noblacklist="/home/reiner/my_config_files/com.github.bleakgrey.tootle/accounts.json" --read-write="/home/reiner/my_config_files/com.github.bleakgrey.tootle/accounts.json"
> ...
> (inside) $ cat my_config_files/com.github.bleakgrey.tootle/accounts.json
> from outside
> (inside) $ echo "from inside" >> my_config_files/com.github.bleakgrey.tootle/accounts.json
> (inside) $ cat my_config_files/com.github.bleakgrey.tootle/accounts.json
> from outside
> from inside
> (inside) $ exit
> 
> Parent is shutting down, bye...
> (outside) $ cat my_config_files/com.github.bleakgrey.tootle/accounts.json
> from outside
> from inside
> (outside) $ 

As you can see, firejail does not prevent something inside the jail from
modifying the file, and the modifications persist after the jail is
closed.
I think something else is happening on your system. Were you using the
--private= option by chance, which creates a temporary home directory?

Please provide an example that is easier to reproduce and debug.

Kind regards,
  Reiner
