whitelist globbing
curiosity-seeker opened this issue · comments
I was trying to rewrite/streamline my Firejail profile for LibreOffice. One rule which I tried was
whitelist ~/*.odt
but that doesn't work. It does work, though, in the form
whitelist ~/Example.odt
So it seems that placeholders are not supported. This would be a very useful enhancement in Firejail, indeed!
I'll implement it, thanks for the idea!
Great - thank you very much in advance!
BTW, it would be nice if one could add several file suffixes in one line if possible. Something like
whitelist ~/*.odt, *.doc, *.docx
or
whitelist ~/*.odt | *.doc | *.docx
just to keep the profile more readable.
I'll try that one also.
Maybe in Bash syntax:
whitelist ~/*.{odt,doc,docx}
several similar requests to follow:
And []
Any updates on this?
I'm currently working on enhancing the Thunderbird profile, so that Thunderbird can set itself as the default mail-program (and other things).
Thunderbird needs to modify the ~/.config/mimeapps.list file for that. It does that by first creating a file named ~/.config/mimeapps.list.randomBit (where randomBit are 6 random characters [a-zA-Z0-9]) and then renaming this temporary file to ~/.config/mimeapps.list to make the change.
For that enhancement to be done, whitelist globbing would be needed (I think).
EDIT:
whitelist globbing would be needed (I think)
To whitelist a file/dir, it must exist in the "normal" fs; that's why mkdir/mkfile is in the profiles.
@rusty-snake Thanks for the link! That's really an unfortunate issue.
Thanks, is it possible to use it recursively, that is, all *.mp4 files in a directory and its subdirectories?
man 7 glob:
Globbing is applied on each of the components of a pathname separately. A '/' in a pathname cannot be matched by a '?' or '*' wildcard
I see, so glibc doesn't provide a way to do it? Is there no other way to whitelist all files of specific format (e.g. *.mp4) in all subdirectories?
If the (sub)directory structure isn't too deep, you can
whitelist ${HOME}/Downloads/*.mp4
whitelist ${HOME}/Downloads/*/*.mp4
whitelist ${HOME}/Downloads/*/*/*.mp4
Thanks, it is quite deep unfortunately (network mount). Ideally there would be a way to whitelist only certain files in such large directories rather than all of it.
@danielkrajnik Maybe you could write a shell script from where you pre-select the (*.mp4) files you want to whitelist and bind mount them in a specific location. That way you can blacklist your network mount and only whitelist the new mount path. Have you tried that yet?
You can use find+xargs:
find ~/Videos -type f -name "*.mp4" -printf "--whitelist=%p\0" | xargs -0 -x -s 65536 /bin/sh -c 'firejail "$@" /usr/bin/totem' sh
I'm not sure if you can perform injections with this command (spaces in filenames work), but if this is an untrusted network mount, you should check this.
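
The recursive case asked about above, as an added example that is not part of the original thread or of Firejail itself: a POSIX shell function that turns a `find` walk into profile `whitelist` lines and leaves out any path containing a newline, on the assumption that a profile is read one directive per line. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Firejail code. Names and the demo tree are constructed.
NL='
'

# gen_whitelist ROOT PATTERN
# Print one "whitelist <path>" profile line per regular file under ROOT, at
# any depth, whose name matches PATTERN. Paths containing a newline are left
# out: a profile is read line by line, so the text after the newline would
# be parsed as a separate profile line.
gen_whitelist() {
    root=$1
    pattern=$2
    case $root in
        /*) ;;
        *) echo "gen_whitelist: ROOT must be an absolute path" >&2
           return 2 ;;
    esac
    find "$root" -type f -name "$pattern" ! -path "*${NL}*" -print |
        sort | sed 's/^/whitelist /'
}

# count_skipped ROOT PATTERN
# Number of matching files that gen_whitelist left out, for logging/alerting.
count_skipped() {
    find "$1" -type f -name "$2" -path "*${NL}*" -exec printf x \; |
        wc -c | tr -d ' '
}

# Demo on a throwaway tree; the file names are made up.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/a/b/c"
    : > "$d/top.mp4"
    : > "$d/a/b/c/deep one.mp4"
    : > "$d/a/notes.txt"
    : > "$d/a/x${NL}second line.mp4"
    gen_whitelist "$d" '*.mp4'
    echo "skipped: $(count_skipped "$d" '*.mp4')" >&2
    rm -rf "$d"
}
demo
```

Redirect the output into a file and load it with `firejail --profile=FILE`; a non-zero `count_skipped` on an untrusted mount is worth logging.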