zoom profile bypasses --private (mkdir/mkfile)
vinc17fr opened this issue
Description
When I use --private with the zoom profile, files and directories are created in my real home directory.
Steps to Reproduce
- Run: firejail --private=some_directory --profile=/etc/firejail/zoom.profile
- In another terminal (or after quitting firejail), from the home directory, run: ls -ld .zoom .cache/zoom .config/zoomus.conf
Expected behavior
These files/directories should not exist (if they didn't exist initially).
Actual behavior
I get in my real home directory:
drwx------ 2 vinc17 vinc17 4096 2024-04-15 12:52:59 .cache/zoom
-rw------- 1 vinc17 vinc17 0 2024-04-15 12:52:59 .config/zoomus.conf
drwx------ 2 vinc17 vinc17 4096 2024-04-15 12:52:59 .zoom
Behavior without a profile
N/A. The issue is due to the zoom profile, which does:
mkdir ${HOME}/.cache/zoom
mkfile ${HOME}/.config/zoomus.conf
mkdir ${HOME}/.zoom
Since Zoom will run from the private directory, these files/directories should be created in the private directory.
Environment
- Linux distribution and version: Debian/unstable
- Firejail version (firejail --version): 0.9.72
Checklist
- The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
- I can reproduce the issue without custom modifications (e.g. globals.local).
- The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
- The profile (and redirect profile if exists) hasn't already been fixed upstream.
- I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes / browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
- I'm aware of
- I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)
Log
Output of LC_ALL=C firejail /path/to/program
Reading profile /etc/firejail/zoom.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 577596, child pid 577600
Child process initialized in 70.73 ms
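As an added example (not part of the issue and not code from the firejail project), here is a small POSIX shell audit helper for the situation reported above: it reads the mkdir/mkfile directives of a profile, expands ${HOME} to a given directory, and reports which of those targets exist in the real home after a --private run. The function names (profile_home_paths, stray_paths, write_sample_profile) are my own, and the sample profile is constructed from the three directives quoted from zoom.profile above plus a comment and an unrelated directive to show they are ignored.

```shell
#!/bin/sh
# Added example, not from the issue or the firejail project.
# Audit helper: which ${HOME} paths does a profile create, and did any of
# them land in the real home directory instead of the --private one?

# profile_home_paths PROFILE HOME
#   Print "mkdir|mkfile <path>" for every directive in PROFILE whose target
#   starts with ${HOME}/, with ${HOME} replaced by the HOME argument.
#   Only the mkdir/mkfile directives shown in the issue are handled.
profile_home_paths() {
    awk -v home="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        ($1 == "mkdir" || $1 == "mkfile") && index($2, "${HOME}/") == 1 {
            # "${HOME}" is 7 characters; keep the remainder of the path as-is
            print $1, home substr($2, 8)
        }
    ' "$1"
}

# stray_paths PROFILE HOME
#   After a sandboxed run with --private, list the profile's mkdir/mkfile
#   targets that exist under the real HOME. Prints nothing when it is clean.
stray_paths() {
    profile_home_paths "$1" "$2" | while read -r kind path; do
        if [ "$kind" = mkdir ] && [ -d "$path" ]; then
            printf 'stray directory: %s\n' "$path"
        elif [ "$kind" = mkfile ] && [ -f "$path" ]; then
            printf 'stray file: %s\n' "$path"
        fi
    done
}

# write_sample_profile FILE
#   Constructed sample: the three directives quoted from zoom.profile in the
#   issue, plus a comment and an unrelated directive that must be ignored.
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample profile (assumption: mirrors the zoom.profile lines above)
mkdir ${HOME}/.cache/zoom
mkfile ${HOME}/.config/zoomus.conf
mkdir ${HOME}/.zoom
private-cache
EOF
}

# Demo: a scratch "real home" that starts clean, then gains .zoom the way
# the report describes; the audit catches it.
demo_profile=$(mktemp)
demo_home=$(mktemp -d)
write_sample_profile "$demo_profile"
echo "paths this profile creates under $demo_home:"
profile_home_paths "$demo_profile" "$demo_home"
mkdir -p "$demo_home/.zoom"
echo "audit result:"
stray_paths "$demo_profile" "$demo_home"
rm -rf "$demo_profile" "$demo_home"
```

Run stray_paths against /etc/firejail/zoom.profile and your real home after a --private session to confirm whether the workaround you chose actually kept the home directory clean; only ${HOME}-relative mkdir/mkfile targets are checked, so directives using other variables or directories are not covered.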
I forgot about it, but this seems to be the more general bug #903 (I thought that this was specific to the zoom profile and was looking for Zoom-related bugs).
Yep, this is a duplicate of #903. Until there's a proper fix, use the workaround mentioned in the man page:
firejail/src/man/firejail.1.in, lines 2064 to 2070 in 27cd032