using --private=homedir and --private-cache, doesn't do --private-cache #2968
Comments
More on this: the failure of --private-cache to take hold only happens when there was initially no .cache folder present in somedir. If I create an empty somedir/.cache, then --private=somedir --private-cache work together properly. OK - I will keep an empty .cache around in each such somedir. But, should firejail print out an error if there is no .cache directory in home when --private-cache is used? If not, this is perhaps a security issue, allowing info to escape the firejail into .cache when that was supposed to be prevented by --private-cache?
Unfortunately @rusty-snake, using mkdir in a profile only works in ~ or in /tmp. The somedir I'm using in --private=somedir is on a separate volume entirely (and even after "private somedir" appears in the profile, somedir isn't considered by mkdir to be adequate). I will just have to ensure somedir has a .cache in it via a script check outside of the firejail profile.
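A script check of the kind described in the comment above, as an added example that is not part of the original thread and is not firejail's own code. The function names `ensure_cache_dir` and `launch_private` are hypothetical; the only firejail options used are the `--private=` and `--private-cache` options discussed in this issue.

```shell
#!/bin/sh
# Added example: pre-flight check for `firejail --private=DIR --private-cache`.
# Per this issue, --private-cache does not take hold when DIR/.cache is
# missing, so the wrapper creates it first and refuses anything unexpected.

# ensure_cache_dir DIR  (hypothetical helper)
# Returns 0 when DIR/.cache is a real directory, 1 otherwise.
ensure_cache_dir() {
    dir=$1
    cache="$dir/.cache"

    if [ ! -d "$dir" ]; then
        echo "error: private home '$dir' is not a directory" >&2
        return 1
    fi
    # A symlinked .cache would point at storage outside DIR; refuse it
    # instead of following or replacing it. -L also catches dangling links.
    if [ -L "$cache" ]; then
        echo "error: '$cache' is a symlink; refusing to use it" >&2
        return 1
    fi
    if [ -e "$cache" ] && [ ! -d "$cache" ]; then
        echo "error: '$cache' exists but is not a directory" >&2
        return 1
    fi
    # Create the empty directory only when it is absent, private to the user.
    if [ ! -d "$cache" ]; then
        mkdir -m 700 "$cache" || return 1
    fi
    return 0
}

# launch_private DIR PROGRAM [ARGS...]  (hypothetical helper)
# Runs the program under firejail only after the check above has passed.
launch_private() {
    dir=$1
    shift
    ensure_cache_dir "$dir" || return 1
    firejail --private="$dir" --private-cache "$@"
}
```

Source the file and call, for instance, `launch_private somedir firefox`; the launch is refused when the check fails rather than proceeding without the private cache.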
You should see a warning, and if there is none that's a bug I would say.
Making the warning an error is a bit problematic, iirc some people are putting this in their /etc/firejail/globals.local, and it would break their setup. But I've updated the warning message, I think it is more clear now there is something going wrong with the Closing for now.
In firejail version 0.9.61 on Debian 10.
The combination of using --private=somedir with --private-cache doesn't work: the --private-cache setting doesn't prevent somedir/.cache from being used.
Tested using:
firejail --private=somedir --private-cache firefox
I haven't checked previous versions of firejail. My use case is that I'm placing somedir in a small encrypted volume (possibly on a usb stick): so somedir/.cache is superfluous, uses up precious space in the encrypted volume, and slows things down as it encrypts/decrypts.