whitelist globbing

[curiosity-seeker]

I was trying to rewrite/streamline my Firejail profile for LibreOffice. One rule which I tried was

whitelist ~/*.odt

but that doesn't work. It does work, though, in the form

whitelist ~/Example.odt

So it seems that placeholders are not supported. This would be a very useful enhancement in Firejail, indeed!

[netblue30]

I'll implement it, thanks for the idea!

[curiosity-seeker]

Great - thank you very much in advance!

BTW, it would be nice if one could add several file suffixes in one line if possible. Something like

whitelist ~/*.odt, *.doc, *.docx

or

whitelist ~/*.odt | *.doc | *.docx

just to keep the profile more readable.

[netblue30]

I'll try that one also.

[ghost]

Maybe in Bash syntax:
whitelist ~/*.{odt,doc,docx}

[netblue30]

several similar requests to follow:

[netblue30]

Also allow {}

[vn971]

And []

[msva]

Any updates on this?

[june128]

I'm currently working on enhancing the Thunderbird profile, so that Thunderbird can set itself as the default mail-program (and other things).
Thunderbird needs to modify the ~/.config/mimeapps.list-file for that. It does that by first creating a file named ~/.config/mimeapps.list.randomBit (where randomBit are 6 random characters [a-zA-Z0-9]) and then renaming this temporary file to ~/.config/mimeapps.list to make the change.

For that enhancement to be done, whitelist globbing would be needed (I think).

[rusty-snake]

@julianschacher #2874

EDIT:

whitelist globbing would be needed (I think)

To whitelist a file/dir it must be exists in the "normal" fs, thats why mkdir/mkfile is in the profiles.

[june128]

@julianschacher #2874

@rusty-snake Thanks for the link! That's really an unfortunate issue.

[rusty-snake]

601df2f

[danielkrajnik]

thanks, is it possible to use it resursively, that is all *.mp4 files in a directory and its subdirectories?

[rusty-snake]

man 7 glob:

Globbing is applied on each of the components of a pathname separately. A '/' in a pathname cannot be matched by a '?' or '*' wildcard

[danielkrajnik]

I see, so glibc doesn't provide a way to do it? Is there no other way to whitelist all files of specific format (e.g. *.mp4) in all subdirectories?

[rusty-snake]

If the (sub)directory structure isn't to deep, you can

whitelist ${HOME}/Downloads/*.mp4
whitelist ${HOME}/Downloads/*/*.mp4
whitelist ${HOME}/Downloads/*/*/*.mp4

[danielkrajnik]

Thanks, it is quite deep unfortunately (network mount). Ideally there would be a way to whitelist only certain files in such large directories rather than all of it.

[glitsj16]

@danielkrajnik Maybe you could write a shell script from where you pre-select the (*.mp4) files you want to whitelist and bind mount them in a specific location. That way you can blacklist your network mount and only whitelist the new mount path. Have you tried that yet?

[rusty-snake]

You can use find+xargs:

find ~/Videos -type f -name "*.mp4" -printf "--whitelist=%p\0" | xargs -0 -x -s 65536 /bin/sh -c 'firejail "$@" /usr/bin/totem'

I'm not sure if you can perform injections with this command (spaces in filenames work), but if this is an untrusted network mount, you should check this.