The issue is starting with an empty dir (either
$ cd ~
$ mkdir test1 # <==== just created, the dir is empty
$ firejail --x11=none --noautopulse --private=test1 # <==== first entry
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 15846, child pid 15847
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 19.38 ms
$ find . # <==== examine ~ contents
.
./.bashrc
$ mkdir .config
$ touch .config/kritarc # <==== this one is blacklisted in disable-programs.inc
$ find . -ls # <==== watch out for .config/kritarc ownership and perms
672587 4 drwxrwxr-x 3 user user 4096 May 26 18:08 .
672588 4 -rw-r--r-- 1 user user 3771 May 26 18:08 ./.bashrc
672589 4 drwxrwxr-x 2 user user 4096 May 26 18:08 ./.config
672590 0 -rw-rw-r-- 1 user user 0 May 26 18:08 ./.config/kritarc
$ exit
exit
Parent is shutting down, bye...
$ firejail --x11=none --noautopulse --private=test1 # <==== second entry
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 15901, child pid 15902
Warning: cleaning all supplementary groups
Child process initialized in 20.79 ms
$ find . -ls # <==== watch out for .config/kritarc ownership and perms
672587 4 drwxrwxr-x 3 user user 4096 May 26 18:09 .
672588 4 -rw-r--r-- 1 user user 3771 May 26 18:08 ./.bashrc
672589 4 drwxrwxr-x 2 user user 4096 May 26 18:08 ./.config
973 0 -r-------- 1 nobody nogroup 0 May 26 10:58 ./.config/kritarc
973 0 -r-------- 1 nobody nogroup 0 May 26 10:58 ./.bash_history
$ touch .config/kritarc
touch: cannot touch '.config/kritarc': Permission denied
I noticed this while trying to run krita appimage with
Replies: 1 comment 2 replies
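Added example (not from the original discussion): a POSIX sh helper that picks out the blacklist masks in a `find . -ls` listing like the second run above, so you can see which files in a `--private=` home the profile is hiding. It assumes the mask signature observed in this thread (a zero-byte, mode `-r--------` file owned by `nobody:nogroup`) and paths without whitespace; the sample listing is constructed from the output shown above.

```shell
#!/bin/sh
# Constructed sample: the second `find . -ls` run from the post above.
# Fields: inode blocks mode links owner group size month day time path
SAMPLE_LISTING='672587 4 drwxrwxr-x 3 user user 4096 May 26 18:09 .
672588 4 -rw-r--r-- 1 user user 3771 May 26 18:08 ./.bashrc
672589 4 drwxrwxr-x 2 user user 4096 May 26 18:08 ./.config
973 0 -r-------- 1 nobody nogroup 0 May 26 10:58 ./.config/kritarc
973 0 -r-------- 1 nobody nogroup 0 May 26 10:58 ./.bash_history'

# masked_paths: read `find -ls` lines on stdin and print the paths that
# carry the blacklist-mask signature seen in the sandbox: an empty,
# read-only file owned by nobody:nogroup sitting where the user's file was.
masked_paths() {
    awk '$3 == "-r--------" && $5 == "nobody" && $6 == "nogroup" && $7 == 0 { print $11 }'
}

# mask_inodes: distinct inodes behind the masks. In the listing above both
# masked paths share inode 973, i.e. one placeholder file is mounted over
# every blacklisted path rather than each file being altered in place.
mask_inodes() {
    awk '$3 == "-r--------" && $5 == "nobody" && $6 == "nogroup" && $7 == 0 { print $1 }' |
        sort -u
}

# count_masked: number of masked entries, for a quick yes/no check.
count_masked() {
    masked_paths | wc -l | tr -d ' '
}

# Stand-alone run: report what the sample listing hides.
printf '%s\n' "$SAMPLE_LISTING" | masked_paths
```

Run the real check from inside the sandbox with `find . -ls | masked_paths`; a non-empty result means the profile's blacklist is shadowing files you created in the private home.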
See #1011
To my knowledge there is still no obvious solution.
When using --private= you can avoid most/all security implications by using separate home directories per application. It is possible that in the future --private= and --whitelist can be combined (#4285), which could help in isolating apps and instances from each other.