On 2021-03-01 19:25:22 +0100, Reiner Herrmann wrote:
> Hi Vincent,
> 
> On Mon, Mar 01, 2021 at 02:49:32AM +0100, Vincent Lefevre wrote:
> > When using --private=<DIR>, an existing "bin" directory in <DIR>
> > is read-only. This is silly: this means that one cannot restart
> > a firejail session:
> > 
> [...]
> > 
> > I don't see the point to have "bin" read-only in this case, as the
> > purpose of "--private=" is that this "bin" directory is specific to
> > the firejail session.
> 
> The reason why the bin directory is mounted read-only is the
> disable-common.inc file that is included in the default and many other
> profiles:
>   read-only ${HOME}/bin

AFAIK, the goal of this line is to make bin from the user's home
directory read-only. This is useful as a general rule, where the
user's home directory in the jail is the same as the normal one
(it seems that disable-common.inc is included by all profiles).

This is misused in the case of a private home directory. This rule
should apply against the original home directory, not the private
home directory.

The same should apply to all the other "read-only ${HOME}/..." rules
as well.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
