How to whitelist the current directory?

[tredondo]

From the command prompt, in the /home/someotheruser directory, I'm executing head file.txt. Since all home directories but the one of the current user are not visible in the jail, head fails to find the file.

Is there a way to whitelist the current directory, whatever it happens to be at the time of the execution? These still failed with the same error:

$ pwd
/home/someotheruser
$ head file.txt  # works
$ /usr/bin/head file.txt  # works
$ firejail --whitelist=$(pwd) /usr/bin/head file.txt  # /usr/bin/head: cannot open 'file.txt'
$ firejail --whitelist=/home/someotheruser /usr/bin/head file.txt  # /usr/bin/head: cannot open 'file.txt'

[rusty-snake]

Since all home directories but the one of the current user are not visible in the jail

If you need the home directories of other users, pass --allusers.

Is there a way to whitelist the current directory, whatever it happens to be at the time of the execution?

No, because whitelisting is restricted to $HOME, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var.

[rusty-snake]

@tredondo Anything working for you? If so Mark the comment as an answer.

[tredondo]

I've put this problem aside for a while by noblacklisting a bit more directories than I'd like.

The problem is worse for creating profiles for "portable" applications that ship binaries intended to be unpacked and run from a given directory.

[glitsj16]

Is there a way to whitelist the current directory, whatever it happens to be at the time of the execution?

Have you tried the --private-cwd or --private-cwd=directory options yet?

[tredondo]

I've tried firejail --private-cwd=~/apps/LosslessCut-linux/ ./losslesscut with LosslessCut but the jail exits immediately:

~/apps/LosslessCut-linux$ firejail --private-cwd=~/apps/LosslessCut-linux/ ./losslesscut
Reading profile /etc/firejail/default.profile
Reading profile /home/tredondo/.config/firejail/default.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /home/tredondo/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /home/tredondo/.config/firejail/disable-passwdmgr.local
Reading profile /home/tredondo/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /home/tredondo/.config/firejail/disable-programs.local
Reading profile /home/tredondo/.config/firejail/disable-common.local

** Note: you can use --noprofile to disable default.profile **

Parent pid 1214763, child pid 1214764
Warning: cleaning all supplementary groups
Child process initialized in 89.12 ms

Parent is shutting down, bye...

This is a pretty common use case, running applications that ship with binaries and some libraries. What is the recommended process to create a custom profile for them? The whitelisting one from the link (firejail --private) doesn't work because the current directory becomes inaccessible. For example, I've unpacked LosslessCut in ~/apps/LosslessCut-linux. How do I run it in a firejail from there?

~/apps/LosslessCut-linux$ find
.
./libEGL.so
./losslesscut
./v8_context_snapshot.bin
./resources
./resources/node_modules
./resources/node_modules/ffmpeg-ffprobe-static
./resources/node_modules/ffmpeg-ffprobe-static/ffprobe
./resources/node_modules/ffmpeg-ffprobe-static/ffmpeg
./resources/app.asar
./crashpad_handler
./LICENSE.electron.txt
./locales
./locales/en-US.pak
./LICENSES.chromium.html
./snapshot_blob.bin
./resources.pak
./chrome-sandbox
./libffmpeg.so
./libGLESv2.so
./libvk_swiftshader.so
./chrome_200_percent.pak
./icudtl.dat
./swiftshader
./swiftshader/libEGL.so
./swiftshader/libGLESv2.so
./vk_swiftshader_icd.json
./chrome_100_percent.pak

[glitsj16]

I've tried firejail --private-cwd=~/apps/LosslessCut-linux/ ./losslesscut with LosslessCut but the jail exits immediately

As you mentioned LosslessCut is electron based. It will never work with the seccomp from default.profile because electron needs seccomp !chroot. It's things like this that complicates creating custom profiles that work for all apps regardless of location and - for the time being - will take a hands-on trial & error approach.

What did surprise me though is that I couldn't get the --build / --build=foo.profile options working with LosslessCut either. Will have to do more digging to see if this can be fixed somehow.

[rusty-snake]

FWIW: --build does not work for chromium if unprivileged userns clone is disabled.

[kmk3]

$ pwd
/home/someotheruser
$ head file.txt  # works
$ /usr/bin/head file.txt  # works
$ firejail --whitelist=$(pwd) /usr/bin/head file.txt  # /usr/bin/head: cannot open 'file.txt'
$ firejail --whitelist=/home/someotheruser /usr/bin/head file.txt  # /usr/bin/head: cannot open 'file.txt'

~/apps/LosslessCut-linux$ firejail --private-cwd=~/apps/LosslessCut-linux/ ./losslesscut
Reading profile /etc/firejail/default.profile

The underlying problem here seems to be trying to use firejail with programs
that do not have a profile, which results in default.profile being used.

Programs are unlikely to work properly in firejail without a dedicated profile.

As for the original question (whitelisting the current directory), closing as a
duplicate of:

• Add a macro for the current working directory #5713