How to disable noexec for a /var/-subdir?

[TheOneric]

Problem:
I need to mount two subdirectories of /var/, which are themselves mountpoints for different partitons, as executeable. Using ${SD} as a placeholder for a couple of application specific directories, I tried adding the rules below to steam.local to no avail:

Contents of /etc/firejail/steam.local

ignore noexec /var
ignore noexec /var/games/hdd
ignore noexec /var/games/ssd
ignore noexec /var/games/hdd/${SD}
ignore noexec /var/games/ssd/${SD} 
# I also tried moving the 'ignore noexec' statements but it didn't seem to make a difference
read-write /var/games/hdd

read-write /var/games/ssd
noblacklist /var/games/hdd

noblacklist /var/games/hdd/${SD}

noblacklist /var/games/ssd

noblacklist /var/games/ssd/${SD}
whitelist /var/games/hdd

whitelist /var/games/hdd/${SD}

whitelist /var/games/ssd

whitelist /var/games/ssd/${SD}
blacklist /var/games/hdd/${SD_a_different_one}
# For completeness  some more unrelated additions

# Needed for controllers to work

ignore private-dev
# Some Game-saves

noblacklist ~/.config/${SD}

whitelist ~/.config/${SD}

Testing the overly permissive invokation:

STEAM_COMPAT_MOUNTS=/var/games/hdd:/var/games/ssd firejail --noprofile --ignore=noexec --debug steam 2>&1 | grep '/var/games'

also doesn't work and the log shows that firejail does indeed still set noexec:

Log output matching the regex:

1101 1099 8:33 / /var/games/hdd rw,relatime master:50 - ext4 /dev/sdc1 rw
mountid=1101 fsname=/ dir=/var/games/hdd fstype=ext4
Mounting read-only /var/games/ssd
1102 1100 259:4 / /var/games/ssd ro,noatime master:39 - ext4 /dev/nvme0n1p4 rw
mountid=1102 fsname=/ dir=/var/games/ssd fstype=ext4
Mounting read-only /var/games/hdd
1103 1101 8:33 / /var/games/hdd ro,relatime master:50 - ext4 /dev/sdc1 rw
mountid=1103 fsname=/ dir=/var/games/hdd fstype=ext4
1108 1107 8:33 / /var/games/hdd ro,relatime master:50 - ext4 /dev/sdc1 rw
mountid=1108 fsname=/ dir=/var/games/hdd fstype=ext4
Mounting noexec /var/games/ssd
1109 1106 259:4 / /var/games/ssd ro,nosuid,nodev,noexec,noatime master:39 - ext4 /dev/nvme0n1p4 rw
mountid=1109 fsname=/ dir=/var/games/ssd fstype=ext4
Mounting noexec /var/games/hdd
1110 1108 8:33 / /var/games/hdd ro,nosuid,nodev,noexec,relatime master:50 - ext4 /dev/sdc1 rw
mountid=1110 fsname=/ dir=/var/games/hdd fstype=ext4
  

Question:
How can I get the directories to mount as executable filesystems? If it was at all impossible, are there more places I should avoid when moving the library-mountpoints (again), or what would be a good place? I briefly considered /opt/… and /srv/… but there were also firejail-unrelated issues with those. Would /var/lib/…, /media/games/… or /gamelibs/… work better, or are there also pitfalls?

Background:
I'm running into this problem with steam; since the Games take up too much space for the root-partition I have two partitions (almost) only for storing the Games, one on an SSD one on a HDD; they can be added in steam as new paths for storage. I used to put them under /usr/games/… (which worked), but I had to move it to /var/games/… as newer versions of Proton use a bubblewrap-based setup, which doesn't allow STEAM_COMPAT_MOUNTs to be in /usr/… (and additional library-paths need to be set as STEAM_COMPAT_MOUNTS to work with the relevant Proton-versions). Now I'm having trouble with the executability instead.

[rusty-snake]

Try

STEAM_COMPAT_MOUNTS=/var/games/hdd:/var/games/ssd firejail --writable-var --noprofile --ignore=noexec --debug steam 2>&1 | grep '/var/games'
                                                           **************

I think it should work, if so set writable-var in your steam.local.

---

ignore noexec /var/games/hdd
ignore noexec /var/games/ssd
ignore noexec /var/games/hdd/${SD}
ignore noexec /var/games/ssd/${SD} 

Never noexeced except you did.

noblacklist /var/games/hdd
noblacklist /var/games/hdd/${SD}
noblacklist /var/games/ssd
noblacklist /var/games/ssd/${SD}

Never blacklisted except you did.

ignore private-dev

If you use firejail 0.9.66 it should work without this line.

[TheOneric]

Thanks! writable-var did indeed solve it. And yes, controllers now seem work without ignore dev-private :)

From the library chooser dialog it also appears steam still not see the full /var/, which is good — but does writable-var mean a misbehaved game could eg install its own SSL root-cert in /var/lib/ca-certificates? If yes, is there a concise way to avoid this, other than read-onlying all visible /var-subdirs except /var/games?

[rusty-snake]

but does writable-var mean a misbehaved game could eg install its own SSL root-cert in /var/lib/ca-certificates?

writable-var has an effect on the mount option (i.e. ro/rw). Writing in /var/lib/ca-certificates requires that it is mounted rw. But also that the process has write permission. So as long as ls -ld /var/lib/ca-certificates looks like drwxr-xr-x. root root it can not install it's own TLS certs

is there a concise way to avoid this, other than read-onlying all visible /var-subdirs except /var/games?

read-only /var
read-write /var/games

should work

[TheOneric]

Right, ofc writable-var doesn't change the ownership. Adding the suggested as an extra precaution also works :)
Thanks a bunch for your help!