netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

ignore option and globbing #3378

Open smitsohu opened 4 years ago

smitsohu commented 4 years ago

The idea was to configure the Dolphin (maybe Baloo, KWin, ...) sandbox in a more restrictive way, while avoiding running into #1793:

mkdir ${HOME}/.local/share/dolphin
read-only ${HOME}

read-write ${HOME}/.config
ignore read-only ${HOME}/.config/dolphinrc
read-only ${HOME}/.config/*

read-write ${HOME}/.local/share/dolphin

This snippet mounts the user home directory read-only, but keeps the ~/.config and ~/.local/share/dolphin directories writable. All files inside ~/.config, with ~/.config/dolphinrc being the only exception, are read-only again.

Unfortunately, read-only ${HOME}/.config/* is matched only by ignore read-only ${HOME}/.config/* and ignore read-only.

Firejail checks for ignored commands before wildcards are expanded, and so the profile snippet above doesn't work.

Now the question is if it would be considered generally helpful to enhance the current ignore and run checks again after wildcards are expanded (adding a bit of overhead, of course).
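To make the ordering problem concrete, the following is an added simulation of the snippet above (not firejail's own code): it resolves the profile once with the current behaviour, where ignore is checked against the raw line before globbing, and once with the proposed re-check after wildcard expansion. The file list and the prefix-match ignore semantics are assumptions.

```python
import fnmatch
HOME = "/home/user"  # the file list is a constructed stand-in, not a real listing
FILES = [f"{HOME}/notes.txt", f"{HOME}/.config/dolphinrc", f"{HOME}/.config/kwinrc",
         f"{HOME}/.local/share/dolphin/view_properties"]
# The profile snippet from the issue.
PROFILE = """
mkdir ${HOME}/.local/share/dolphin
read-only ${HOME}
read-write ${HOME}/.config
ignore read-only ${HOME}/.config/dolphinrc
read-only ${HOME}/.config/*
read-write ${HOME}/.local/share/dolphin
"""

def expand(arg):
    # Shell-style glob of one argument against FILES; '*' does not cross '/'.
    if "*" not in arg:
        return [arg]
    return [f for f in FILES if fnmatch.fnmatch(f, arg) and f.count("/") == arg.count("/")]

def mount_rules(profile, recheck_after_glob):
    # Ordered (mode, path) rules that survive the ignore checks. Assumed ignore
    # semantics: "ignore X" drops every line that starts with X (prefix match).
    ignores, rules = [], []
    ignored = lambda line: any(line.startswith(i) for i in ignores)
    for raw in profile.strip().splitlines():
        line = raw.replace("${HOME}", HOME).strip()
        if line.startswith("ignore "):
            ignores.append(line[len("ignore "):])
            continue
        if ignored(line):  # current behaviour: raw line is checked before globbing
            continue
        cmd, _, arg = line.partition(" ")
        if cmd not in ("read-only", "read-write"):
            continue  # mkdir and friends do not change mount modes here
        for path in expand(arg):
            if recheck_after_glob and ignored(f"{cmd} {path}"):
                continue  # proposal: check each expanded path again
            rules.append((cmd, path))
    return rules

def modes(recheck_after_glob):
    # Per-file result: the last rule covering the path (itself or an ancestor) wins.
    rules, result = mount_rules(PROFILE, recheck_after_glob), {}
    for f in FILES:
        result[f] = "read-write"
        for cmd, target in rules:
            if f == target or f.startswith(target + "/"):
                result[f] = cmd
    return result
```

With the current behaviour dolphinrc ends up read-only like everything else under ~/.config; with the re-check after expansion it stays writable while kwinrc is still read-only.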

glitsj16 commented 4 years ago

Now the question is if it would be considered generally helpful to enhance the current ignore and run checks again after wildcards are expanded (adding a bit of overhead, of course).

If this isn't too difficult/time-consuming to implement, I'd say go for it. Perhaps it can prove useful (in the future) for other sandboxes besides the Dolphin one. Firejail's overhead is actually very nice and I don't think this proposal would hurt it that much. But that will have to be tested after implementation of course.

rusty-snake commented 4 years ago

I would not use ignore for that, read-write is already used for ro exceptions. ~But I often see that users are trying to add globbing exception with blacklist.~

~noblacklist ${HOME}/foo~
~blacklist ${HOME}/*~