Open smitsohu opened 4 years ago
Now the question is if it would be considered generally helpful to enhance the current ignore and run checks again after wildcards are expanded (adding a bit of overhead, of course).
If this isn't too difficult/time-consuming to implement, I'd say go for it. Perhaps it can prove useful (in the future) for other sandboxes besides the Dolphin one. Firejail's overhead is actually very nice and I don't think this proposal would hurt it that much. But that will have to be tested after implementation of course.
I would not use ignore for that, read-write is already used for ro exceptions. ~But I often see that users are trying to add globbing exception with blacklist.~
~noblacklist ${HOME}/foo~
~blacklist ${HOME}/*~
The idea was to configure the Dolphin (maybe Baloo, KWin, ...) sandbox in a more restrictive way, while avoiding to run into #1793 :
This snippet mounts the user home directory read-only, but keeps the ~/.config and ~/.local/share/dolphin directories writable. All files inside ~/.config, with ~/.config/dolphinrc being the only exception, are read-only again.
Unfortunately,
read-only ${HOME}/.config/*
is matched only byignore read-only ${HOME}/.config/*
andignore read-only
Firejail checks for
ignore
d commands before wildcards are expanded, and so the profile snippet above doesn't work.Now the question is if it would be considered generally helpful to enhance the current
ignore
and run checks again after wildcards are expanded (adding a bit of overhead, of course).