netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Kate - Read/Write problems in /home/ (ignores overrides?) #3693

Closed Utini2000 closed 4 years ago

Utini2000 commented 4 years ago

Bug and expected behavior

Kate can't write into .zshrc or access most of the files/folders in /.config/

I also made a file /home/username/.config/firejail/kate.local:

```
noblacklist ${HOME}/.config
noblacklist ${HOME}/.config/
noblacklist ${HOME}/.zshrc
```

No profile and disabling firejail

Reproduce

Steps to reproduce the behavior:

  1. sudo firecfg
  2. run kate
  3. Try to write into .zshrc or open /.config/mpv/

Environment

Additional context

Basically I want to have kate run under all the standard rules from /etc/firejail/kate.profile while adding 2-3 rules myself that override the stock profile (e.g. allowing it to edit anything in /home/user/.config/)

Checklist

debug output ``` Autoselecting /bin/zsh as shell Building quoted command line: 'kate' Command name #kate# Found kate.profile profile in /etc/firejail directory Reading profile /etc/firejail/kate.profile Found kate.local profile in /home/username_replaced/.config/firejail directory Reading profile /home/username_replaced/.config/firejail/kate.local Found disable-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.inc Found disable-exec.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-exec.inc Found disable-passwdmgr.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-passwdmgr.inc Found disable-programs.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-programs.inc Found whitelist-var-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-var-common.inc DISPLAY=:0 parsed as 0 Using the local network stack Parent pid 67581, child pid 67582 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Build protocol filter: unix sbox run: /run/firejail/lib/fseccomp protocol build unix /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 2, uid 1000, gid 985, nogroups 1 No supplementary groups Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc 2705 1164 254:1 /etc /etc ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2705 fsname=/etc dir=/etc fstype=ext4 Mounting noexec /etc 2706 2705 254:1 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2706 fsname=/etc 
dir=/etc fstype=ext4 Mounting read-only /var 2707 1164 254:1 /var /var ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2707 fsname=/var dir=/var fstype=ext4 Mounting noexec /var 2708 2707 254:1 /var /var ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2708 fsname=/var dir=/var fstype=ext4 Mounting read-only /usr 2709 1164 254:1 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2709 fsname=/usr dir=/usr fstype=ext4 Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /home/username_replaced/.config/firejail Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Mounting tmpfs on /dev mounting /run/firejail/mnt/dev/dri directory Process /dev/shm directory Generate private-tmp whitelist commands blacklist /run/firejail/dbus Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kallsyms Disable /usr/lib/modules/5.9.1-arch1-1/build (requested /usr/src/linux) Disable /usr/lib/modules (requested /lib/modules) Disable /boot Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /proc/kmsg Debug 456: new_name #/var/lib/ca-certificates#, whitelist Removed whitelist/nowhitelist path: whitelist /var/lib/ca-certificates expanded: /var/lib/ca-certificates real path: (null) realpath: No such file or directory Debug 456: 
new_name #/var/lib/dbus#, whitelist Debug 456: new_name #/var/lib/menu-xdg#, whitelist Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg expanded: /var/lib/menu-xdg real path: (null) realpath: No such file or directory Debug 456: new_name #/var/lib/uim#, whitelist Removed whitelist/nowhitelist path: whitelist /var/lib/uim expanded: /var/lib/uim real path: (null) realpath: No such file or directory Debug 456: new_name #/var/cache/fontconfig#, whitelist Debug 456: new_name #/var/tmp#, whitelist Debug 456: new_name #/var/run#, whitelist Replaced whitelist path: whitelist /run Debug 456: new_name #/var/lock#, whitelist Replaced whitelist path: whitelist /run/lock Debug 456: new_name #/tmp/.X11-unix#, whitelist Mounting tmpfs on /tmp directory Mounting tmpfs on /var directory Whitelisting /var/lib/dbus 2750 2749 254:1 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2750 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=ext4 Whitelisting /var/cache/fontconfig 2751 2749 254:1 /var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2751 fsname=/var/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4 Whitelisting /var/tmp 2752 2749 0:136 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw mountid=2752 fsname=/ dir=/var/tmp fstype=tmpfs Created symbolic link /var/run -> /run Created symbolic link /var/lock -> /run/lock Whitelisting /tmp/.X11-unix 2753 2693 0:47 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:31 - tmpfs tmpfs rw,size=16145976k,nr_inodes=409600 mountid=2753 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /home/username_replaced/.local/share/Trash Disable /home/username_replaced/.bash_history Disable /home/username_replaced/.zsh_history Disable /home/username_replaced/.histfile Disable /home/username_replaced/.local/share/klipper Disable /home/username_replaced/.config/autostart Disable 
/home/username_replaced/.config/autostart-scripts Disable /home/username_replaced/.config/plasma-workspace Disable /home/username_replaced/.config/startupconfig Disable /home/username_replaced/.config/startupconfigkeys Disable /home/username_replaced/.xinitrc Disable /home/username_replaced/.xprofile Disable /etc/X11/Xsession.d Disable /etc/xdg/autostart Mounting read-only /home/username_replaced/.Xauthority 2770 2716 254:1 /home/username_replaced/.Xauthority /home/username_replaced/.Xauthority ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2770 fsname=/home/username_replaced/.Xauthority dir=/home/username_replaced/.Xauthority fstype=ext4 Disable /home/username_replaced/.config/khotkeysrc Disable /home/username_replaced/.config/krunnerrc Disable /home/username_replaced/.config/kscreenlockerrc Disable /home/username_replaced/.config/kwalletrc Disable /home/username_replaced/.config/kwinrc Disable /home/username_replaced/.config/kwinrulesrc Disable /home/username_replaced/.config/plasma-org.kde.plasma.desktop-appletsrc Disable /home/username_replaced/.config/plasmashellrc Disable /home/username_replaced/.local/share/kglobalaccel Mounting read-only /home/username_replaced/.cache/ksycoca5_en_tV1a5zszZ0x3oFFJAB9SUeSPnDs= 2780 2716 254:1 /home/username_replaced/.cache/ksycoca5_en_tV1a5zszZ0x3oFFJAB9SUeSPnDs= /home/username_replaced/.cache/ksycoca5_en_tV1a5zszZ0x3oFFJAB9SUeSPnDs= ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2780 fsname=/home/username_replaced/.cache/ksycoca5_en_tV1a5zszZ0x3oFFJAB9SUeSPnDs= dir=/home/username_replaced/.cache/ksycoca5_en_tV1a5zszZ0x3oFFJAB9SUeSPnDs= fstype=ext4 Mounting read-only /home/username_replaced/.cache/ksycoca5_en-AT_mGdAOnAFisCWihcBi_AAXuqsM6g= 2781 2716 254:1 /home/username_replaced/.cache/ksycoca5_en-AT_mGdAOnAFisCWihcBi_AAXuqsM6g= /home/username_replaced/.cache/ksycoca5_en-AT_mGdAOnAFisCWihcBi_AAXuqsM6g= ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2781 
fsname=/home/username_replaced/.cache/ksycoca5_en-AT_mGdAOnAFisCWihcBi_AAXuqsM6g= dir=/home/username_replaced/.cache/ksycoca5_en-AT_mGdAOnAFisCWihcBi_AAXuqsM6g= fstype=ext4 Mounting read-only /home/username_replaced/.cache/ksycoca5_en_mGdAOnAFisCWihcBi_AAXuqsM6g= 2782 2716 254:1 /home/username_replaced/.cache/ksycoca5_en_mGdAOnAFisCWihcBi_AAXuqsM6g= /home/username_replaced/.cache/ksycoca5_en_mGdAOnAFisCWihcBi_AAXuqsM6g= ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2782 fsname=/home/username_replaced/.cache/ksycoca5_en_mGdAOnAFisCWihcBi_AAXuqsM6g= dir=/home/username_replaced/.cache/ksycoca5_en_mGdAOnAFisCWihcBi_AAXuqsM6g= fstype=ext4 Mounting read-only /home/username_replaced/.config/kcm_touchpad.notifyrc 2783 2716 254:1 /home/username_replaced/.config/kcm_touchpad.notifyrc /home/username_replaced/.config/kcm_touchpad.notifyrc ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2783 fsname=/home/username_replaced/.config/kcm_touchpad.notifyrc dir=/home/username_replaced/.config/kcm_touchpad.notifyrc fstype=ext4 Mounting read-only /home/username_replaced/.config/plasmanotifyrc 2784 2716 254:1 /home/username_replaced/.config/plasmanotifyrc /home/username_replaced/.config/plasmanotifyrc ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2784 fsname=/home/username_replaced/.config/plasmanotifyrc dir=/home/username_replaced/.config/plasmanotifyrc fstype=ext4 Mounting read-only /home/username_replaced/.config/kdeglobals 2785 2716 254:1 /home/username_replaced/.config/kdeglobals /home/username_replaced/.config/kdeglobals ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2785 fsname=/home/username_replaced/.config/kdeglobals dir=/home/username_replaced/.config/kdeglobals fstype=ext4 Mounting read-only /home/username_replaced/.config/kio_httprc 2786 2716 254:1 /home/username_replaced/.config/kio_httprc /home/username_replaced/.config/kio_httprc ro,relatime master:1 - ext4 
/dev/mapper/MyVolumeGroups-root rw mountid=2786 fsname=/home/username_replaced/.config/kio_httprc dir=/home/username_replaced/.config/kio_httprc fstype=ext4 Mounting read-only /home/username_replaced/.config/kiorc 2787 2716 254:1 /home/username_replaced/.config/kiorc /home/username_replaced/.config/kiorc ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2787 fsname=/home/username_replaced/.config/kiorc dir=/home/username_replaced/.config/kiorc fstype=ext4 Mounting read-only /home/username_replaced/.kde4/share/config/kdeglobals 2788 2716 254:1 /home/username_replaced/.kde4/share/config/kdeglobals /home/username_replaced/.kde4/share/config/kdeglobals ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2788 fsname=/home/username_replaced/.kde4/share/config/kdeglobals dir=/home/username_replaced/.kde4/share/config/kdeglobals fstype=ext4 Mounting read-only /home/username_replaced/.local/share/konsole 2789 2716 254:1 /home/username_replaced/.local/share/konsole /home/username_replaced/.local/share/konsole ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2789 fsname=/home/username_replaced/.local/share/konsole dir=/home/username_replaced/.local/share/konsole fstype=ext4 Disable /run/user/1000/klauncherflujTc.1.slave-socket Disable /run/user/1000/kdeinit5__0 Mounting read-only /home/username_replaced/.config/dconf 2792 2716 254:1 /home/username_replaced/.config/dconf /home/username_replaced/.config/dconf ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2792 fsname=/home/username_replaced/.config/dconf dir=/home/username_replaced/.config/dconf fstype=ext4 Disable /home/username_replaced/.config/systemd Disable /usr/bin/systemd-run Disable /run/user/1000/systemd Disable /home/username_replaced/.config/VirtualBox Disable /home/username_replaced/VirtualBox VMs Disable /home/username_replaced/.cache/libvirt Disable /home/username_replaced/.config/libvirt Disable /usr/bin/veracrypt Disable 
/usr/share/applications/veracrypt.desktop Disable /usr/share/pixmaps/veracrypt.xpm Disable /etc/profile.d Disable /etc/kernel Disable /etc/grub.d Disable /etc/dkms Disable /etc/apparmor Disable /etc/apparmor.d Disable /etc/modules-load.d Disable /etc/logrotate.d Disable /etc/logrotate.conf Mounting read-only /home/username_replaced/.bash_logout 2812 2716 254:1 /home/username_replaced/.bash_logout /home/username_replaced/.bash_logout ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2812 fsname=/home/username_replaced/.bash_logout dir=/home/username_replaced/.bash_logout fstype=ext4 Mounting read-only /home/username_replaced/.bash_profile 2813 2716 254:1 /home/username_replaced/.bash_profile /home/username_replaced/.bash_profile ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2813 fsname=/home/username_replaced/.bash_profile dir=/home/username_replaced/.bash_profile fstype=ext4 Mounting read-only /home/username_replaced/.bashrc 2814 2716 254:1 /home/username_replaced/.bashrc /home/username_replaced/.bashrc ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2814 fsname=/home/username_replaced/.bashrc dir=/home/username_replaced/.bashrc fstype=ext4 Mounting read-only /home/username_replaced/.zshrc 2815 2716 254:1 /home/username_replaced/.zshrc /home/username_replaced/.zshrc ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2815 fsname=/home/username_replaced/.zshrc dir=/home/username_replaced/.zshrc fstype=ext4 Mounting read-only /home/username_replaced/bin 2816 2716 254:1 /home/username_replaced/bin /home/username_replaced/bin ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2816 fsname=/home/username_replaced/bin dir=/home/username_replaced/bin fstype=ext4 Mounting read-only /home/username_replaced/.config/menus 2817 2716 254:1 /home/username_replaced/.config/menus /home/username_replaced/.config/menus ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root 
rw mountid=2817 fsname=/home/username_replaced/.config/menus dir=/home/username_replaced/.config/menus fstype=ext4 Mounting read-only /home/username_replaced/.local/share/applications 2818 2716 254:1 /home/username_replaced/.local/share/applications /home/username_replaced/.local/share/applications ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2818 fsname=/home/username_replaced/.local/share/applications dir=/home/username_replaced/.local/share/applications fstype=ext4 Mounting read-only /home/username_replaced/.config/mimeapps.list 2819 2716 254:1 /home/username_replaced/.config/mimeapps.list /home/username_replaced/.config/mimeapps.list ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2819 fsname=/home/username_replaced/.config/mimeapps.list dir=/home/username_replaced/.config/mimeapps.list fstype=ext4 Mounting read-only /home/username_replaced/.config/user-dirs.dirs 2820 2716 254:1 /home/username_replaced/.config/user-dirs.dirs /home/username_replaced/.config/user-dirs.dirs ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2820 fsname=/home/username_replaced/.config/user-dirs.dirs dir=/home/username_replaced/.config/user-dirs.dirs fstype=ext4 Mounting read-only /home/username_replaced/.config/user-dirs.locale 2821 2716 254:1 /home/username_replaced/.config/user-dirs.locale /home/username_replaced/.config/user-dirs.locale ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2821 fsname=/home/username_replaced/.config/user-dirs.locale dir=/home/username_replaced/.config/user-dirs.locale fstype=ext4 Mounting read-only /home/username_replaced/.local/share/mime 2822 2716 254:1 /home/username_replaced/.local/share/mime /home/username_replaced/.local/share/mime ro,relatime master:1 - ext4 /dev/mapper/MyVolumeGroups-root rw mountid=2822 fsname=/home/username_replaced/.local/share/mime dir=/home/username_replaced/.local/share/mime fstype=ext4 Disable /home/username_replaced/.gnupg 
Disable /home/username_replaced/.local/share/keyrings Disable /home/username_replaced/.local/share/kwalletd Disable /home/username_replaced/.netrc Disable /home/username_replaced/.pki Disable /home/username_replaced/.local/share/pki Disable /home/username_replaced/.ssh Disable /etc/group- Disable /etc/gshadow Disable /etc/gshadow- Disable /etc/passwd- Disable /etc/shadow Disable /etc/shadow- Disable /etc/ssh Warning: /sbin directory link was not blacklisted Disable /usr/local/sbin Warning: /usr/sbin directory link was not blacklisted Disable /usr/bin/chage Disable /usr/bin/chfn Disable /usr/bin/chsh Disable /usr/bin/expiry Disable /usr/bin/fusermount Disable /usr/bin/gpasswd Disable /usr/bin/ksu Disable /usr/bin/mount Disable /usr/bin/netcat (requested /usr/bin/nc) Disable /usr/bin/newgidmap Disable /usr/bin/newgrp Disable /usr/bin/newuidmap Disable /usr/bin/ntfs-3g Disable /usr/bin/pkexec Disable /usr/bin/sg Disable /usr/bin/su Disable /usr/bin/sudo Disable /usr/bin/umount Disable /usr/bin/unix_chkpwd Disable /usr/bin/xev Disable /usr/bin/xinput Disable /usr/bin/bwrap Disable /proc/config.gz Disable /usr/bin/dig Disable /usr/bin/nslookup Disable /usr/bin/host Disable /usr/bin/resolvectl Mounting noexec /run/user/1000 2871 2865 0:23 /firejail/firejail.ro.file /run/user/1000/kdeinit5__0 rw,nosuid,nodev,relatime master:14 - tmpfs run rw,mode=755 mountid=2871 fsname=/firejail/firejail.ro.file dir=/run/user/1000/kdeinit5__0 fstype=tmpfs Warning: not remounting /run/user/1000/gvfs Mounting noexec /dev/shm 2872 2738 0:142 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=2872 fsname=/shm dir=/dev/shm fstype=tmpfs Mounting noexec /tmp 2874 2873 0:47 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:31 - tmpfs tmpfs rw,size=16145976k,nr_inodes=409600 mountid=2874 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /tmp/.X11-unix 2875 2874 0:47 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec master:31 - tmpfs tmpfs 
rw,size=16145976k,nr_inodes=409600 mountid=2875 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /var 2879 2876 0:136 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw mountid=2879 fsname=/ dir=/var/tmp fstype=tmpfs Disable /home/username_replaced/.config/keepassxc Disable /home/username_replaced/.PlayOnLinux Disable /home/username_replaced/.android Disable /home/username_replaced/.config/GIMP Disable /home/username_replaced/.config/Thunar Disable /home/username_replaced/.config/VirtualBox Disable /home/username_replaced/.config/akonadi Disable /home/username_replaced/.config/akregatorrc Disable /home/username_replaced/.config/baloofilerc Disable /home/username_replaced/.config/blender Disable /home/username_replaced/.config/cantata Disable /home/username_replaced/.config/catfish Disable /home/username_replaced/.config/discord Disable /home/username_replaced/.config/dolphinrc Disable /home/username_replaced/.config/emaildefaults Disable /home/username_replaced/.config/emailidentities Disable /home/username_replaced/.config/enchant Disable /home/username_replaced/.config/gconf Disable /home/username_replaced/.config/hexchat Not blacklist /home/username_replaced/.config/katemetainfos Not blacklist /home/username_replaced/.config/katepartrc Not blacklist /home/username_replaced/.config/katerc Not blacklist /home/username_replaced/.config/kateschemarc Not blacklist /home/username_replaced/.config/katesyntaxhighlightingrc Not blacklist /home/username_replaced/.config/katevirc Disable /home/username_replaced/.config/kdenliverc Disable /home/username_replaced/.config/kfindrc Disable /home/username_replaced/.config/klipperrc Disable /home/username_replaced/.config/kmail2rc Disable /home/username_replaced/.config/kmailsearchindexingrc Disable /home/username_replaced/.config/libreoffice Disable /home/username_replaced/.config/mpd Disable /home/username_replaced/.config/mpv Disable /home/username_replaced/.config/obs-studio Disable 
/home/username_replaced/.config/okularpartrc Disable /home/username_replaced/.config/okularrc Disable /home/username_replaced/.config/pavucontrol.ini Disable /home/username_replaced/.config/qBittorrent Disable /home/username_replaced/.config/qBittorrentrc Disable /home/username_replaced/.config/skypeforlinux Disable /home/username_replaced/.config/smplayer Disable /home/username_replaced/.config/viewnior Disable /home/username_replaced/.config/vlc Disable /home/username_replaced/.config/youtube-dl Disable /home/username_replaced/.local/share/Steam Disable /home/username_replaced/.local/share/TelegramDesktop Disable /home/username_replaced/.local/share/akonadi Disable /home/username_replaced/.local/share/baloo Disable /home/username_replaced/.local/share/cantata Disable /home/username_replaced/.local/share/data/qBittorrent Disable /home/username_replaced/.local/share/dolphin Not blacklist /home/username_replaced/.local/share/kate Disable /home/username_replaced/.local/share/kdenlive Disable /home/username_replaced/.local/share/kmail2 Disable /home/username_replaced/.local/share/kxmlgui5/dolphin Disable /home/username_replaced/.local/share/kxmlgui5/filelight Disable /home/username_replaced/.local/share/kxmlgui5/partitionmanager Disable /home/username_replaced/.local/share/kxmlgui5/kmail Disable /home/username_replaced/.local/share/kxmlgui5/konsole Disable /home/username_replaced/.local/share/kxmlgui5/kmenuedit Disable /home/username_replaced/.local/share/meld Disable /home/username_replaced/.local/share/okular Disable /home/username_replaced/.local/share/plasma_notes Disable /home/username_replaced/.local/share/vlc Disable /home/username_replaced/.local/share/vulkan Disable /home/username_replaced/.mozilla Disable /home/username_replaced/.nanorc Disable /home/username_replaced/.nv Disable /home/username_replaced/.purple Disable /home/username_replaced/.ssr Disable /home/username_replaced/.steam Disable /home/username_replaced/.thunderbird Disable 
/home/username_replaced/.wget-hsts Disable /home/username_replaced/.wine Disable /home/username_replaced/.cache/cantata Disable /home/username_replaced/.cache/keepassxc Disable /home/username_replaced/.cache/kinfocenter Disable /home/username_replaced/.cache/kscreenlocker_greet Disable /home/username_replaced/.cache/ksmserver-logout-greeter Disable /home/username_replaced/.cache/ksplashqml Disable /home/username_replaced/.cache/kwin Disable /home/username_replaced/.cache/mozilla Disable /home/username_replaced/.cache/plasmashell Disable /home/username_replaced/.cache/systemsettings Disable /home/username_replaced/.cache/vlc Mounting read-only /tmp/.X11-unix 2958 2875 0:47 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec master:31 - tmpfs tmpfs rw,size=16145976k,nr_inodes=409600 mountid=2958 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /sys/fs Disable /sys/module disable pulseaudio blacklist /home/username_replaced/.config/pulse blacklist /run/user/1000/pulse/native blacklist /run/user/1000/pulse Create the new ld.so.preload file Blacklist violations are logged to syslog Mount the new ld.so.preload file Current directory: /home/username_replaced DISPLAY=:0 parsed as 0 Install protocol filter: unix configuring 16 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 3, uid 1000, gid 985, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002) 0002: 20 00 00 00000000 ld data.syscall-number 0003: 15 01 00 00000167 jeq unknown 0005 (false 0004) 0004: 06 00 00 7fff0000 ret ALLOW 0005: 05 00 00 00000006 jmp 000c 0006: 20 00 00 00000004 ld data.architecture 0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 20 00 00 00000000 ld data.syscall-number 000a: 15 
01 00 00000029 jeq socket 000c (false 000b) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 20 00 00 00000010 ld data.args[0] 000d: 15 00 01 00000001 jeq 1 000e (false 000f) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 06 00 00 0005005f ret ERRNO(95) configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 Dropping all capabilities Drop privileges: pid 4, uid 1000, gid 985, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 00 01 00000015 jeq 15 0005 (false 0006) 0005: 06 00 00 00000001 ret KILL 0006: 15 00 01 00000034 jeq 34 0007 (false 0008) 0007: 06 00 00 00000001 ret KILL 0008: 15 00 01 0000001a jeq 1a 0009 (false 000a) 0009: 06 00 00 00000001 ret KILL 000a: 15 00 01 0000011b jeq 11b 000b (false 000c) 000b: 06 00 00 00000001 ret KILL 000c: 15 00 01 00000155 jeq 155 000d (false 000e) 000d: 06 00 00 00000001 ret KILL 000e: 15 00 01 00000156 jeq 156 000f (false 0010) 000f: 06 00 00 00000001 ret KILL 0010: 15 00 01 0000007f jeq 7f 0011 (false 0012) 0011: 06 00 00 00000001 ret KILL 0012: 15 00 01 00000080 jeq 80 0013 (false 0014) 0013: 06 00 00 00000001 ret KILL 0014: 15 00 01 0000015e jeq 15e 0015 (false 0016) 0015: 06 00 00 00000001 ret KILL 0016: 15 00 01 00000081 jeq 81 0017 (false 0018) 0017: 06 00 00 00000001 ret KILL 0018: 15 00 01 0000006e jeq 6e 0019 (false 001a) 0019: 06 00 00 00000001 ret KILL 001a: 15 00 01 00000065 jeq 65 001b (false 001c) 001b: 06 00 00 00000001 ret KILL 001c: 15 00 01 00000121 jeq 121 001d (false 001e) 001d: 06 00 00 00000001 ret KILL 001e: 15 00 01 00000057 jeq 57 001f (false 0020) 001f: 06 00 00 00000001 ret KILL 0020: 15 00 01 00000073 jeq 73 0021 (false 0022) 0021: 06 00 00 00000001 ret KILL 0022: 15 00 01 00000067 jeq 67 0023 (false 
0024) 0023: 06 00 00 00000001 ret KILL 0024: 15 00 01 0000015b jeq 15b 0025 (false 0026) 0025: 06 00 00 00000001 ret KILL 0026: 15 00 01 0000015c jeq 15c 0027 (false 0028) 0027: 06 00 00 00000001 ret KILL 0028: 15 00 01 00000087 jeq 87 0029 (false 002a) 0029: 06 00 00 00000001 ret KILL 002a: 15 00 01 00000095 jeq 95 002b (false 002c) 002b: 06 00 00 00000001 ret KILL 002c: 15 00 01 0000007c jeq 7c 002d (false 002e) 002d: 06 00 00 00000001 ret KILL 002e: 15 00 01 00000157 jeq 157 002f (false 0030) 002f: 06 00 00 00000001 ret KILL 0030: 15 00 01 000000fd jeq fd 0031 (false 0032) 0031: 06 00 00 00000001 ret KILL 0032: 15 00 01 00000150 jeq 150 0033 (false 0034) 0033: 06 00 00 00000001 ret KILL 0034: 15 00 01 00000152 jeq 152 0035 (false 0036) 0035: 06 00 00 00000001 ret KILL 0036: 15 00 01 0000015d jeq 15d 0037 (false 0038) 0037: 06 00 00 00000001 ret KILL 0038: 15 00 01 0000011e jeq 11e 0039 (false 003a) 0039: 06 00 00 00000001 ret KILL 003a: 15 00 01 0000011f jeq 11f 003b (false 003c) 003b: 06 00 00 00000001 ret KILL 003c: 15 00 01 00000120 jeq 120 003d (false 003e) 003d: 06 00 00 00000001 ret KILL 003e: 15 00 01 00000056 jeq 56 003f (false 0040) 003f: 06 00 00 00000001 ret KILL 0040: 15 00 01 00000033 jeq 33 0041 (false 0042) 0041: 06 00 00 00000001 ret KILL 0042: 15 00 01 0000007b jeq 7b 0043 (false 0044) 0043: 06 00 00 00000001 ret KILL 0044: 15 00 01 000000d9 jeq d9 0045 (false 0046) 0045: 06 00 00 00000001 ret KILL 0046: 15 00 01 000000f5 jeq f5 0047 (false 0048) 0047: 06 00 00 00000001 ret KILL 0048: 15 00 01 000000f6 jeq f6 0049 (false 004a) 0049: 06 00 00 00000001 ret KILL 004a: 15 00 01 000000f7 jeq f7 004b (false 004c) 004b: 06 00 00 00000001 ret KILL 004c: 15 00 01 000000f8 jeq f8 004d (false 004e) 004d: 06 00 00 00000001 ret KILL 004e: 15 00 01 000000f9 jeq f9 004f (false 0050) 004f: 06 00 00 00000001 ret KILL 0050: 15 00 01 00000101 jeq 101 0051 (false 0052) 0051: 06 00 00 00000001 ret KILL 0052: 15 00 01 00000112 jeq 112 0053 (false 0054) 0053: 06 00 00 
00000001 ret KILL 0054: 15 00 01 00000114 jeq 114 0055 (false 0056) 0055: 06 00 00 00000001 ret KILL 0056: 15 00 01 00000126 jeq 126 0057 (false 0058) 0057: 06 00 00 00000001 ret KILL 0058: 15 00 01 0000013d jeq 13d 0059 (false 005a) 0059: 06 00 00 00000001 ret KILL 005a: 15 00 01 0000013c jeq 13c 005b (false 005c) 005b: 06 00 00 00000001 ret KILL 005c: 15 00 01 0000003d jeq 3d 005d (false 005e) 005d: 06 00 00 00000001 ret KILL 005e: 15 00 01 00000058 jeq 58 005f (false 0060) 005f: 06 00 00 00000001 ret KILL 0060: 15 00 01 000000a9 jeq a9 0061 (false 0062) 0061: 06 00 00 00000001 ret KILL 0062: 15 00 01 00000082 jeq 82 0063 (false 0064) 0063: 06 00 00 00000001 ret KILL 0064: 06 00 00 7fff0000 ret ALLOW Dual 32/64 bit seccomp filter configured configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 5, uid 1000, gid 985, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 01 0000009f jeq adjtimex 0008 (false 0009) 0008: 06 00 00 00000001 ret KILL 0009: 15 00 01 00000131 jeq clock_adjtime 000a (false 000b) 000a: 06 00 00 00000001 ret KILL 000b: 15 00 01 000000e3 jeq clock_settime 000c (false 000d) 000c: 06 00 00 00000001 ret KILL 000d: 15 00 01 000000a4 jeq settimeofday 000e (false 000f) 000e: 06 00 00 00000001 ret KILL 000f: 15 00 01 0000009a jeq modify_ldt 0010 (false 0011) 0010: 06 00 00 00000001 ret KILL 0011: 15 00 01 000000d4 jeq lookup_dcookie 0012 (false 0013) 0012: 06 00 00 00000001 ret KILL 0013: 15 00 01 0000012a jeq perf_event_open 0014 (false 0015) 0014: 06 00 00 
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
2965 2702 0:133 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=2965 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root root 160 .
drwxr-xr-x root root 340 ..
-rw-r--r-- username_replaced users 1072 seccomp
-rw-r--r-- username_replaced users 808 seccomp.32
-rw-r--r-- username_replaced users 114 seccomp.list
-rw-r--r-- username_replaced users 0 seccomp.postexec
-rw-r--r-- username_replaced users 0 seccomp.postexec32
-rw-r--r-- username_replaced users 128 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 985, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: kate
Child process initialized in 54.62 ms
Searching $PATH for kate
trying #/usr/local/sbin/kate#
trying #/usr/local/bin/kate#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Warning: an existing sandbox was detected. /usr/bin/kate will run without any additional sandboxing features
monitoring pid 6
UdevQt: unable to create udev monitor connection
kf.kio.slaves.tags: tag fetch failed: "Failed to open the database"
kf.kio.slaves.tags: "tags:/" list() invalid url
kf.kio.core: We got some errors while running testparm "Weak crypto is allowed\nERROR: lock directory /var/cache/samba does not exist\n\nERROR: state directory /var/lib/samba does not exist\n\nERROR: cache directory /var/cache/samba does not exist"
kf.kio.core: We got some errors while running 'net usershare info'
kf.kio.core: "ERROR: Could not determine network interfaces, you must use a interfaces config line\n"
kf.kio.core: "Could not enter folder tags:/."
Qt: Session management error: networkIdsList argument is NULL
kf.notifications: Audio notification requested, but sound file from notifyrc file was not found, aborting audio notification
kf.notifications: Audio notification requested, but sound file from notifyrc file was not found, aborting audio notification
Sandbox monitor: waitpid 6 retval 6 status 0
Parent is shutting down, bye...
```

rusty-snake commented 4 years ago

> Basically I want to have kate to run under all the standard rules from /etc/firejail/kate.profile while adding 2-3 rules by myself that override the stock profile (e.g. allowing to edit anything in /home/user/.config/)

It is not possible to add a `noblacklist ${HOME}/.config`. `noblacklist` must match the `blacklist` path.

You can (1) add a `noblacklist ${HOME}/…` for all the things you need or (2) `ignore include disable-programs.inc` (or comment it). If you want to edit .zshrc you need to do the same for disable-common.inc. The blacklist for $HOME/.config/firejail is hardcoded and cannot be overridden.

Utini2000 commented 4 years ago

Thank you a lot @rusty-snake

Putting "ignore include disable-programs.inc" into my "/.config/firejail/kate.local" worked fine. However, I would rather not do the same with the whole "disable-common.inc" just to enable .zshrc editing. Is there really no other way to enable only .zshrc but keep the rest of "disable-common.inc" in place?

rusty-snake commented 4 years ago

> Is there really no other way to enable only .zshrc but keep the rest of "disable-common.inc" in place?

You can always add a `noblacklist ${HOME}/some/blacklisted/path`. I pointed you to `ignore` because you would need to add `noblacklist ${HOME}/.config/kritarc`, `noblacklist ${HOME}/.config/konversationrc`, `noblacklist ${HOME}/.config/kritarc` and so on for every blacklist. That's more selective, but not usable when allowing many paths.

.zshrc (and .bashrc) are not blacklisted because programs may need to read them (if they start a shell), but they are made read-only. TL;DR: Just add `read-write ${HOME}/.zshrc`.

Maybe you also need `ignore read-only ${HOME}/.zshrc` because the read-only is processed later.
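
An added example (not firejail's code and not part of the thread) that models the rules from the replies above: `noblacklist` only cancels a `blacklist` for the identical path, `ignore` drops a matching profile line read later, and `read-only`/`read-write` are assumed to apply in file order. The file excerpts, `HOME` and the function names are constructed for illustration.

```python
HOME = "/home/user"  # hypothetical home directory
# Constructed excerpts of the stock files (the real ones are far longer).
STOCK = {
    "kate.profile": ["include kate.local",
                     "include disable-common.inc",
                     "include disable-programs.inc"],
    "disable-common.inc": ["read-only ${HOME}/.zshrc"],
    "disable-programs.inc": ["blacklist ${HOME}/.config/mpv",
                             "blacklist ${HOME}/.config/kritarc"],
}
# kate.local as first tried in the issue, and after the advice in the thread.
ATTEMPT = ["noblacklist ${HOME}/.config", "noblacklist ${HOME}/.zshrc"]
FIXED = ["ignore include disable-programs.inc",
         "ignore read-only ${HOME}/.zshrc",
         "read-write ${HOME}/.zshrc"]


def flatten(name, files, ignored):
    """Yield (command, argument) pairs in processing order, honouring `ignore`."""
    for line in files.get(name, []):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if any(line == ig or line.startswith(ig + " ") for ig in ignored):
            continue  # dropped by an `ignore` read earlier
        cmd, _, arg = line.partition(" ")
        if cmd == "ignore":
            ignored.append(arg)
        elif cmd == "include":
            yield from flatten(arg, files, ignored)
        else:
            yield cmd, arg.replace("${HOME}", HOME)


def access(local_lines, path):
    """Return 'blacklisted', 'read-only' or 'read-write' (unrestricted) for path."""
    files = {**STOCK, "kate.local": local_lines}
    noblacklist, state = set(), "read-write"
    for cmd, arg in flatten("kate.profile", files, []):
        if cmd == "noblacklist":
            noblacklist.add(arg)
        elif arg == path and cmd == "blacklist" and arg not in noblacklist:
            return "blacklisted"
        elif arg == path and cmd in ("read-only", "read-write"):
            state = cmd  # assumption: applied in file order, last one wins
    return state


if __name__ == "__main__":
    for name, local in (("attempt", ATTEMPT), ("fixed", FIXED)):
        for p in (HOME + "/.config/mpv", HOME + "/.zshrc"):
            print(name, p, access(local, p))
```

In this model the original `kate.local` leaves `.config/mpv` blacklisted and `.zshrc` read-only, while a per-path `noblacklist ${HOME}/.config/mpv` frees only that one entry.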

Utini2000 commented 4 years ago

Thank you so much... that also fixed my .zshrc problem. The solution seems so simple but I really tried several hours and days to fix it on my own :S

rusty-snake commented 4 years ago

I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.