zoom: profile bypasses --private (mkdir/mkfile)

vinc17fr commented 7 months ago

Description

When I use --private with the zoom profile, files and directories are created in my real home directory.

Steps to Reproduce

Run firejail --private=some_directory --profile=/etc/firejail/zoom.profile
In an another terminal (or after quitting firejail), from the home directory, run: ls -ld .zoom .cache/zoom .config/zoomus.conf

Expected behavior

These files/directories should not exist (if they didn't exist initially).

Actual behavior

I get in my real home directory:

drwx------ 2 vinc17 vinc17 4096 2024-04-15 12:52:59 .cache/zoom
-rw------- 1 vinc17 vinc17    0 2024-04-15 12:52:59 .config/zoomus.conf
drwx------ 2 vinc17 vinc17 4096 2024-04-15 12:52:59 .zoom

Behavior without a profile

N/A. The issue is due to the zoom profile, which does

mkdir ${HOME}/.cache/zoom
mkfile ${HOME}/.config/zoomus.conf
mkdir ${HOME}/.zoom

Since Zoom will run from the private directory, these files/directories should be created in the private directory.

Environment

Linux distribution and version: Debian/unstable
Firejail version (firejail --version): 0.9.72

Checklist

[x] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
[x] I can reproduce the issue without custom modifications (e.g. globals.local).
[x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
[x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
[x] I have performed a short search for similar issues (to avoid opening a duplicate).
- [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
[x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

``` Reading profile /etc/firejail/zoom.profile Reading profile /etc/firejail/electron.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file Parent pid 577596, child pid 577600 Child process initialized in 70.73 ms ```

vinc17fr commented 7 months ago

I forgot about it, but this seems to be the more general bug #903 (I thought that this was specific to the zoom profile and was looking for Zoom-related bugs).

glitsj16 commented 7 months ago

Yep, this is a duplicate of #903. Until there's a proper fix, use the workaround mentioned in the man page: https://github.com/netblue30/firejail/blob/27cd032bed923d01edd859bcebe79b33c3ee18fd/src/man/firejail.1.in#L2064-L2070

netblue30 / firejail