netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Multi-command syntax to reduce boilerplate #6460

Open QUser534 opened 2 months ago

QUser534 commented 2 months ago

Is your feature request related to a problem? Please describe.

Not creating directories can result in security issues, so oftentimes directories need to be created and this creates a lot of boilerplate profile code.

Example from seafile-applet.profile:

mkdir ${HOME}/.ccnet
mkdir ${HOME}/.config/Seafile
mkdir ${HOME}/Seafile
whitelist ${HOME}/.ccnet
whitelist ${HOME}/.config/Seafile
whitelist ${HOME}/Seafile

It would be nice to reduce this boilerplate by combining it into one directive.

Describe the solution you'd like

I propose either one of two things:

whitelist-mkdir ${HOME}/.ccnet

or

whitelist+ ${HOME}/.ccnet

The + I think works better because the option blacklist-nolog would then become blacklist-mkdir-nolog. It is a bit cleaner to just have blacklist-nolog+.

QUser534 commented 2 months ago

I guess the + syntax wouldn't work because it could be a file too. So, I guess whitelist-mkdir and whitelist-mkfile would be how to combine them.

Perhaps a solution is to create a compact method of directive calling.

For example:

mkdir+whitelist ${HOME}/.ccnet

This says run mkdir with the given argument, then run whitelist with the given argument.

This is flexible, so it would be the same here:

mkdir+blacklist-nolog ${HOME}/.ccnet

It would not require creating a bunch of new directives, but just changing how to parse them.

This seems like a small change to the syntax parser of profiles, but would reduce a lot of boilerplate.

rusty-snake commented 2 months ago

> It would not require creating a bunch of new directives, but just changing how to parse them

Copy-pasta code with 20 hardcoded combinations is simpler than extending parsing logic.

> mkdir+whitelist

I like this, you can even noblacklist+mkdir+whitelist.

Previous discussion https://github.com/netblue30/firejail/issues/3447#issuecomment-683463663
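
The `mkdir+whitelist` expansion discussed in this thread, sketched as a standalone preprocessor that rewrites compound lines into the plain directives firejail accepts today. This is an added example, not firejail code and not posted by any participant; the `+` syntax is only a proposal, and the `CHAINABLE` set and all function names are assumptions.

```python
# Added example: expands the proposed '+' compound directives into plain lines.
# Assumption: only these path-taking directives may be chained.
CHAINABLE = {"mkdir", "mkfile", "whitelist", "blacklist",
             "blacklist-nolog", "noblacklist"}


class ProfileSyntaxError(ValueError):
    """Raised instead of passing a malformed compound line through."""


def expand_line(line, lineno=0):
    """Return the plain profile lines equivalent to one input line."""
    stripped = line.strip()
    # Blank lines and comments pass through untouched.
    if not stripped or stripped.startswith("#"):
        return [line]
    head, *rest = stripped.split(None, 1)
    if "+" not in head:
        return [line]
    parts = head.split("+")
    arg = rest[0].strip() if rest else ""
    # Fail closed: a misspelled or empty part must not be silently dropped,
    # because a missing whitelist/blacklist line changes what the sandbox exposes.
    bad = [p for p in parts if p not in CHAINABLE]
    if bad:
        raise ProfileSyntaxError(f"line {lineno}: unknown directive(s) {bad}")
    if not arg:
        raise ProfileSyntaxError(f"line {lineno}: missing path argument")
    if len(set(parts)) != len(parts):
        raise ProfileSyntaxError(f"line {lineno}: repeated directive")
    if "mkdir" in parts and "mkfile" in parts:
        raise ProfileSyntaxError(f"line {lineno}: mkdir and mkfile conflict")
    # Order is preserved, so 'mkdir+whitelist' creates the path first.
    return [f"{p} {arg}" for p in parts]


def expand_profile(text):
    """Expand every line of a profile; raises on the first malformed line."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        out.extend(expand_line(line, n))
    return "\n".join(out)


# Constructed sample based on the seafile-applet.profile lines quoted above.
SAMPLE = """# constructed sample
mkdir+whitelist ${HOME}/.ccnet
noblacklist+mkdir+whitelist ${HOME}/Seafile
whitelist ${HOME}/.config/Seafile"""

if __name__ == "__main__":
    print(expand_profile(SAMPLE))
```
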