allowing fscrypt files

[reinerh]

A Debian user reported probems with whitelisting and accessing fscrypt-related files from within firejail.
Especially /home/.fscrypt seems to be a problem, because only the user's home directory is available in /home, not any other directories/files.

Does anyone have an idea how this could be fixed?

[rusty-snake]

unsure whether helpful

--allusers
All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.

[reinerh]

Thanks, that works for me. I'll forward your suggestion and ask if that solves their problem.

[reinerh]

It looks like they are also using --private, and it's currently not possible to combine this with --allusers (Warning: allusers option disabled by private or whitelist option).
Do you know of any workaround for that?

[rusty-snake]

• firejail --allusers --private -> Warning: allusers option disabled by private or whitelist option
• firejail --allusers --private=/some/where -> works

#!/bin/bash
private_home="$(mktemp -dt private-firejail-home.XXXXXX)"
firejail --allusers --private="$private_home" <program>
rm -rf "$private_home"

NOTE: $private_home is visible for other programs (except firejail --private-tmp).

[reinerh]

Looks like the problem is actually with --whitelist, not with --private:

$ firejail --profile=/etc/firejail/firefox.profile /bin/bash

With --allusers its not possible to see the hidden files in /home.
Do you have another idea how to get access there with e.g. the firefox profile?