Chrome not working due to symlink. #3912

Closed
panbroggi opened this issue Jan 23, 2021 · 6 comments

@panbroggi

panbroggi commented Jan 23, 2021

Hi everyone!
I am using firejail version 0.9.64 with google-chrome-unstable with KaOS.
While the simple firejail --noprofile google-chrome-unstable works, the default command

firejail google-chrome-unstable

fails. The output is

Reading profile /etc/firejail/google-chrome-unstable.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 29605, child pid 29606
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Error: invalid whitelist path /home/panbroggi/Scaricati
Error: proc 29605 cannot sync with peer: unexpected EOF
Peer 29606 unexpectedly exited with status 1

The problem is that /home/panbroggi/Scaricati (which is the Italian Download folder) is a symbolic link to /mnt/Storage/Scaricati. I've tried to edit the profile and if I replace whitelist ${DOWNLOADS} with mkdir ${HOME}/Scaricati it starts, obviously without keeping the download folder.

I've tried using firetools and this configuration works:
https://imgur.com/a/GOHsh5Z

while this does not:
https://imgur.com/a/9hxYJjd

What should I do to set it up correctly?

@smitsohu
Collaborator

/etc/firejail/firejail.config has a setting

# Follow symlink as user. While using --whitelist feature,
# symlinks pointing outside home directory are followed only
# if both the link and the real file are owned by the user.
# Enabled by default
# follow-symlink-as-user yes

Could that be the reason?
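
A quick way to test a path against the rule quoted from firejail.config above, as an added example that is not part of the thread and not firejail's own code. It follows only the wording of that comment, assumes GNU `readlink -f` and `stat -c`, and the function name `check_whitelist_symlink` and its optional home/uid arguments are hypothetical.

```shell
#!/bin/sh
# Added example: approximates the follow-symlink-as-user rule as worded in
# the firejail.config comment. Not taken from firejail's source.
# Usage: check_whitelist_symlink PATH [HOME_DIR] [UID]
# HOME_DIR and UID default to the caller's; they are parameters only so the
# check can be exercised on constructed directories.
# Returns 0 if the quoted rule is satisfied, 1 if ownership does not match,
# 2 if the path or its target does not exist.
check_whitelist_symlink() {
    path=$1
    home=${2:-$HOME}
    uid=${3:-$(id -u)}

    # Not a symlink: the rule does not apply.
    if [ ! -L "$path" ]; then
        [ -e "$path" ] && return 0
        echo "missing: $path" >&2
        return 2
    fi

    # Resolve the whole link chain and the home directory to canonical paths.
    target=$(readlink -f -- "$path") || return 2
    [ -e "$target" ] || { echo "dangling: $path" >&2; return 2; }
    home=$(readlink -f -- "$home")

    # Links that stay inside the home directory are not covered by the rule.
    case "$target/" in
        "$home"/*) return 0 ;;
    esac

    # stat without -L reports the link itself; $target is already resolved.
    link_uid=$(stat -c %u -- "$path")
    target_uid=$(stat -c %u -- "$target")
    echo "link uid=$link_uid, $target uid=$target_uid, expected $uid" >&2

    # Both the link and the real file must belong to the user.
    [ "$link_uid" = "$uid" ] && [ "$target_uid" = "$uid" ]
}
```

Run as the sandboxed user, `check_whitelist_symlink ~/Scaricati` prints both owners on stderr, which shows at a glance whether the mount point or the link needs a `chown`.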

@panbroggi
Author

This is the case. Changing the owner solves the problem.
Thank you!

@glitsj16
Collaborator

Closing here as the issue is fixed.

@panbroggi
Author

panbroggi commented Jan 30, 2021

Updating to 0.9.64.2 broke the configuration. I tried to comment out disable-mnt in the profile, but the browser sees the symlink (a 0 B file) and the content is no longer accessible. Is it possible to adjust the settings, or is a downgrade the only solution?

EDIT: commenting disable-mnt actually worked; I then manually blacklisted all the folders in /mnt/Storage except for the linked one.

@rusty-snake
Collaborator

rusty-snake commented Jan 30, 2021

> commenting disable-mnt actually worked; I then manually blacklisted all the folders in /mnt/Storage except for the linked one.

Then you can add one of the following to your google-chrome-unstable.local.

ignore disable-mnt
noblacklist /mnt/Storage
noblacklist /mnt/Storage/Scaricati
blacklist /media
blacklist /mnt/*
blacklist /mnt/Storage/*
blacklist /run/mnt
blacklist /run/media

ignore disable-mnt
blacklist /media
blacklist /run/mnt
blacklist /run/media
whitelist /mnt/Storage/Scaricati

EDIT: fixed typo

@panbroggi
Author

Oh, thanks! Adding the lines before including chromium-common.profile is actually the proper way.

In case someone needs to copy paste the code, there's a small typo: balcklist /media/ instead of blacklist /media/.
