Blacklisting directories of encrypted containers #4280

Open
MrFrank17 opened this issue May 14, 2021 · 11 comments

Comments

@MrFrank17 (Author)

Hi all,

I am using Cryptomator and KDE's vault and mount the unencrypted container to ~/Vault/dir1, ~/Vault/dir2, ...
In globals.local these directories are blacklisted and only some programs get access by noblacklisting them in their local profiles. This works as expected until I mount the encrypted container: then other programs can access these directories even without noblacklisting. I am using Kubuntu 21.04.

Thanks
Frank

@rusty-snake (Collaborator)


How exactly did you do the blacklist?

@MrFrank17 (Author)


Hi rusty-snake,

Meanwhile I renamed globals.local to disable-common.local. It looks like this:
blacklist ${HOME}/Vaults/Schlüssel
blacklist ${HOME}/Vaults/Backup
blacklist ${HOME}/Vaults/VeraCrypt
# blacklist ${HOME}/Vaults/Dokumente

On startup Cryptomator opens a vault automatically and mounts it to Backup, therefore this folder is always accessible. Interestingly, if I open a shell and start a firejailed program from that folder, it tells me something like this:
frank@frank-laptop:~/Vaults/Backup$ okular
Reading profile /etc/firejail/okular.profile
Error: cannot access profile file: okular.local
If I start okular, I can browse to Backup and see the content (even if I do not have an okular.local to do a noblacklisting of Backup).

Once I open the KDE vault, which mounts to Schlüssel, it shows the same behavior.

Cheers
Frank

@rusty-snake (Collaborator)


rusty-snake commented May 17, 2021

Does firejail ls -l ~/Vaults show the dirs blacklisted (e.g. d--------- root root)? If so, does firejail --dbus-user=none okular still have access to these files?

Error: cannot access profile file: okular.local

Sounds like #3798

@MrFrank17 (Author)


That's the output:
drwxrwxrwx 1 frank frank 4096 Feb 18 18:32 Backup
drwxrwxr-x 2 frank frank 4096 Feb 19 11:21 Dokumente
dr-------- 2 nobody nogroup 40 Mai 17 19:05 Schlüssel
dr-------- 2 nobody nogroup 40 Mai 17 19:05 VeraCrypt

firejail --dbus-user=none okular does not make a difference.

In the linked issue it was mentioned that fuse mounts do not really work together with firejail. Is that the reason?

@rusty-snake (Collaborator)


In the linked issue it was mentioned that fuse mounts do not really work together with firejail. Is that the reason?

Maybe. IDK how Cryptomator and KDE Vaults work.

From your OP I saw three possible causes:

  1. KIO
  2. Portals
  3. Mounts

Portals can not work with --dbus-user=none. KIO either uses D-Bus too or has its own socket, IDK. Mounts should not make any difference between ls and okular. Your ls output shows they are blacklisted. Need to rethink this.

@MrFrank17 (Author)


I checked Cryptomator: it mounts via fuse in my setup. Not sure about KDE vault though.

About my ls output: yes, the locked containers show that they are blacklisted. Once I unlock them (like Backup), they are no longer blacklisted. So ls and okular show the same behavior. Or I misunderstood you ...

@MrFrank17 (Author)


Quick update: I added the fuse handling as described here: https://firejail.wordpress.com/documentation-2/basic-usage/?like_comment=579#encfs

Cryptomator now works as expected. Now I need to figure out how to do the same with the KDE vault, but I guess this is not a firejail issue anymore ...
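An added example, not code from the firejail project or from either participant in this thread: a POSIX sh script that stages the two profile overrides the thread converges on (the global blacklist in disable-common.local, the per-program noblacklist in okular.local) and classifies `firejail ls -l` output the way rusty-snake suggested checking it. The FJ_ETC variable, the `demo` entry point and the scratch directory are my assumptions; the ls lines fed to the dry run are the ones Frank posted above.

```shell
#!/bin/sh
# Added example (not from the firejail project or this thread's authors).
# Stages the profile overrides discussed in the thread and checks, from
# `ls -l` output, whether a vault mount point still looks blacklisted.
# FJ_ETC defaults to firejail's real profile directory; the dry run below
# points it at a temp dir instead (assumption, so nothing touches /etc).
FJ_ETC="${FJ_ETC:-/etc/firejail}"

# disable-common.local is included by disable-common.inc, which nearly every
# profile pulls in, so its blacklist is global. okular.local is included at
# the top of okular.profile, before disable-common.inc, and that ordering is
# what makes the noblacklist work: firejail only honours a noblacklist that
# precedes the blacklist it is meant to undo.
write_overrides() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/disable-common.local" <<'EOF'
# mount points of the encrypted containers (Cryptomator, KDE Vault, VeraCrypt)
blacklist ${HOME}/Vaults/Schlüssel
blacklist ${HOME}/Vaults/Backup
blacklist ${HOME}/Vaults/VeraCrypt
EOF
    cat > "$dir/okular.local" <<'EOF'
# okular is the one program allowed to see the Backup vault
noblacklist ${HOME}/Vaults/Backup
EOF
}

# Heuristic taken from the thread: a blacklisted directory shows up inside the
# sandbox with no permission bits (at most r for the owner) and is owned by
# root or nobody instead of the user. Takes one `ls -l` line; returns 0 if it
# looks blacklisted, 1 if the directory is accessible.
looks_blacklisted() {
    set -- $1
    mode=$1; owner=$3
    case "$mode" in
        d---------|dr--------) ;;
        *) return 1 ;;
    esac
    case "$owner" in
        root|nobody) return 0 ;;
        *) return 1 ;;
    esac
}

# Re-run the check inside a sandbox for every entry under ~/Vaults. Needs a
# real firejail install, so the dry run does not call it. Run it once with the
# containers locked and once after unlocking; the thread's problem is that an
# unlocked FUSE mount flips from "blocked" to "accessible".
check_vaults_in_sandbox() {
    firejail --quiet -- ls -l "${HOME}/Vaults" | while read -r line; do
        case "$line" in total*) continue ;; esac
        if looks_blacklisted "$line"; then
            echo "blocked:    $line"
        else
            echo "accessible: $line"
        fi
    done
}

# Dry run: stage the overrides in a scratch directory and classify the ls
# lines posted in the thread (constructed input, no firejail needed).
demo() {
    tmp=$(mktemp -d)
    write_overrides "$tmp"
    echo "staged overrides in $tmp:"
    cat "$tmp"/*.local
    for line in "drwxrwxrwx 1 frank frank 4096 Feb 18 18:32 Backup" \
                "dr-------- 2 nobody nogroup 40 Mai 17 19:05 Schlüssel"; do
        if looks_blacklisted "$line"; then
            echo "blocked:    $line"
        else
            echo "accessible: $line"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh vaults.sh demo` for the dry run, or source the file and call `write_overrides "$FJ_ETC"` and `check_vaults_in_sandbox` on a machine with firejail. The classification is only a heuristic on ownership and mode bits; the authoritative check is still whether a sandboxed program can read a file under the mount point after the container has been unlocked.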

@MrFrank17 (Author)


Two more observations: maybe they are related to that issue, maybe not. And maybe someone can comment :-)

  1. The file dialog of firefox shows the blacklisted entries, which are now successfully blocked, several times (see screenshot Screenshot_20210521_214508). Is this happening due to firejail? If yes, how to get rid of all the duplicates? As they are blacklisted, they shouldn't appear in the first place...

  2. Within Cryptomator I have the option to open a file browser pointing to the vault, in my case KDE's dolphin. When I want to open a document through that file browser by double clicking, the associated program opens and immediately closes again. If I open the same program separately, I can browse to the same folder and successfully open that file. If I open dolphin separately, not via Cryptomator, file opening works. Neither Cryptomator nor dolphin are firejailed - could it still be that firejail interferes here?

Thanks

@rusty-snake (Collaborator)


  1. File managers list all mounts in the sidebar. Usually these are removable drives and so on, but firejail uses mounts too. Read #2406 (Duplicate bookmarks in Firefox) for more info. This seems to only happen if /etc/fstab is accessible inside the sandbox (#2406 (comment)). #2406 (comment) shows workarounds.
  2. IIRC we create symlinks for dolphin, does firejail --tree not show it?

@MrFrank17 (Author)


  1. This is already an improvement, but still some (but fewer) duplicates (see screenshot Screenshot_20210521_232457). I also tried the x-gvfs-hide mount option, but Cryptomator does not like it. Anyway, I can live with that.

  2. I removed dolphin from /usr/lib/x86_64-linux-gnu/firejail/firecfg.config so I can open files from dolphin without having the associated programs running under the dolphin profile.

@rusty-snake (Collaborator)


FYI 12d1de4#diff-af35b8a6ad30ea07f24afd1e685ff48567dd39b5ba7df80af8c601408290ffe3

Do you still need help somewhere or can we close?
