Sailjail permission allowing access to $HOME

If I have understood correctly, I can give an app access to user-created directories in the $HOME directory only by disabling sailjail (Sandboxing=Disabled).

Permissions=Documents;Downloads; … give access to the corresponding directories, and UserDirs to all of them. But if I create $HOME/bin for some shell scripts or $HOME/tmp, the only way to allow an app to see the contents of those directories is to disable sandboxing.

So, I would like to have a HomeDir or similar permission that allows access to all files and directories in $HOME.


If you aren’t going to make the app harbour-compatible anyway, but still want SailJail, you should be able to ship whatever FireJail profile you want that adds that.


Do you mean to write a file HomeDir.permission in /etc/sailjail/permissions/ and then to add HomeDir in Permissions=?
Got to try.

Not exactly (but interesting experiment).
I was thinking a /etc/firejail/yourapp.profile


I did some testing with AirSail (harbour-io.edin.projects.airsail-transfer). Without any [X-Sailjail] section in the AirSail.desktop file, I saw all UserDirs, but not the user-created ~/bin, for example.

Adding HomeDir.permission in /etc/sailjail/permissions

```
# -*- mode: sh -*-

# x-sailjail-translation-catalog = sailjail-permissions
# x-sailjail-translation-key-description = permission-la-homedir
# x-sailjail-description = HomeDir
# x-sailjail-translation-key-long-description = permission-la-homedir_description
# x-sailjail-long-description = Access Home-directory

whitelist ${HOME}
```

and adding

```
[X-Sailjail]
Permissions=HomeDir;UserDirs;Internet
```

in AirSail.desktop allowed me to browse all directories. If I omitted UserDirs, I saw but couldn’t browse Documents and Downloads, for example. If I omitted HomeDir, adding AirSail.profile

```
# -*- mode: sh -*-
whitelist ${HOME}
```

in /etc/sailjail/permissions did the trick.

However, according to Building Custom Profiles | Firejail, adding .profile-files in ~/.config/firejail/ should also work, but I didn’t get that working. Nor in ~/.config/sailjail/.
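
An added example (not part of the thread, and not sailjail's own code): a Python audit that lists which apps end up with the whole of $HOME whitelisted, through either a requested permission or an app-named profile as tested above. The directory tree, the `FileTool` and `Notes` apps and all file contents are constructed; pairing `<app>.profile` with `<app>.desktop` by name is an assumption drawn from the AirSail.profile result in the last post.

```python
import configparser, re, tempfile
from pathlib import Path

# Matches a firejail "whitelist" line that covers the entire home directory.
HOME_RE = re.compile(r"^\s*whitelist\s+(\$\{HOME\}|~)/?\s*$", re.M)

def whole_home_files(perm_dir):
    """Names of .permission/.profile files in perm_dir that whitelist all of $HOME."""
    return {p.name for p in Path(perm_dir).iterdir()
            if p.suffix in (".permission", ".profile") and HOME_RE.search(p.read_text())}

def requested_permissions(desktop_file):
    """Permissions= entries of the [X-Sailjail] section (empty list if absent)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keys are case-sensitive in .desktop files
    cp.read(desktop_file)
    raw = cp.get("X-Sailjail", "Permissions", fallback="")
    return [p.strip() for p in raw.split(";") if p.strip()]

def audit(perm_dir, desktop_dir):
    """Map desktop file name -> sorted files that give that app all of $HOME."""
    broad = whole_home_files(perm_dir)
    report = {}
    for d in sorted(Path(desktop_dir).glob("*.desktop")):
        hits = {f"{p}.permission" for p in requested_permissions(d)} & broad
        # Assumption from the thread: <app>.profile in perm_dir applies to <app>.desktop
        if f"{d.stem}.profile" in broad:
            hits.add(f"{d.stem}.profile")
        if hits:
            report[d.name] = sorted(hits)
    return report

def demo():
    """Build a constructed tree mirroring the thread's two setups and audit it."""
    with tempfile.TemporaryDirectory() as t:
        perms, apps = Path(t, "permissions"), Path(t, "applications")
        perms.mkdir(); apps.mkdir()
        (perms / "HomeDir.permission").write_text("# x-sailjail-description = HomeDir\nwhitelist ${HOME}\n")
        (perms / "Documents.permission").write_text("whitelist ${HOME}/Documents\n")
        (perms / "FileTool.profile").write_text("# -*- mode: sh -*-\nwhitelist ${HOME}\n")
        (apps / "AirSail.desktop").write_text(
            "[Desktop Entry]\nName=AirSail\n\n[X-Sailjail]\nPermissions=HomeDir;UserDirs;Internet\n")
        (apps / "FileTool.desktop").write_text("[Desktop Entry]\nName=FileTool\n")
        (apps / "Notes.desktop").write_text(
            "[Desktop Entry]\nName=Notes\n\n[X-Sailjail]\nPermissions=Documents\n")
        return audit(perms, apps)

if __name__ == "__main__":
    print(demo())
```

On a device, `audit()` would be pointed at /etc/sailjail/permissions and the directory holding the installed .desktop files; each app it reports can read everything under $HOME, not just the user-created directories the change was meant to expose.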