SkewedZeppelin changed the title from "Feature Request: Per profile 'disable-mnt' and 'disable-sys'" to "Feature Request: Per profile 'disable-mnt'" on Apr 17, 2017
A per profile 'disable-mnt' like the one configurable in firejail.conf would be super useful, especially for hardening profiles that are currently whitelist only. Like having a sandboxed program that can only access one dir in your home folder, but can still read/write to your other drives is a bit silly.
Like https://gist.github.com/SpotComms/385bf9f2290b51a2639dacedc74bb666 vs #1009, #1009 would've blocked a lot of programs from accessing files they should have access to, but this would just be for hardening already whitelist only profiles.
One issue I do see is that for instance I keep my downloads under /mnt/Drive-X/Temp/Downloads and have it symlinked in ~/, so having disable-mnt in Chromium/Firefox would break access to downloads. Having disable-mnt add a check that would keep that dir (the ones whitelisted in each profile) whitelisted but still blacklist all the other drives/paths would be nice.
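The check requested above can be approximated outside firejail as a pre-flight audit. The following is an added example, not part of the original issue and not firejail code: it lists the `whitelist` entries of a profile whose real location lies under the directories that `disable-mnt` hides. The function names and the sample profile are hypothetical; the four roots are the ones the firejail man page lists for `disable-mnt`.

```python
import os
import tempfile

# Directories hidden by firejail's disable-mnt, per the firejail man page.
MNT_ROOTS = ("/mnt", "/media", "/run/mount", "/run/media")


def whitelist_entries(profile_text, home):
    """Yield each path named by a 'whitelist' line, expanding ~/ and ${HOME}."""
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("whitelist "):
            path = line[len("whitelist "):].strip().replace("${HOME}", home)
            yield home + path[1:] if path.startswith("~/") else path


def mnt_exceptions(profile_text, home, roots=MNT_ROOTS):
    """Map whitelisted paths to their real location when it is under a root."""
    real_roots = [os.path.realpath(r) for r in roots]
    hits = {}
    for path in whitelist_entries(profile_text, home):
        real = os.path.realpath(path)  # follows symlinks such as ~/Downloads
        if any(os.path.commonpath([real, r]) == r for r in real_roots):
            hits[path] = real
    return hits


def demo():
    """Constructed layout mirroring the issue: ~/Downloads -> <mnt>/Drive-X/..."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    home, mnt = os.path.join(tmp, "home"), os.path.join(tmp, "mnt")
    target = os.path.join(mnt, "Drive-X", "Temp", "Downloads")
    os.makedirs(target)
    os.makedirs(os.path.join(home, ".mozilla"))
    os.symlink(target, os.path.join(home, "Downloads"))
    profile = "\n".join([
        "# constructed sample profile, not a shipped firejail profile",
        "whitelist ${HOME}/Downloads",
        "whitelist ~/.mozilla",
    ])
    return home, target, mnt_exceptions(profile, home, roots=(mnt,))


if __name__ == "__main__":
    home, target, hits = demo()
    for path, real in hits.items():
        print(f"{path} -> {real} (needs an exception under disable-mnt)")
```

Any path it reports is one that a profile combining `disable-mnt` with whitelisting would lose access to unless the sandbox makes an exception for it.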