Feature Request: Per profile 'disable-mnt' #1231
Labels
enhancement
New feature request
Comments
SkewedZeppelin
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
SkewedZeppelin
changed the title
A per profile 'disable-mnt' like the one configurable in firejail.conf would be super useful, especially for hardening profiles that are currently whitelist only. Like having a sandboxed program that can only access one dir in your home folder, but can still read/write to your other drives is a bit silly.
Like https://gist.github.com/SpotComms/385bf9f2290b51a2639dacedc74bb666 vs #1009, #1009 would've blocked a lot of programs from accessing files they should have access to, but this would just be for hardening already whitelist only profiles.
One issue I do see is that for instance I keep my downloads under /mnt/Drive-X/Temp/Downloads and have it symlinked in ~/, so having disable-mnt in Chromium/Firefox would break access to downloads. Having disable-mnt add a check that would keep that dir (the ones whitelisted in each profile) whitelisted but still blacklist all the other drives/paths would be nice.
The text was updated successfully, but these errors were encountered: