Hi,

Sadly they have no effect, because a tmpfs is mounted on /home, masked over /home/.fscrypt.

A case like this can usually be resolved by adding

> mkdir <path>
> whitelist <path>

in profiles, but unfortunately, "mkdir" only works in ${HOME} and /tmp, so it seems to be still unsolvable under the current version of firejail.

On 2020/1/25 at 7:48 PM, Reiner Herrmann wrote:
> Hi,
>
> On Tue, Jan 21, 2020 at 04:42:16PM +0800, Mad Horse wrote:
>> In order to access unlocked files and directories encrypted with
>> fscrypt, their protectors, which lie under /.fscrypt of root and each
>> FS with this feature deployed, should also be accessible.
>>
>> Inside firejail, /.fscrypt could be made accessible with a "noblacklist"
>> statement in the profile, but there seems to be no way to introduce
>> /home/.fscrypt into firejail, which causes all files and directories in
>> a separate /home encrypted with fscrypt to be inaccessible inside it.
>
> the fscrypt files are currently blocked via disable-common.inc:
>
>   blacklist ${HOME}/.fscrypt
>   blacklist /.fscrypt
>   blacklist /home/.fscrypt
>
> (and also via the AppArmor firejail profile, if you use it)
>
> Can you add to your local override disable-common.local that
> these should be removed from the blacklist?
>
>   noblacklist ${HOME}/.fscrypt
>   noblacklist /.fscrypt
>   noblacklist /home/.fscrypt
>
> Kind regards,
> Reiner
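
A check for the masking described in this thread, as an added example that is not part of the original messages or of firejail: it walks /proc/self/mountinfo to find which mount actually serves a path, so it can be run inside the sandbox to see whether /home/.fscrypt sits under a tmpfs. The sample mount table and the user name "alice" are constructed.

```python
import os

# Constructed mount table: what /proc/self/mountinfo might look like inside a
# sandbox after a tmpfs was mounted over /home ("alice" is a made-up user).
SAMPLE_MOUNTINFO = """\
21 1 8:2 / / rw,relatime - ext4 /dev/sda2 rw
30 21 8:3 / /home rw,relatime - ext4 /dev/sda3 rw
95 30 0:50 / /home rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
96 95 8:3 /alice /home/alice rw,relatime - ext4 /dev/sda3 rw
"""

def parse_mountinfo(text):
    """Return one dict per mount: id, parent id, mount point, filesystem type."""
    mounts = []
    for line in filter(str.strip, text.splitlines()):
        left, _, right = line.partition(" - ")   # " - " ends the optional fields
        f = left.split()
        point = f[4]
        for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
            point = point.replace(esc, ch)        # undo the kernel's octal escapes
        mounts.append({"id": int(f[0]), "parent": int(f[1]),
                       "point": point, "fstype": right.split()[0]})
    return mounts

def covers(point, path):
    return point == "/" or path == point or path.startswith(point + "/")

def covering_mount(mounts, path):
    """Follow the mount tree as path lookup does; return the mount serving path."""
    path = os.path.normpath(path)
    ids = {m["id"] for m in mounts}
    roots = [m for m in mounts if m["point"] == "/"]
    current = next((m for m in roots if m["parent"] not in ids), roots[0])
    while True:
        kids = [m for m in mounts
                if m["parent"] == current["id"] and covers(m["point"], path)]
        if not kids:
            return current
        # Among siblings, the mount nearest the root is crossed first; a mount
        # stacked on the same directory shows up as a child and wins next round.
        current = min(kids, key=lambda m: len(m["point"]))

def masked_by_tmpfs(mounts, path):
    """True when path is served by a tmpfs mounted on one of its ancestors."""
    m = covering_mount(mounts, path)
    return m["fstype"] == "tmpfs" and m["point"] != os.path.normpath(path)

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:      # run this inside the sandbox
        table = parse_mountinfo(fh.read())
    for p in ("/.fscrypt", "/home/.fscrypt"):
        print(p, "masked by tmpfs" if masked_by_tmpfs(table, p) else "not masked")
```

With the constructed table, /home/.fscrypt resolves to the tmpfs stacked on /home while /.fscrypt still resolves to the root filesystem, which is the situation where the noblacklist lines alone change nothing.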