disable home dir whitelists when --private is present

2 files changed, 7 insertions, 4 deletions

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 77bb5e5bb..9a7a1bac7 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -423,6 +423,13 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
             strcmp(dir, "/sys") == 0)
                 whitelist_error(path);
 
+        // whitelisting home directory is disabled if --private option is present
+        if (arg_private && strcmp(dir, cfg.homedir) == 0) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path);
+                return NULL;
+        }
+
         // do nothing if directory doesn't exist
         struct stat s;
         if (lstat(dir, &s) != 0) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 31694558d..7cfa58078 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1904,8 +1904,6 @@ int main(int argc, char **argv, char **envp) {
                 }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
-                        // disable whitelisting in home directory
-                        profile_add("whitelist ~/*");
                 }
                 else if (strncmp(argv[i], "--private=", 10) == 0) {
                         if (cfg.home_private_keep) {
@@ -1927,8 +1925,6 @@ int main(int argc, char **argv, char **envp) {
                                 cfg.home_private = NULL;
                         }
                         arg_private = 1;
-                        // disable whitelisting in home directory
-                        profile_add("whitelist ~/*");
                 }
 #ifdef HAVE_PRIVATE_HOME
                 else if (strncmp(argv[i], "--private-home=", 15) == 0) {