From 17590553045f40e8c7628608c8330b72412fd7f4 Mon Sep 17 00:00:00 2001
From: glitsj16 <glitsj16@users.noreply.github.com>
Date: Wed, 18 Oct 2023 22:47:07 +0000
Subject: profiles: exchange private-opt with a whitelist (#6021)

* profiles: drop private-opt (existing whitelist)

* profiles: replace private-opt with whitelist

In most profiles.

Kept private-opt for enpass (~85MB), mate-dictionary (<20MB),
minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't
check: xmr-stak.

* docs: note potential issues with private-opt
---
 src/man/firejail.1.in | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/man')

diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 19fc94ebd..ee4adf5b8 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -2263,6 +2263,18 @@ All modifications are discarded when the sandbox is closed.
 Example:
 .br
 $ firejail --private-opt=firefox /opt/firefox/firefox
+.br
+
+.br
+Note: Program installations in /opt tend to be relatively large and private-opt
+copies the entire path(s) into RAM, which may significantly increase RAM usage
+and break \fBfile-copy-limit\fR in firejail.config.
+Therefore, in general it is recommended to use "whitelist /opt/PATH" instead of
+"private-opt PATH".
+For details, see
+.UR https://github.com/netblue30/firejail/discussions/5307
+#5307
+.UE
 
 .TP
 \fB\-\-private-srv=file,directory
-- 
cgit v1.2.3-54-g00ecf