github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2301] File transfer fails on large files #1532

New issue
Closed
opened 2026-05-05 08:11:38 -06:00 by gitea-mirror · 14 comments
gitea-mirror commented 2026-05-05 08:11:38 -06:00
Owner
Copy link

Originally created by @laniakea64 on GitHub (Dec 18, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2301

Xubuntu 18.04 64-bit
firejail self build from 9eca281abb

$ firejail --version
firejail version 0.9.57

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Steps to reproduce

  1. check free space available in /run with df -Th, and create or find a file larger than that (On my system I used a 2 GB file)

  2. run firejail --noprofile --overlay-tmpfs

  3. Try to get the large file from (1) using firejail --get=<pid> path/to/the/file

Expected results

At (3), file should be copied from the overlay-tmpfs to the working directory

Actual results

At (3) it sits for a short time, then exits with status 1 without anything seeming to happen. I think it's related to the file being bigger than free space in /run because of this -

9eca281abb/src/firejail/ls.c (L316-L345)

And indeed, a file does appear at /run/firejail/tmpget-... while the firejail --get=... command is running.

Originally created by @laniakea64 on GitHub (Dec 18, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/2301 Xubuntu 18.04 64-bit firejail self build from https://github.com/netblue30/firejail/commit/9eca281abbb24f97fdb92c06018cd2bd0a5b215e ``` $ firejail --version firejail version 0.9.57 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ``` **Steps to reproduce** 1) check free space available in `/run` with `df -Th`, and create or find a file larger than that (On my system I used a 2 GB file) 2) run `firejail --noprofile --overlay-tmpfs` 3) Try to get the large file from (1) using `firejail --get=<pid> path/to/the/file` **Expected results** At (3), file should be copied from the overlay-tmpfs to the working directory **Actual results** At (3) it sits for a short time, then exits with status 1 without anything seeming to happen. I think it's related to the file being bigger than free space in `/run` because of this - https://github.com/netblue30/firejail/blob/9eca281abbb24f97fdb92c06018cd2bd0a5b215e/src/firejail/ls.c#L316-L345 And indeed, a file does appear at `/run/firejail/tmpget-...` while the `firejail --get=...` command is running.
gitea-mirror 2026-05-05 08:11:38 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 08:11:41 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Feb 7, 2019):

@laniakea64 I presume this is still a problem?

<!-- gh-comment-id:461487233 --> @chiraag-nataraj commented on GitHub (Feb 7, 2019): @laniakea64 I presume this is still a problem?
gitea-mirror commented 2026-05-05 08:11:42 -06:00
Author
Owner
Copy link

@laniakea64 commented on GitHub (Feb 7, 2019):

Yes, this still happens in self build from 2323a45ca7

<!-- gh-comment-id:461512085 --> @laniakea64 commented on GitHub (Feb 7, 2019): Yes, this still happens in self build from https://github.com/netblue30/firejail/commit/2323a45ca7875883784e6debd42caaee06042617
gitea-mirror commented 2026-05-05 08:11:44 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 26, 2019):

@laniakea64 fixed by ccd0152? (#2820)

<!-- gh-comment-id:524762431 --> @rusty-snake commented on GitHub (Aug 26, 2019): @laniakea64 fixed by ccd0152? (#2820)
gitea-mirror commented 2026-05-05 08:11:45 -06:00
Author
Owner
Copy link

@laniakea64 commented on GitHub (Aug 26, 2019):

@laniakea64 fixed by ccd0152? (#2820)

I'm unable to fully test this in self build from 580e49bada because joining the sandbox doesn't seem to actually get me in the overlay-tmpfs -

  1. run firejail --overlay-tmpfs --noprofile, note the parent pid

  2. in the sandbox:

cd ~/Downloads
echo 'Test' > ./test.txt
  1. in another terminal, run: firejail --join=<pid> (replacing <pid> with the parent pid)
    When joined to the sandbox, run:
cd ~/Downloads
ls -la

And the file created in (2) is not there in the second terminal, it's only there in the first terminal.

Edit: It's not just not getting me in the sandbox's overlay-tmpfs. It's completely ignoring that aspect of the sandbox. In the second terminal, running

cd ~/Downloads
touch AAAAA

And a file called AAAAA appears in the real ~/Downloads, despite the sandbox being --overlay-tmpfs! 😱

Actually, looks like --get= might not be affected by this, so maybe I can do a partial test? I set file-copy-limit 4096 in firejail.config, then tried to transfer a 2 GB file. Transfer failed, same as before. Transfer of the 5-byte test.txt file mentioned in this comment seems to work.

<!-- gh-comment-id:524923730 --> @laniakea64 commented on GitHub (Aug 26, 2019): > @laniakea64 fixed by [ccd0152](https://github.com/netblue30/firejail/commit/ccd01529adc647e75b618aa35c1742cffd17c694)? (#2820) I'm unable to fully test this in self build from https://github.com/netblue30/firejail/commit/580e49badab98972913301da6155d9e9d04d4465 because joining the sandbox doesn't seem to actually get me in the overlay-tmpfs - 1) run `firejail --overlay-tmpfs --noprofile`, note the parent pid 2) in the sandbox: ``` cd ~/Downloads echo 'Test' > ./test.txt ``` 3) in another terminal, run: `firejail --join=<pid>` (replacing `<pid>` with the parent pid) When joined to the sandbox, run: ``` cd ~/Downloads ls -la ``` And the file created in (2) is not there in the second terminal, it's only there in the first terminal. Edit: It's not just not getting me in the sandbox's overlay-tmpfs. It's completely ignoring that aspect of the sandbox. In the second terminal, running ``` cd ~/Downloads touch AAAAA ``` And a file called `AAAAA` appears in the real `~/Downloads`, despite the sandbox being `--overlay-tmpfs`! :scream: -------------------- Actually, looks like `--get=` might not be affected by this, so maybe I can do a partial test? I set `file-copy-limit 4096` in `firejail.config`, then tried to transfer a 2 GB file. Transfer failed, same as before. Transfer of the 5-byte `test.txt` file mentioned in this comment seems to work.
gitea-mirror commented 2026-05-05 08:11:45 -06:00
Author
Owner
Copy link

@laniakea64 commented on GitHub (Sep 18, 2019):

The regression reported in https://github.com/netblue30/firejail/issues/2301#issuecomment-524923730 is still there in self build from 0ecbe8631c . Should I be filing it as a separate issue?

<!-- gh-comment-id:532895847 --> @laniakea64 commented on GitHub (Sep 18, 2019): The regression reported in https://github.com/netblue30/firejail/issues/2301#issuecomment-524923730 is still there in self build from https://github.com/netblue30/firejail/commit/0ecbe8631c9102a4a6eda57e49b42bd14c856386 . Should I be filing it as a separate issue?
gitea-mirror commented 2026-05-05 08:11:46 -06:00
Author
Owner
Copy link

@laniakea64 commented on GitHub (Oct 9, 2019):

The regression reported in https://github.com/netblue30/firejail/issues/2301#issuecomment-524923730 is still there in self build from 0ecbe8631c . Should I be filing it as a separate issue?

Since I didn't get a reply to this, I assume you rather it just be discussed here, even though it's not the same as the original issue.

The regression reported in https://github.com/netblue30/firejail/issues/2301#issuecomment-524923730 is still there in self build from b35c000fee . So I did a git bisect, and it pointed to 3e662f793d as the culprit.

<!-- gh-comment-id:540145779 --> @laniakea64 commented on GitHub (Oct 9, 2019): > The regression reported in https://github.com/netblue30/firejail/issues/2301#issuecomment-524923730 is still there in self build from https://github.com/netblue30/firejail/commit/0ecbe8631c9102a4a6eda57e49b42bd14c856386 . Should I be filing it as a separate issue? Since I didn't get a reply to this, I assume you rather it just be discussed here, even though it's not the same as the original issue. The regression reported in https://github.com/netblue30/firejail/issues/2301#issuecomment-524923730 is still there in self build from https://github.com/netblue30/firejail/commit/b35c000fee9a4c1418a44e5a5a641bcf48f08345 . So I did a git bisect, and it pointed to 3e662f793df58fb44a26ba02193a99c26f554021 as the culprit.
gitea-mirror commented 2026-05-05 08:11:47 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Oct 10, 2019):

@laniakea64 Thanks a lot! I'll try to figure out what's going wrong.

<!-- gh-comment-id:540696200 --> @smitsohu commented on GitHub (Oct 10, 2019): @laniakea64 Thanks a lot! I'll try to figure out what's going wrong.
gitea-mirror commented 2026-05-05 08:11:47 -06:00
Author
Owner
Copy link

@laniakea64 commented on GitHub (Oct 18, 2019):

https://github.com/netblue30/firejail/issues/2301#issuecomment-524923730 seems fixed in self build from 61bfaa6927 . Thanks @smitsohu !

Back to the original issue: to finally properly answer @rusty-snake comment https://github.com/netblue30/firejail/issues/2301#issuecomment-524762431 - increasing file-copy-limit in /etc/firejail/firejail.config does not help here.

<!-- gh-comment-id:544000185 --> @laniakea64 commented on GitHub (Oct 18, 2019): https://github.com/netblue30/firejail/issues/2301#issuecomment-524923730 seems fixed in self build from https://github.com/netblue30/firejail/commit/61bfaa69275f881d9ce890f2a15d93325eab110f . Thanks @smitsohu ! Back to the original issue: to finally properly answer @rusty-snake comment https://github.com/netblue30/firejail/issues/2301#issuecomment-524762431 - increasing `file-copy-limit` in `/etc/firejail/firejail.config` does not help here.
gitea-mirror commented 2026-05-05 08:11:48 -06:00
Author
Owner
Copy link

@atrent commented on GitHub (May 8, 2020):

I had to copy large videos generated by Zoom... and I had not edited the limit in config beforehand, so I needed to solve the problem before turning off the program (thus losing tmp files).
I solved by copying files from the inside of the firejail sandbox, e.g. using Midnight Commander:
$ firejail --join= mc
and then copying files using a "Shell Link" (i.e., FISH file transfer) to the host.

(instead of 'firejail --get= ...')

<!-- gh-comment-id:625799822 --> @atrent commented on GitHub (May 8, 2020): I had to copy large videos generated by Zoom... and I had not edited the limit in config beforehand, so I needed to solve the problem before turning off the program (thus losing tmp files). I solved by copying files **from the inside** of the firejail sandbox, e.g. using Midnight Commander: $ firejail --join=<ID> mc and then copying files using a "Shell Link" (i.e., FISH file transfer) to the host. (instead of 'firejail --get=<ID> ...')
gitea-mirror commented 2026-05-05 08:11:49 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 2, 2020):

Should be fixed in ccd01529ad and 27c136dcf4. Also there will be a cat option in 0.9.64 which can be used with shell redirection on files of arbitrary size.

Thanks for reporting the bug.

<!-- gh-comment-id:685463459 --> @smitsohu commented on GitHub (Sep 2, 2020): Should be fixed in ccd01529adc647e75b618aa35c1742cffd17c694 and 27c136dcf4e84daee0c8886c869720ec9be7a594. Also there will be a `cat` option in 0.9.64 which can be used with shell redirection on files of arbitrary size. Thanks for reporting the bug.
gitea-mirror commented 2026-05-05 08:11:50 -06:00
Author
Owner
Copy link

@laniakea64 commented on GitHub (Sep 3, 2020):

I'm unable to check it because build from 6ac40a5979 fails:

strip: 'src/man/preproc': No such file
make[1]: *** [Makefile:157: install-strip] Error 1
make: *** [Makefile:196: deb] Error 2
<!-- gh-comment-id:686525992 --> @laniakea64 commented on GitHub (Sep 3, 2020): I'm unable to check it because build from 6ac40a597939989a55ab5465f548489e1ea4937d fails: ``` strip: 'src/man/preproc': No such file make[1]: *** [Makefile:157: install-strip] Error 1 make: *** [Makefile:196: deb] Error 2 ```
gitea-mirror commented 2026-05-05 08:11:51 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 3, 2020):

I know build is failing ATM. Checkout 4762cf6855 for now.

<!-- gh-comment-id:686535174 --> @rusty-snake commented on GitHub (Sep 3, 2020): I know build is failing ATM. Checkout 4762cf6855b989a7cc90caf5d1dc72cca6b1fd84 for now.
gitea-mirror commented 2026-05-05 08:11:51 -06:00
Author
Owner
Copy link

@laniakea64 commented on GitHub (Sep 3, 2020):

Sorry, this is still not fixed in self build from 4762cf6855 . --cat= + shell redirection does seem to work though.

Can this issue be reopened? Or is the answer to just use --cat= for large files?

Thanks 🙂

<!-- gh-comment-id:686554597 --> @laniakea64 commented on GitHub (Sep 3, 2020): Sorry, this is still not fixed in self build from https://github.com/netblue30/firejail/commit/4762cf6855b989a7cc90caf5d1dc72cca6b1fd84 . `--cat=` + shell redirection does seem to work though. Can this issue be reopened? Or is the answer to just use `--cat=` for large files? Thanks :slightly_smiling_face:
gitea-mirror commented 2026-05-05 08:11:52 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 3, 2020):

Reopening! Sorry @laniakea64 I confused this with a different issue.

Or is the answer to just use --cat= for large files?

Maybe someone comes up with a better idea, but for now it seems that's going to be the answer.
I guess we could just reimplement the current --get using --cat under the hood.

<!-- gh-comment-id:686705409 --> @smitsohu commented on GitHub (Sep 3, 2020): Reopening! Sorry @laniakea64 I confused this with a different issue. > Or is the answer to just use --cat= for large files? Maybe someone comes up with a better idea, but for now it seems that's going to be the answer. I guess we could just reimplement the current `--get` using `--cat` under the hood.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1532
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?