github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2799] --overlay-named exits with error as of linux 5.1.15 (overlayfs) #1753

New issue
Closed
opened 2026-05-05 08:25:32 -06:00 by gitea-mirror · 28 comments
gitea-mirror commented 2026-05-05 08:25:32 -06:00
Owner
Copy link

Originally created by @lskrejci on GitHub (Jun 26, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2799

Running firejail --noprofile --overlay-named=test fails:

  • On a system with a separate /home partition:

Error mounting overlayfs for mounted home directory: fs.c:1132 fs_overlayfs: Too many levels of symbolic links

  • On a system with a single root partition:

Error mounting overlayfs: fs.c:1077 fs_overlayfs: Too many levels of symbolic links

dmesg on both system configurations contains:

overlayfs: overlapping upperdir path

The same command works on linux 5.1.14.
Upstream commit that appears to have introduced the issue: ovl: detect overlapping layers

Environment:

  • Distribution: Arch Linux
  • firejail: 0.9.60-1
  • linux: 5.1.15.arch1-1

Relates to:

Originally created by @lskrejci on GitHub (Jun 26, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2799 Running `firejail --noprofile --overlay-named=test` fails: - On a system with a separate /home partition: > Error mounting overlayfs for mounted home directory: fs.c:1132 fs_overlayfs: Too many levels of symbolic links - On a system with a single root partition: > Error mounting overlayfs: fs.c:1077 fs_overlayfs: Too many levels of symbolic links dmesg on both system configurations contains: > overlayfs: overlapping upperdir path The same command works on linux 5.1.14. Upstream commit that appears to have introduced the issue: [ovl: detect overlapping layers](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.1.y&id=99eb836cd9a4df455ae90807bc00ee635be342f0) Environment: * Distribution: Arch Linux * firejail: 0.9.60-1 * linux: 5.1.15.arch1-1 Relates to: * #4178
gitea-mirror 2026-05-05 08:25:32 -06:00
gitea-mirror commented 2026-05-05 08:25:36 -06:00
Author
Owner
Copy link

@Hello71 commented on GitHub (Jul 16, 2019):

I think --rbind might be able to work around this.

<!-- gh-comment-id:511641893 --> @Hello71 commented on GitHub (Jul 16, 2019): I think --rbind might be able to work around this.
gitea-mirror commented 2026-05-05 08:25:36 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Sep 7, 2019):

Fix for docker: 477bf1e413

<!-- gh-comment-id:529152442 --> @Vincent43 commented on GitHub (Sep 7, 2019): Fix for docker: https://github.com/moby/moby/commit/477bf1e413708076f9ed8cd316102765cc5bdb11
gitea-mirror commented 2026-05-05 08:25:37 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 18, 2019):

Maybe I don't fully understand the docker fix, but I wonder a bit what's the point of an overlay just to make the file system read-only.

@netblue30 do you have an idea regarding the way forward?

<!-- gh-comment-id:532779737 --> @smitsohu commented on GitHub (Sep 18, 2019): Maybe I don't fully understand the docker fix, but I wonder a bit what's the point of an overlay just to make the file system read-only. @netblue30 do you have an idea regarding the way forward?
gitea-mirror commented 2026-05-05 08:25:38 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 19, 2019):

but I wonder a bit what's the point of an overlay just to make the file system read-only.

Or maybe it could serve as a simple switch for apps that really don't need to write anything at all.

<!-- gh-comment-id:533283793 --> @smitsohu commented on GitHub (Sep 19, 2019): > but I wonder a bit what's the point of an overlay just to make the file system read-only. Or maybe it could serve as a simple switch for apps that really don't need to write anything at all.
gitea-mirror commented 2026-05-05 08:25:38 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Sep 22, 2019):

There is some kernel fix available in Linux 5.3.1 and 5.2.17, @lskrejci could you try if you can still reproduce issue no those kernels?

<!-- gh-comment-id:533878288 --> @Vincent43 commented on GitHub (Sep 22, 2019): There is some [kernel fix available](https://github.com/torvalds/linux/commit/0be0bfd2de9dfdd2098a9c5b14bdd8f739c9165d) in Linux 5.3.1 and 5.2.17, @lskrejci could you try if you can still reproduce issue no those kernels?
gitea-mirror commented 2026-05-05 08:25:39 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Sep 22, 2019):

Still fails on Linux 5.2.17 so some firejail changes are still needed:

firejail --noprofile --overlay-named=test
Parent pid 9167, child pid 9168

**     Warning: dropping all Linux capabilities     **
Error mounting overlayfs: fs.c:977 fs_overlayfs: Too many levels of symbolic links
Error: proc 9167 cannot sync with peer: unexpected EOF
Peer 9168 unexpectedly exited with status 1
<!-- gh-comment-id:533890372 --> @Vincent43 commented on GitHub (Sep 22, 2019): Still fails on Linux 5.2.17 so some firejail changes are still needed: ``` firejail --noprofile --overlay-named=test Parent pid 9167, child pid 9168 ** Warning: dropping all Linux capabilities ** Error mounting overlayfs: fs.c:977 fs_overlayfs: Too many levels of symbolic links Error: proc 9167 cannot sync with peer: unexpected EOF Peer 9168 unexpectedly exited with status 1 ```
gitea-mirror commented 2026-05-05 08:25:39 -06:00
Author
Owner
Copy link

@schendstok commented on GitHub (Sep 24, 2019):

The same problem happens with the latest Linux kernel update in Debian Buster.

With the previous 4.19.0-5 kernel Firejail works fine with the overlay feature, but when you upgrade to 4.19.0-6 you get the same "fs_overlayfs: Too many levels of symbolic links" error

<!-- gh-comment-id:534484990 --> @schendstok commented on GitHub (Sep 24, 2019): The same problem happens with the latest Linux kernel update in Debian Buster. With the previous 4.19.0-5 kernel Firejail works fine with the overlay feature, but when you upgrade to 4.19.0-6 you get the same "fs_overlayfs: Too many levels of symbolic links" error
gitea-mirror commented 2026-05-05 08:25:40 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Sep 24, 2019):

I guess debian backported upstream patches as they were security related.

<!-- gh-comment-id:534652024 --> @Vincent43 commented on GitHub (Sep 24, 2019): I guess debian backported upstream patches as they were security related.
gitea-mirror commented 2026-05-05 08:25:40 -06:00
Author
Owner
Copy link

@Hocuri commented on GitHub (Oct 20, 2019):

I have the same problem (at least I think that it's the same) and some logs:

$ journalctl -f
...
Okt 20 10:21:37 j2 kernel: overlayfs: filesystem on '/home/hocuri/.firejail/4112/odiff' not supported as upperdir

and:

$ firejail --overlay --noprofile       

Parent pid 4422, child pid 4423

**     Warning: dropping all Linux capabilities     **
Error mounting overlayfs: fs.c:1077 fs_overlayfs: Invalid argument
Error: proc 4422 cannot sync with peer: unexpected EOF
Peer 4423 unexpectedly exited with status 1

Kernel 4.19.79-1-MANJARO x86_64.

<!-- gh-comment-id:544231806 --> @Hocuri commented on GitHub (Oct 20, 2019): I have the same problem (at least I think that it's the same) and some logs: ``` $ journalctl -f ... Okt 20 10:21:37 j2 kernel: overlayfs: filesystem on '/home/hocuri/.firejail/4112/odiff' not supported as upperdir ``` and: ``` $ firejail --overlay --noprofile Parent pid 4422, child pid 4423 ** Warning: dropping all Linux capabilities ** Error mounting overlayfs: fs.c:1077 fs_overlayfs: Invalid argument Error: proc 4422 cannot sync with peer: unexpected EOF Peer 4423 unexpectedly exited with status 1 ``` Kernel 4.19.79-1-MANJARO x86_64.
gitea-mirror commented 2026-05-05 08:25:40 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Nov 8, 2019):

For now, I ended up disabling --overlay feature for kernels 4.19 and newer.

I am getting "fs_overlayfs: Too many levels of symbolic links" on debian stable, kernel 4.19.

<!-- gh-comment-id:551891564 --> @netblue30 commented on GitHub (Nov 8, 2019): For now, I ended up disabling --overlay feature for kernels 4.19 and newer. I am getting "fs_overlayfs: Too many levels of symbolic links" on debian stable, kernel 4.19.
gitea-mirror commented 2026-05-05 08:25:41 -06:00
Author
Owner
Copy link

@Hello71 commented on GitHub (Nov 8, 2019):

I recall testing and finding that mount --rbind did fix the issue. I can't quite recall what I bind mounted though.

<!-- gh-comment-id:551986365 --> @Hello71 commented on GitHub (Nov 8, 2019): I recall testing and finding that mount --rbind did fix the issue. I can't quite recall what I bind mounted though.
gitea-mirror commented 2026-05-05 08:25:41 -06:00
Author
Owner
Copy link

@Hello71 commented on GitHub (Nov 8, 2019):

I think it's a similar trick to making pivot_root works, you do mount --rbind $dir $dir and then that "tricks" the kernel into allowing it.

<!-- gh-comment-id:551986866 --> @Hello71 commented on GitHub (Nov 8, 2019): I think it's a similar trick to making pivot_root works, you do `mount --rbind $dir $dir` and then that "tricks" the kernel into allowing it.
gitea-mirror commented 2026-05-05 08:25:42 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Nov 13, 2019):

thanks, I'll try it out!

<!-- gh-comment-id:553564247 --> @netblue30 commented on GitHub (Nov 13, 2019): thanks, I'll try it out!
gitea-mirror commented 2026-05-05 08:25:42 -06:00
Author
Owner
Copy link

@springzfx commented on GitHub (Dec 17, 2019):

Distribution: Arch Linux
firejail: 0.9.60-1
linux: 5.4.3.arch1-1
still have the same problem.

<!-- gh-comment-id:566453771 --> @springzfx commented on GitHub (Dec 17, 2019): Distribution: Arch Linux firejail: 0.9.60-1 linux: 5.4.3.arch1-1 still have the same problem.
gitea-mirror commented 2026-05-05 08:25:42 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Dec 17, 2019):

@springzfx OP use the same firejail version. There is a release coming, see release-0.9.62 branch.

<!-- gh-comment-id:566543440 --> @rusty-snake commented on GitHub (Dec 17, 2019): @springzfx OP use the same firejail version. There is a release coming, see release-0.9.62 branch.
gitea-mirror commented 2026-05-05 08:25:43 -06:00
Author
Owner
Copy link

@springzfx commented on GitHub (Dec 17, 2019):

Distribution: Arch Linux
firejail: 0.9.62
linux: 5.4.3.arch1-1
No luck.

<!-- gh-comment-id:566670060 --> @springzfx commented on GitHub (Dec 17, 2019): Distribution: Arch Linux firejail: 0.9.62 linux: 5.4.3.arch1-1 No luck. ![](https://i.loli.net/2019/12/18/YoyzwOeJq2IKukR.png)
gitea-mirror commented 2026-05-05 08:25:43 -06:00
Author
Owner
Copy link

@darkf commented on GitHub (Feb 8, 2020):

This still happens, any fixes in sight? Any viable workaround?

<!-- gh-comment-id:583709752 --> @darkf commented on GitHub (Feb 8, 2020): This still happens, any fixes in sight? Any viable workaround?
gitea-mirror commented 2026-05-05 08:25:43 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Mar 8, 2020):

Instead of waiting for kernel fixes related to this, could it be worked around by having firejail use:
https://github.com/containers/fuse-overlayfs

<!-- gh-comment-id:596152909 --> @jonleivent commented on GitHub (Mar 8, 2020): Instead of waiting for kernel fixes related to this, could it be worked around by having firejail use: https://github.com/containers/fuse-overlayfs
gitea-mirror commented 2026-05-05 08:25:44 -06:00
Author
Owner
Copy link

@0x0D15 commented on GitHub (Mar 19, 2020):

@netblue30 Is there any planned fix or known workaround for this issue? It was one of my favorite things about this project.

<!-- gh-comment-id:601033904 --> @0x0D15 commented on GitHub (Mar 19, 2020): @netblue30 Is there any planned fix or known workaround for this issue? It was one of my favorite things about this project.
gitea-mirror commented 2026-05-05 08:25:44 -06:00
Author
Owner
Copy link

@Hello71 commented on GitHub (Apr 2, 2020):

took another look at the issue. I think the kernel is valid to reject this mount. if you do firejail --overlay-named=x and then access $HOME/.firejail/x then there would be a cycle. but, that change also added runtime checking, so you can apply a patch like this:

From 507605925f22fa2ec3f3ef0ce9ac747139495f88 Mon Sep 17 00:00:00 2001
From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
Date: Sun, 29 Mar 2020 17:18:20 -0400
Subject: [PATCH] ovl: add ignore_overlap option

check overlaps at runtime, allows firejail --overlay-named

Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
---
 fs/overlayfs/ovl_entry.h |  1 +
 fs/overlayfs/super.c     | 37 +++++++++++++++++++++++++++++++++----
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
index 89015ea822e7..f831c06f3bd5 100644
--- a/fs/overlayfs/ovl_entry.h
+++ b/fs/overlayfs/ovl_entry.h
@@ -17,6 +17,7 @@ struct ovl_config {
 	bool nfs_export;
 	int xino;
 	bool metacopy;
+	bool ignore_overlap;
 };
 
 struct ovl_sb {
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index ac967f1cb6e5..f670559defdb 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -403,6 +403,8 @@ enum {
 	OPT_XINO_AUTO,
 	OPT_METACOPY_ON,
 	OPT_METACOPY_OFF,
+	OPT_IGNORE_OVERLAP_ON,
+	OPT_IGNORE_OVERLAP_OFF,
 	OPT_ERR,
 };
 
@@ -421,6 +423,8 @@ static const match_table_t ovl_tokens = {
 	{OPT_XINO_AUTO,			"xino=auto"},
 	{OPT_METACOPY_ON,		"metacopy=on"},
 	{OPT_METACOPY_OFF,		"metacopy=off"},
+	{OPT_IGNORE_OVERLAP_ON,		"ignore_overlap=on"},
+	{OPT_IGNORE_OVERLAP_OFF,	"ignore_overlap=off"},
 	{OPT_ERR,			NULL}
 };
 
@@ -559,6 +563,14 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config)
 			config->metacopy = false;
 			break;
 
+		case OPT_IGNORE_OVERLAP_ON:
+			config->ignore_overlap = true;
+			break;
+
+		case OPT_IGNORE_OVERLAP_OFF:
+			config->ignore_overlap = false;
+			break;
+
 		default:
 			pr_err("unrecognized mount option \"%s\" or missing value\n",
 					p);
@@ -1024,6 +1036,19 @@ static int ovl_report_in_use(struct ovl_fs *ofs, const char *name)
 	}
 }
 
+static int ovl_report_trap_inode(struct ovl_fs *ofs, const char *name)
+{
+	if (ofs->config.ignore_overlap) {
+		pr_warn("overlapping %s path, accessing overlapped path will result in ELOOP.\n",
+			name);
+		return 0;
+	} else {
+		pr_err("overlapping %s path, mount with '-o ignore_overlap=on' to override overlapping upperdir protection.\n",
+			name);
+		return -ELOOP;
+	}
+}
+
 static int ovl_get_upper(struct super_block *sb, struct ovl_fs *ofs,
 			 struct path *upperpath)
 {
@@ -1537,18 +1562,22 @@ static int ovl_check_layer(struct super_block *sb, struct ovl_fs *ofs,
 	/* Walk back ancestors to root (inclusive) looking for traps */
 	while (!err && parent != next) {
 		if (ovl_lookup_trap_inode(sb, parent)) {
-			err = -ELOOP;
-			pr_err("overlapping %s path\n", name);
-		} else if (ovl_is_inuse(parent)) {
+			err = ovl_report_trap_inode(ofs, name);
+			if (err)
+				goto out;
+		}
+		if (ovl_is_inuse(parent)) {
 			err = ovl_report_in_use(ofs, name);
+			if (err)
+				goto out;
 		}
 		next = parent;
 		parent = dget_parent(next);
 		dput(next);
 	}
 
+out:
 	dput(parent);
-
 	return err;
 }
 
-- 
2.26.0

then, patch firejail to use mount -o ignore_overlap=on.

<!-- gh-comment-id:607579228 --> @Hello71 commented on GitHub (Apr 2, 2020): took another look at the issue. I think the kernel is valid to reject this mount. if you do `firejail --overlay-named=x` and then access `$HOME/.firejail/x` then there would be a cycle. but, that change also added runtime checking, so you can apply a patch like this: ``` From 507605925f22fa2ec3f3ef0ce9ac747139495f88 Mon Sep 17 00:00:00 2001 From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca> Date: Sun, 29 Mar 2020 17:18:20 -0400 Subject: [PATCH] ovl: add ignore_overlap option check overlaps at runtime, allows firejail --overlay-named Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca> --- fs/overlayfs/ovl_entry.h | 1 + fs/overlayfs/super.c | 37 +++++++++++++++++++++++++++++++++---- 2 files changed, 34 insertions(+), 4 deletions(-) diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h index 89015ea822e7..f831c06f3bd5 100644 --- a/fs/overlayfs/ovl_entry.h +++ b/fs/overlayfs/ovl_entry.h @@ -17,6 +17,7 @@ struct ovl_config { bool nfs_export; int xino; bool metacopy; + bool ignore_overlap; }; struct ovl_sb { diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c index ac967f1cb6e5..f670559defdb 100644 --- a/fs/overlayfs/super.c +++ b/fs/overlayfs/super.c @@ -403,6 +403,8 @@ enum { OPT_XINO_AUTO, OPT_METACOPY_ON, OPT_METACOPY_OFF, + OPT_IGNORE_OVERLAP_ON, + OPT_IGNORE_OVERLAP_OFF, OPT_ERR, }; @@ -421,6 +423,8 @@ static const match_table_t ovl_tokens = { {OPT_XINO_AUTO, "xino=auto"}, {OPT_METACOPY_ON, "metacopy=on"}, {OPT_METACOPY_OFF, "metacopy=off"}, + {OPT_IGNORE_OVERLAP_ON, "ignore_overlap=on"}, + {OPT_IGNORE_OVERLAP_OFF, "ignore_overlap=off"}, {OPT_ERR, NULL} }; @@ -559,6 +563,14 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config) config->metacopy = false; break; + case OPT_IGNORE_OVERLAP_ON: + config->ignore_overlap = true; + break; + + case OPT_IGNORE_OVERLAP_OFF: + config->ignore_overlap = false; + break; + default: pr_err("unrecognized mount option \"%s\" or missing value\n", p); @@ -1024,6 +1036,19 @@ static int ovl_report_in_use(struct ovl_fs *ofs, const char *name) } } +static int ovl_report_trap_inode(struct ovl_fs *ofs, const char *name) +{ + if (ofs->config.ignore_overlap) { + pr_warn("overlapping %s path, accessing overlapped path will result in ELOOP.\n", + name); + return 0; + } else { + pr_err("overlapping %s path, mount with '-o ignore_overlap=on' to override overlapping upperdir protection.\n", + name); + return -ELOOP; + } +} + static int ovl_get_upper(struct super_block *sb, struct ovl_fs *ofs, struct path *upperpath) { @@ -1537,18 +1562,22 @@ static int ovl_check_layer(struct super_block *sb, struct ovl_fs *ofs, /* Walk back ancestors to root (inclusive) looking for traps */ while (!err && parent != next) { if (ovl_lookup_trap_inode(sb, parent)) { - err = -ELOOP; - pr_err("overlapping %s path\n", name); - } else if (ovl_is_inuse(parent)) { + err = ovl_report_trap_inode(ofs, name); + if (err) + goto out; + } + if (ovl_is_inuse(parent)) { err = ovl_report_in_use(ofs, name); + if (err) + goto out; } next = parent; parent = dget_parent(next); dput(next); } +out: dput(parent); - return err; } -- 2.26.0 ``` then, patch firejail to use `mount -o ignore_overlap=on`.
gitea-mirror commented 2026-05-05 08:25:45 -06:00
Author
Owner
Copy link

@firejailing commented on GitHub (Aug 12, 2020):

@netblue30 where are you?

this has been broken for over a year now, ridiculous, new profiles are less important than fixing this

<!-- gh-comment-id:672572306 --> @firejailing commented on GitHub (Aug 12, 2020): @netblue30 where are you? this has been broken for over a year now, ridiculous, new profiles are less important than fixing this
gitea-mirror commented 2026-05-05 08:25:45 -06:00
Author
Owner
Copy link

@shuhaowu commented on GitHub (Aug 21, 2020):

Are there no workarounds for this for now?

<!-- gh-comment-id:678321690 --> @shuhaowu commented on GitHub (Aug 21, 2020): Are there no workarounds for this for now?
gitea-mirror commented 2026-05-05 08:25:45 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Oct 3, 2020):

Another workaround has been suggested in: https://bugs.debian.org/971578

<!-- gh-comment-id:703138126 --> @reinerh commented on GitHub (Oct 3, 2020): Another workaround has been suggested in: https://bugs.debian.org/971578
gitea-mirror commented 2026-05-05 08:25:46 -06:00
Author
Owner
Copy link

@garywill commented on GitHub (Dec 30, 2020):

--overlay used to work for me in May 2019 (on openSUSE 15.0 or 15.1).
But not now. Now I'm on openSUSE 15.2 with kernel 5.3.18

# firejail --name=test --overlay --noprofile --debug
Autoselecting /bin/bash as shell
Command name #/bin/bash#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 7586, child pid 7587
The new log directory is /proc/7587/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Linux kernel version 5.3
Mounting OverlayFS
Debug: running on kernel version 5.3
Error mounting overlayfs: fs.c:1063 fs_overlayfs: Too many levels of symbolic links
Error: proc 7586 cannot sync with peer: unexpected EOF
Peer 7587 unexpectedly exited with status 1


# firejail --version
firejail version 0.9.64


# uname -a
Linux linux-lwid 5.3.18-lp152.57-default #1 SMP Fri Dec 4 07:27:58 UTC 2020 (7be5551) x86_64 x86_64 x86_64 GNU/Linux

Wish a fix. Thanks all developers 👍 :)

<!-- gh-comment-id:752408673 --> @garywill commented on GitHub (Dec 30, 2020): `--overlay` used to work for me in May 2019 (on openSUSE 15.0 or 15.1). But not now. Now I'm on openSUSE 15.2 with kernel 5.3.18 ``` # firejail --name=test --overlay --noprofile --debug Autoselecting /bin/bash as shell Command name #/bin/bash# DISPLAY=:0 parsed as 0 Enabling IPC namespace Using the local network stack Parent pid 7586, child pid 7587 The new log directory is /proc/7587/root/var/log Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Linux kernel version 5.3 Mounting OverlayFS Debug: running on kernel version 5.3 Error mounting overlayfs: fs.c:1063 fs_overlayfs: Too many levels of symbolic links Error: proc 7586 cannot sync with peer: unexpected EOF Peer 7587 unexpectedly exited with status 1 # firejail --version firejail version 0.9.64 # uname -a Linux linux-lwid 5.3.18-lp152.57-default #1 SMP Fri Dec 4 07:27:58 UTC 2020 (7be5551) x86_64 x86_64 x86_64 GNU/Linux ``` Wish a fix. Thanks all developers :+1: :)
gitea-mirror commented 2026-05-05 08:25:46 -06:00
Author
Owner
Copy link

@pushqrdx commented on GitHub (Apr 11, 2021):

5.8.0-48-generic

same here

<!-- gh-comment-id:817382631 --> @pushqrdx commented on GitHub (Apr 11, 2021): > 5.8.0-48-generic same here
gitea-mirror commented 2026-05-05 08:25:47 -06:00
Author
Owner
Copy link

@Ristovski commented on GitHub (Jul 11, 2022):

@netblue30 Any news on this? I too like the suggested alternative of using fuse-overlayfs which is also what podman uses for example.

<!-- gh-comment-id:1180670174 --> @Ristovski commented on GitHub (Jul 11, 2022): @netblue30 Any news on this? I too like the suggested alternative of using `fuse-overlayfs` which is also what `podman` uses for example.
gitea-mirror commented 2026-05-05 08:25:47 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 28, 2025):

https://github.com/netblue30/firejail/pull/6632#discussion_r1929573432:

  • The usage in firejail was broken at least two times in the past because of kernel changes (IIRC). And is likely to break again in the future.
    https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html

    Changes to the underlying filesystems while part of a mounted overlay filesystem are not allowed. If the underlying filesystem is changed, the behavior of the overlay is undefined, though it will not result in a crash or deadlock.

    systemd-nspawn has a correct implementation. It cp -a --reflink=auto /*~(proc|sys|dev|...|._my_lower_dir_root) /.my_lower_dir_root first and then uses /.my_lower_dir_root as lower-dir. However this is very slow and inefficient unless you have everything in one Btrfs/XFS.

<!-- gh-comment-id:2618748752 --> @rusty-snake commented on GitHub (Jan 28, 2025): https://github.com/netblue30/firejail/pull/6632#discussion_r1929573432: > * The usage in firejail was broken at least two times in the past because of kernel changes (IIRC). And is likely to break again in the future. > https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html > > Changes to the underlying filesystems while part of a mounted overlay filesystem are not allowed. If the underlying filesystem is changed, the behavior of the overlay is undefined, though it will not result in a crash or deadlock. > > > systemd-nspawn has a correct implementation. It `cp -a --reflink=auto /*~(proc|sys|dev|...|._my_lower_dir_root) /.my_lower_dir_root` first and then uses `/.my_lower_dir_root` as lower-dir. However this is very slow and inefficient unless you have everything in one Btrfs/XFS.
gitea-mirror commented 2026-05-05 08:25:47 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Dec 19, 2025):

Closing, as overlayfs support was removed:

<!-- gh-comment-id:3676051092 --> @kmk3 commented on GitHub (Dec 19, 2025): Closing, as overlayfs support was removed: * #6994
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1753
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?