[GH-ISSUE #263] --overlay mode has empty home dir #186

Closed
opened 2026-05-05 05:16:20 -06:00 by gitea-mirror · 9 comments

Originally created by @dshmgh on GitHub (Jan 27, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/263

I am using the 0.9.36 tarball and building on a 32-bit Mageia 5 system, kernel 4.1.15-desktop586-2.mga5.
My setup has a separate mount point for /home. When the overlay is mounted (in fs.c, in the fs_overlayfs() function) the overlay home dir is empty; the overlay does not contain the original /home contents. I added code to create a second overlay for /home if the overlay home dir is empty, and this seems to work. Not sure if a bind mount would work for /home, as that might defeat the overlay. I also tried to add /home as a second lowerdir on the overlay mount, but that puts the user dirs at the / level, which is not what we want. I can get code to you after I create a new cleaned-up version.

gitea-mirror 2026-05-05 05:16:20 -06:00: closed this issue and added the "bug" label.

@netblue30 commented on GitHub (Jan 27, 2016):

I'll look into it, thanks.


@dshmgh commented on GitHub (Jan 27, 2016):

Should I clean up my code that seems to get around the issue and post it here?


@netblue30 commented on GitHub (Jan 28, 2016):

Yes, thanks!


@dshmgh commented on GitHub (Jan 29, 2016):

OK. This version is from 0.9.36. I compared it to the latest on GitHub and at first glance it does not look like the edits have any collisions. Does GitHub really not allow .c files? The site complained until I added .txt. Also, I am using firejail with the palemoon browser (firefox fork).

[fs_0.9.36_new.c.txt](https://github.com/netblue30/firejail/files/109197/fs_0.9.36_new.c.txt)


@Sidnioulz commented on GitHub (Feb 21, 2016):

I'm going to state that dshmgh's code is likely infinitely cleaner than mine, but I had to solve this issue too and decided to parse /proc/mounts on the system and apply rules to detect likely-persistent mount points (/mnt/..., /home*, /media/...) that require OverlayFS. I then place the odiff/owork folders differently from the original Firejail to make it easier for users to relate to where their data is likely to be.

Code is at https://github.com/Sidnioulz/firejail/commit/ecdae3a50bb089dd869995f3871522298914b7be and it IS dirty and it DOES NOT apply on any Firejail; my fork drifted too much and sadly I'm too busy to rebase and clean up.


@Sidnioulz commented on GitHub (Feb 21, 2016):

It also becomes trivial with the current --overlay feature to make OverlayFS systems with a private persistent home. I've done that in https://github.com/Sidnioulz/firejail/commit/ecdae3a50bb089dd869995f3871522298914b7be and with my current setup one can alternate between a private and "classic" OverlayFS home directory when they re-run a sandbox (I use sandbox names rather than PIDs for their .firejail folder).


@netblue30 commented on GitHub (Mar 10, 2016):

@dshmgh - Merged, thanks!

@Sidnioulz - I think there is more to come, I've just got https://github.com/netblue30/firejail/issues/361
and ended up mount-binding /run. Overlayfs doesn't play nice with tmpfs mount points also. At some point I'll have to start parsing the /proc/mounts.

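Sidnioulz's approach above (parsing /proc/mounts to find the mount points that need their own overlay) and netblue30's reply (bind-mounting /run because overlayfs and tmpfs lower layers do not cooperate) both come down to classifying each mount line. As an added example that is not firejail's code nor either commenter's patch, here is a small C classifier over constructed /proc/mounts lines; the action names, the pseudo-filesystem list and the "tmpfs means bind" rule are my assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Action per lower-layer mount point; names and rules are this example's assumptions. */
typedef enum { MOUNT_SKIP, MOUNT_BIND, MOUNT_OVERLAY } mount_action_t;

/* Decode the \ooo octal escapes the kernel writes in /proc/mounts ("\040" = space). */
static void unescape_mount_field(char *s) {
    char *w = s;
    for (const char *r = s; *r; r++) {
        if (r[0] == '\\' && r[1] >= '0' && r[1] <= '7' &&
            r[2] >= '0' && r[2] <= '7' && r[3] >= '0' && r[3] <= '7') {
            *w++ = (char)((r[1] - '0') * 64 + (r[2] - '0') * 8 + (r[3] - '0'));
            r += 3;
        } else
            *w++ = *r;
    }
    *w = '\0';
}
/* Classify one "device mountpoint fstype options dump pass" line; decoded mount point goes to mp. */
mount_action_t classify_mount(const char *line, char *mp, size_t n) {
    char path[4096], fstype[64];
    if (sscanf(line, "%*s %4095s %63s", path, fstype) != 2)
        return MOUNT_SKIP;                 /* malformed line: ignore it */
    unescape_mount_field(path);
    snprintf(mp, n, "%s", path);
    if (strcmp(path, "/") == 0)
        return MOUNT_SKIP;                 /* root is the main overlay's lowerdir */
    /* Kernel pseudo-filesystems: the sandbox mounts fresh instances itself (assumed list). */
    static const char *pseudo[] = { "proc", "sysfs", "cgroup", "cgroup2", "devpts", "mqueue", NULL };
    for (int i = 0; pseudo[i]; i++)
        if (strcmp(fstype, pseudo[i]) == 0)
            return MOUNT_SKIP;
    /* tmpfs runtime state (/run, /dev): bind it through, as the thread reports
     * overlayfs does not cooperate with tmpfs lower layers. */
    if (strcmp(fstype, "tmpfs") == 0 || strcmp(fstype, "devtmpfs") == 0)
        return MOUNT_BIND;
    /* Any other separate filesystem (like /home here) is hidden under lowerdir=/. */
    return MOUNT_OVERLAY;
}

int main(void) {   /* constructed sample lines in /proc/mounts format, not a real system */
    const char *sample[] = { "/dev/sda1 / ext4 rw,relatime 0 0",
        "/dev/sda2 /home ext4 rw,relatime 0 0", "tmpfs /run tmpfs rw,nosuid 0 0",
        "proc /proc proc rw 0 0", "/dev/sdb1 /media/usb\\040stick vfat rw 0 0" };
    const char *names[] = { "skip", "bind", "overlay" }; char mp[4096];
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        printf("%-8s %s\n", names[classify_mount(sample[i], mp, sizeof mp)], mp);
    return 0;
}
```

On a real system the same function would be fed the lines of /proc/mounts; the classification only says what the sandbox would have to do for each mount point, it performs no mounts itself.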

@Sidnioulz commented on GitHub (Mar 10, 2016):

@netblue30 yes, I may be wrong but if I remember properly I do a direct mount of /run/user/<uid> since this hosts the DBus session and a few other things. I would _not_ label my approach as secure though, only testing for usability and not for security at the moment.

On 10 March 2016 at 13:09, netblue30 notifications@github.com wrote:

> @dshmgh https://github.com/dshmgh - Merged, thanks!
>
> @Sidnioulz https://github.com/Sidnioulz - I think there is more to
> come, I've just got #361 https://github.com/netblue30/firejail/issues/361
> and ended up mount-binding /run. Overlayfs doesn't play nice with tmpfs
> mount points also. At some point I'll have to start parsing the
> /proc/mounts.

Steve Dodier-Lazaro
PhD Student
University College London
Free Software Developer


@netblue30 commented on GitHub (Mar 10, 2016):

In my case it started with a user complaining about PulseAudio socket in /run/user, but when I looked at /run it was missing all kind of other files. So I just did a mount-bind on /run - basically /run runs outside the overlay, and it fixed the problem for now.

Reference: github-starred/firejail#186