mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #3222] allow firejail home tmp overlay to be fuse mounted outside #2020
Labels
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/firejail#2020
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @jonleivent on GitHub (Feb 12, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3222
I thought of this enhancement when dealing with firejail --get vs. a file with spaces and other unusual characters in its name - which doesn't work well. I had to --join the jail and rename the file, then exit and --get.
Instead, suppose that a firejail's tmp overlay is fuse mountable outside the jail. This would allow standard file managers to have read and write access to that overlay from outside. Which would be much easier than dealing with --ls, --get and --put.
@jonleivent commented on GitHub (Feb 12, 2020):
Just tried another workaround for --get's inability to deal with problematic filenames - I tried
firejail --get=jail ~/Downloadsto get the whole Downloads folder from a jail, which contains files with problematic names. That doesn't work - the --get produces a non-folder 0-length file named Downloads. Maybe the above enhancement of having an outside mountable home tmp overlay would eliminate the need to fix these other bugs in the file transfer protocol.@jonleivent commented on GitHub (Feb 12, 2020):
I'm guessing it would be easiest to first mount a tmpfs over a mountpoint like /run/firejail/home/$PID, then bind mount that as the overlay for home within the jail started with that pid.
@jonleivent commented on GitHub (Feb 12, 2020):
I found a workaround that works:
firejail --quiet --join=jail tar cf - Downloads | tar xvf -@smitsohu commented on GitHub (Feb 15, 2020):
There is a sandbox filesystem and you want an easier and more direct way to access it from the sandbox host, right?
I think you may want to have a look at Firejail's
--private=option.Or, for example, in a profile:
This way you create a new subtree in ~/.local/share/firejail which is trivially accessible from outside the sandbox. It is a bit like what Flatpak does, but in a different location.
As almost all code exists already in Firejail, implementing it as a new option shouldn't be a big deal, just in case that's what's desired.
@jonleivent commented on GitHub (Feb 15, 2020):
Yes, I use the --private= option quite a bit, but in this case I really don't want disk persistence (SSD in this case, so secure delete afterwards is out of the question) for anything other than a carefully selected file downloaded in the jail. But, a variation of what you suggest should work: