[GH-ISSUE #3353] Cannot get everything read-only but /tmp and a single directory #2106

Closed
opened 2026-05-05 08:47:03 -06:00 by gitea-mirror · 3 comments

Originally created by @rdiez on GitHub (Apr 14, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3353

Hi all:

I often maintain complicated firmware build systems, and now I am experimenting with OpenWrt, which has an even more complex build system.

I thought I should learn how to sandbox them, so that they do not write or delete anything outside their build sandbox.

The firejail man page does not really show an example for this straightforward scenario, so I searched around and came up with this test:

firejail --noprofile --caps.drop=all --nonewprivs --seccomp --noroot --read-only=/ --read-write=/tmp --read-write=~/MyTestDir bash

However, I am getting the following errors:

Parent pid 23592, child pid 23593
Warning: you are not allowed to change /tmp to read-write
Warning: cannot create a new user namespace, going forward without it...
0;firejail bash Child process initialized in 19.41 ms

I do not understand why --noroot fails to create a new user namespace. I found some hints on the Internet for other Linux distributions, but I did not understand them.

More worryingly, I cannot make /tmp writable.

I am not sure about the order of those --read-only arguments. The following page:

https://superuser.com/questions/1155653/is-it-expected-that-firejail-allows-r-w-outside-of-the-sandbox-without-overla

states:

> (I wrote /, ~ and /tmp separately because firejail has a somewhat surprising behaviour of sorting
> your directives by some not-so-trivial rules and making its own ~ mounts in the middle.)

I have tried that stanza anyway to no avail.

Even though it is not exactly what I want, I also tried --private-tmp like this:

firejail --noprofile --caps.drop=all --nonewprivs --seccomp --private-tmp --read-only=/ --read-write=~/MyTestDir bash

That gives me a newish /tmp, but does not really write-protect any other directory under my home.

I am puzzled. What is the best way to make all filesystems read-only, except for /tmp and the one directory where the build sandbox is?

Note that I do not want changes outside the build sandbox to be discarded, I want them to fail. Well, maybe changes to /tmp could be discarded, but not anywhere else.

I might also need to make an exception for /dev/null. Is there a profile for such a scenario that could help me with such exceptions?

I am using Ubuntu 18.04.4 LTS, which comes with Firejail version 0.9.52, a rather old version indeed. So maybe this is a known, old problem.

I found no mailing list or support forum for Firejail, so this is the only way I could get some help.

Thanks in advance,
rdiez


@rusty-snake commented on GitHub (Apr 14, 2020):

> I do not understand why --noroot fails to create a new user namespace.

Because of --read-only=/, it needs some paths writable. (Maybe /proc? Is /proc ro with --read-only=/? (--read-only=/ does not mean everything ro.))

https://github.com/netblue30/firejail/commit/afb7e0363bd630f12773876d486afed4ad485ad7#commitcomment-36968957

> More worryingly, I cannot make /tmp writable.

Because it is owned by root. Firejail allows --read-write only on files owned by you (are there exceptions?) for security reasons.

@rusty-snake commented on GitHub (Apr 14, 2020):

works with git master: firejail --noprofile --read-only=/ --read-write=/tmp

Known to be broken with 0.9.62.

If you want to install from git master, you may be interested in https://github.com/netblue30/firejail/issues/3333#issuecomment-611623863 and the following.

@rdiez commented on GitHub (Apr 14, 2020):

Thanks for the quick answer.

In case anybody is interested, I have settled for:

firejail --noprofile --caps.drop=all --nonewprivs --seccomp --noroot --read-only="$HOME" --read-write="$HOME/MyTestDir"

That is, protection starts with the current user's home directory. The rest of the filesystems should be sufficiently protected, at least for my purposes.
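The two practical points of this thread, that --read-write is only honoured on paths owned by the invoking user (so root-owned /tmp is refused) and that writes outside the build directory should fail rather than be discarded, as an added example that is not code from the issue or from the firejail project. It assumes GNU coreutils (stat -c), paths without whitespace, and firejail on PATH only for launch_sandbox; the other functions run without firejail.

```shell
#!/bin/sh
# Added example, not from the issue or the firejail project.
# Assumes GNU coreutils (stat -c) and paths without whitespace.

# Preflight for the ownership rule rusty-snake describes: --read-write is
# only honoured on paths owned by the invoking user. Return 0 if every path
# given is owned by us, 1 otherwise (missing paths also fail).
rw_paths_owned_by_me() {
    me=$(id -u)
    for p in "$@"; do
        owner=$(stat -c %u "$p" 2>/dev/null) || { echo "missing: $p" >&2; return 1; }
        if [ "$owner" != "$me" ]; then
            echo "not owned by uid $me: $p (owner uid $owner)" >&2
            return 1
        fi
    done
    return 0
}

# Compose the command line rdiez settled on: read-only tree $1, one writable
# build directory $2, no capabilities, seccomp, no new privileges, no root.
build_firejail_cmd() {
    printf 'firejail --noprofile --caps.drop=all --nonewprivs --seccomp --noroot --read-only=%s --read-write=%s' "$1" "$2"
}

# Probe to run inside the sandbox: return 0 only if creating a file in $1 is
# refused, i.e. the read-only mount fails the write instead of discarding it
# (the behaviour the issue asks for). Returns 1 if the write went through.
probe_write_refused() {
    f="$1/.firejail-probe.$$"
    if touch "$f" 2>/dev/null; then
        rm -f "$f"
        return 1
    fi
    return 0
}

# Run the preflight, then start the sandbox: read-only $1, writable $2,
# command $3 (defaults to bash). Word splitting of the composed line is
# intentional, hence the whitespace-free path assumption.
launch_sandbox() {
    rw_paths_owned_by_me "$2" || return 1
    $(build_firejail_cmd "$1" "$2") "${3:-bash}"
}
```

Inside the jail, `probe_write_refused "$HOME"` should succeed and `probe_write_refused "$HOME/MyTestDir"` should fail; a preflight failure on a root-owned path reproduces the "not allowed to change /tmp to read-write" warning before firejail is ever started.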
