[GH-ISSUE #3909] bind directory update option for specific time period #2451

New issue

Open

opened 2026-05-05 09:08:11 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 09:08:11 -06:00

Owner

Originally created by @osevan on GitHub (Jan 22, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3909

Overlayfs of firejail,should update content of folder in specific time frame without restarting sandbox and without bind option

As addition hardening thinking step is, to allow specific file names AND extensions of files to create (write inside sandbox) in specific paths

Example in profile:
for filenames :
filename-allow-write path filename1,filename2,filename3

filename-allow-write /var/html/ index.html,index.php

For fileextensions
fileextension-allow-write path .extension1,.extension2,*.extension3

fileextension-allow-write /var/html/ *.html

fileextension-allow-write /var/php/ *.php

fileextension-allow-write /var/js/ *.js

This option combined with readonly inside sandbox specified inside profil, give us absolute filesystem hardening.
Maybe remounting or updating specific directorys in time frame is the solution, but when you have more elegant method you could give a try.

For example
In profile we can declare as:

read-only /var/html

read-only everything

For everything read only exept for log files as additional rule in profile.

read-only-exept /var/log/logfile
Update-folder path timeperiodinseconds
Update-folder /var/html/ 3
Update-file /var/html/index.html 3

These paths are monitored every 3 seconds outside of sandbox, if something changed on real origin and source path, and if true, writing files inside sandbox with linux function splice back, to avoid locks and overhead and for zerocopy transfer.

I hope I was able to stimulate your thought.

Thanks an
best regards

Originally created by @osevan on GitHub (Jan 22, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/3909 Overlayfs of firejail,should update content of folder in specific time frame without restarting sandbox and without bind option As addition hardening thinking step is, to allow specific file names AND extensions of files to create (write inside sandbox) in specific paths Example in profile: for filenames : filename-allow-write path filename1,filename2,filename3 filename-allow-write /var/html/ index.html,index.php For fileextensions fileextension-allow-write path *.extension1,*.extension2,*.extension3 fileextension-allow-write /var/html/ *.html fileextension-allow-write /var/php/ *.php fileextension-allow-write /var/js/ *.js This option combined with readonly inside sandbox specified inside profil, give us absolute filesystem hardening. Maybe remounting or updating specific directorys in time frame is the solution, but when you have more elegant method you could give a try. For example In profile we can declare as: read-only /var/html Or read-only everything For everything read only exept for log files as additional rule in profile. read-only-exept /var/log/logfile Update-folder path timeperiodinseconds Update-folder /var/html/ 3 Update-file /var/html/index.html 3 These paths are monitored every 3 seconds outside of sandbox, if something changed on real origin and source path, and if true, writing files inside sandbox with linux function splice back, to avoid locks and overhead and for zerocopy transfer. I hope I was able to stimulate your thought. Thanks an best regards