github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3999] Firejail usage #2498

New issue
Closed
opened 2026-05-05 09:10:52 -06:00 by gitea-mirror · 27 comments
gitea-mirror commented 2026-05-05 09:10:52 -06:00
Owner
Copy link

Originally created by @tansm11 on GitHub (Feb 20, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3999

My laptop OS is Linux Mint 19.1 "Tessa" Cinnamon edition (64-bit).

Before Linux, I was using Windows 10. I installed and used a software called Sandboxie. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.
I can install any Windows application in what they called sandbox and then run the Windows application in the sandbox. When I throw away the sandbox, everything that is written to it will be lost. This is extremely useful when I try out suspicious software. If the software contains malware or I just don't like it, I just throw away the sandbox and the program disappears completely.
It also offers secure web browsing by running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded.

Will Firejail work like Sandboxie?

Let's say I want to try out software XX. So, I go install software XX. Then, I run software XX. I don't like it. So, I want everything to be completely disappeared like as if software XX has never been installed. How do I go about it using Firejail?

Originally created by @tansm11 on GitHub (Feb 20, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/3999 My laptop OS is Linux Mint 19.1 "Tessa" Cinnamon edition (64-bit). Before Linux, I was using Windows 10. I installed and used a software called Sandboxie. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. I can install any Windows application in what they called sandbox and then run the Windows application in the sandbox. When I throw away the sandbox, everything that is written to it will be lost. This is extremely useful when I try out suspicious software. If the software contains malware or I just don't like it, I just throw away the sandbox and the program disappears completely. It also offers secure web browsing by running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded. Will Firejail work like Sandboxie? Let's say I want to try out software XX. So, I go install software XX. Then, I run software XX. I don't like it. So, I want everything to be completely disappeared like as if software XX has never been installed. How do I go about it using Firejail?
gitea-mirror 2026-05-05 09:10:52 -06:00
  • closed this issue
  • added the
    stale
         label
gitea-mirror commented 2026-05-05 09:10:55 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 20, 2021):

Will Firejail work like Sandboxie?

No, it's an other software. Best you start some reading.
https://firejail.wordpress.com/features-3/
https://firejail.wordpress.com/documentation-2/

Let's say I want to try out software XX. So, I go install software XX. Then, I run software XX. I don't like it. So, I want everything to be completely disappeared like as if software XX has never been installed. How do I go about it using Firejail?

On Linux you install software usually with your packages manager, so the install/remove is very difficult to sandbox. However have a look at the private and private-home features.

try out suspicious software

You should not do this.

<!-- gh-comment-id:782722268 --> @rusty-snake commented on GitHub (Feb 20, 2021): > Will Firejail work like Sandboxie? No, it's an other software. Best you start some reading. https://firejail.wordpress.com/features-3/ https://firejail.wordpress.com/documentation-2/ > Let's say I want to try out software XX. So, I go install software XX. Then, I run software XX. I don't like it. So, I want everything to be completely disappeared like as if software XX has never been installed. How do I go about it using Firejail? On Linux you install software usually with your packages manager, so the install/remove is very difficult to sandbox. However have a look at the `private` and `private-home` features. > try out suspicious software You should not do this.
gitea-mirror commented 2026-05-05 09:10:56 -06:00
Author
Owner
Copy link

@FOSSONLY commented on GitHub (Feb 20, 2021):

On Linux you install software usually with your packages manager, so the install/remove is very difficult to sandbox.

This has changed in the meantime. While I can't speak for other package managers, apt has been running under a restricted user (_apt) for quite some time, and also has an optional seccomp filter that can be enabled (APT::Sandbox::Seccomp "1") in apt's configuration.

<!-- gh-comment-id:782737469 --> @FOSSONLY commented on GitHub (Feb 20, 2021): > On Linux you install software usually with your packages manager, so the install/remove is very difficult to sandbox. This has changed in the meantime. While I can't speak for other package managers, apt has been running under a restricted user (_apt) for quite some time, and also has an optional seccomp filter that can be enabled (APT::Sandbox::Seccomp "1") in apt's configuration.
gitea-mirror commented 2026-05-05 09:10:57 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Feb 20, 2021):

Is there any way to make Firejail to do like this? :

I create a container/sandbox. I install a software. I run the software. I delete/remove the container/sandbox and the software I had been installed will completely disappeared like as if the software has never been installed.

<!-- gh-comment-id:782737900 --> @tansm11 commented on GitHub (Feb 20, 2021): Is there any way to make Firejail to do like this? : I create a container/sandbox. I install a software. I run the software. I delete/remove the container/sandbox and the software I had been installed will completely disappeared like as if the software has never been installed.
gitea-mirror commented 2026-05-05 09:10:58 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 20, 2021):

This has changed in the meantime. While I can't speak for other package managers, apt has been running under a restricted user (_apt) for quite some time, and also has an optional seccomp filter that can be enabled (APT::Sandbox::Seccomp "1") in apt's configuration.

But still has full write access to the file-system, it doesn't? I see no real benefit if it can write to sudoers or bashrc or whatever. From what kind of attacker should it protect?

I create a container/sandbox. I install a software. I run the software. I delete/remove the container/sandbox and the software I had been installed will completely disappeared like as if the software has never been installed.

Sound podman/docker is more what you search for. However, you could use the chroot feature or use AppImages.

<!-- gh-comment-id:782739095 --> @rusty-snake commented on GitHub (Feb 20, 2021): > This has changed in the meantime. While I can't speak for other package managers, apt has been running under a restricted user (_apt) for quite some time, and also has an optional seccomp filter that can be enabled (APT::Sandbox::Seccomp "1") in apt's configuration. But still has full write access to the file-system, it doesn't? I see no real benefit if it can write to sudoers or bashrc or whatever. From what kind of attacker should it protect? > I create a container/sandbox. I install a software. I run the software. I delete/remove the container/sandbox and the software I had been installed will completely disappeared like as if the software has never been installed. Sound podman/docker is more what you search for. However, you could use the `chroot` feature or use AppImages.
gitea-mirror commented 2026-05-05 09:10:59 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Feb 22, 2021):

I create a container/sandbox. I install a software. I run the software. I delete/remove the container/sandbox and the software I had been installed will completely disappeared like as if the software has never been installed.

Sound podman/docker is more what you search for. However, you could use the chroot feature or use AppImages.

That is close but not close to what I'm looking for.

I'm thinking if Firejail can do like this:

I run Firejail. Then, I install a Linux software (doesn't matter whether from Debian package or from Terminal or from Software Manager) and then I run the Linux software. Then, I close/shutdown Firejail. Whatever filesystem modifications have been done while installing and running the software all will be gone. The host filesystem is not touched. Is that possible?

<!-- gh-comment-id:783158490 --> @tansm11 commented on GitHub (Feb 22, 2021): > > I create a container/sandbox. I install a software. I run the software. I delete/remove the container/sandbox and the software I had been installed will completely disappeared like as if the software has never been installed. > > Sound podman/docker is more what you search for. However, you could use the `chroot` feature or use AppImages. That is close but not close to what I'm looking for. I'm thinking if Firejail can do like this: I run Firejail. Then, I install a Linux software (doesn't matter whether from Debian package or from Terminal or from Software Manager) and then I run the Linux software. Then, I close/shutdown Firejail. Whatever filesystem modifications have been done while installing and running the software all will be gone. The host filesystem is not touched. Is that possible?
gitea-mirror commented 2026-05-05 09:11:00 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 14, 2021):

As I said podman is closer to that what you need IMO.

doesn't matter whether from Debian package or from Terminal or from Software Manager

Matters because Software Manager uses PackageKit.

Whatever filesystem modifications have been done while installing and running the software all will be gone. The host filesystem is not touched. Is that possible?

With --overlayfs-tmpfs. However it is disable.

<!-- gh-comment-id:798969970 --> @rusty-snake commented on GitHub (Mar 14, 2021): As I said podman is closer to that what you need IMO. > doesn't matter whether from Debian package or from Terminal or from Software Manager Matters because Software Manager uses PackageKit. > Whatever filesystem modifications have been done while installing and running the software all will be gone. The host filesystem is not touched. Is that possible? With `--overlayfs-tmpfs`. However it is disable.
gitea-mirror commented 2026-05-05 09:11:01 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 15, 2021):

As I said podman is closer to that what you need IMO.

doesn't matter whether from Debian package or from Terminal or from Software Manager

Matters because Software Manager uses PackageKit.

Whatever filesystem modifications have been done while installing and running the software all will be gone. The host filesystem is not touched. Is that possible?

With --overlayfs-tmpfs. However it is disable.

Maybe I didn't make it clear enough.

Actually, I want to try out a Linux software but I don't want it to make any changes to my real Linux computer system (starting from the time I install it until the time I run it and until the time after I remove it). How can I do that using Firejail?

<!-- gh-comment-id:799454505 --> @tansm11 commented on GitHub (Mar 15, 2021): > As I said podman is closer to that what you need IMO. > > > doesn't matter whether from Debian package or from Terminal or from Software Manager > > Matters because Software Manager uses PackageKit. > > > Whatever filesystem modifications have been done while installing and running the software all will be gone. The host filesystem is not touched. Is that possible? > > With `--overlayfs-tmpfs`. However it is disable. Maybe I didn't make it clear enough. Actually, I want to try out a Linux software but I don't want it to make any changes to my real Linux computer system (starting from the time I install it until the time I run it and until the time after I remove it). How can I do that using Firejail?
gitea-mirror commented 2026-05-05 09:11:02 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 15, 2021):

With the overlayfs feature. But it is disabled at the moment, so you need to workaround it with the chroot feature or by use an other software (docker, podman, runc, crun, bwrap, mount, minijail, systemd-nspawn (example 6), lxc, lxd, ...) together with firejail or not.

To warn again: PackageKit uses D-Bus and therefore it shoots back. (If you want to say so)

<!-- gh-comment-id:799559069 --> @rusty-snake commented on GitHub (Mar 15, 2021): With the overlayfs feature. But it is disabled at the moment, so you need to workaround it with the chroot feature or by use an other software (docker, podman, runc, crun, bwrap, mount, minijail, systemd-nspawn ([example 6](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Examples)), lxc, lxd, ...) together with firejail or not. To warn again: PackageKit uses D-Bus and therefore it shoots back. (If you want to say so)
gitea-mirror commented 2026-05-05 09:11:03 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 15, 2021):

With the overlayfs feature. But it is disabled at the moment, so you need to workaround it with the chroot feature or by use an other software (docker, podman, runc, crun, bwrap, mount, minijail, systemd-nspawn (example 6), lxc, lxd, ...) together with firejail or not.

To warn again: PackageKit uses D-Bus and therefore it shoots back. (If you want to say so)

So, it seems that the overlayfs feature is the closest to the one that I'm looking for. Oh no!.....Please don't be disabled.

<!-- gh-comment-id:799580580 --> @tansm11 commented on GitHub (Mar 15, 2021): > With the overlayfs feature. But it is disabled at the moment, so you need to workaround it with the chroot feature or by use an other software (docker, podman, runc, crun, bwrap, mount, minijail, systemd-nspawn ([example 6](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Examples)), lxc, lxd, ...) together with firejail or not. > > To warn again: PackageKit uses D-Bus and therefore it shoots back. (If you want to say so) So, it seems that the overlayfs feature is the closest to the one that I'm looking for. Oh no!.....Please don't be disabled.
gitea-mirror commented 2026-05-05 09:11:03 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 16, 2021):

I played a bit: Test successfully start zenity --info

  • bwrap: has no overlayfs
  • podman: SELinux kicks in
  • fuse-overlayfs + firejail --chroot: system crash
  • mount -t overlay + firejail: welcome to hell, but works
  • systemd-nspawn: works
<!-- gh-comment-id:800196907 --> @rusty-snake commented on GitHub (Mar 16, 2021): I played a bit: Test successfully start `zenity --info` - bwrap: has no overlayfs - podman: SELinux kicks in - fuse-overlayfs + firejail --chroot: system crash - mount -t overlay + firejail: welcome to hell, but works - systemd-nspawn: works
gitea-mirror commented 2026-05-05 09:11:04 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 18, 2021):

I played a bit: Test successfully start zenity --info

* bwrap: has no overlayfs

* podman: SELinux kicks in

* fuse-overlayfs + firejail --chroot: system crash

* mount -t overlay + firejail: welcome to hell, but works

* systemd-nspawn: works

You mentioned "podman: SELinux kicks in", so it works or not?

<!-- gh-comment-id:801895695 --> @tansm11 commented on GitHub (Mar 18, 2021): > I played a bit: Test successfully start `zenity --info` > > * bwrap: has no overlayfs > > * podman: SELinux kicks in > > * fuse-overlayfs + firejail --chroot: system crash > > * mount -t overlay + firejail: welcome to hell, but works > > * systemd-nspawn: works You mentioned "podman: SELinux kicks in", so it works or not?
gitea-mirror commented 2026-05-05 09:11:04 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 18, 2021):

Did more playing with podman: It works with --security-opt=label=disable.

<!-- gh-comment-id:801900164 --> @rusty-snake commented on GitHub (Mar 18, 2021): Did more playing with podman: It works with `--security-opt=label=disable`.
gitea-mirror commented 2026-05-05 09:11:04 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 18, 2021):

I played a bit: Test successfully start zenity --info

* bwrap: has no overlayfs

* podman: SELinux kicks in

* fuse-overlayfs + firejail --chroot: system crash

* mount -t overlay + firejail: welcome to hell, but works

* systemd-nspawn: works

For "mount -t overlay + firejail", what are the steps to apply?

<!-- gh-comment-id:801906679 --> @tansm11 commented on GitHub (Mar 18, 2021): > I played a bit: Test successfully start `zenity --info` > > * bwrap: has no overlayfs > > * podman: SELinux kicks in > > * fuse-overlayfs + firejail --chroot: system crash > > * mount -t overlay + firejail: welcome to hell, but works > > * systemd-nspawn: works For "mount -t overlay + firejail", what are the steps to apply?
gitea-mirror commented 2026-05-05 09:11:05 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 18, 2021):

Collected form my shell history, maybe not complete.

sudo mkdir /overlayfs
# only if you want
sudo mount -t tmpfs -o size=2G,mode=0755,uid=0,gid=0 tmpfs /overlayfs
sudo mkdir -p /overlayfs/{root,diff,work}
sudo mount -t overlay overlay -o lowerdir=/,upperdir=/overlayfs/diff,workdir=/overlayfs/work overlay /overlayfs/root
sudo mount -t overlay overlay -o lowerdir=/home,upperdir=/overlayfs/diff,workdir=/overlayfs/work /overlayfs/root/home
# overlay mount any other mount point that you have and need
sudo mkdir -p /overlayfs/root/run/user/$UID
sudo mount -t overlay overlay -o lowerdir=/run/user/$UID,upperdir=/overlayfs/diff,workdir=/overlayfs/work /overlayfs/root/run/user/$UID
firejail --chroot=/overlayfs/root --noprofile bash
XDG_RUNTIME_DIR=/run/user/$UID zenity --info
exit
sudo umount /overlayfs/root/run/user/1000
sudo umount /overlayfs/root/home
sudo umount /overlayfs/root
sudo umount /overlayfs 
sudo rmdir /overlayfs
<!-- gh-comment-id:801915903 --> @rusty-snake commented on GitHub (Mar 18, 2021): Collected form my shell history, maybe not complete. ```bash sudo mkdir /overlayfs # only if you want sudo mount -t tmpfs -o size=2G,mode=0755,uid=0,gid=0 tmpfs /overlayfs sudo mkdir -p /overlayfs/{root,diff,work} sudo mount -t overlay overlay -o lowerdir=/,upperdir=/overlayfs/diff,workdir=/overlayfs/work overlay /overlayfs/root sudo mount -t overlay overlay -o lowerdir=/home,upperdir=/overlayfs/diff,workdir=/overlayfs/work /overlayfs/root/home # overlay mount any other mount point that you have and need sudo mkdir -p /overlayfs/root/run/user/$UID sudo mount -t overlay overlay -o lowerdir=/run/user/$UID,upperdir=/overlayfs/diff,workdir=/overlayfs/work /overlayfs/root/run/user/$UID firejail --chroot=/overlayfs/root --noprofile bash XDG_RUNTIME_DIR=/run/user/$UID zenity --info exit sudo umount /overlayfs/root/run/user/1000 sudo umount /overlayfs/root/home sudo umount /overlayfs/root sudo umount /overlayfs sudo rmdir /overlayfs ```
gitea-mirror commented 2026-05-05 09:11:05 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 18, 2021):

I played a bit: Test successfully start zenity --info

* bwrap: has no overlayfs

* podman: SELinux kicks in

* fuse-overlayfs + firejail --chroot: system crash

* mount -t overlay + firejail: welcome to hell, but works

* systemd-nspawn: works

For "systemd-nspawn (example 6)", it virtualizes host system together with any removable drives that connected to my computer?

<!-- gh-comment-id:801928087 --> @tansm11 commented on GitHub (Mar 18, 2021): > I played a bit: Test successfully start `zenity --info` > > * bwrap: has no overlayfs > > * podman: SELinux kicks in > > * fuse-overlayfs + firejail --chroot: system crash > > * mount -t overlay + firejail: welcome to hell, but works > > * systemd-nspawn: works For "systemd-nspawn ([example 6](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Examples))", it virtualizes host system together with any removable drives that connected to my computer?
gitea-mirror commented 2026-05-05 09:11:06 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 18, 2021):

virtualizes host system

It does not virtualizes anything. virtualization is kvm (for example), emulation is qemu (for example; except qemu-kvm). All tools I listed have no virtualization/emulation.

together with any removable drives that connected to my computer

Yes, like firejail, bwrap or podman (always depending on the used arguments/parameters/commands/options/flags/...).

<!-- gh-comment-id:801944239 --> @rusty-snake commented on GitHub (Mar 18, 2021): > virtualizes host system It does not virtualizes anything. virtualization is kvm (for example), emulation is qemu (for example; except qemu-kvm). All tools I listed have no virtualization/emulation. > together with any removable drives that connected to my computer Yes, like firejail, bwrap or podman (always depending on the used arguments/parameters/commands/options/flags/...).
gitea-mirror commented 2026-05-05 09:11:06 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 18, 2021):

What I did for testing:

sudo systemd-nspawn --link-journal=no --volatile=yes --overlay=/usr::/usr --overlay=/home::/home --overlay=/etc::/etc -D / --tmpfs=$XDG_RUNTIME_DIR:uid=$UID,gid=$GID,mode=0700 --bind=$XDG_RUNTIME_DIR/wayland-0 --user=$UID --as-pid2 /bin/bash
XDG_RUNTIME_DIR=/run/user/1000 zenity --info
<!-- gh-comment-id:801945139 --> @rusty-snake commented on GitHub (Mar 18, 2021): What I did for testing: ```bash sudo systemd-nspawn --link-journal=no --volatile=yes --overlay=/usr::/usr --overlay=/home::/home --overlay=/etc::/etc -D / --tmpfs=$XDG_RUNTIME_DIR:uid=$UID,gid=$GID,mode=0700 --bind=$XDG_RUNTIME_DIR/wayland-0 --user=$UID --as-pid2 /bin/bash XDG_RUNTIME_DIR=/run/user/1000 zenity --info ```
gitea-mirror commented 2026-05-05 09:11:07 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 18, 2021):

virtualizes host system

It does not virtualizes anything. virtualization is kvm (for example), emulation is qemu (for example; except qemu-kvm). All tools I listed have no virtualization/emulation.

together with any removable drives that connected to my computer

Yes, like firejail, bwrap or podman (always depending on the used arguments/parameters/commands/options/flags/...).

Yes, it does virtualizes. If you read the description of systemd-nspawn, it stated there:

systemd-nspawn may be used to run a command or OS in a light-weight namespace container. In many ways it is similar to chroot(1), but more powerful since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.

<!-- gh-comment-id:801954653 --> @tansm11 commented on GitHub (Mar 18, 2021): > > virtualizes host system > > It does not virtualizes anything. virtualization is kvm (for example), emulation is qemu (for example; except qemu-kvm). All tools I listed have no virtualization/emulation. > > > together with any removable drives that connected to my computer > > Yes, like firejail, bwrap or podman (always depending on the used arguments/parameters/commands/options/flags/...). Yes, it does virtualizes. If you read the [description](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Description) of systemd-nspawn, it stated there: systemd-nspawn may be used to run a command or OS in a light-weight namespace container. In many ways it is similar to chroot(1), but more powerful since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.
gitea-mirror commented 2026-05-05 09:11:07 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 18, 2021):

The file system (and some other ns), but not the host system (which includes your cpu, disk, ...). Anyway these are quibbles.

<!-- gh-comment-id:801966849 --> @rusty-snake commented on GitHub (Mar 18, 2021): The file system (and some other ns), but not the host system (which includes your cpu, disk, ...). Anyway these are quibbles.
gitea-mirror commented 2026-05-05 09:11:07 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 18, 2021):

I'm sorry I think I have misunderstood about that virtualize thing.

Let's get back to "systemd-nspawn (example 6)".

It runs a copy of the host system in a snapshot and at the same time it runs a copy of any removable drives that connected to my computer in that same snapshot?

<!-- gh-comment-id:801987360 --> @tansm11 commented on GitHub (Mar 18, 2021): I'm sorry I think I have misunderstood about that virtualize thing. Let's get back to "systemd-nspawn ([example 6](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Examples))". It runs a copy of the host system in a snapshot and at the same time it runs a copy of any removable drives that connected to my computer in that same snapshot?
gitea-mirror commented 2026-05-05 09:11:08 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 18, 2021):

Yes, it's like mkdir /new_root && cp -r --reflink=auto --exclude=/new_root / /new_root (cp has no --exclude).

... but it can also bind, robind and overlayfs.

<!-- gh-comment-id:801991224 --> @rusty-snake commented on GitHub (Mar 18, 2021): Yes, it's like `mkdir /new_root && cp -r --reflink=auto --exclude=/new_root / /new_root` (cp has no `--exclude`). ... but it can also bind, robind and overlayfs.
gitea-mirror commented 2026-05-05 09:11:08 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 18, 2021):

While it runs a copy of the host system in a snapshot, is there any way to whitelist any removable drives that connected to my computer? So that while it runs a copy of the host system in a snapshot, I can still save anything onto any removable drives that connected to my computer during its runtime and that saving in that removable drives will not be lost on shutdown.

<!-- gh-comment-id:802029364 --> @tansm11 commented on GitHub (Mar 18, 2021): While it runs a copy of the host system in a snapshot, is there any way to whitelist any removable drives that connected to my computer? So that while it runs a copy of the host system in a snapshot, I can still save anything onto any removable drives that connected to my computer during its runtime and that saving in that removable drives will not be lost on shutdown.
gitea-mirror commented 2026-05-05 09:11:08 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 18, 2021):

Just --bind the upper directory.

<!-- gh-comment-id:802032329 --> @rusty-snake commented on GitHub (Mar 18, 2021): Just `--bind` the upper directory.
gitea-mirror commented 2026-05-05 09:11:09 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 19, 2021):

You mean I just --bind the internal hard drive of my computer?

<!-- gh-comment-id:802661519 --> @tansm11 commented on GitHub (Mar 19, 2021): You mean I just `--bind` the internal hard drive of my computer?
gitea-mirror commented 2026-05-05 09:11:09 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 19, 2021):

No --bind /media or /run/media or where else the external driver gets mounted.

<!-- gh-comment-id:802848591 --> @rusty-snake commented on GitHub (Mar 19, 2021): No `--bind` `/media` or `/run/media` or where else the external driver gets mounted.
gitea-mirror commented 2026-05-05 09:11:10 -06:00
Author
Owner
Copy link

@tansm11 commented on GitHub (Mar 19, 2021):

Oh, okay.

<!-- gh-comment-id:802867347 --> @tansm11 commented on GitHub (Mar 19, 2021): Oh, okay.
gitea-mirror commented 2026-05-05 09:11:10 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 4, 2021):

I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.

<!-- gh-comment-id:892573583 --> @rusty-snake commented on GitHub (Aug 4, 2021): I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2498
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?