github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #5684] --read-only-files and --read-only-folders to ensure --read-only only matches files/folders #3063

New issue

Open

opened 2026-05-05 09:42:25 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 09:42:25 -06:00

Owner

Originally created by @bf on GitHub (Feb 25, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5684

A file parser processes files in /data/foo/. It should be prevented from deleting existing files (--read-only=/data/foo/) but it should be allowed to create new files which don't exist yet.

Describe the solution you'd like

There should be option called --read-only-files which works like --read-only= but only includes files.
Similarly, there should be --read-only-folders.

Describe alternatives you've considered

I understand that the globbing relies on man 7 glob and it seems that there is no built-in solution for this.
The only workable alternative I see right now is to find . -type f and turn each of these files into a separate --read-only= parameter.

Additional context

I know it's a weird problem, but I want to make sure that existing files can be access but not overwritten/changed. At the same time in some cases new files need to be created.

Originally created by @bf on GitHub (Feb 25, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/5684 ### Is your feature request related to a problem? Please describe. A file parser processes files in /data/foo/. It should be prevented from deleting existing files (--read-only=/data/foo/) but it should be allowed to create new files which don't exist yet. ### Describe the solution you'd like There should be option called `--read-only-files` which works like `--read-only=` but only includes files. Similarly, there should be `--read-only-folders`. ### Describe alternatives you've considered I understand that the globbing relies on `man 7 glob` and it seems that there is no built-in solution for this. The only workable alternative I see right now is to `find . -type f` and turn each of these files into a separate `--read-only=` parameter. ### Additional context I know it's a weird problem, but I want to make sure that existing files can be access but not overwritten/changed. At the same time in some cases new files need to be created.

gitea-mirror added the

enhancement

label 2026-05-05 09:42:25 -06:00

gitea-mirror commented

2026-05-05 09:42:27 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 25, 2023):

--overlayfs has a related use case. Maybe it makes more sense to bring it back.

@rusty-snake commented on GitHub (Feb 25, 2023): `--overlayfs` has a related use case. Maybe it makes more sense to bring it back.

gitea-mirror commented

2026-05-05 09:42:28 -06:00

Author

Owner

@kmk3 commented on GitHub (Feb 25, 2023):

@bf on Feb 25:

Describe the solution you'd like

There should be option called --read-only-files which works like
--read-only= but only includes files. Similarly, there should be
--read-only-folders.

Describe alternatives you've considered

I understand that the globbing relies on man 7 glob and it seems that there
is no built-in solution for this. The only workable alternative I see right
now is to find . -type f and turn each of these files into a separate
--read-only= parameter.

The suggested commands seem a bit convoluted; for targetting paths that are not
static (and/or using custom logic), I think that it would be simpler to
dynamically generate commands for them in an include profile before running
firejail.

See for example the following answer, which is about blacklisting all .txt
files in a given directory:

https://github.com/netblue30/firejail/discussions/5616#discussioncomment-4778400

@kmk3 commented on GitHub (Feb 25, 2023): @bf [on Feb 25](https://github.com/netblue30/firejail/issues/5684#issue-1599748185): > ### Describe the solution you'd like > > There should be option called `--read-only-files` which works like > `--read-only=` but only includes files. Similarly, there should be > `--read-only-folders`. > > ### Describe alternatives you've considered > > I understand that the globbing relies on `man 7 glob` and it seems that there > is no built-in solution for this. The only workable alternative I see right > now is to `find . -type f` and turn each of these files into a separate > `--read-only=` parameter. The suggested commands seem a bit convoluted; for targetting paths that are not static (and/or using custom logic), I think that it would be simpler to dynamically generate commands for them in an include profile before running firejail. See for example the following answer, which is about blacklisting all .txt files in a given directory: * <https://github.com/netblue30/firejail/discussions/5616#discussioncomment-4778400>

gitea-mirror commented

2026-05-05 09:42:29 -06:00

Author

Owner

@smitsohu commented on GitHub (Feb 25, 2023):

--overlayfs has a related use case. Maybe it makes more sense to bring it back.

From distant memories, creating a read-only root filesystem using overlayfs and mounting some tmpfs for throwaway modifications (like on /tmp, /run/user/$UID, $HOME) should be possible. As far as I remember this kind of stuff is not subject to the kernel restrictions that led to feature removal in Firejail.

Also the (now deprecated) overlay-tmpfs option did in fact work quite well, even if from the kernel perspective the feature was perhaps not entirely unproblematic (in the past overlayfs used to be unhappy when files changed lowerdir).

Short of turning Firejail into a container engine, there is still probably a lot of potential in overlayfs.

@smitsohu commented on GitHub (Feb 25, 2023): > --overlayfs has a related use case. Maybe it makes more sense to bring it back. From distant memories, creating a read-only root filesystem using overlayfs and mounting some tmpfs for throwaway modifications (like on /tmp, /run/user/$UID, $HOME) should be possible. As far as I remember this kind of stuff is not subject to the kernel restrictions that led to feature removal in Firejail. Also the (now deprecated) `overlay-tmpfs` option did in fact work quite well, even if from the kernel perspective the feature was perhaps not entirely unproblematic (in the past overlayfs used to be unhappy when files changed lowerdir). Short of turning Firejail into a container engine, there is still probably a lot of potential in overlayfs.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3063

No description provided.

Rows
Columns