[GH-ISSUE #7038] Not keeping all mounts #3461

Closed
opened 2026-05-05 10:00:44 -06:00 by gitea-mirror · 3 comments
Owner

Originally created by @Melab on GitHub (Jan 20, 2026).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7038

When I run a program with firejail, the mounts that are present at `/media/${USER}/*` in the initial namespace are not present in the namespace that the jailed program runs in. How can I run a program such that its namespace has all the same mounts as its parent namespace except for the changes that I specify on the command line (like `--read-only=/read/only/path`)? The resulting mount namespace should be the most plain Jane copy of the originating namespace with the only differences being those specified on the command line. So, if I were to run `firejail --read-only=/read/only/directory "${other_necessary_args[@]}" -- program_name`, the *only* difference should be that `/read/only/directory` is bind mounted read-only. All programs inside it should run and all other privileges should be possessed.


@netblue30 commented on GitHub (Jan 23, 2026):

It should leave /media and /mnt directories alone by default. Example:

```
$ ls /media/netblue/
986b5708-d0e6-4771-93cb-b09e9bc3428a
$ firejail
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/landlock-common.inc

** Note: you can use --noprofile to disable default.profile **

firejail version 0.9.79

Parent pid 52600, child pid 52601
Base filesystem installed in 32.75 ms
Child process initialized in 58.05 ms
$ ls /media/netblue/
986b5708-d0e6-4771-93cb-b09e9bc3428a
```

@Melab commented on GitHub (Jan 25, 2026):

> It should leave /media and /mnt directories alone by default. Example:
>
> ```
> $ ls /media/netblue/
> 986b5708-d0e6-4771-93cb-b09e9bc3428a
> $ firejail
> Reading profile /etc/firejail/default.profile
> Reading profile /etc/firejail/disable-common.inc
> Reading profile /etc/firejail/disable-programs.inc
> Reading profile /etc/firejail/landlock-common.inc
>
> ** Note: you can use --noprofile to disable default.profile **
>
> firejail version 0.9.79
>
> Parent pid 52600, child pid 52601
> Base filesystem installed in 32.75 ms
> Child process initialized in 58.05 ms
> $ ls /media/netblue/
> 986b5708-d0e6-4771-93cb-b09e9bc3428a
> ```

Nope. My command, `sudo firejail --read-only=/{etc,usr} loop`, does not produce a namespace with my `tmpfs` mounted at `/media`. And, if I replace `loop` with `bash`, then when I run `ls /media/<MY_USERNAME>`, I get:

```
/bin/ls: cannot access '/media/<MY_USERNAME>': Permission denied
```

@netblue30 commented on GitHub (Jan 28, 2026):

Don't run with --read-only=/{etc,usr}. These directories are read-only inside the sandbox by default.

> does not produce a namespace with my tmpfs mounted at /media

I don't know who handles /media in a Linux system. It is a gvfs or systemd thing, definitely something implemented by your desktop manager. Why do you mount a tmpfs on top of it?
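A way to see exactly which mounts from the parent namespace are not visible inside a sandbox, rather than guessing from `ls` errors: capture `/proc/self/mountinfo` outside and inside firejail and diff the mount-point column. This is an added example, not code from the thread or from the firejail project; it relies on firejail's `--quiet` option, and the mountinfo lines in `demo` are constructed sample data with hypothetical mount ids and devices.

```shell
#!/bin/sh
# Added example (not firejail's own code). Field 5 of each line in
# /proc/self/mountinfo is the mount point; spaces in paths appear as \040,
# so whitespace-based field splitting is safe.

# missing_mounts OUTER_FILE INNER_FILE
# Prints, sorted, every mount point listed in OUTER_FILE but absent from INNER_FILE.
missing_mounts() {
    inner=$(awk '{print $5}' "$2" | sort -u)
    awk '{print $5}' "$1" | sort -u | while IFS= read -r mp; do
        printf '%s\n' "$inner" | grep -qxF -- "$mp" || printf '%s\n' "$mp"
    done
}

# compare_live [FIREJAIL_OPTIONS...]
# Captures the caller's mountinfo, then the view from inside a sandbox started
# with the given options (e.g. --read-only=/some/path), and reports the gaps.
# Requires firejail to be installed; it is not exercised by the demo below.
compare_live() {
    tmp=$(mktemp -d) || return 1
    cat /proc/self/mountinfo > "$tmp/outer"
    firejail --quiet "$@" cat /proc/self/mountinfo > "$tmp/inner" \
        || { rm -rf "$tmp"; return 1; }
    missing_mounts "$tmp/outer" "$tmp/inner"
    rm -rf "$tmp"
}

# demo: constructed sample data in which a /media mount exists in the parent
# namespace but has not been carried into the sandbox's namespace.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/outer" <<'EOF'
25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 25 0:30 / /media/alice/usb0 rw,nosuid,nodev,relatime - vfat /dev/sdb1 rw
41 25 0:31 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=1G
EOF
    cat > "$tmp/inner" <<'EOF'
25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
41 25 0:31 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=1G
EOF
    missing_mounts "$tmp/outer" "$tmp/inner"
    rm -rf "$tmp"
}
```

Running `compare_live` with and without a given option makes it possible to tell whether a mount disappears because of the default profile or because of the extra option.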
