[PR #5136] feature: add keep-xattrs option #5375

New issue

Open

opened 2026-05-05 10:37:18 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:37:18 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/5136
Author: @dseight
Created: 5/8/2022
Status: 🔄 Open

Base: master ← Head: keep-xattr

📝 Commits (3)

7db169b Simplify fcopy args processing
055168c Add --keep-xattrs option to fcopy
624517b Add keep-xattrs option

📊 Changes

13 files changed (+128 additions, -23 deletions)

View changed files

📝 contrib/vim/syntax/firejail.vim (+1 -1)
📝 src/fcopy/main.c (+90 -15)
📝 src/firejail/dhcp.c (+1 -1)
📝 src/firejail/firejail.h (+1 -0)
📝 src/firejail/fs_bin.c (+2 -2)
📝 src/firejail/fs_etc.c (+2 -2)
📝 src/firejail/fs_home.c (+2 -2)
📝 src/firejail/main.c (+8 -0)
📝 src/firejail/profile.c (+5 -0)
📝 src/firejail/usage.c (+1 -0)
📝 src/man/firejail-profile.txt (+4 -0)
📝 src/man/firejail.txt (+10 -0)
📝 src/zsh_completion/_firejail.in (+1 -0)

📄 Description

By default, firejail preserves only xattrs for bind-mounted files. To preserve xattrs on copied files (produced by private-bin, private-etc and private-home options) it's possible to use keep-xattrs option.

keep-xattrs is very useful in systems with signature-based IMA appraisal enabled (especially, when IMA policy prohibits running unsigned binaries).

New command checklist:

Update manpages: firejail(1) and firejail-profile(5)
Update shell completions
Update vim syntax files
Update --help

Edit by @kmk3: Add new command checklist

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/5136 **Author:** [@dseight](https://github.com/dseight) **Created:** 5/8/2022 **Status:** 🔄 Open **Base:** `master` ← **Head:** `keep-xattr` --- ### 📝 Commits (3) - [`7db169b`](https://github.com/netblue30/firejail/commit/7db169bb4b31044bf52e5c46e8698f59009e1615) Simplify fcopy args processing - [`055168c`](https://github.com/netblue30/firejail/commit/055168cab194dc17a0e0b6225ea29fb9fb58708a) Add `--keep-xattrs` option to fcopy - [`624517b`](https://github.com/netblue30/firejail/commit/624517bdcfc74b3884bb95c4a0899daeb759bcc9) Add keep-xattrs option ### 📊 Changes **13 files changed** (+128 additions, -23 deletions) <details> <summary>View changed files</summary> 📝 `contrib/vim/syntax/firejail.vim` (+1 -1) 📝 `src/fcopy/main.c` (+90 -15) 📝 `src/firejail/dhcp.c` (+1 -1) 📝 `src/firejail/firejail.h` (+1 -0) 📝 `src/firejail/fs_bin.c` (+2 -2) 📝 `src/firejail/fs_etc.c` (+2 -2) 📝 `src/firejail/fs_home.c` (+2 -2) 📝 `src/firejail/main.c` (+8 -0) 📝 `src/firejail/profile.c` (+5 -0) 📝 `src/firejail/usage.c` (+1 -0) 📝 `src/man/firejail-profile.txt` (+4 -0) 📝 `src/man/firejail.txt` (+10 -0) 📝 `src/zsh_completion/_firejail.in` (+1 -0) </details> ### 📄 Description By default, firejail preserves only xattrs for bind-mounted files. To preserve xattrs on copied files (produced by private-bin, private-etc and private-home options) it's possible to use keep-xattrs option. keep-xattrs is very useful in systems with signature-based IMA appraisal enabled (especially, when IMA policy prohibits running unsigned binaries). [New command checklist](https://github.com/netblue30/firejail/blob/53b2d817d5f412f0e4043bfea58cea39fd953cab/CONTRIBUTING.md): - [x] Update manpages: firejail(1) and firejail-profile(5) - [x] Update shell completions - [x] Update vim syntax files - [x] Update --help --- Edit by @kmk3: Add new command checklist --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>