[PR #7067] whitelist: allow placing an overlay into the sandbox #6301

opened 2026-05-05 10:54:23 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/7067
Author: @mardy
Created: 2/17/2026
Status: 🔄 Open

Base: master ← Head: whitelist-overlay


📝 Commits (1)

  • bac991f whitelist: allow placing an overlay into the sandbox.

📊 Changes

2 files changed (+49 additions, -13 deletions)

📝 src/firejail/firejail.h (+1 -0)
📝 src/firejail/fs_whitelist.c (+48 -13)

📄 Description

The use case for this option might not be that common, but I thought of sharing it anyway. If you think that this feature is not of general use, feel free to just close this.

This is similar to what a few comments requested in https://github.com/netblue30/firejail/issues/1743 and can be thought of as a generalisation of the --hosts-file=<file> option. Our use case is that we unpack the application in a special directory, and then when launching it we map some files and directories from the application package into the sandbox. For example:

 whitelist /usr/share/application-data=/path/to/application/data

This operation might deserve its own command name, but since its functionality is 95% the same as the one of the "whitelist" command, I implemented it by just expanding the syntax:

whitelist <path>[=<overlay>]

Maybe overlay, map or replace would be better names for this.

Note: if "<path>" does not exist, it will be created as a new file or directory (depending on whether "<overlay>" is a file or a directory).


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
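
The `whitelist <path>[=<overlay>]` syntax and the note about creating a missing `<path>`, worked through as an added C example that is not code from this PR or from firejail. All function and enum names are hypothetical; splitting at the first `=`, rejecting empty fields, and requiring the overlay source to be an existing file or directory are assumptions the description does not state.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical names throughout; this is not firejail's code. */
enum wl_action { WL_ERROR = -1, WL_PLAIN, WL_OVERLAY_EXISTING, WL_CREATE_FILE, WL_CREATE_DIR };

/* Split "<path>[=<overlay>]" at the first '=' (assumption: the description
 * does not say how a '=' inside a path is handled). Returns 1 if an overlay
 * is given, 0 if not, -1 on an empty or oversized field. */
int wl_split(const char *arg, char *path, char *overlay, size_t cap) {
    const char *eq = strchr(arg, '=');
    size_t plen = eq ? (size_t)(eq - arg) : strlen(arg);
    if (plen == 0 || plen >= cap)
        return -1;
    memcpy(path, arg, plen);
    path[plen] = '\0';
    overlay[0] = '\0';
    if (!eq)
        return 0;
    size_t olen = strlen(eq + 1);
    if (olen == 0 || olen >= cap)
        return -1;
    memcpy(overlay, eq + 1, olen + 1);
    return 1;
}

/* Decide what has to happen at <path> before <overlay> can be placed on it. */
enum wl_action wl_plan(const char *arg) {
    char path[4096], overlay[4096];
    struct stat src, dst;
    int r = wl_split(arg, path, overlay, sizeof path);
    if (r < 0)
        return WL_ERROR;
    if (r == 0)
        return WL_PLAIN;                 /* ordinary whitelist entry */
    if (stat(overlay, &src) != 0)
        return WL_ERROR;                 /* assumption: source must exist */
    if (!S_ISDIR(src.st_mode) && !S_ISREG(src.st_mode))
        return WL_ERROR;                 /* assumption: files and dirs only */
    if (stat(path, &dst) == 0)
        return WL_OVERLAY_EXISTING;      /* <path> is already there */
    /* Missing <path>: create it with the same kind as the overlay source. */
    return S_ISDIR(src.st_mode) ? WL_CREATE_DIR : WL_CREATE_FILE;
}

int main(void) {
    /* Constructed input: "/" always exists and is a directory. */
    printf("%d\n", wl_plan("/constructed-missing-dir/data=/"));
    return 0;
}
```

With a first-`=` split, a `<path>` that itself contains `=` cannot be expressed, which is one reason a separate command name or separator may be worth raising in review.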

Reference: github-starred/firejail#6301