[GH-ISSUE #1234] Support whitelisting in overlayfs #840

Closed
opened 2026-05-05 06:57:11 -06:00 by gitea-mirror · 3 comments
Originally created by @laniakea64 on GitHub (Apr 19, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1234

firejail self-build from https://github.com/netblue30/firejail/commit/f94b3bb27565a93b6d963bda2daac4b912458861
Xubuntu 16.04

While tweaking profiles, I noticed a significant difference in behavior of the home directory in a --overlay-tmpfs sandbox compared to a non-overlay sandbox.

Steps to reproduce:

1. Create a test profile at ~/Documents/Goo.profile -

       include /etc/firejail/disable-common.inc
       include /etc/firejail/disable-devel.inc

       caps.drop all
       seccomp
       protocol unix,inet,inet6,netlink
       tracelog
       noroot

       whitelist ~/Downloads

       whitelist ~/Documents
       read-only ~/Documents

       include /etc/firejail/whitelist-common.inc

2. Run firejail with the profile -

       firejail --profile=/home/(you)/Documents/Goo.profile

   In the sandbox, run these commands -

       cd
       ls -la
       exit

3. Now run firejail with --overlay-tmpfs with that profile -

       firejail --ignore=noroot --profile=/home/(you)/Documents/Goo.profile --overlay-tmpfs

   Repeat the same commands in the sandbox.

Expected results: No difference in behavior inside the sandbox.

Actual results: In the non-overlay sandbox, only the whitelisted files/folders are listed, whereas in the --overlay-tmpfs sandbox, everything in the home directory is listed.

Some bisecting seems to point to https://github.com/netblue30/firejail/commit/567585fe3b2375e0b9dc55dac3672b99aade19f0 as when this difference started.

Is this difference intended? If so, is there a better way to "restore" the non-overlay behavior than using blacklist ${HOME}/* and a lot of noblacklist?

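The report above boils down to one question a profile author needs to answer: did the whitelist actually take effect in this sandbox, or was it silently dropped? The script below is an added example, not code from the firejail project or from this issue. It makes two checks: it scans firejail's startup output for the "whitelist feature is disabled" warning that the overlay run prints, and it compares a listing of $HOME taken inside the sandbox against the whitelist lines written directly in the profile. The sample profile and the overlay startup log are the ones quoted in this issue; the non-overlay log and the two directory listings are constructed for the example, and the script only reads whitelist lines in the profile itself, not those pulled in through include lines (an assumption made to keep it short).

```shell
#!/bin/sh
# Added example, not code from the firejail project or from this issue.
# Two defender-side checks for "did the profile's whitelist take effect?":
#   check_startup_log  - scan firejail's startup messages for the warning
#                        that means whitelisting was silently dropped
#   unexpected_entries - compare what $HOME shows inside the sandbox with
#                        the profile's own whitelist lines
# Only 'whitelist ~/NAME' lines written directly in the profile are read;
# paths pulled in through 'include' lines are not followed (assumption).

check_startup_log() {
    # $1: file holding firejail's startup output.
    # Returns 1 if firejail announced that whitelisting is off.
    if grep -q 'whitelist feature is disabled' "$1"; then
        return 1
    fi
    return 0
}

whitelisted_names() {
    # $1: profile file. Prints the top-level name of each 'whitelist ~/NAME'.
    sed -n 's|^whitelist ~/\([^ /]*\).*|\1|p' "$1"
}

unexpected_entries() {
    # $1: profile file; $2: file with one $HOME entry per line (ls -A style).
    # Prints every entry that is not covered by a whitelist line.
    allowed=$(whitelisted_names "$1")
    while IFS= read -r entry; do
        case "$entry" in
            ''|.|..) continue ;;
        esac
        found=0
        for name in $allowed; do
            if [ "$entry" = "$name" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done < "$2"
    return 0
}

# ---- constructed sample inputs ------------------------------------------
SAMPLE_DIR="${TMPDIR:-/tmp}/fj-whitelist-check.$$"
mkdir -p "$SAMPLE_DIR"

# The profile from the issue.
cat > "$SAMPLE_DIR/Goo.profile" <<'EOF'
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc

caps.drop all
seccomp
protocol unix,inet,inet6,netlink
tracelog
noroot

whitelist ~/Downloads

whitelist ~/Documents
read-only ~/Documents

include /etc/firejail/whitelist-common.inc
EOF

# Startup output of the --overlay-tmpfs run, as quoted in the issue.
cat > "$SAMPLE_DIR/overlay.log" <<'EOF'
Reading profile p
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 2001, child pid 2002
OverlayFS configured in /run/firejail/mnt directory
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Warning: whitelist feature is disabled in overlay
Blacklist violations are logged to syslog
Child process initialized
EOF

# Constructed startup output for the non-overlay run (no whitelist warning).
cat > "$SAMPLE_DIR/plain.log" <<'EOF'
Reading profile p
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 2001, child pid 2002
Dropping all Linux capabilities and enforcing default seccomp filter
Blacklist violations are logged to syslog
Child process initialized
EOF

# Constructed 'ls -A ~' listings taken inside each sandbox.
printf 'Documents\nDownloads\n' > "$SAMPLE_DIR/plain-ls.txt"
printf '.bashrc\nDocuments\nDownloads\nMusic\n' > "$SAMPLE_DIR/overlay-ls.txt"

if check_startup_log "$SAMPLE_DIR/overlay.log"; then
    echo "overlay run: whitelist active"
else
    echo "overlay run: WHITELIST DISABLED, home directory is not confined"
fi
echo "entries visible in the overlay sandbox but not whitelisted:"
unexpected_entries "$SAMPLE_DIR/Goo.profile" "$SAMPLE_DIR/overlay-ls.txt"
```

To use it against a live sandbox, capture firejail's startup output to a file and run `ls -A ~` inside the sandbox, then feed both files to the two functions; a non-empty result from unexpected_entries, or a failing check_startup_log, means the profile is not confining $HOME the way it does without --overlay-tmpfs.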
@netblue30 commented on GitHub (Apr 20, 2017):

This is what I get:

$ firejail --ignore=noroot --profile=p --overlay-tmpfs
Reading profile p
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 2001, child pid 2002
OverlayFS configured in /run/firejail/mnt directory
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Warning: whitelist feature is disabled in overlay
Blacklist violations are logged to syslog
Child process initialized

Whitelists are disabled when using overlayfs. I'll try to add support for them in a future version.

@chiraag-nataraj commented on GitHub (Aug 20, 2018):

This seems to be fixed. @laniakea64, please feel free to re-open if you still have this issue.

@laniakea64 commented on GitHub (Aug 20, 2018):

I do not see this issue in self-build from https://github.com/netblue30/firejail/commit/1e13e50799da55d1d475f89aa28206e347bd4757. Thanks for the fix! 😃

Reference: github-starred/firejail#840