Firejail: Question about OverlayFS

Created on 4 Dec 2019 · 2 Comments · Source: netblue30/firejail

I am looking for a certain functionality as follows: Allow a FJ sandbox to write files to a folder without being able to view or access any of the preexisting contents of the folder. Then when sandbox is closed "flatten" the folder so that all the new and old contents are retained.

Is this possible with the overlayfs or other arguments?

All 2 comments

Personally I've never had the need for such a use-case, so this is untested, but I think you can use the --overlay-named=name in combination with the --put options.

Quoting from man firejail:

_Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/ directory. The created overlay can be reused between multiple sessions. If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled._

You can drop files into any noblacklisted/whitelisted directory using --put once the relevant sandbox is active (started with an additional --name=foo for ease-of-use):

firejail --put=foo ~/my_special_file ~/my_special_folder/my_special_file

You'll need to do the above for each file you want to transfer into the sandbox. See the FILE TRANSFER section in man firejail for more details. I do recommend experimenting/testing with a small sample of test files before committing such a scripted approach. HTH.
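The scripted approach the comment above alludes to, written out as an added example (this is not code from the firejail project or from the commenter): one function starts a named, reusable overlay sandbox with the `--overlay-named` and `--name` options quoted above, and another loops over a list of files and issues one `firejail --put` per file. The `FIREJAIL` variable, the `put_files`/`start_overlay_sandbox` names and the `DEST_DIR` convention are assumptions for this script, not firejail options; the binary is parameterised so the loop can be exercised against a stub.

```shell
#!/bin/sh
# Added example: scripted --put transfer into a named overlay sandbox.
# Assumptions (not from the thread or the firejail project):
#   FIREJAIL  - the binary to invoke; overridable so the loop can be dry-run
#   put_files - takes the sandbox name, a destination directory as seen
#               inside the sandbox, and any number of source files.

FIREJAIL=${FIREJAIL:-firejail}

# start_overlay_sandbox NAME CMD...
# Runs CMD inside a persistent overlay called NAME; the same NAME is used
# for --name so later --put calls can address the sandbox.
start_overlay_sandbox() {
    name=$1; shift
    "$FIREJAIL" --name="$name" --overlay-named="$name" "$@"
}

# put_files NAME DEST_DIR FILE...
# One --put per file, as the man page's FILE TRANSFER section requires.
# Anything that is not a regular file is skipped with a note on stderr;
# a failed transfer is reported and the loop continues. Prints the number
# of files transferred so a caller can check it.
put_files() {
    name=$1; dest=$2; shift 2
    count=0
    for src in "$@"; do
        if [ ! -f "$src" ]; then
            printf 'skipping %s: not a regular file\n' "$src" >&2
            continue
        fi
        base=${src##*/}
        "$FIREJAIL" --put="$name" "$src" "$dest/$base" || {
            printf 'transfer of %s failed\n' "$src" >&2
            continue
        }
        count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# Demo session, only run when the script is invoked with --demo:
# start the jail in the background, give it a moment, then push files in.
if [ "${1:-}" = "--demo" ]; then
    start_overlay_sandbox foo firefox &
    sleep 2
    put_files foo ~/my_special_folder ~/my_special_file ~/other_file
fi
```

The destination path given to `--put` is interpreted inside the sandbox, so `DEST_DIR` should be the path the jailed process sees, which with an overlay is normally the same as the host path. Running the script with `FIREJAIL=echo` prints each command instead of executing it, which is the cheap way to check the generated `--put` lines before pointing it at a real sandbox.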

Thanks, it looks like a good solution. I settled on a script that moves the files above the folder on each launch so the jail just gets the empty directory and I can access all the files outside.
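A wrapper in the spirit of the stash-then-launch script described in the reply above, as an added example (the original poster's script is not on the page, and this is not firejail project code). It moves everything out of the folder into a stash directory beside it, runs whatever sandbox command it is given, and then moves the stashed contents back so the folder ends up holding both the old and the new files. The `stash_contents`, `merge_back` and `run_with_stash` names, the `.stash` directory location and the `.sandboxed` suffix used when the jail created a file with the same name as a stashed one are all assumptions of this example.

```shell
#!/bin/sh
# Added example: stash the folder's contents outside it, launch the jail on
# the now-empty folder, then merge the stash back in ("flatten").
# Assumptions (not from the thread): stash dir is <folder>.stash next to the
# folder; on a name collision the sandbox's copy is kept under <name>.sandboxed.

# stash_contents FOLDER STASH
# Moves every entry of FOLDER, dotfiles included, into STASH.
stash_contents() {
    mkdir -p "$2"
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        mv -- "$entry" "$2"/
    done
}

# merge_back STASH FOLDER
# Moves the stashed entries back into FOLDER. Files the sandbox created with
# the same name are renamed to <name>.sandboxed rather than overwritten.
# Prints the number of such collisions and removes the emptied stash dir.
merge_back() {
    collisions=0
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ -e "$2/$name" ] || [ -L "$2/$name" ]; then
            mv -- "$2/$name" "$2/$name.sandboxed"
            collisions=$((collisions + 1))
        fi
        mv -- "$entry" "$2"/
    done
    rmdir -- "$1" 2>/dev/null
    printf '%s\n' "$collisions"
}

# run_with_stash FOLDER CMD...
# Full cycle: stash, run the sandbox command, merge back even if it failed,
# and return the sandbox command's exit status.
run_with_stash() {
    folder=$1; shift
    stash="$folder.stash"
    stash_contents "$folder" "$stash"
    status=0
    "$@" || status=$?
    n=$(merge_back "$stash" "$folder")
    [ "$n" -gt 0 ] && printf '%s file(s) renamed to *.sandboxed\n' "$n" >&2
    return "$status"
}

# Usage (only when invoked with --demo): the jail sees an empty folder, and
# the stash stays readable outside the sandbox for the whole session.
if [ "${1:-}" = "--demo" ]; then
    run_with_stash ~/my_special_folder firejail --name=foo firefox
fi
```

The stash directory sits beside the folder, so any sandbox profile that blacklists or whitelists the folder should treat `<folder>.stash` the same way; otherwise the jail can still reach the old contents through the stash, which defeats the purpose. The merge step never silently overwrites, so a collision count of zero after a session means the flatten was lossless.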
