Re-attach to an overlay after the sandbox is closed #239
Comments
I have experimented with the overlayfs mount and if I manually remount over a previous sandbox, the merge appears to work properly. If an option is added --reoverlay and then that creates the /home/$USER/.firejail/persist dir and that dir is used instead of /home/$USER/.firejail/$PID for the overlay then I think this enhancement would work. But does this reuse of a previous sandbox somewhat defeat the purpose of using firejail? I'll get some code for this change to you at some point.
I'm really interested in this feature, so if you send me some code I'll merge it in. The reason I've been sleeping on it is remounting the overlay is a huge security problem. For example, in the overlay you modify /etc/shadow, then start firejail and become root. I'll have to restrict --reoverlay to root user.
@netblue30 would the issue exist if user namespaces were in place?
Overlayfs and user namespace should be two different subsystems.
Implemented in 0.9.42~rc2
From wordpress:
Hi,
Is it possible to re-attach to an overlay after the sandbox is closed? Now, a new overlay is always created, but I would like to continue where I left off.
Thanks,
eli
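
The concern raised in the comments above is that a reused overlay may already carry a modified /etc/shadow in its upper layer. The following is an added example, not firejail code or code from this thread: a pre-mount audit that lists security-sensitive paths and setuid/setgid files found in an overlay upper directory. The function names, the `SENSITIVE` path list and passing the upper directory as an argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit an overlay upper directory before it is re-mounted.
# SENSITIVE is an assumed list of paths, not taken from firejail.
SENSITIVE="etc/shadow etc/gshadow etc/passwd etc/group etc/sudoers etc/sudoers.d etc/pam.d etc/ld.so.preload"

# audit_overlay_upper UPPERDIR
# Prints one finding per line; prints nothing if the layer looks clean.
audit_overlay_upper() {
    upper=${1%/}
    if [ ! -d "$upper" ]; then
        echo "error: not a directory: $upper" >&2
        return 2
    fi
    # Anything present at these paths in the upper layer replaces the
    # lower (real) file once merged. Overlayfs whiteouts are character
    # devices, so -e also catches a sensitive file that was "deleted".
    for rel in $SENSITIVE; do
        if [ -e "$upper/$rel" ] || [ -L "$upper/$rel" ]; then
            echo "shadowed: /$rel"
        fi
    done
    # setuid/setgid files created during the previous sandbox session.
    (cd "$upper" && find . -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed 's|^\.|setid: |')
}

# overlay_is_clean UPPERDIR
# Returns 0 only if the audit ran and produced no findings.
overlay_is_clean() {
    out=$(audit_overlay_upper "$1") || return 2
    [ -z "$out" ]
}

# Stand-alone use: ./audit.sh /path/to/upperdir
if [ "$#" -gt 0 ]; then
    audit_overlay_upper "$1"
fi
```

An empty result only means none of the listed paths are present in the upper layer; it does not replace restricting who may re-mount a stored overlay.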