-
First, I would like to say that I am aware of the security concerns with using overlay and firejail. I wouldn't say that I completely understand the interactions. What I am trying to do doesn't necessarily need iron-clad security, I just want to run a wine program in a persistent file system that cannot make changes to the real filesystem, while taking full advantage of firejail's permission enforcement. I set up the overlay like this
Then I enabled chroot in firejail.config and ran
This seems to work, changes to files are stored in the /home/changes directory, but I am curious about a couple of things. Why is chroot disabled by default? Does this interaction with overlay and chroot make sense? Is it not advisable to do something like this (e.g. some firejail options will not work correctly with this setup)?
-
The only real reason there is no overlayfs support in Firejail is that the old feature was broken beyond repair, and now the project needs a new direction where to head with this functionality.
I think the perception was that this option is not used so often, and it was disabled to reduce Firejail's default attack surface. That said, it is meant to be used, and it is generally safe for everyone to enable.
From a distance, I think there is nothing wrong with your setup. Combining overlayfs and chroot is totally fine. It is true that some Firejail options are not available if you specify a
-
Tangential question: Can I ask if /home is a mount point? I assume this doesn't work if /home is not a mount point.