Overlayfs of firejail, should update content of folder in specific time frame without restarting sandbox and without bind option
An additional hardening idea is to allow specific file names AND file extensions to be created (written inside the sandbox) in specific paths.
Example in profile:
For filenames:
filename-allow-write path filename1,filename2,filename3
filename-allow-write /var/html/ index.html,index.php
For file extensions:
fileextension-allow-write path .extension1,.extension2,*.extension3
fileextension-allow-write /var/html/ *.html
fileextension-allow-write /var/php/ *.php
fileextension-allow-write /var/js/ *.js
This option, combined with read-only inside the sandbox as specified in the profile, gives us absolute filesystem hardening.
Maybe remounting or updating specific directories in a time frame is the solution, but if you have a more elegant method you could give it a try.
For example:
In the profile we can declare:
read-only /var/html
Or
read-only everything
For everything read-only except for log files, as an additional rule in the profile:
read-only-exept /var/log/logfile
Update-folder path timeperiodinseconds
Update-folder /var/html/ 3
Update-file /var/html/index.html 3
These paths are monitored every 3 seconds outside of the sandbox to see if something changed on the real origin and source path, and if true, the files are written back inside the sandbox with the Linux function splice, to avoid locks and overhead and for zero-copy transfer.
I hope I was able to stimulate your thought.
Thanks and
best regards
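
A sketch of how the allow-list rules proposed in the post above could be evaluated, added here as an example; it is not firejail code, and the directives are the poster's proposal, not existing firejail options. The helper names `parse_rules` and `write_allowed`, the directory-only matching and the default-deny behaviour are assumptions.

```python
import posixpath

# Constructed sample profile using the directives proposed in the issue.
# They are a proposal only; firejail does not implement them.
SAMPLE_PROFILE = """\
filename-allow-write /var/html/ index.html,index.php
fileextension-allow-write /var/html/ *.html
fileextension-allow-write /var/php/ *.php
fileextension-allow-write /var/js/ .js
"""

DIRECTIVES = {"filename-allow-write": "name", "fileextension-allow-write": "ext"}

def parse_rules(text):
    """Return (directory, kind, patterns) tuples parsed from the proposed syntax."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in DIRECTIVES:
            continue  # ignore anything that is not one of the two proposed directives
        directive, directory, items = parts
        patterns = [p for p in items.split(",") if p]
        rules.append((posixpath.normpath(directory), DIRECTIVES[directive], patterns))
    return rules

def write_allowed(rules, path):
    """Default deny: allow only if a rule for the file's own directory matches."""
    # Collapse "..", "." and trailing slashes first, so /var/html/../php/x.html
    # is judged against the /var/php rules, not the /var/html ones.
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False  # relative paths are refused outright
    directory, name = posixpath.split(norm)
    for rule_dir, kind, patterns in rules:
        if rule_dir != directory:
            continue  # assumption: a rule covers its directory only, not subdirectories
        for pat in patterns:
            if kind == "name" and name == pat:
                return True
            if kind == "ext":
                # The proposal writes both ".ext" and "*.ext"; treat them alike.
                suffix = pat.lstrip("*")
                # Only the final extension counts, and a bare ".html" is not a match.
                if suffix.startswith(".") and name.endswith(suffix) and name != suffix:
                    return True
    return False
```

The check is purely lexical: an enforcing implementation would also have to resolve symlinks before comparing directories, otherwise a link inside an allowed directory redirects the write.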