we need new bind directory update option for specific timeperiod #3909

Open
osevan opened this issue Jan 22, 2021 · 1 comment
Labels
enhancement New feature request

Comments


osevan commented Jan 22, 2021

Overlayfs of firejail should update the content of a folder in a specific time frame, without restarting the sandbox and without the bind option.

As an additional hardening step: allow specific file names AND extensions of files to be created (written inside the sandbox) in specific paths.

Example in profile:
For filenames:
filename-allow-write path filename1,filename2,filename3

filename-allow-write /var/html/ index.html,index.php

For file extensions:
fileextension-allow-write path .extension1,.extension2,*.extension3

fileextension-allow-write /var/html/ *.html

fileextension-allow-write /var/php/ *.php

fileextension-allow-write /var/js/ *.js

This option, combined with read-only inside the sandbox as specified in the profile, gives us absolute filesystem hardening.
Maybe remounting or updating specific directories in a time frame is the solution, but if you have a more elegant method you could give it a try.

For example, in the profile we can declare:

read-only /var/html

Or

read-only everything

Everything read-only except for log files, as an additional rule in the profile:

read-only-except /var/log/logfile
Update-folder path timeperiodinseconds
Update-folder /var/html/ 3
Update-file /var/html/index.html 3

These paths are monitored every 3 seconds outside of the sandbox; if something changed on the real origin/source path, the files are written back inside the sandbox with the Linux splice function, to avoid locks and overhead and for zero-copy transfer.

I hope I was able to stimulate your thought.

Thanks and best regards
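The poll-and-splice sync sketched in this request, as an added C example (not firejail code and not the issue author's): a watcher running outside the sandbox checks the origin file's mtime every `period` seconds and, when it changed, re-copies the file through splice(2) via a pipe, so the sandbox side never needs write access to the origin. The function names `source_changed`, `splice_copy` and `sync_loop`, the 16 KiB chunk size and the single-file (`Update-file`) scope are my assumptions; Linux only.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Did `path` change since the mtime saved in *last? 1 = yes (*last updated),
 * 0 = unchanged, -1 = origin unreadable. Meant to run outside the sandbox. */
int source_changed(const char *path, struct timespec *last)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (st.st_mtim.tv_sec == last->tv_sec && st.st_mtim.tv_nsec == last->tv_nsec) return 0;
    *last = st.st_mtim;
    return 1;
}

/* Copy `src` over `dst` with splice(2). One side of splice() must be a pipe,
 * so bytes go src -> pipe -> dst inside the kernel. Returns bytes copied or -1. */
long splice_copy(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY), p[2];
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);   /* sandbox-side copy */
    long total = 0;
    if (in < 0 || out < 0 || pipe(p) != 0) {
        if (in >= 0) close(in); if (out >= 0) close(out);
        return -1;
    }
    for (ssize_t n = 1; n > 0 && total >= 0;) {
        n = splice(in, NULL, p[1], NULL, 16384, SPLICE_F_MOVE);   /* src -> pipe (0 = EOF) */
        if (n < 0) total = -1;
        for (ssize_t w; n > 0 && total >= 0; n -= w, total += w)  /* pipe -> dst */
            if ((w = splice(p[0], NULL, out, NULL, (size_t)n, SPLICE_F_MOVE)) <= 0) total = -1;
    }
    close(p[0]); close(p[1]); close(in); close(out);
    return total < 0 ? -1 : total;
}

/* Poll `src` every `period` seconds for `rounds` iterations (the "Update-file path 3"
 * idea) and re-sync `dst` whenever the origin changed. Returns the number of syncs. */
int sync_loop(const char *src, const char *dst, unsigned period, int rounds)
{
    struct timespec last = {0, 0};
    int syncs = 0;
    for (int i = 0; i < rounds; i++) {
        if (source_changed(src, &last) == 1 && splice_copy(src, dst) >= 0)
            syncs++;
        sleep(i + 1 < rounds ? period : 0);
    }
    return syncs;
}
```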


osevan commented Feb 15, 2021

Can anyone follow my thoughts?

@rusty-snake rusty-snake added the enhancement New feature request label Jun 10, 2021