private-lib: can we mount instead of copy? #3980
Comments
Mounting read-only?
@reinerh If we remove the read-only flag, it would tear holes in Firejail's basic read-only file system. So read-only would be best, I guess.
Okay, thanks. Just wanted to clarify if it gets mounted read-only.
Yes, I think we should clean it up and make it mount-only..
smitsohu added a commit to smitsohu/firejail that referenced this issue Mar 4, 2021
smitsohu added a commit to smitsohu/firejail that referenced this issue Mar 6, 2021
Closed
While in general `private` options copy files in the sandbox instead of mounting them, there are two exceptions to the rule:

- `private-tmp`, which mounts a set of paths in the sandbox in order to provide essential sockets
- `private-lib`, which currently employs a mix of copying and mounting: files are copied and directories are mounted

I would propose to move all of `private-lib` to mounts, mainly for performance reasons. For example it takes Firejail seconds to configure the sandbox `firejail --noprofile --private-lib kcalc`, even on a rather powerful notebook. On legacy hardware it can be ten seconds and more. Switching from copying to mounting accelerates sandbox setup by about an order of magnitude.

Resolving the inconsistency in the other direction, that is copy everything and mount nothing, is probably not going to work because of excessive RAM demand. Also it would slow down `private-lib` even more.