Package: firejail
Version: 0.9.62.4-2
Severity: normal

Dear Maintainer,

"firejail --overlay-named=foobar bash" fails with "Error mounting overlayfs for mounted home directory: fs.c:1064 fs_overlayfs: Too many levels of symbolic links". Similar to upstream https://github.com/netblue30/firejail/issues/2799

This points to overlayfs improvements in recent kernels. It works with linux-image-4.17.0-1-amd64 4.17.8-1, but with the newer ones I tested, linux-image-5.2.0-2-amd64 5.2.9-2 & linux-image-5.8.0-2-amd64 5.8.10-1, a possible loop is detected and the mount aborts.

I hope I found the concept for a solution, but it would need to be adapted for firejail.

Let's prepare the dir tree for the demo; /tmp is a tmpfs, /home is physical ext4:

---8<---
# mkdir -p /tmp/merged{1,2} /tmp/step1/{upper1,work1}
# export DEMO=username
# mkdir -p /home/$DEMO/.firejail/step2/{upper2,work2}
--->8---

Currently firejail seems to go directly to what I call step 2, creating a loop which the kernel does not allow, similar to this:

---8<---
# mount -t overlay overlay -olowerdir=/home/,upperdir=/home/$DEMO/.firejail/step2/upper2/,workdir=/home/$DEMO/.firejail/step2/work2/ /tmp/merged2
mount: /tmp/merged2: mount(2) system call failed: Too many levels of symbolic links.
--->8---

The workaround I found is to first create an overlay in which to delete the place where the looping point would appear:

---8<---
# mount -t overlay overlay -olowerdir=/home/,upperdir=/tmp/step1/upper1/,workdir=/tmp/step1/work1/ /tmp/merged1
# rm -fr /tmp/merged1/$DEMO/.firejail/
--->8---

And now proceed with the desired overlay, which stores data in the user directory for future mounts:

---8<---
# mount -t overlay overlay -olowerdir=/tmp/merged1,upperdir=/home/$DEMO/.firejail/step2/upper2/,workdir=/home/$DEMO/.firejail/step2/work2/ /tmp/merged2
# touch /tmp/merged2/$DEMO/overlay-test
# umount /tmp/merged2
# mount -t overlay overlay -olowerdir=/tmp/merged1,upperdir=/home/$DEMO/.firejail/step2/upper2/,workdir=/home/$DEMO/.firejail/step2/work2/ /tmp/merged2
# ls /tmp/merged2/$DEMO/overlay-test
--->8---

So instead of "overlay over home storing data in home", first do "overlay over home storing data in memory" (reusable for concurrent firejails until the next reboot?), then delete the problematic directory in it, and then another "overlay over the memory one", so this time we can use home for storage without problems, hiding it from the current (and concurrent) firejail(s).

Seeing the complexity of doing it by hand, maybe there could be cmds "firejail --[u]mount-overlay=overlay_name /some/dir/" to make inspection of (non-live?) overlays easier. root could run a script, but if the user alone can check their own overlays, it would be a lot better.

(The existing --join-filesystem makes me think the following could be tricky or unsafe or require some kind of network-based fs... still learning about namespaces:) Related to the above, maybe there could be a param "--export-fs=/some/dir" to launch a jail with the filesystem viewable from outside (as an alternative to multiple --get, --ls and --put); and cmds "firejail --bind-[u]mount={name|pid} /some/dir" to mount the fs view of a running jail and keep it after it ends. They would help debugging configs and allow extraction of data even if you forget to launch with overlays instead of any of the "all discarded on exit" options.

Well, I hope the double overlay is the solution, or leads to something that makes the feature work again.

Cheers,
GSR

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.0-2-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.4-3
ii  libc6         2.31-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.62.4-2
ii  iproute2           5.8.0-1
ii  iptables           1.8.5-3
ii  xauth              1:1.0.10-1
ii  xpra               3.0.9+dfsg1-1+b2
ii  xserver-xephyr     2:1.20.9-2
ii  xvfb               2:1.20.9-2

firejail suggests no packages.

-- no debconf information
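The two-step overlay sequence from the report, packaged as a POSIX sh script so the steps can be reviewed as one unit. This is an added example, not firejail's code and not the reporter's own commands; the paths /tmp/step1, /tmp/merged1, /tmp/merged2 and /home/$DEMO/.firejail/step2 follow the demo above, DEMO defaults to the invoking user, and the loop_check helper is an assumed approximation of the report's observation (upperdir placed inside lowerdir is what the kernel rejects), not the kernel's actual check. Without RUN=1 it only prints the commands it would run; the real mounts need root and a kernel with overlayfs.

```shell
#!/bin/sh
# Added example: two-step overlay mount over /home, as described in the bug report.
# Not part of firejail. Paths below are assumptions taken from the report's demo.
set -eu

: "${DEMO:=$(id -un)}"                 # assumption: overlay for the invoking user
STEP1=/tmp/step1                        # tmpfs-backed scratch upper/work dirs (gone at reboot)
STEP2="/home/$DEMO/.firejail/step2"     # persistent upper/work dirs inside the user's home
MERGED1=/tmp/merged1                    # step-1 view: /home with .firejail removed
MERGED2=/tmp/merged2                    # step-2 view: what the sandbox would see

# Build the overlayfs option string from lower, upper and work directories.
overlay_opts() {
    printf 'lowerdir=%s,upperdir=%s,workdir=%s' "$1" "$2" "$3"
}

# Approximation of the loop the report describes: an upperdir that lives inside
# its own lowerdir. Returns non-zero when the layout would be refused.
loop_check() {
    lower=$1; upper=$2
    case "$upper" in
        "$lower"*) echo "upperdir $upper is inside lowerdir $lower: layout would be refused"; return 1 ;;
    esac
    return 0
}

# Print the command (plan mode) or execute it (RUN=1, needs root).
do_cmd() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '# %s\n' "$*"; fi
}

double_overlay_mount() {
    do_cmd mkdir -p "$MERGED1" "$MERGED2" "$STEP1/upper1" "$STEP1/work1" \
                    "$STEP2/upper2" "$STEP2/work2"
    # The one-step layout firejail attempts today: storage inside /home itself.
    loop_check /home/ "$STEP2/upper2/" || echo "-> this is why the one-step mount fails"
    # Step 1: overlay over /home with changes kept in tmpfs, then drop the looping point.
    do_cmd mount -t overlay overlay -o "$(overlay_opts /home/ "$STEP1/upper1/" "$STEP1/work1/")" "$MERGED1"
    do_cmd rm -rf "$MERGED1/$DEMO/.firejail"
    # Step 2: overlay over the step-1 view; now the persistent storage in /home is
    # no longer part of the lower layer, so the layout passes the check.
    loop_check "$MERGED1" "$STEP2/upper2/"
    do_cmd mount -t overlay overlay -o "$(overlay_opts "$MERGED1" "$STEP2/upper2/" "$STEP2/work2/")" "$MERGED2"
}

double_overlay_umount() {
    do_cmd umount "$MERGED2"
    do_cmd umount "$MERGED1"
}

case "${1:-plan}" in
    plan)   double_overlay_mount ;;                # default: only print the commands
    mount)  RUN=1; double_overlay_mount ;;         # run for real (root required)
    umount) RUN=1; double_overlay_umount ;;
esac
```

Run it with no arguments to see the planned commands with the demo paths substituted; `mount` and `umount` perform the steps. Unmount order matters: merged2 is layered on merged1, so merged2 must go first.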