--overlay rework, adding a persistent directory; implemented --overlay-tmpfs option

author: netblue30 <netblue30@yahoo.com> 2015-08-16 08:56:48 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-16 08:56:48 -0400
commit: 980979d77ebd30ca1d6b518d48068a1e3660a4e8 (patch)
tree: 557800e0132aa52641e1e2886a939164e4c20309
parent: admin work (diff)
download: firejail-980979d77ebd30ca1d6b518d48068a1e3660a4e8.tar.gz
firejail-980979d77ebd30ca1d6b518d48068a1e3660a4e8.tar.zst
firejail-980979d77ebd30ca1d6b518d48068a1e3660a4e8.zip
5 files changed, 97 insertions, 37 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a1833b4bc..7eb4786e6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -26,7 +26,6 @@
 #define RO_DIR  "/tmp/firejail/firejail.ro.dir"
 #define RO_FILE "/tmp/firejail/firejail.ro.file"
 #define MNT_DIR "/tmp/firejail/mnt"
-#define OVERLAY_DIR     "/tmp/firejail/overlay"
 #define HOME_DIR        "/tmp/firejail/mnt/home"
 #define ETC_DIR "/tmp/firejail/mnt/etc"
 #define MAX_INCLUDE_LEVEL 6
@@ -70,6 +69,7 @@ typedef struct config_t {
        char *home_private_keep;        // keep list for private home directory
        char *etc_private_keep; // keep list for private etc directory
        char *cwd;              // current working directory
+        char *overlay_dir;
        // networking
        char *hostname;
@@ -109,11 +109,13 @@ static inline int any_bridge_configured(void) {
        else
                return 0;
 }
 extern int arg_private;         // mount private /home and /tmp directory
 extern int arg_debug;           // print debug messages
 extern int arg_nonetwork;       // --net=none
 extern int arg_command; // -c
-extern int arg_overlay;         // --overlay
+extern int arg_overlay;         // overlay option
+extern int arg_overlay_keep;    // place overlay diff directory in ~/.firejail
 extern int arg_zsh;             // use zsh as default shell
 extern int arg_csh;             // use csh as default shell
@@ -358,3 +360,4 @@ void fs_check_etc_list(void);
 void fs_private_etc_list(void);
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5b8093885..c38317371 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -82,30 +82,6 @@ void fs_build_mnt_dir(void) {
        }
 }
-// build /tmp/firejail/overlay directory
-void fs_build_overlay_dir(void) {
-        struct stat s;
-        fs_build_firejail_dir();
-        
-        // create /tmp/firejail directory
-        if (stat(OVERLAY_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", MNT_DIR);
-                /* coverity[toctou] */
-                int rv = mkdir(OVERLAY_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
-                if (rv == -1)
-                        errExit("mkdir");       
-                if (chown(OVERLAY_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(OVERLAY_DIR, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
-                        errExit("chmod");
-        }
-}
 //***********************************************
 // process profile file
 //***********************************************
@@ -629,8 +605,25 @@ void fs_overlayfs(void) {
        if (chmod(oroot, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
                errExit("chmod");
+        char *basedir = MNT_DIR;
+        if (arg_overlay_keep) {
+                // check the directory exists
+                struct stat s;
+                if (stat("/myoverlay", &s) == -1) {
+                        fprintf(stderr, "Error: overlay directory should already exist\n");
+                        exit(1);
+                }
+                // set base for working and diff directories
+                basedir = cfg.overlay_dir;
+                if (mkdir(basedir, S_IRWXU | S_IRWXG | S_IRWXO) != 0) {
+                        fprintf(stderr, "Error: cannot create overlay directory\n");
+                        exit(1);
+                }
+        }
        char *odiff;
-        if(asprintf(&odiff, "%s/odiff", MNT_DIR) == -1)
+        if(asprintf(&odiff, "%s/odiff", basedir) == -1)
                errExit("asprintf");
        if (mkdir(odiff, S_IRWXU | S_IRWXG | S_IRWXO))
                errExit("mkdir");
@@ -638,9 +631,9 @@ void fs_overlayfs(void) {
                errExit("chown");
        if (chmod(odiff, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
                errExit("chmod");
+        
        char *owork;
-        if(asprintf(&owork, "%s/owork", MNT_DIR) == -1)
+        if(asprintf(&owork, "%s/owork", basedir) == -1)
                errExit("asprintf");
        if (mkdir(owork, S_IRWXU | S_IRWXG | S_IRWXO))
                errExit("mkdir");
@@ -648,12 +641,16 @@ void fs_overlayfs(void) {
                errExit("chown");
        if (chmod(owork, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
                errExit("chmod");
+        
        // mount overlayfs
        if (arg_debug)
                printf("Mounting OverlayFS\n");
        char *option;
        if (oldkernel) { // old Ubuntu/OpenSUSE kernels
+                if (arg_overlay_keep) {
+                        fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
+                        exit(1);
+                }
                if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
                        errExit("asprintf");
                if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
@@ -662,10 +659,12 @@ void fs_overlayfs(void) {
        else { // kernel 3.18 or newer
                if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
                        errExit("asprintf");
+//printf("option #%s#\n", option);                      
                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0)
                        errExit("mounting overlayfs");
        }
+        printf("OverlayFS configured in %s directory\n", basedir);
+        
        // mount-bind dev directory
        if (arg_debug)
                printf("Mounting /dev\n");
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 6c5d9a44e..3c7a8401e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -52,7 +52,8 @@ int arg_private = 0;				// mount private /home and /tmp directoryu
 int arg_debug = 0;                              // print debug messages
 int arg_nonetwork = 0;                          // --net=none
 int arg_command = 0;                            // -c
-int arg_overlay = 0;                            // --overlay
+int arg_overlay = 0;                            // overlay option
+int arg_overlay_keep = 0;                       // place overlay diff directory in ~/.firejail
 int arg_zsh = 0;                                // use zsh as default shell
 int arg_csh = 0;                                // use csh as default shell
@@ -625,6 +626,38 @@ int main(int argc, char **argv) {
                                exit(1);
                        }
                        arg_overlay = 1;
+                        arg_overlay_keep = 1;
+                        
+                        // create ~/.firejail directory
+                        char *dirname;
+                        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+                                errExit("asprintf");
+                        struct stat s;
+                        if (stat(dirname, &s) == -1) {
+                                if (mkdir(dirname, S_IRWXU | S_IRWXG | S_IRWXO))
+                                        errExit("mkdir");
+                                if (chown(dirname, getuid(), getgid()) < 0)
+                                        errExit("chown");
+                                if (chmod(dirname, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                                        errExit("chmod");
+                        }
+                        free(dirname);
+                        
+                        // check overlay directory
+                        if (asprintf(&dirname, "%s/.firejail/%d", cfg.homedir, getpid()) == -1)
+                                errExit("asprintf");
+                        if (stat(dirname, &s) == 0) {
+                                fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
+                                exit(1);
+                        }
+                        cfg.overlay_dir = dirname;
+                }
+                else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
+                        if (cfg.chrootdir) {
+                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                exit(1);
+                        }
+                        arg_overlay = 1;
                }
                else if (strncmp(argv[i], "--profile=", 10) == 0) {
                        // multiple profile files are allowed!
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 3ddd85aac..9aeb5895d 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -140,9 +140,19 @@ void usage(void) {
        printf("\t\tlogfile, and keep the size of the file under 500KB using log\n");
        printf("\t\trotation. Five files with prefixes .1 to .5 are used in\n");
        printf("\t\trotation.\n\n");
+        
        printf("\t--overlay - mount a filesystem overlay on top of the current filesystem.\n");
-        printf("\t\t(OverlayFS support is required in Linux kernel for this option\n");
+        printf("\t\tThe upper filesystem layer is persistent, and stored in\n");
-        printf("\t\tto work)\n\n");   
+        printf("\t\t$HOME/.firejail directory. (OverlayFS support is required in\n");
+        printf("\t\tLinux kernel for this option to work). \n\n");   
+        printf("\t--overlay-tmpfs - mount a filesystem overlay on top of the current\n");
+        printf("\t\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
+        printf("\t\tand it is discarded when the sandbox is closed. (OverlayFS\n");
+        printf("\t\tsupport is required in Linux kernel for this option to work).\n\n");   
         
        printf("\t--private - mount new /root and /home/user directories in temporary\n");
        printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index fe2a909c9..3e399db72 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -602,20 +602,35 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
+Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
+The overlay is stored in $HOME/.firejail directory.
+.br
+.br
+OverlayFS support is required in Linux kernel for this option to work.
+OverlayFS was officially introduced in Linux kernel version 3.18
+.br
+.br
+Example:
+.br
+$ firejail \-\-overlay firefox
+.TP
+\fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
 and are discarded when the sandbox is closed.
 .br
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18. It was also
+OverlayFS was officially introduced in Linux kernel version 3.18
-available in earlier kernel versions in some distributions such as Ubuntu and OpenSUSE. 
 .br
 .br
 Example:
 .br
-$ firejail \-\-overlay firefox
+$ firejail \-\-overlay-tmpfs firefox
 .TP
 \fB\-\-private
author	netblue30 <netblue30@yahoo.com>	2015-08-16 08:56:48 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-16 08:56:48 -0400
commit	980979d77ebd30ca1d6b518d48068a1e3660a4e8 (patch)
tree	557800e0132aa52641e1e2886a939164e4c20309
parent	admin work (diff)
download	firejail-980979d77ebd30ca1d6b518d48068a1e3660a4e8.tar.gz firejail-980979d77ebd30ca1d6b518d48068a1e3660a4e8.tar.zst firejail-980979d77ebd30ca1d6b518d48068a1e3660a4e8.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a1833b4bc..7eb4786e6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -26,7 +26,6 @@
26	#define RO_DIR "/tmp/firejail/firejail.ro.dir"	26	#define RO_DIR "/tmp/firejail/firejail.ro.dir"
27	#define RO_FILE "/tmp/firejail/firejail.ro.file"	27	#define RO_FILE "/tmp/firejail/firejail.ro.file"
28	#define MNT_DIR "/tmp/firejail/mnt"	28	#define MNT_DIR "/tmp/firejail/mnt"
29	#define OVERLAY_DIR "/tmp/firejail/overlay"
30	#define HOME_DIR "/tmp/firejail/mnt/home"	29	#define HOME_DIR "/tmp/firejail/mnt/home"
31	#define ETC_DIR "/tmp/firejail/mnt/etc"	30	#define ETC_DIR "/tmp/firejail/mnt/etc"
32	#define MAX_INCLUDE_LEVEL 6	31	#define MAX_INCLUDE_LEVEL 6
@@ -70,6 +69,7 @@ typedef struct config_t {
70	char *home_private_keep; // keep list for private home directory	69	char *home_private_keep; // keep list for private home directory
71	char *etc_private_keep; // keep list for private etc directory	70	char *etc_private_keep; // keep list for private etc directory
72	char *cwd; // current working directory	71	char *cwd; // current working directory
		72	char *overlay_dir;
73		73
74	// networking	74	// networking
75	char *hostname;	75	char *hostname;
@@ -109,11 +109,13 @@ static inline int any_bridge_configured(void) {
109	else	109	else
110	return 0;	110	return 0;
111	}	111	}
		112
112	extern int arg_private; // mount private /home and /tmp directory	113	extern int arg_private; // mount private /home and /tmp directory
113	extern int arg_debug; // print debug messages	114	extern int arg_debug; // print debug messages
114	extern int arg_nonetwork; // --net=none	115	extern int arg_nonetwork; // --net=none
115	extern int arg_command; // -c	116	extern int arg_command; // -c
116	extern int arg_overlay; // --overlay	117	extern int arg_overlay; // overlay option
		118	extern int arg_overlay_keep; // place overlay diff directory in ~/.firejail
117	extern int arg_zsh; // use zsh as default shell	119	extern int arg_zsh; // use zsh as default shell
118	extern int arg_csh; // use csh as default shell	120	extern int arg_csh; // use csh as default shell
119		121
@@ -358,3 +360,4 @@ void fs_check_etc_list(void);
358	void fs_private_etc_list(void);	360	void fs_private_etc_list(void);
359		361
360	#endif	362	#endif
		363


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5b8093885..c38317371 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -82,30 +82,6 @@ void fs_build_mnt_dir(void) {
82	}	82	}
83	}	83	}
84		84
85	// build /tmp/firejail/overlay directory
86	void fs_build_overlay_dir(void) {
87	struct stat s;
88	fs_build_firejail_dir();
89
90	// create /tmp/firejail directory
91	if (stat(OVERLAY_DIR, &s)) {
92	if (arg_debug)
93	printf("Creating %s directory\n", MNT_DIR);
94	/* coverity[toctou] */
95	int rv = mkdir(OVERLAY_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);
96	if (rv == -1)
97	errExit("mkdir");
98	if (chown(OVERLAY_DIR, 0, 0) < 0)
99	errExit("chown");
100	if (chmod(OVERLAY_DIR, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)
101	errExit("chmod");
102	}
103	}
104
105
106
107
108
109	//***********************************************	85	//***********************************************
110	// process profile file	86	// process profile file
111	//***********************************************	87	//***********************************************
@@ -629,8 +605,25 @@ void fs_overlayfs(void) {
629	if (chmod(oroot, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)	605	if (chmod(oroot, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)
630	errExit("chmod");	606	errExit("chmod");
631		607
		608	char *basedir = MNT_DIR;
		609	if (arg_overlay_keep) {
		610	// check the directory exists
		611	struct stat s;
		612	if (stat("/myoverlay", &s) == -1) {
		613	fprintf(stderr, "Error: overlay directory should already exist\n");
		614	exit(1);
		615	}
		616
		617	// set base for working and diff directories
		618	basedir = cfg.overlay_dir;
		619	if (mkdir(basedir, S_IRWXU \| S_IRWXG \| S_IRWXO) != 0) {
		620	fprintf(stderr, "Error: cannot create overlay directory\n");
		621	exit(1);
		622	}
		623	}
		624
632	char *odiff;	625	char *odiff;
633	if(asprintf(&odiff, "%s/odiff", MNT_DIR) == -1)	626	if(asprintf(&odiff, "%s/odiff", basedir) == -1)
634	errExit("asprintf");	627	errExit("asprintf");
635	if (mkdir(odiff, S_IRWXU \| S_IRWXG \| S_IRWXO))	628	if (mkdir(odiff, S_IRWXU \| S_IRWXG \| S_IRWXO))
636	errExit("mkdir");	629	errExit("mkdir");
@@ -638,9 +631,9 @@ void fs_overlayfs(void) {
638	errExit("chown");	631	errExit("chown");
639	if (chmod(odiff, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)	632	if (chmod(odiff, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)
640	errExit("chmod");	633	errExit("chmod");
641		634
642	char *owork;	635	char *owork;
643	if(asprintf(&owork, "%s/owork", MNT_DIR) == -1)	636	if(asprintf(&owork, "%s/owork", basedir) == -1)
644	errExit("asprintf");	637	errExit("asprintf");
645	if (mkdir(owork, S_IRWXU \| S_IRWXG \| S_IRWXO))	638	if (mkdir(owork, S_IRWXU \| S_IRWXG \| S_IRWXO))
646	errExit("mkdir");	639	errExit("mkdir");
@@ -648,12 +641,16 @@ void fs_overlayfs(void) {
648	errExit("chown");	641	errExit("chown");
649	if (chmod(owork, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)	642	if (chmod(owork, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)
650	errExit("chmod");	643	errExit("chmod");
651		644
652	// mount overlayfs	645	// mount overlayfs
653	if (arg_debug)	646	if (arg_debug)
654	printf("Mounting OverlayFS\n");	647	printf("Mounting OverlayFS\n");
655	char *option;	648	char *option;
656	if (oldkernel) { // old Ubuntu/OpenSUSE kernels	649	if (oldkernel) { // old Ubuntu/OpenSUSE kernels
		650	if (arg_overlay_keep) {
		651	fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
		652	exit(1);
		653	}
657	if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)	654	if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
658	errExit("asprintf");	655	errExit("asprintf");
659	if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)	656	if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
@@ -662,10 +659,12 @@ void fs_overlayfs(void) {
662	else { // kernel 3.18 or newer	659	else { // kernel 3.18 or newer
663	if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)	660	if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
664	errExit("asprintf");	661	errExit("asprintf");
		662	//printf("option #%s#\n", option);
665	if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0)	663	if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0)
666	errExit("mounting overlayfs");	664	errExit("mounting overlayfs");
667	}	665	}
668		666	printf("OverlayFS configured in %s directory\n", basedir);
		667
669	// mount-bind dev directory	668	// mount-bind dev directory
670	if (arg_debug)	669	if (arg_debug)
671	printf("Mounting /dev\n");	670	printf("Mounting /dev\n");


diff --git a/src/firejail/main.c b/src/firejail/main.c index 6c5d9a44e..3c7a8401e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -52,7 +52,8 @@ int arg_private = 0; // mount private /home and /tmp directoryu
52	int arg_debug = 0; // print debug messages	52	int arg_debug = 0; // print debug messages
53	int arg_nonetwork = 0; // --net=none	53	int arg_nonetwork = 0; // --net=none
54	int arg_command = 0; // -c	54	int arg_command = 0; // -c
55	int arg_overlay = 0; // --overlay	55	int arg_overlay = 0; // overlay option
		56	int arg_overlay_keep = 0; // place overlay diff directory in ~/.firejail
56	int arg_zsh = 0; // use zsh as default shell	57	int arg_zsh = 0; // use zsh as default shell
57	int arg_csh = 0; // use csh as default shell	58	int arg_csh = 0; // use csh as default shell
58		59
@@ -625,6 +626,38 @@ int main(int argc, char **argv) {
625	exit(1);	626	exit(1);
626	}	627	}
627	arg_overlay = 1;	628	arg_overlay = 1;
		629	arg_overlay_keep = 1;
		630
		631	// create ~/.firejail directory
		632	char *dirname;
		633	if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
		634	errExit("asprintf");
		635	struct stat s;
		636	if (stat(dirname, &s) == -1) {
		637	if (mkdir(dirname, S_IRWXU \| S_IRWXG \| S_IRWXO))
		638	errExit("mkdir");
		639	if (chown(dirname, getuid(), getgid()) < 0)
		640	errExit("chown");
		641	if (chmod(dirname, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)
		642	errExit("chmod");
		643	}
		644	free(dirname);
		645
		646	// check overlay directory
		647	if (asprintf(&dirname, "%s/.firejail/%d", cfg.homedir, getpid()) == -1)
		648	errExit("asprintf");
		649	if (stat(dirname, &s) == 0) {
		650	fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
		651	exit(1);
		652	}
		653	cfg.overlay_dir = dirname;
		654	}
		655	else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
		656	if (cfg.chrootdir) {
		657	fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
		658	exit(1);
		659	}
		660	arg_overlay = 1;
628	}	661	}
629	else if (strncmp(argv[i], "--profile=", 10) == 0) {	662	else if (strncmp(argv[i], "--profile=", 10) == 0) {
630	// multiple profile files are allowed!	663	// multiple profile files are allowed!


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 3ddd85aac..9aeb5895d 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -140,9 +140,19 @@ void usage(void) {
140	printf("\t\tlogfile, and keep the size of the file under 500KB using log\n");	140	printf("\t\tlogfile, and keep the size of the file under 500KB using log\n");
141	printf("\t\trotation. Five files with prefixes .1 to .5 are used in\n");	141	printf("\t\trotation. Five files with prefixes .1 to .5 are used in\n");
142	printf("\t\trotation.\n\n");	142	printf("\t\trotation.\n\n");
		143
143	printf("\t--overlay - mount a filesystem overlay on top of the current filesystem.\n");	144	printf("\t--overlay - mount a filesystem overlay on top of the current filesystem.\n");
144	printf("\t\t(OverlayFS support is required in Linux kernel for this option\n");	145	printf("\t\tThe upper filesystem layer is persistent, and stored in\n");
145	printf("\t\tto work)\n\n");	146	printf("\t\t$HOME/.firejail directory. (OverlayFS support is required in\n");
		147	printf("\t\tLinux kernel for this option to work). \n\n");
		148
		149	printf("\t--overlay-tmpfs - mount a filesystem overlay on top of the current\n");
		150	printf("\t\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
		151	printf("\t\tand it is discarded when the sandbox is closed. (OverlayFS\n");
		152	printf("\t\tsupport is required in Linux kernel for this option to work).\n\n");
		153
		154
		155
146		156
147	printf("\t--private - mount new /root and /home/user directories in temporary\n");	157	printf("\t--private - mount new /root and /home/user directories in temporary\n");
148	printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n");	158	printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fe2a909c9..3e399db72 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -602,20 +602,35 @@ $ ls -l sandboxlog*
602		602
603	.TP	603	.TP
604	\fB\-\-overlay	604	\fB\-\-overlay
		605	Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
		606	The overlay is stored in $HOME/.firejail directory.
		607	.br
		608
		609	.br
		610	OverlayFS support is required in Linux kernel for this option to work.
		611	OverlayFS was officially introduced in Linux kernel version 3.18
		612	.br
		613
		614	.br
		615	Example:
		616	.br
		617	$ firejail \-\-overlay firefox
		618
		619	.TP
		620	\fB\-\-overlay-tmpfs
605	Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,	621	Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
606	and are discarded when the sandbox is closed.	622	and are discarded when the sandbox is closed.
607	.br	623	.br
608		624
609	.br	625	.br
610	OverlayFS support is required in Linux kernel for this option to work.	626	OverlayFS support is required in Linux kernel for this option to work.
611	OverlayFS was officially introduced in Linux kernel version 3.18. It was also	627	OverlayFS was officially introduced in Linux kernel version 3.18
612	available in earlier kernel versions in some distributions such as Ubuntu and OpenSUSE.
613	.br	628	.br
614		629
615	.br	630	.br
616	Example:	631	Example:
617	.br	632	.br
618	$ firejail \-\-overlay firefox	633	$ firejail \-\-overlay-tmpfs firefox
619		634
620	.TP	635	.TP
621	\fB\-\-private	636	\fB\-\-private