file transfer feature

4 files changed, 103 insertions, 1 deletions

diff --git a/README.md b/README.md
index ac436cd8e..c62121b38 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,45 @@ $ firejail --x11 --net=eth0 firefox
 --x11 starts the server, --net is required in order to remove the main X11 server socket from the sandbox.
 More information here: https://firejail.wordpress.com/documentation-2/x11-guide/
 
+## File transfers
+`````
+FILE TRANSFERS
+       These features allow the user to inspect the file system  container  of
+       an  existing  sandbox and transfer files from the container to the host
+       file system.
+
+       --get=name filename
+              Retrieve the container file filename and store it on the host in
+              the  current working directory.  The container is spececified by
+              name (--name option). Full path is needed for filename.
+
+       --get=pid filename
+              Retrieve the container file filename and store it on the host in
+              the  current working directory.  The container is spececified by
+              process ID. Full path is needed for filename.
+
+       --ls=name dir_or_filename
+              List container files.  The  container  is  spececified  by  name
+              (--name option).  Full path is needed for dir_or_filename.
+
+       --ls=pid dir_or_filename
+              List  container  files.  The container is spececified by process
+              ID.  Full path is needed for dir_or_filename.
+
+       Examples:
+
+              $ firejail --ls=mybrowser ~/Downloads
+              drwxr-xr-x netblue  netblue         4096 .
+              drwxr-xr-x netblue  netblue         4096 ..
+              -rw-r--r-- netblue  netblue         7847 x11-x305.png
+              -rw-r--r-- netblue  netblue         6800 x11-x642.png
+              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
+
+              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
+
+
+`````
+
 ## Default seccomp filter update
 
 Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 928da81c1..983927cf1 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/wait.h>
 #include <unistd.h>
 #include <dirent.h>
 #include <pwd.h>
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 58f9d2cf7..7bc6ea47a 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -85,7 +85,7 @@ void usage(void) {
         printf("    --env=name=value - set environment variable in the new sandbox.\n\n");
         printf("    --fs.print=name|pid - print the filesystem log for the sandbox identified\n");
         printf("\tby name or PID.\n\n");
-        
+        printf("    --get=name|pid filename - get a file from sandbox container.\n\n");
         printf("    --help, -? - this help screen.\n\n");
         printf("    --hostname=name - set sandbox hostname.\n\n");
         printf("    --ignore=command - ignore command in profile files.\n\n");
@@ -110,6 +110,7 @@ void usage(void) {
         printf("\tidentified by name or PID.\n\n");
 #endif
         printf("    --list - list all sandboxes.\n\n");
+        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n\n");
 #ifdef HAVE_NETWORK     
         printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
         printf("    --mtu=number - set interface MTU.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 56a768614..a53d2d14e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -8,6 +8,12 @@ Start a sandbox:
 firejail [OPTIONS] [program and arguments]
 .RE
 .PP
+File transfer from an existing sandbox
+.PP
+.RS
+firejail {\-\-ls | \-\-get} dir_or_filename
+.RE
+.PP
 Network traffic shaping for an existing sandbox:
 .PP
 .RS
@@ -392,6 +398,9 @@ $ firejail \-\-list
 .br
 $ firejail \-\-fs.print=3272
 
+.TP
+\fB\-\-get=name|pid filename
+Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
 
 .TP
 \fB\-?\fR, \fB\-\-help\fR
@@ -549,7 +558,11 @@ Security filters, cgroups and cpus configurations are not applied to the process
 
 
 
+.TP
+\fB\-\-ls=name|pid dir_or_filename
+List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
 
+\fB
 
 .TP
 \fB\-\-list
@@ -1521,6 +1534,54 @@ Example:
 .br
 $ firejail \-\-zsh
 
+.SH FILE TRANSFER
+These features allow the user to inspect the file system container of an existing sandbox
+and transfer files from the container to the host file system.
+
+.TP
+\fB\-\-get=name filename
+Retrieve the container file filename and store it on the host in the current working directory.
+The container is spececified by name (\-\-name option). Full path is needed for filename.
+
+.TP
+\fB\-\-get=pid filename
+Retrieve the container file filename and store it on the host in the current working directory.
+The container is spececified by process ID. Full path is needed for filename.
+
+.TP
+\fB\-\-ls=name dir_or_filename
+List container files.
+The container is spececified by name (\-\-name option).
+Full path is needed for dir_or_filename.
+
+.TP
+\fB\-\-ls=pid dir_or_filename
+List container files.
+The container is spececified by process ID.
+Full path is needed for dir_or_filename.
+
+.TP
+Examples:
+.br
+
+.br
+$ firejail \-\-ls=mybrowser ~/Downloads
+.br
+drwxr-xr-x netblue  netblue         4096 .
+.br
+drwxr-xr-x netblue  netblue         4096 ..
+.br
+-rw-r--r-- netblue  netblue         7847 x11-x305.png
+.br
+-rw-r--r-- netblue  netblue         6800 x11-x642.png
+.br
+-rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
+.br
+
+.br
+$ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png
+
+
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling