[SOLVED] one-time fake read-only filesystem and hidden net

jr_bob_dobbs · 03-12-2018, 02:27 PM

I would like to run a program in such a way that, for just that invocation of that program:

1. The file system appears as read only, as if the partition(s) had been mounted read-only. There would be two exceptions:

1a. The current directory and any sub-directories would be writable.

1b. /tmp and any sub-directories would be writable

2. No net is visible, accessible nor usable.

This would usually be run as root. This would usually be for running something from the command line.

What would be a good way to do this?

Thank you.

jr_bob_dobbs · 03-12-2018, 10:22 PM

Got it. Firejail is a solution, yay.

So, to run bash in the way that I wanted:

Code:

firejail --noprofile --nonewprivs --net=none \
  --read-only=/ --read-write=/tmp --read-write=`pwd` \
  bash

Order may matter: I have the read-write bits occur *after* specifying the entire file system read-only.

Firejail seems to like absolute paths, so that is why I used `pwd` instead of . for the current directory. This may not be necessary?

jefro · 03-13-2018, 05:17 PM

Thanks for the update and solution.