Gentoo Forums
[SOLVED] firejail fails with --net
Forum Index: Networking & Security
dpaddy (Tux's lil' helper)
Joined: 25 Jun 2008
Posts: 117
PostPosted: Mon Feb 18, 2019 10:21 pm    Post subject: [SOLVED] firejail fails with --net

I tried to follow https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Sandboxing_the_Firefox_Browser_with_Firejail#setup_networking_openrc but when executing
Code:
env GTK_IM_MODULE=xim /usr/bin/firejail --x11=xephyr --name=firefox --net=br10 --profile=/etc/firejail/firefox.profile openbox --startup /usr/lib64/firefox/firefox
the Xephyr display closes and I get
Code:
Error: only --net=none is allowed to non-root users
Taking that as a clue I tried
Code:
env GTK_IM_MODULE=xim /usr/bin/firejail --x11=xephyr --name=firefox --net=none --profile=/etc/firejail/firefox.profile openbox --startup /usr/lib64/firefox/firefox
which then "worked", but Firefox had no net connection.

I'm too cowardly to execute as root... was one supposed to execute as root?!?

An easier question is: how does one use the search facility to search forums? When I search for firejail I get "Search found 256 matches" the first of which is
https://forums.gentoo.org/viewtopic-t-1093302-highlight-firejail.html but that page does not contain "firejail" ... more generally I never (as far as I can recall) have been able to make the forum's search facility work (so I google instead) :oops:


Last edited by dpaddy on Tue Feb 19, 2019 12:02 pm; edited 1 time in total
Hu (Moderator)
Joined: 06 Mar 2007
Posts: 13512
PostPosted: Tue Feb 19, 2019 2:18 am

What is the output of emerge --verbose --info sys-apps/firejail? As I read the equery use output, your results would be expected if you built with USE=network-restricted.

For search, I often see people suggest using a search engine (such as Google or DuckDuckGo) with a site-qualifier site:forums.gentoo.org to restrict the results to only this domain.
dpaddy (Tux's lil' helper)
Joined: 25 Jun 2008
Posts: 117
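Hu's check (look at the USE flags firejail was built with) can be scripted. The following is an added example, not code from this thread or from the Firejail project: it reads the enabled USE flags that Portage records for the installed package under /var/db/pkg, or, when no firejail is installed on the machine running it, falls back to a constructed sample USE line, and reports whether the network-restricted policy is in effect. The package.use file name used in the printed remediation is an assumption about the local Portage layout.

```shell
#!/bin/sh
# Added example (not from this thread): confirm whether the installed
# sys-apps/firejail was built with USE=network-restricted. That flag maps to
# ./configure --enable-network=restricted, which makes the setuid firejail
# binary refuse every --net mode except --net=none for non-root users.
#
# Portage records the enabled USE flags of every installed package in
# /var/db/pkg/<category>/<package>-<version>/USE as one space-separated line.
# SAMPLE_USE below is a constructed stand-in in that format, used when the
# script is not run on a Gentoo box that has firejail installed.

SAMPLE_USE='abi_x86_64 apparmor elibc_glibc kernel_linux network-restricted suid userns x11'

# flag_enabled FLAG USE_LIST -> exit 0 if FLAG appears as a whole word in USE_LIST
flag_enabled() {
    for f in $2; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# installed_use -> prints the USE line of the installed firejail, or SAMPLE_USE
installed_use() {
    for d in /var/db/pkg/sys-apps/firejail-*; do
        if [ -f "$d/USE" ]; then
            cat "$d/USE"
            return 0
        fi
    done
    printf '%s\n' "$SAMPLE_USE"
}

# bridge_net_allowed USE_LIST -> exit 0 when a non-root user may pass --net=<bridge>
bridge_net_allowed() {
    if flag_enabled network-restricted "$1"; then
        return 1
    fi
    return 0
}

# diagnose USE_LIST -> prints the verdict and the Portage change that flips it
diagnose() {
    if bridge_net_allowed "$1"; then
        echo "network-restricted is NOT set: --net=br10 should be accepted for non-root users."
    else
        echo "network-restricted is set: non-root users get only --net=none (or no --net at all)."
        echo "To rebuild without that policy (package.use file name is an assumption about your layout):"
        echo "  echo 'sys-apps/firejail -network-restricted' >> /etc/portage/package.use/firejail"
        echo "  emerge --oneshot sys-apps/firejail"
    fi
    return 0
}

diagnose "$(installed_use)"
```

The flag exists because firejail is a setuid-root binary: with the restriction compiled out, any local account that can run it may ask it to create network interfaces and attach them to a bridge such as br10. Dropping the flag is the supported way to get the wiki's bridged setup, and it is a better trade than running the whole command as root; just make the decision deliberately rather than as a side effect of a USE change.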
PostPosted: Tue Feb 19, 2019 12:02 pm    Post subject: network-restricted

Yes, that flag was set (these tired old eyes are nearly useless).

Much appreciated :)
Hu (Moderator)
Joined: 06 Mar 2007
Posts: 13512
PostPosted: Wed Feb 20, 2019 2:51 am

In fairness to your eyesight, it would be nice if the error message ("Error: only --net=none is allowed to non-root users") had mentioned that the restriction is compile-time configurable. As currently phrased, it sounds like this is a hard technical limitation that would require source code improvements to fix. In truth, it's a policy decision that is set at compile-time. Perhaps if it had said "Error: this build of Firejail only allows non-root users to set --net=none or to omit --net. To allow non-root users to use other forms of --net, rebuild Firejail without the configure flag --enable-network=restricted.", you would have gone looking and found the answer without a forum post.

If you have a good way to report an issue to the Firejail developer, you might be able to save other people from this problem by asking the developer to improve the message. I am obviously partial to the phrasing I proposed above, but anything that clearly tells the user that this is a compile-time policy would be a nice improvement.
All times are GMT