dpaddy Tux's lil' helper
Joined: 25 Jun 2008 Posts: 142
Posted: Mon Feb 18, 2019 10:21 pm Post subject: [SOLVED] firejail fails with --net
I tried to follow https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Sandboxing_the_Firefox_Browser_with_Firejail#setup_networking_openrc but when executing
Code:
env GTK_IM_MODULE=xim /usr/bin/firejail --x11=xephyr --name=firefox --net=br10 --profile=/etc/firejail/firefox.profile openbox --startup /usr/lib64/firefox/firefox
the Xephyr display closes and I get
Code:
Error: only --net=none is allowed to non-root users
Taking that as a clue I tried
Code:
env GTK_IM_MODULE=xim /usr/bin/firejail --x11=xephyr --name=firefox --net=none --profile=/etc/firejail/firefox.profile openbox --startup /usr/lib64/firefox/firefox
which then "worked" but firefox had no net connection.
I'm too cowardly to execute as root... was one supposed to execute as root?!?
An easier question is: how does one use the search facility to search forums? When I search for firejail I get "Search found 256 matches" the first of which is
https://forums.gentoo.org/viewtopic-t-1093302-highlight-firejail.html but that page does not contain "firejail" ... more generally I never (as far as I can recall) have been able to make the forum's search facility work (so I google instead)
Last edited by dpaddy on Tue Feb 19, 2019 12:02 pm; edited 1 time in total
Hu Moderator
Joined: 06 Mar 2007 Posts: 21635
Posted: Tue Feb 19, 2019 2:18 am
What is the output of emerge --verbose --info sys-apps/firejail? As I read the equery use output, your results would be expected if you built with USE=network-restricted.
For search, I often see people suggest using a search engine (such as Google or DuckDuckGo) with a site-qualifier site:forums.gentoo.org to restrict the results to only this domain.
dpaddy Tux's lil' helper
Joined: 25 Jun 2008 Posts: 142
Posted: Tue Feb 19, 2019 12:02 pm Post subject: network-restricted
Yes that flag was set (these tired old eyes are nearly useless).
Much appreciated
Hu Moderator
Joined: 06 Mar 2007 Posts: 21635
Posted: Wed Feb 20, 2019 2:51 am
In fairness to your eyesight, it would be nice if the error message ("Error: only --net=none is allowed to non-root users") had mentioned that the restriction is compile-time configurable. As currently phrased, it sounds like this is a hard technical limitation that would require source code improvements to fix. In truth, it's a policy decision that is set at compile-time. Perhaps if it had said "Error: this build of Firejail only allows non-root users to set --net=none or to omit --net. To allow non-root users to use other forms of --net, rebuild Firejail without the configure flag --enable-network=restricted.", you would have gone looking and found the answer without a forum post.
If you have a good way to report an issue to the Firejail developer, you might be able to save other people from this problem by asking the developer to improve the message. I am obviously partial to the phrasing I proposed above, but anything that clearly tells the user that this is a compile-time policy would be a nice improvement.
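The cause identified in this thread (sys-apps/firejail built with USE=network-restricted) can be checked directly from Portage's installed-package database. The script below is an added example, not part of any post above. It assumes the database is at /var/db/pkg and that each package directory has a USE file listing the flags enabled at build time; the function name `firejail_net_policy` is hypothetical, and the sample version and flag list are constructed.

```sh
#!/bin/sh
# Added example: report the --net policy an installed sys-apps/firejail was
# built with. Assumption: Portage's VDB is at /var/db/pkg and each package
# directory contains a USE file with the enabled flags.

firejail_net_policy() {
    vdb=${1:-/var/db/pkg}
    rc=1                                      # 1 = no installed firejail found
    for dir in "$vdb"/sys-apps/firejail-[0-9]*; do
        [ -f "$dir/USE" ] || continue         # unmatched glob or incomplete entry
        rc=0
        # Pad with spaces so only the whole flag name matches.
        flags=" $(tr '\n' ' ' < "$dir/USE") "
        case $flags in
            *" network-restricted "*)
                echo "${dir##*/}: restricted (non-root users may only use --net=none or omit --net)" ;;
            *)
                echo "${dir##*/}: unrestricted (the build does not limit --net to root)" ;;
        esac
    done
    return $rc
}

# Constructed sample VDB (version and flags are made up) so this runs anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/sys-apps/firejail-0.9.56"
echo "abi_x86_64 apparmor network-restricted seccomp userland_GNU" \
    > "$demo/sys-apps/firejail-0.9.56/USE"
firejail_net_policy "$demo"
rm -rf "$demo"
```

On a real system, call `firejail_net_policy` with no argument; a non-zero return means no installed sys-apps/firejail entry was found.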