mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #189] Run Firejail in Docker container #131
Labels
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/firejail#131
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @webslim on GitHub (Dec 7, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/189
Hi,
my way to use firejail is to 'su' to a user and then enter a sandbox with
firejail --noroot --caps.drop=all --seccomp --ipc-namespace
(If I want GUI separation, I do this in a Xephyr window.)
This used to work perfectly up to version 0.9.28.
The new version outputs a message about an existing sandbox and running without additional restrictions,
even though there is no other sandbox running. 'firejail --list' shows nothing.
I have a Grsecurity enabled kernel and came across https://github.com/netblue30/firejail/issues/141, but I am wondering why this used to work even though I have CONFIG_GRKERNSEC_PROC_USER=y. Did something change in the handling of /proc information?
@netblue30 commented on GitHub (Dec 7, 2015):
I am still to investigate Grsecurity. Some people seem to be running fine, while others have problems.
"existing sandbox detected" is a warning. It means you are already in a firejail sandbox and attempt to start another firejail sandbox inside the current one. Things changed since 0.9.28, firejail sandboxes cannot be chained anymore. Instead, the program for the second sandbox is started as is in the existing sandbox.
I don't think there are any changes in /proc handling.
@tjanczuk commented on GitHub (Dec 16, 2015):
@netblue30 How is the determination made that firejail is running in an existing sandbox? I am getting the "Warning: an existing sandbox was detected" when running firejail from inside of a docker container (one started with --privileged=true).
@tjanczuk commented on GitHub (Dec 16, 2015):
Looks like firejail is making this determination based on the presence of some kernel processes in the PID namespace. A workaround to run firejail in a docker container is to run docker in the host PID namespace (using
--pid=host). If you can.@netblue30 commented on GitHub (Dec 17, 2015):
If I understand correctly, you want to be able to run firejail in a Docker/LXC/whatever container. All I have to do is to disable the checking and let it running. I'll implement it for the next version. Thanks.
@netblue30 commented on GitHub (Dec 17, 2015):
I added a new command line option, --force, that disables the PID namespace checking. So, in a docker container run "firejail --force".
@tjanczuk commented on GitHub (Dec 17, 2015):
This is great, thanks! Is *.deb available for this already?
@netblue30 commented on GitHub (Dec 17, 2015):
Not yet, probably I'll make a new release in about one week.