github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #2002] [Feature request] Make settings in firejail.config ignorable in profiles #1348

New issue

Closed

opened 2026-05-05 07:54:51 -06:00 by gitea-mirror · 8 comments

gitea-mirror commented

2026-05-05 07:54:51 -06:00

Owner

Originally created by @curiosity-seeker on GitHub (Jun 14, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2002

The Firejail Usage page suggests to set

force-nonewprivs yes

in /etc/firejail/firejail.config as one measure to mitigate the concerns about Firejail being a SUID application.

One of the programs affected by this switch is VirtualBox. When I try to start it I'm getting the error:

Adding ignore nonewprivsor ignore force-nonewprivs does not work. Hence, I suggest to add such a feature as it would help to harden Firejail in general but would allow exceptions for specific incompatible applications at the same time.

Originally created by @curiosity-seeker on GitHub (Jun 14, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/2002 The `Firejail Usage` page [suggests](https://firejail.wordpress.com/documentation-2/basic-usage/#suid) to set `force-nonewprivs yes` in /etc/firejail/firejail.config as one measure to mitigate the concerns about Firejail being a SUID application. One of the programs affected by this switch is VirtualBox. When I try to start it I'm getting the error: ![grafik](https://user-images.githubusercontent.com/14075215/41418430-33e00620-6fdf-11e8-9bc8-a62c787a94df.png) Adding `ignore nonewprivs`or `ignore force-nonewprivs` does not work. Hence, I suggest to add such a feature as it would help to harden Firejail in general but would allow exceptions for specific incompatible applications at the same time.

gitea-mirror

2026-05-05 07:54:51 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 07:54:57 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 14, 2018):

One way you can do this is instead put nonewprivs in /etc/firejail/globals.local. Then, you should be able to use ignore nonewprivs in your VirtualBox profile.

Specifically, the part force-turning on nonewprivs is at main.c:1058-1060:

	if (checkcfg(CFG_FORCE_NONEWPRIVS))
		arg_nonewprivs = 1;

@chiraag-nataraj commented on GitHub (Jun 14, 2018): One way you can do this is instead put `nonewprivs` in `/etc/firejail/globals.local`. Then, you should be able to use `ignore nonewprivs` in your VirtualBox profile. Specifically, the part force-turning on `nonewprivs` is at main.c:1058-1060: ``` if (checkcfg(CFG_FORCE_NONEWPRIVS)) arg_nonewprivs = 1; ```

gitea-mirror commented

2026-05-05 07:54:58 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Jun 14, 2018):

Adding to @chiraag-nataraj I think the firejail.config is intended to allow system administrators to enforce specific settings to users. Adding support to bypass settings in profiles would also need a new option in the config to allow that.

@SkewedZeppelin commented on GitHub (Jun 14, 2018): Adding to @chiraag-nataraj I think the firejail.config is intended to allow system administrators to enforce specific settings to users. Adding support to bypass settings in profiles would also need a new option in the config to allow that.

gitea-mirror commented

2026-05-05 07:55:00 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Jun 14, 2018):

One way you can do this is instead put nonewprivs in /etc/firejail/globals.local.

Yes, you're right. I had forgotten about that. Thanks!

Nevertheless, the question remains: Wouldn't it make sense to use this setting by default and add an exception for the very few applications affected?

@curiosity-seeker commented on GitHub (Jun 14, 2018): > One way you can do this is instead put nonewprivs in /etc/firejail/globals.local. Yes, you're right. I had forgotten about that. Thanks! Nevertheless, the question remains: Wouldn't it make sense to use this setting by default and add an exception for the very few applications affected?

gitea-mirror commented

2026-05-05 07:55:02 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Jun 14, 2018):

Nevertheless, the question remains: Wouldn't it make sense to use this setting by default and add an exception for the very few applications affected?

Nearly all profiles already use nonewprivs

$ grep "redirect" /etc/firejail -RiL | wc -l
385 #number of non-alias profiles
$ grep "nonewprivs" /etc/firejail -R | wc -l
358 #number of profiles with nonewprivs

I think the benefit of force-nonewprivs is however different then that of nonewprivs.

@SkewedZeppelin commented on GitHub (Jun 14, 2018): > Nevertheless, the question remains: Wouldn't it make sense to use this setting by default and add an exception for the very few applications affected? Nearly all profiles already use nonewprivs ``` $ grep "redirect" /etc/firejail -RiL | wc -l 385 #number of non-alias profiles $ grep "nonewprivs" /etc/firejail -R | wc -l 358 #number of profiles with nonewprivs ``` I think the benefit of force-nonewprivs is however different then that of nonewprivs.

gitea-mirror commented

2026-05-05 07:55:03 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Jun 14, 2018):

Nearly all profiles already use nonewprivs

Thanks, I see. I just thought that it might be easier the other way round.

Please feel free to close this issue if it's out of question.

@curiosity-seeker commented on GitHub (Jun 14, 2018): > Nearly all profiles already use nonewprivs Thanks, I see. I just thought that it might be easier the other way round. Please feel free to close this issue if it's out of question.

gitea-mirror commented

2026-05-05 07:55:04 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 14, 2018):

So I think the point of the stuff in firejail.config is that those are settings which can't be overridden by profiles. Those options are designed to override any profile-specific options you may have. Basically, I guess what I'm trying to get at is that force-nonewprivs isn't for the usecase you're describing - the usecase you're describing is solved as I described above :) That being said, we may want to update the docs, since pointing people to firejail.config when it's not necessarily meant to be used in this way (as you found out) isn't exactly a good user experience.

@chiraag-nataraj commented on GitHub (Jun 14, 2018): So I think the point of the stuff in `firejail.config` is that those are settings which can't be overridden by profiles. Those options are designed to override any profile-specific options you may have. Basically, I guess what I'm trying to get at is that `force-nonewprivs` _isn't_ for the usecase you're describing - the usecase you're describing is solved as I described above :) That being said, we may want to update the docs, since pointing people to `firejail.config` when it's not necessarily meant to be used in this way (as you found out) isn't exactly a good user experience.

gitea-mirror commented

2026-05-05 07:55:04 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jul 9, 2018):

@netblue30 Can you update the suggested usage on the site?

@chiraag-nataraj commented on GitHub (Jul 9, 2018): @netblue30 Can you update the suggested usage on the site?

gitea-mirror commented

2026-05-05 07:55:06 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 26, 2019):

@netblue30 echoing @chiraag-nataraj

@rusty-snake commented on GitHub (Jun 26, 2019): @netblue30 echoing @chiraag-nataraj

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1348

No description provided.

Rows
Columns