[GH-ISSUE #2112] VS Code cannot perform remote git operations #1431

Closed
opened 2026-05-05 08:05:49 -06:00 by gitea-mirror · 8 comments

Originally created by @derba on GitHub (Sep 12, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2112

I have up-to-date Firejail (8044acef4c). I installed VS Code on Fedora 28 according to https://code.visualstudio.com/docs/setup/linux.
VS Code works fine. I can commit to git using source control on sidebar. But remote operations such as git push fail:

```
> git push origin master:master
Warning: an existing sandbox was detected. /usr/bin/ssh will run without any additional sandboxing features
ssh: Could not resolve hostname git.example.com: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

If I run VS Code without Firejail then everything is OK.
On command line `git push` works while `firejail --profile=/usr/local/etc/firejail/code.profile git push` fails.

@SkewedZeppelin commented on GitHub (Sep 12, 2018):

code.profile has `net none`, which disables network access:
`echo "ignore net none" | sudo tee /etc/firejail/code.local`

@derba commented on GitHub (Sep 13, 2018):

Thanks @SkewedZeppelin, that helped.
Plus I added `noblacklist ${HOME}/.ssh`, too, so that git can use my keys.
I think these are bugs in the profile that need to be fixed.
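As an added illustration (not code from the firejail project or from anyone in this thread): a small Python model of how the two `code.local` overrides mentioned above change the effective profile. The sample profile text, the `${HOME}` value and the simplified directive rules are constructed assumptions, chosen to show why `ignore net none` and `noblacklist ${HOME}/.ssh` work when the `.local` include sits at the top of the profile.

```python
# Added example (not firejail project code): a simplified model of how a
# profile, its "include code.local", "ignore" and "noblacklist" combine.
HOME = "/home/user"  # constructed placeholder standing in for ${HOME}

# Constructed sample profile modelled on the directives discussed above.
CODE_PROFILE = """
include code.local
noblacklist ${HOME}/.config/Code
blacklist ${HOME}/.ssh
net none
"""
# The override from the thread, as it would be written to code.local.
CODE_LOCAL = """
ignore net none
noblacklist ${HOME}/.ssh
"""

def effective_policy(profile_text, local_text=""):
    """Return (network_disabled, blacklisted_paths) for profile + local.

    Assumed rules, simplified from firejail: the .local include is expanded
    in place (so its lines run first); "ignore X" drops every later line
    starting with X; "noblacklist P" only protects P from blacklist lines
    that follow it, which is why the include sits at the top of the profile.
    """
    merged = []
    for line in profile_text.splitlines():
        line = line.strip()
        if line.startswith("include ") and line.endswith(".local"):
            merged.extend(l.strip() for l in local_text.splitlines())
        else:
            merged.append(line)
    ignored, noblacklist, blacklist, net_none = [], set(), [], False
    for line in merged:
        if not line or line.startswith("#"):
            continue
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):].strip())
        elif any(line.startswith(prefix) for prefix in ignored):
            continue  # dropped by an earlier "ignore"
        elif line.startswith("noblacklist "):
            noblacklist.add(line.split(None, 1)[1].replace("${HOME}", HOME))
        elif line.startswith("blacklist "):
            path = line.split(None, 1)[1].replace("${HOME}", HOME)
            if path not in noblacklist:
                blacklist.append(path)
        elif line == "net none":
            net_none = True
    return net_none, blacklist
```

Running `effective_policy(CODE_PROFILE)` against `effective_policy(CODE_PROFILE, CODE_LOCAL)` shows exactly which restrictions the override lifts, which is a useful check before relaxing a profile on a real machine.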

@Vincent43 commented on GitHub (Sep 13, 2018):

Those are rather deliberate choices not to make remote access possible in the default configuration. The local configuration is the place where you can adjust it for your needs.

@SkewedZeppelin commented on GitHub (Sep 14, 2018):

An IDE should be trusted (plugins aside); we probably should go through and ensure ~/.gitconfig, ~/.ssh, and network access are enabled.

I know we decided against ~/.gnupg a while back, and I still assume most people signing their commits also prefer the git cli over these GUIs, so we can continue to block that.

@Vincent43 commented on GitHub (Sep 14, 2018):

Ok.

@derba commented on GitHub (Sep 14, 2018):

Well, it is not that easy a question. I installed VSCode from the yum repo of MS, an rpm that can have any kind of script running as root. I cannot really check that script (`rpm -qp --scripts code.rpm`) as dnf/yum just pulls and runs it on package update. So I have to trust MS or disable automatic updates.

And it is not just MS, but there are other IDEs not compiled by my trusted distro maker (IDEA, PyCharm etc.). And they even pull 3rd party extensions. And each is able to grab my private key in .ssh.

Update: I just realized @SkewedZeppelin mentioned similar concerns before.

Actually I could have chosen Flatpak from Flathub. That is even worse, requiring access to my whole host fs. Okay, I stick with firejail.

@chiraag-nataraj commented on GitHub (Sep 27, 2018):

@SkewedZeppelin I actually disagree on this one. By default, an IDE should _not_ have network access. If someone wants to locally enable it, that is their decision, but given that many allow you to load arbitrary code (packages/plugins/addons/whatever), it's dangerous to _not_ block network access by default. The same would apply for SSH keys, git config, and so on. The default should err on the side of security, especially in a case where plugins and such are involved.

@chiraag-nataraj commented on GitHub (May 21, 2019):

I'll go ahead and close this, since the OP's question was answered. @derba, please feel free to re-open if you have more questions.