github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #209] documentation should reference nsenter #145

New issue
Closed
opened 2026-05-05 05:09:46 -06:00 by gitea-mirror · 5 comments
gitea-mirror commented 2026-05-05 05:09:46 -06:00
Owner
Copy link

Originally created by @the8472 on GitHub (Jan 4, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/209

I have found nsenter to be extremely useful since it allows root to poke around in the the sandbox namespaces after they have been created without being affected by seccomp/caps.drop/noroot.

It's also useful for scripting where static profiles are not powerful enough

Originally created by @the8472 on GitHub (Jan 4, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/209 I have found `nsenter` to be extremely useful since it allows root to poke around in the the sandbox namespaces after they have been created without being affected by seccomp/caps.drop/noroot. It's also useful for scripting where static profiles are not powerful enough
gitea-mirror 2026-05-05 05:09:46 -06:00
gitea-mirror commented 2026-05-05 05:09:52 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jan 6, 2016):

Even better, I'll implement the following new command line options: --join-filesystem, --join-network, --join-user, where only the mount/network/user namespace is joined, without any additional filters such as seccomp, caps or cgroups. Thanks!

<!-- gh-comment-id:169321959 --> @netblue30 commented on GitHub (Jan 6, 2016): Even better, I'll implement the following new command line options: --join-filesystem, --join-network, --join-user, where only the mount/network/user namespace is joined, without any additional filters such as seccomp, caps or cgroups. Thanks!
gitea-mirror commented 2026-05-05 05:09:54 -06:00
Author
Owner
Copy link

@trou commented on GitHub (Jan 6, 2016):

Not sure if it's relevant but just in case : http://www.openwall.com/lists/oss-security/2016/01/06/6

It really is the responsibility of the party that calls
setns(some_userns) to make certain their process does not have anything
you don't want the root user in the container to get his hands on. That
goes way beyond the root uid.

<!-- gh-comment-id:169479591 --> @trou commented on GitHub (Jan 6, 2016): Not sure if it's relevant but just in case : http://www.openwall.com/lists/oss-security/2016/01/06/6 > It really is the responsibility of the party that calls > setns(some_userns) to make certain their process does not have anything > you don't want the root user in the container to get his hands on. That > goes way beyond the root uid.
gitea-mirror commented 2026-05-05 05:09:57 -06:00
Author
Owner
Copy link

@the8472 commented on GitHub (Jan 7, 2016):

Hrrm, that is a reasonable concern, but aiui it does not apply if one only joins mount/network NS for example while the container is in a separate PID namespace. Or if the container has no root.

But at the very least a here be dragons warning may be appropriate.

The main usecase is to run sbin stuff which needs way more syscalls/caps to configure the container than the jailed process itself would need. Maybe nesting the namespaces where one has an outer one with root that can run configuration scripts and an inner one that runs the target process would be somewhat safer than joining directly with the host's root.

<!-- gh-comment-id:169590235 --> @the8472 commented on GitHub (Jan 7, 2016): Hrrm, that is a reasonable concern, but aiui it does not apply if one only joins mount/network NS for example while the container is in a separate PID namespace. Or if the container has no root. But at the very least a here be dragons warning may be appropriate. The main usecase is to run sbin stuff which needs way more syscalls/caps to configure the container than the jailed process itself would need. Maybe nesting the namespaces where one has an outer one with root that can run configuration scripts and an inner one that runs the target process would be somewhat safer than joining directly with the host's root.
gitea-mirror commented 2026-05-05 05:10:00 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jan 7, 2016):

Maybe nesting the namespaces where one has an outer one with root that can run configuration scripts and an inner one that runs the target process would be somewhat safer than joining directly with the host's root.

You can do this today. Start a /bin/bash sandbox as root with a network namespace and whitout any seccomp (use --noprofile):

# firejail --net=eth0 --noprofile

In this sandbox you can modify the network (ifconfig), become another user (su someotheruser) and you can start another sandbox using --force option:

$ firejail --force some_program

Some people asked for --force so they can run firejail in Docker containers.

I guess your use case is more like "what do you do if you forgot to start the root sandbox in the first place?"

<!-- gh-comment-id:169659854 --> @netblue30 commented on GitHub (Jan 7, 2016): > Maybe nesting the namespaces where one has an outer one with root that can run configuration scripts and an inner one that runs the target process would be somewhat safer than joining directly with the host's root. You can do this today. Start a /bin/bash sandbox as root with a network namespace and whitout any seccomp (use --noprofile): ``` # firejail --net=eth0 --noprofile ``` In this sandbox you can modify the network (ifconfig), become another user (su someotheruser) and you can start another sandbox using --force option: ``` $ firejail --force some_program ``` Some people asked for --force so they can run firejail in Docker containers. I guess your use case is more like "what do you do if you forgot to start the root sandbox in the first place?"
gitea-mirror commented 2026-05-05 05:10:03 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jan 14, 2016):

I added --join-filesystem and --join-network. These commands will mount only the mount or network namespace, without any security filters (seccomp, caps, etc). You'll need to be root to run them. Also, if you run --join as root, the security filters are not installed for the new session.

<!-- gh-comment-id:171710315 --> @netblue30 commented on GitHub (Jan 14, 2016): I added --join-filesystem and --join-network. These commands will mount only the mount or network namespace, without any security filters (seccomp, caps, etc). You'll need to be root to run them. Also, if you run --join as root, the security filters are not installed for the new session.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#145
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?