[GH-ISSUE #2830] nonroot --netns=XXX/--net=XXX is insecure #1770

Open
opened 2026-05-05 08:26:26 -06:00 by gitea-mirror · 1 comment

Originally created by @simonfxr on GitHub (Jul 5, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2830

Using `--netns`/`--net` as a non-root user is quite useful; however, without further access checking it is insecure. It allows any firejail user to join any network namespace or access the net through any device. E.g. some user may run a private openvpn instance in a network namespace (as I do) and a different firejail user can now join the network namespace, which is clearly not desirable. I believe `--net=XXX` (except `--net=none` of course) poses a similar problem, since it might make it possible to sidestep system routing policies. My suggestion would be to add some access checking, e.g. by introducing new options in firejail.config. E.g. something like

```
netns_allow <USER>: netns1 netns2 netns3
net_allow <USER>: bridge1 bridge1
```
gitea-mirror added the enhancement, networking labels 2026-05-05 08:26:26 -06:00

@rusty-snake commented on GitHub (Jul 5, 2019):

1. firejail is focused on single user desktop systems. Which doesn't mean this isn't an issue. firejail doesn't really separate users (#2768, ...)
2. You can use `restricted-network` to fully shut down `--net` (except for `--net=none`):

   ```
   # Enable or disable restricted network support, default disabled. If enabled,
   # networking features should also be enabled (network yes).
   # Restricted networking grants access to --interface, --net=ethXXX and
   # --netfilter only to root user. Regular users are only allowed --net=none.
   # restricted-network no
   ```

   or `firejail.users` to restrict users who are allowed to use it.
3. To have a `netns_allow`, `net_allow` or `netns_deny`, `net_deny` or similar would be great.
4. Figure out if `--join-network` can be used to bypass 3. if a sandbox is running.
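As an added example (not firejail code; the `netns_allow`/`net_allow`/`netns_deny`/`net_deny` keys it parses are only the options proposed in this thread, not existing firejail.config settings, and the users and names are constructed), here is a Python prototype of the default-deny check such options would need, applied to `--netns=`/`--net=` requests before a sandbox is set up:

```python
import re

# Rule syntax as proposed in the thread (assumption: firejail has no such
# options; <USER> and the names are placeholders), e.g.
#   netns_allow <USER>: ns1 ns2      net_deny <USER>: eth0
RULE_RE = re.compile(r"^(netns|net)_(allow|deny)\s+(\S+?):\s*(.*)$")

# Constructed sample config, not taken from any real firejail.config.
SAMPLE_CONFIG = """\
# alice runs a private VPN namespace and may also bridge br0
netns_allow alice: vpn work
net_allow alice: br0
# bob may share the work namespace but is explicitly kept out of the VPN
netns_allow bob: work
netns_deny bob: vpn
"""


def parse_policy(text):
    """Map (kind, verdict, user) -> set of namespace/interface names."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
        kind, verdict, user, names = m.groups()
        policy.setdefault((kind, verdict, user), set()).update(names.split())
    return policy


def is_allowed(policy, kind, user, name):
    """Default deny; an explicit deny beats any allow; root is exempt, as
    restricted-network already treats root (assumption for this prototype)."""
    if user == "root":
        return True
    if name in policy.get((kind, "deny", user), set()):
        return False
    return name in policy.get((kind, "allow", user), set())


def vet_flag(policy, user, flag):
    """Vet one --netns=NAME / --net=NAME request before the sandbox is set up."""
    if flag == "--net=none":
        return True  # nothing is attached, so this is always permitted
    for prefix, kind in (("--netns=", "netns"), ("--net=", "net")):
        if flag.startswith(prefix):
            return is_allowed(policy, kind, user, flag[len(prefix):])
    raise ValueError(f"not a network flag: {flag!r}")
```

A user not named in any rule (or a name not listed for that user) is refused, which is the behaviour the thread asks for in place of today's unconditional access.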

Reference: github-starred/firejail#1770