[GH-ISSUE #2868] Virtualbox not able to write to /dev/vbox* #1794

Closed
opened 2026-05-05 08:27:58 -06:00 by gitea-mirror · 22 comments
Owner

Originally created by @Niklas974 on GitHub (Jul 23, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2868

I'm using firejail version 0.9.58.2 and VirtualBox Version 6.06 on Ubuntu 19.04

Running VirtualBox in firejail using the default virtualbox profile provided by firejail, I run into networking issues when accessing host-only network adapters in the VirtualBox "Host-only Network Manager":

Das Host-Netzwerkinterface konnte nicht erzeugt werden.

VBoxNetAdpCtl: Error while adding new interface: failed to open /dev/vboxnetctl: Operation not permitted.

Fehlercode:NS_ERROR_FAILURE (0x80004005)
Komponente:HostNetworkInterfaceWrap
Interface:IHostNetworkInterface {455f8c45-44a0-a470-ba20-27890b96dba9}

(translated: The Host-Network Interface could not be created)

Interestingly, /dev/vbox* looks pretty similar from the outside and from inside the virtualbox firejail:

ls -al /dev/vbox*
crw------- 1 root root      10, 53 Jul 22 15:09 /dev/vboxdrv
crw-rw-rw- 1 root root      10, 52 Jul 22 15:09 /dev/vboxdrvu
crw------- 1 root root      10, 51 Jul 22 15:09 /dev/vboxnetctl

/dev/vboxusb:
insgesamt 0
drwxr-x---  5 root vboxusers  100 Jul 22 15:09 .
drwxr-xr-x 23 root root      5080 Jul 22 15:10 ..
drwxr-x---  2 root vboxusers  100 Jul 22 15:09 001
drwxr-x---  2 root vboxusers   60 Jul 22 15:09 002
drwxr-x---  2 root vboxusers  160 Jul 22 15:10 003
 ~ firejail --join=16421
Switching to pid 16422, the first child process inside the sandbox
Child process initialized in 12.40 ms
ubuntu% ls -al /dev/vbox*
crw------- 1 root root      10, 53 Jul 22 15:09 /dev/vboxdrv
crw-rw-rw- 1 root root      10, 52 Jul 22 15:09 /dev/vboxdrvu
crw------- 1 root root      10, 51 Jul 22 15:09 /dev/vboxnetctl

/dev/vboxusb:
insgesamt 0
drwxr-x---  5 root vboxusers  100 Jul 22 15:09 .
drwxr-xr-x 23 root root      5080 Jul 22 15:10 ..
drwxr-x---  2 root vboxusers  100 Jul 22 15:09 001
drwxr-x---  2 root vboxusers   60 Jul 22 15:09 002
drwxr-x---  2 root vboxusers  160 Jul 22 15:10 003

Commenting out "caps.drop all" in the virtualbox profile solves the issue locally.
I think this should be fixed or at least annotated in the virtualbox profile.

I know that I do not run the latest version of firejail, but the one provided by ubuntu. If you need me to try with the newest version, please let me know.

EDIT: I previously claimed that commenting out "netfilter" would provide a work-around. It turns out that the "caps.drop all" line is the culprit.
Hint for debugging: On closing the VirtualBox GUI, it takes a few seconds for the last VirtualBox process to end; if you do not wait for it to end, firejail will not reload the config and thus ignores potential changes.

@Fred-Barclay commented on GitHub (Jul 29, 2019):

Thanks for reporting this @Niklas974 !

Besides the error messages, does this cause any issues with virtualbox? If it's just error messages then it's probably better to say these are just cosmetic issues and not change/remove netfilter, but if it actually means you can't use firejail+virtualbox then we should maybe change this.

Thanks!
Fred

@Niklas974 commented on GitHub (Jul 29, 2019):

NOTE: I edited the original report, it is not "netfilter" but "caps.drop all" that causes the problem!

Hi @Fred-Barclay ,

thank you for helping with this issue!

Using the original config file provided by firejail, VirtualBox does work, but at least the following do not work:
a) adding new Host-Only Network Interfaces in the Host-Only Network Manager
b) Accessing the external network using NAT interfaces. I have tried using an Ubuntu host and a Kali Linux guest; I cannot ping external machines if the "caps.drop all" line is in the config file. Commenting it out and not changing anything else, I can ping external machines.

(see hints on VirtualBox networking here: https://www.virtualbox.org/manual/ch06.html#networkingmodes)

@rusty-snake commented on GitHub (Jul 29, 2019):

@Niklas974 getcap /usr/bin/V*

@Niklas974 commented on GitHub (Jul 29, 2019):

 ~  getcap /usr/bin/V*
 ~  getcap /usr/bin/v*
 ~  which virtualbox
/usr/local/bin/virtualbox
 ~  getcap /usr/local/bin/virtualbox

(From outside of firejail)
Am I missing something obvious?

@rusty-snake commented on GitHub (Jul 29, 2019):

Same with getcap /usr/lib64/virtualbox/V* (or wherever it is on your system), or?

@Niklas974 commented on GitHub (Jul 29, 2019):

 ~  which virtualbox
/usr/local/bin/virtualbox
 ~  ll /usr/local/bin/virtualbox
lrwxrwxrwx 1 root root 17 Jul 17 08:52 /usr/local/bin/virtualbox -> /usr/bin/firejail*
 ~  ll /usr/bin/virtualbox
lrwxrwxrwx 1 root root 27 Apr 17 00:08 /usr/bin/virtualbox -> ../share/virtualbox/VBox.sh*
 ~  getcap /usr/share/virtualbox/*
 ~  getcap /usr/lib/virtualbox/*        
 ~  ls /usr/lib/virtualbox 
components         VBoxAutostart    VBoxDDRC.rc            VBoxExtPackHelperApp    vbox-img         VBoxNetNAT              VBoxREM.so              vboxshell.py    VBoxVMMPreload.so  VirtualBox
ExtensionPacks     VBoxBalloonCtrl  VBoxDD.so              VBoxGlobal.so           VBoxKeyboard.so  VBoxNetNAT.so           VBoxRT.so               VBoxSVC         VBoxVMM.so         VirtualBoxVM
libvboxjxpcom.so   VBoxBugReport    VBoxDDU.so             VBoxGuestControlSvc.so  VBoxManage       VBoxOGLhostcrutil.so    VBoxSDL                 VBoxSVGA3D.so   VBoxVolInfo        VirtualBoxVM.so
__pycache__        VBoxCpuReport    VBoxDragAndDropSvc.so  VBoxGuestPropSvc.so     VBoxManageHelp   VBoxOGLhosterrorspu.so  VBoxSDL.so              VBoxSysInfo.sh  vboxwebsrv         VMMR0.r0
sdk                VBoxDbg.so       VBoxDTrace             VBoxHeadless            VBoxNetAdpCtl    VBoxOGLrenderspu.so     VBoxSharedClipboard.so  VBoxTestOGL     VBoxXPCOMC.so      VMMRC.rc
VBoxAuthSimple.so  VBoxDD2.so       VBoxEFI32.fd           VBoxHeadless.so         VBoxNetDHCP      VBoxPython3_7m.so       VBoxSharedCrOpenGL.so   VBoxTunctl      VBoxXPCOMIPCD      webtest
VBoxAuth.so        VBoxDDR0.r0      VBoxEFI64.fd           VBoxHostChannel.so      VBoxNetDHCP.so   VBoxPython.so           VBoxSharedFolders.so    VBoxVMMPreload  VBoxXPCOM.so

@rusty-snake commented on GitHub (Jul 29, 2019):

Well, no more ideas on how to find out what we need for caps.keep.

@Vincent43 commented on GitHub (Jul 30, 2019):

AFAIK vbox uses full suid binaries instead of caps.

@Niklas974 could you show ls -al /usr/lib/virtualbox?

Also could you try replacing caps.drop all with caps.keep sys_admin in profile?

Alternatively caps.keep net_raw,sys_nice

@Niklas974 commented on GitHub (Aug 6, 2019):

@Vincent43 ls -al is attached at the bottom

  • setting caps.drop all I cannot add and delete host only network adapters, and I cannot use NAT network adapters from within guests
  • setting caps.keep sys_admin I can add and delete host only network adapters, but I cannot use NAT network adapters from within guests
  • setting caps.keep net_raw,sys_nice I cannot add and delete host only network adapters, but I can use NAT network adapters from within guests
  • setting caps.keep sys_admin,net_raw,sys_nice I can add and delete host only network adapters, and I can use NAT network adapters from within guests
  • setting neither of those, I can add and delete host only network adapters, and I can use NAT network adapters from within guests
 ~  ls -al /usr/lib/virtualbox 
insgesamt 123684
drwxr-xr-x   6 root root    12288 Mai  7 08:40 .
drwxr-xr-x 160 root root    12288 Jul 19 15:49 ..
drwxr-xr-x   2 root root     4096 Mai  7 08:25 components
drwxr-xr-x   4 root root     4096 Mai  7 08:43 ExtensionPacks
-rw-r--r--   1 root root   126032 Apr 17 00:08 libvboxjxpcom.so
drwxr-xr-x   2 root root     4096 Mai  7 08:43 __pycache__
drwxr-xr-x   3 root root     4096 Feb 14 09:45 sdk
-rw-r--r--   1 root root    31168 Apr 17 00:08 VBoxAuthSimple.so
-rw-r--r--   1 root root    14496 Apr 17 00:08 VBoxAuth.so
-rwxr-xr-x   1 root root   121016 Apr 17 00:08 VBoxAutostart
-rwxr-xr-x   1 root root   170512 Apr 17 00:08 VBoxBalloonCtrl
-rwxr-xr-x   1 root root    88240 Apr 17 00:08 VBoxBugReport
-rwxr-xr-x   1 root root  1038864 Apr 17 00:08 VBoxCpuReport
-rw-r--r--   1 root root   171248 Apr 17 00:08 VBoxDbg.so
-rw-r--r--   1 root root   362392 Apr 17 00:08 VBoxDD2.so
-rw-r--r--   1 root root   261240 Apr 17 00:08 VBoxDDR0.r0
-rw-r--r--   1 root root   187932 Apr 17 00:08 VBoxDDRC.rc
-rw-r--r--   1 root root  2059400 Apr 17 00:08 VBoxDD.so
-rw-r--r--   1 root root   430656 Apr 17 00:08 VBoxDDU.so
-rw-r--r--   1 root root    39216 Apr 17 00:08 VBoxDragAndDropSvc.so
-rwxr-xr-x   1 root root    14408 Apr 17 00:08 VBoxDTrace
-rw-r--r--   1 root root  2097152 Jan 25  2019 VBoxEFI32.fd
-rw-r--r--   1 root root  2097152 Jan 25  2019 VBoxEFI64.fd
-rwxr-xr-x   1 root root    63712 Apr 17 00:08 VBoxExtPackHelperApp
-rw-r--r--   1 root root 37329640 Apr 17 00:08 VBoxGlobal.so
-rw-r--r--   1 root root    35064 Apr 17 00:08 VBoxGuestControlSvc.so
-rw-r--r--   1 root root    43488 Apr 17 00:08 VBoxGuestPropSvc.so
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VBoxHeadless
-rw-r--r--   1 root root   101320 Apr 17 00:08 VBoxHeadless.so
-rw-r--r--   1 root root    18512 Apr 17 00:08 VBoxHostChannel.so
-rwxr-xr-x   1 root root  1889568 Apr 17 00:08 vbox-img
-rw-r--r--   1 root root    78248 Apr 17 00:08 VBoxKeyboard.so
-rwxr-xr-x   1 root root  1194232 Apr 17 00:08 VBoxManage
-rwxr-xr-x   1 root root  1256328 Apr 17 00:08 VBoxManageHelp
-rwsr-sr-x   1 root root    30888 Apr 17 00:08 VBoxNetAdpCtl
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VBoxNetDHCP
-rw-r--r--   1 root root   183728 Apr 17 00:08 VBoxNetDHCP.so
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VBoxNetNAT
-rw-r--r--   1 root root   282824 Apr 17 00:08 VBoxNetNAT.so
-rw-r--r--   1 root root   196360 Apr 17 00:08 VBoxOGLhostcrutil.so
-rw-r--r--   1 root root   136072 Apr 17 00:08 VBoxOGLhosterrorspu.so
-rw-r--r--   1 root root   172608 Apr 17 00:08 VBoxOGLrenderspu.so
-rw-r--r--   1 root root   209688 Apr 17 00:08 VBoxPython3_7m.so
-rw-r--r--   1 root root   209688 Apr 17 00:08 VBoxPython.so
-rw-r--r--   1 root root   768232 Apr 17 00:08 VBoxREM.so
-rw-r--r--   1 root root  3362888 Apr 17 00:08 VBoxRT.so
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VBoxSDL
-rw-r--r--   1 root root   175600 Apr 17 00:08 VBoxSDL.so
-rw-r--r--   1 root root    51712 Apr 17 00:08 VBoxSharedClipboard.so
-rw-r--r--   1 root root  1170352 Apr 17 00:08 VBoxSharedCrOpenGL.so
-rw-r--r--   1 root root    59984 Apr 17 00:08 VBoxSharedFolders.so
-rwxr-xr-x   1 root root   122000 Apr 17 00:08 vboxshell.py
-rwxr-xr-x   1 root root  7169560 Apr 17 00:08 VBoxSVC
-rw-r--r--   1 root root   244408 Apr 17 00:08 VBoxSVGA3D.so
-rwxr-xr-x   1 root root     4163 Apr 16 12:16 VBoxSysInfo.sh
-rwxr-xr-x   1 root root   108704 Apr 17 00:08 VBoxTestOGL
-rwxr-xr-x   1 root root    14328 Apr 17 00:08 VBoxTunctl
-rwxr-xr-x   1 root root   161872 Apr 17 00:08 VBoxVMMPreload
-rw-r--r--   1 root root    14552 Apr 17 00:08 VBoxVMMPreload.so
-rw-r--r--   1 root root  3946472 Apr 17 00:08 VBoxVMM.so
-rwxr-xr-x   1 root root    14328 Apr 17 00:08 VBoxVolInfo
-rwxr-xr-x   1 root root 26152768 Apr 17 00:08 vboxwebsrv
-rw-r--r--   1 root root    47752 Apr 17 00:08 VBoxXPCOMC.so
-rwxr-xr-x   1 root root    30880 Apr 17 00:08 VBoxXPCOMIPCD
-rw-r--r--   1 root root  1151184 Apr 17 00:08 VBoxXPCOM.so
-rwxr-xr-x   1 root root  2299368 Apr 17 00:08 VirtualBox
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VirtualBoxVM
-rw-r--r--   1 root root  1546728 Apr 17 00:08 VirtualBoxVM.so
-rw-r--r--   1 root root  2391616 Apr 17 00:08 VMMR0.r0
-rw-r--r--   1 root root  1588028 Apr 17 00:08 VMMRC.rc
-rwxr-xr-x   1 root root 20343152 Apr 17 00:08 webtest

@Vincent43 commented on GitHub (Aug 7, 2019):

> setting caps.keep sys_admin,net_raw,sys_nice I can add and delete host only network adapters, and I can use NAT network adapters from within guests

So, this one looks sufficient.

@Niklas974
One more thing before we add it: could you try replacing sys_admin with net_admin, like caps.keep net_admin,net_raw,sys_nice?

@Niklas974 commented on GitHub (Aug 13, 2019):

I have just tried caps.keep net_admin,net_raw,sys_nice and with this directive I cannot add and delete host only network adapters.

@Vincent43 commented on GitHub (Aug 13, 2019):

Ok, we go for sys_admin then, thx for testing.

@githlp commented on GitHub (Jan 19, 2022):

With this profile I still cannot change the IPv4 address for the adapter and DHCP server when adding a host-only network.

I already created an exception as described in this manual section (https://www.virtualbox.org/manual/ch06.html#network_hostonly):

cat /etc/vbox/networks.conf
* 10.0.0.0/8 192.168.0.0/16
* 2001::/64

and now it works when called directly via /usr/bin/virtualbox.

But with firejail I still get this error message:

network interface parameter could not be stored.

Callee RC: E_ACCESSDENIED (0x80070005)
 
@ghost commented on GitHub (Jan 19, 2022):

@githlp The virtualbox profile has private-etc, but that currently doesn't include /etc/vbox. If you can confirm your setup is working when adding private-etc vbox to a virtualbox.local IMO we should fix our profile.

@githlp commented on GitHub (Jan 19, 2022):

That did not work; the error message remains the same.

@ghost commented on GitHub (Jan 20, 2022):

I noticed the original fix from commit d94e38a53f (https://github.com/netblue30/firejail/commit/d94e38a53f2cc9152ce0814af27fd9957b8e9e89) got changed later on. Did you see the comment in the profile (https://github.com/netblue30/firejail/blob/master/etc/profile-m-z/virtualbox.profile#L34) about needing sys_admin for host-only network? I can't find the commit that took that out of the original caps.keep sys_admin,net_raw,sys_nice but that could just be a side-effect of a github etc reorganization we went through. Did you try adding sys_admin to caps.keep yet, in combination with private-etc vbox?

@githlp commented on GitHub (Jan 20, 2022):

Yes, I followed the comment within virtualbox.profile and added sys_admin to the caps.keep line. I just checked again and both are fulfilled:

/etc/firejail/virtualbox.profile
caps.keep sys_admin,net_raw,sys_nice

~/.config/firejail/virtualbox.local
private-etc vbox

@ghost commented on GitHub (Jan 20, 2022):

@githlp Good. In that case you have some detective work to do. Adding ignore caps.keep and ignore private-etc to virtualbox.local would be where I'd start. You might need to go through a few different combinations here. TIP: keep a terminal open in which you tail journalctl (or syslog if you don't have a systemd system) so you can spot any relevant errors in there. When in doubt, post errors somewhere online and provide a link here so we can assist.

@githlp commented on GitHub (Jan 20, 2022):

Well, with this setting in virtualbox.local the host-based network adapter can be set up/modified:

private-etc vbox
ignore caps.keep

But does it make sense to ignore caps.keep completely?

I still get these messages in the journal every time I start virtualbox:

Jän 20 19:42:07 desktop firejail[85293]: blacklist violation - sandbox 85211, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:42:07 desktop firejail[85293]: blacklist violation - sandbox 85211, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:43:54 desktop firejail[87716]: blacklist violation - sandbox 87652, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:43:54 desktop firejail[87716]: blacklist violation - sandbox 87652, exe VBoxSVC, syscall lstat64, path /dev/sr0

And this is the output on the shell: https://0bin.net/paste/xrd0c-lt#UabuLPzOKkAzJh5tneEJOpID-r3jbucysv1Pie4F9VS
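Niklas974's caps.keep test matrix above and githlp's `ignore caps.keep` in virtualbox.local both come down to which capability bounding set the profile leaves the sandbox with. As an added example for this page (not firejail's code), the Python below resolves caps.drop, caps.keep and ignore across a constructed virtualbox.local and profile excerpt, then checks the result against a constructed CapBnd line of the kind `cat /proc/self/status` prints after `firejail --join`; the include ordering and precedence rules it models are assumptions noted in the resolve_caps docstring.

```python
"""Resolve the capability bounding set a firejail profile leaves a sandbox
with, and compare it against the CapBnd line of a sandboxed process.
Added example for this thread, not firejail's own code; the modelling
assumptions are stated in the resolve_caps docstring."""
import re

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "linux_immutable": 9, "net_bind_service": 10, "net_broadcast": 11,
    "net_admin": 12, "net_raw": 13, "ipc_lock": 14, "ipc_owner": 15,
    "sys_module": 16, "sys_rawio": 17, "sys_chroot": 18, "sys_ptrace": 19,
    "sys_pacct": 20, "sys_admin": 21, "sys_boot": 22, "sys_nice": 23,
    "sys_resource": 24, "sys_time": 25, "sys_tty_config": 26, "mknod": 27,
    "lease": 28, "audit_write": 29, "audit_control": 30, "setfcap": 31,
    "mac_override": 32, "mac_admin": 33, "syslog": 34, "wake_alarm": 35,
    "block_suspend": 36, "audit_read": 37, "perfmon": 38, "bpf": 39,
    "checkpoint_restore": 40,
}
ALL_CAPS = frozenset(CAP_BITS)

def _cap_list(arg):
    """Parse 'sys_admin,net_raw,sys_nice'; reject names the kernel lacks,
    which is how a typo in a caps.keep line would surface."""
    names = {c.strip().lower() for c in arg.split(",") if c.strip()}
    unknown = names - ALL_CAPS
    if unknown:
        raise ValueError("unknown capability: " + ", ".join(sorted(unknown)))
    return names

def resolve_caps(*profile_texts):
    """Walk profile texts in include order and return the capability names
    left in the bounding set, or None when no caps directive survived.
    Assumptions (the example's, not checked against firejail's source):
    the .local is processed first, as the `include virtualbox.local` line
    at the top of stock profiles arranges; `ignore X` skips every later
    line starting with X; precedence is `caps.drop all`, then a drop list,
    then a keep list."""
    ignored = []
    drop_all, drop_list, keep_list = False, None, None
    for text in profile_texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if any(line.startswith(p) for p in ignored):
                continue  # e.g. `ignore caps.keep` placed in virtualbox.local
            if line.startswith("ignore "):
                ignored.append(line[len("ignore "):].strip())
            elif line == "caps.drop all":
                drop_all = True
            elif line.startswith("caps.drop "):
                drop_list = _cap_list(line[len("caps.drop "):])
            elif line.startswith("caps.keep "):
                keep_list = _cap_list(line[len("caps.keep "):])
    if drop_all:
        return set()
    if drop_list is not None:
        return set(ALL_CAPS - drop_list)
    if keep_list is not None:
        return set(keep_list)
    return None

def mask_to_caps(mask):
    """CapBnd-style bit mask -> capability names."""
    return {name for name, bit in CAP_BITS.items() if mask >> bit & 1}

def capbnd_from_status(status_text):
    """Extract the CapBnd mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    return int(m.group(1), 16)

def check_sandbox(expected_caps, status_text):
    """Compare what the profile should leave with what the kernel reports
    for a process inside the sandbox (`firejail --join=PID`, then
    `cat /proc/self/status`).  Returns (missing, unexpected) name sets."""
    actual = mask_to_caps(capbnd_from_status(status_text))
    expected = set(ALL_CAPS) if expected_caps is None else set(expected_caps)
    return expected - actual, actual - expected

# Constructed excerpt of a virtualbox.profile carrying the line the thread
# settled on, and githlp's virtualbox.local from the thread.
VIRTUALBOX_PROFILE = """\
# Firejail profile for virtualbox (constructed excerpt)
include virtualbox.local
caps.keep sys_admin,net_raw,sys_nice
"""
LOCAL_IGNORE_KEEP = "private-etc vbox\nignore caps.keep\n"
# Constructed /proc/<pid>/status excerpt; 0xa02000 is bits 13, 21 and 23.
STATUS_KEEP = "Name:\tVBoxSVC\nCapInh:\t0000000000000000\nCapBnd:\t0000000000a02000\n"

if __name__ == "__main__":
    restricted = resolve_caps("", VIRTUALBOX_PROFILE)
    print(sorted(restricted), check_sandbox(restricted, STATUS_KEEP))
    print(resolve_caps(LOCAL_IGNORE_KEEP, VIRTUALBOX_PROFILE))  # None: unrestricted
```

With `ignore caps.keep` the resolver returns None, i.e. the profile no longer narrows the bounding set at all, which is what githlp's question is getting at; the check_sandbox diff shows which names differ when the kernel's CapBnd does not match what the profile should produce.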

@githlp commented on GitHub (Jan 21, 2022):

The network does not get a connection on the default route 10.0.2.15 either.

Started without firejail it works on same config settings.

@ghost commented on GitHub (Feb 3, 2022):

@githlp Apologies for the radio-silence. The pastebin has expired but here's what I see in my notes:

  • add ignore nodvd (the blacklist violations suggest VBox tries to access /dev/sr0);
  • The libkmod 'permission denied' warnings stem from hardcoded protections (https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L743-#L746) but can be fixed by adding
noblacklist /sys/module
read-only /sys/module

@githlp commented on GitHub (Feb 7, 2022):

But still no connection on my 10.0.2.x virtual eth:

Reading profile /etc/firejail/virtualbox.profile
Reading profile /home/ronald/.config/firejail/virtualbox.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 680494, child pid 680495
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 2.05 ms
Warning: skipping vbox for private /usr/etc
Private /usr/etc installed in 0.07 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 209.39 ms
whoami: Für Benutzerkennung 1000 kann kein Name gefunden werden: Datei oder Verzeichnis nicht gefunden
Fehler: Liste von realen Benutzern muss auf -U folgen
..
Reference: github-starred/firejail#1794