[GH-ISSUE #3050] Opera FireJail-profile network problem #1917

Closed
opened 2026-05-05 08:35:07 -06:00 by gitea-mirror · 14 comments
Owner

Originally created by @ghost on GitHub (Nov 22, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3050

Hi!

How can I fix that here:

```
firejail --private --dns=84.200.69.80 --dns=84.200.70.40 opera

Reading profile /etc/firejail/opera.profile
Reading profile /etc/firejail/opera-base.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 19907, child pid 19908

DNS server 84.200.69.80
DNS server 84.200.70.40

Child process initialized in 151.94 ms

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

While handling crash: can't execute crash inspector.

Parent is shutting down, bye...
```

opera.profile:

```
caps.drop all
caps.keep sys_admin,sys_chroot
machine-id
netfilter

# nodbus
nodvd
nogroups
notv
?BROWSER_DISABLE_U2F: nou2f
shell none

disable-mnt
private-dev
#private-etc fonts
# private-tmp - problems with multiple browser sessions

# the file dialog needs to work without d-bus
?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
```

What must I add to my profile to fix "Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted"?


EDIT by @rusty-snake: code-block for profile.


@rusty-snake commented on GitHub (Nov 22, 2019):

Probably you need to drop `caps.drop all`.


@rusty-snake commented on GitHub (Nov 22, 2019):

> **--caps.drop=capability,capability,capability**
> Define a custom blacklist Linux capabilities filter.
>
> **--caps.keep=capability,capability,capability**
> Define a custom whitelist Linux capabilities filter.


@rusty-snake commented on GitHub (Nov 22, 2019):

`caps.keep CAPS` means remove all caps except the ones listed in CAPS.


@ghost commented on GitHub (Nov 22, 2019):

I also have problems running a video-slot game on an online casino.

The game opened, but no connection to the game server.

Is there a way to fix that in the Opera.profile, maybe CAPS?


@ghost commented on GitHub (Nov 22, 2019):

Without FireJail, the online game works.


@rusty-snake commented on GitHub (Nov 22, 2019):

> maybe CAPS?

Try removing all `caps*` lines. Probably it is `--dns=...`; maybe this site wants the ISP's DNS. Does it work with `firejail --noprofile opera`? What firejail version do you use?


@ghost commented on GitHub (Nov 22, 2019):

```
firejail --noprofile --private --dns=84.200.69.80 --dns=84.200.70.40 opera
```

loads...
but same problem.

I suppose it could also be in connection with my Opera AppArmor profile.

Which CAPS do I need for network in my Opera FireJail profile? Idea?

In Opera AppArmor profile:

```
network tcp,
network inet stream,

network udp,
network inet dgram,
```

Maybe I made a mistake or forgot to add something.

```
firejail version 0.9.58.2

Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
```


@rusty-snake commented on GitHub (Nov 22, 2019):

> Which CAPS do I need for network in my Opera FireJail profile? Idea?

See `man capabilities` for what caps are and which exist, but I don't think that caps are the issue here.

> In Opera AppArmor profile:

IPv6?

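An added example, not code from the firejail project or from anyone in this thread, that serves both the `caps.keep CAPS` explanation earlier in the thread and the question here about which caps networking needs: it decodes the capability masks from `/proc/<pid>/status` so you can see exactly what a profile's `caps.drop` / `caps.keep` lines left in place and confirm or rule out caps as the cause. It assumes a Linux `/proc` and a POSIX shell; the capability bit numbers come from `<linux/capability.h>`, and only the ones most relevant to sandboxing and networking are named (the rest print as `cap_<N>`).

```shell
#!/bin/sh
# Added example (not from the firejail project). Decodes CapBnd/CapEff masks
# from /proc/<pid>/status into capability names.

# Capability bit number -> name, per <linux/capability.h> (subset named).
cap_name() {
    case "$1" in
        0)  echo chown ;;
        1)  echo dac_override ;;
        2)  echo dac_read_search ;;
        3)  echo fowner ;;
        5)  echo kill ;;
        6)  echo setgid ;;
        7)  echo setuid ;;
        8)  echo setpcap ;;
        10) echo net_bind_service ;;
        11) echo net_broadcast ;;
        12) echo net_admin ;;
        13) echo net_raw ;;
        16) echo sys_module ;;
        17) echo sys_rawio ;;
        18) echo sys_chroot ;;
        19) echo sys_ptrace ;;
        21) echo sys_admin ;;
        *)  echo "cap_$1" ;;
    esac
}

# decode_caps HEXMASK -> space-separated names, lowest bit first.
# HEXMASK is the 16-hex-digit value printed after CapBnd:/CapEff: in
# /proc/<pid>/status (e.g. 0000000000240000).
decode_caps() {
    mask=$(( 0x$1 ))
    i=0
    out=""
    # 41 capability bits are defined as of CAP_CHECKPOINT_RESTORE (40).
    while [ "$i" -le 40 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out}${out:+ }$(cap_name "$i")"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# show_caps [PID] -> prints the decoded bounding and effective sets of PID
# (default: this shell). For an unprivileged user CapEff is normally all
# zeros already; the set that firejail's caps.drop/caps.keep changes is
# CapBnd, and a setuid helper started inside the sandbox can only gain
# capabilities that are still in CapBnd.
show_caps() {
    pid=${1:-$$}
    for field in CapBnd CapEff; do
        hex=$(awk -v f="$field:" '$1 == f { print $2 }' "/proc/$pid/status")
        printf '%s: %s\n' "$field" "$(decode_caps "$hex")"
    done
}

# Inspect the calling shell's own sets when run directly on Linux.
if [ -r "/proc/$$/status" ]; then show_caps; fi
```

To check what a profile leaves in place, read the mask from inside the sandbox and feed it to `decode_caps`: for example `firejail --caps.keep=sys_admin,sys_chroot sh -c 'grep CapBnd /proc/self/status'` should print a mask that decodes to just `sys_chroot sys_admin`, while a sandbox with `caps.drop all` decodes to an empty set. Because CapEff is already empty for an ordinary user, comparing CapBnd between the two runs is the meaningful check.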

@ghost commented on GitHub (Nov 22, 2019):

I don't use IPv6 so I deny it in Opera AppArmor profile:

```
deny network inet6 stream,
deny network inet6 dgram,

audit deny "@{PROC}/[0-9]*/net/if_inet6" r,
audit deny "@{PROC}/[0-9]*/net/ipv6_route" r,
```

@ghost commented on GitHub (Nov 22, 2019):

I don't know what this error means:

```
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
While handling crash: can't execute crash inspector.
```

Must I add network protocol/network-caps to my Opera FireJail profile?


@rusty-snake commented on GitHub (Nov 22, 2019):

The IPv6 idea was that the site maybe requires IPv6.

The error message looks like the Opera (Chromium) sandbox conflicts with AA or FJ.


@Vincent43 commented on GitHub (Nov 24, 2019):

> I suppose it could also be in connection with my Opera AppArmor profile.

Could you try disabling it? In general, mixing an external AppArmor profile with firejail is not supported and usually leads to trouble. You can use the `--apparmor` option to load the generic AppArmor profile as a companion to firejail. You may also use your external AppArmor profile without firejail.


@ghost commented on GitHub (Nov 28, 2019):

...I have it:

```
firejail --noprofile --nogroups --private=/path-to/ --private-dev --private-tmp --ipc-namespace --machine-id --noroot --caps.drop=all --seccomp --nosound --no3d opera --no-sandbox
```

Must be changed:

`--private=/path-to/`

Any path, for example:

`/home/user/Opera-Jail/`

Re-create the path first:

Example:

`/home/user/Opera-Jail/`


@rusty-snake commented on GitHub (Dec 23, 2019):

@trancemind65
I'm closing here due to inactivity; please feel free to reopen if you have more questions.

Reference: github-starred/firejail#1917