[GH-ISSUE #3451] firejail.config defaults for cgroup/restricted-network and Debian bug 916920 #2168

Closed
opened 2026-05-05 08:50:55 -06:00 by gitea-mirror · 2 comments

Originally created by @ghost on GitHub (Jun 5, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3451

While working on the Debian/Ubuntu [firejail-from-git wiki page](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git#Debian) I remembered a [comment](https://github.com/netblue30/firejail/issues/3420#issuecomment-629850160) from @reinerh on Debian bug [916920](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916920).

If I'm not mistaken the firejail packages from the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail) patch **firejail.config** to set `cgroup no` and `restricted-network yes`. If these are considered insecure (as the bug report suggests), I wonder why we keep `cgroup yes` and `restricted-network no` as our defaults. Thoughts?


@rusty-snake commented on GitHub (Jun 5, 2020):

If we change "restricted-network" we should keep in mind that `net eth0` for example in `firefox.local` or so is silently ignored.


In general disabling firejail-features either in firejail.config or with configure reduces the risk that bugs in this code can be used for priv-esc. On the other hand sandboxes are not so tight when things like whitelist are disabled.

my firejail.config hardening

NOTE: I've disabled some of them also via `./configure --disable-*`.

```
#############
# Hardening #
#############

# Deny apparmor -- using SELinux
apparmor no

# Deny bind -- I don't use this
bind no

# Deny cgroup -- I don't use this
cgroup no

# Deny chroot -- I don't use this/was broken on last try
chroot no

# Force disable-mnt -- moved to locals
#disable-mnt yes

# Disable file transfer -- I don't use this
file-transfer no

# Force nonewprivs -- mitigation against several attacks with suid-bins
# NOTE: programs like wireshark or chrome are not usable anymore with firejail,
# you need bubblewrap or something else.
force-nonewprivs yes

# Deny join
#join no

# Deny name
#name-change no

# Deny net, netfilter and interface -- I don't use this
network no

# Deny overlayfs -- I don't use this
overlayfs no

# Deny private-home -- I don't use this
private-home no

# Deny private-cache
#private-cache no

# Deny private-lib
#private-lib no

# Restrict network features to root only
restricted-network yes

# Deny seccomp
#seccomp no

# Deny noroot
#userns no

# Deny whitelist
#whitelist no

# Deny x11 -- X11 is dead, long live Wayland
x11 no
```
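The two settings the issue asks about (`cgroup`, `restricted-network`) and the hardening values in the comment above, turned into a small audit script. This is an added example, not firejail project code: it reads a firejail.config, reports every option whose effective value differs from the hardened values listed in the comment (an option that is not set at all is reported too, because firejail's built-in default, e.g. `cgroup yes`, then applies), and, when `restricted-network yes` is in effect, lists profile lines such as `net eth0` that the comment says are silently ignored. The file paths, the function names and the assumption that `net none` stays honoured under restricted-network are mine, not taken from the thread.

```shell
#!/usr/bin/env bash
# Added example, not firejail code: audit /etc/firejail/firejail.config
# against the hardening baseline quoted in this issue thread.
set -u

# Baseline taken from the comment above: "option value" per line.
HARDENED_BASELINE="
apparmor no
bind no
cgroup no
chroot no
file-transfer no
force-nonewprivs yes
network no
overlayfs no
private-home no
restricted-network yes
x11 no
"

# Effective value of one option in a firejail.config file.
# Comments and blank lines are skipped; the last "key value" line wins.
# Prints nothing when the option is not set (firejail's default applies).
config_value() {  # $1=config file, $2=option name
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 == key { val = $2 }
    END { print val }' "$1"
}

# Compare a config against the baseline. Prints one line per deviation
# ("option expected=X actual=Y"); returns 1 if anything deviates, else 0.
# An unset option counts as a deviation, since every baseline value
# differs from the shipped default.
audit_config() {  # $1=config file
  local rc=0 key want have
  while read -r key want; do
    [ -z "$key" ] && continue
    have=$(config_value "$1" "$key")
    [ -z "$have" ] && have="(unset)"
    if [ "$have" != "$want" ]; then
      printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
      rc=1
    fi
  done <<EOF
$HARDENED_BASELINE
EOF
  return $rc
}

# With "restricted-network yes", a "net <iface>" line in a profile or
# .local file is silently ignored for non-root users (see the comment in
# this thread). List such lines as file:line:content so they are not
# mistaken for an active restriction. Prints nothing if the option is off.
# Assumption (not stated on this page): "net none" is still honoured, so
# it is not reported.
ignored_net_lines() {  # $1=config file, $2=profile directory
  [ "$(config_value "$1" restricted-network)" = "yes" ] || return 0
  grep -HnE '^[[:space:]]*net[[:space:]]+' "$2"/*.profile "$2"/*.local 2>/dev/null \
    | grep -vE '^[^:]*:[0-9]+:[[:space:]]*net[[:space:]]+none[[:space:]]*$' || true
}

# Usage: bash audit-firejail.sh /etc/firejail/firejail.config /etc/firejail
if [ $# -ge 1 ]; then
  audit_config "$1" || echo "firejail.config deviates from the hardened baseline"
  [ $# -ge 2 ] && ignored_net_lines "$1" "$2"
fi
```

Run it with the live config and profile directory to see which of the thread's hardening knobs are missing on a stock install; a stock Debian config would at least report `cgroup expected=no actual=yes` and `restricted-network expected=yes actual=no`, matching the defaults the issue questions.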

@ghost commented on GitHub (Jun 12, 2020):

Let's close this and stay with current defaults. Users can always change preferences themselves.

Reference: github-starred/firejail#2168