[GH-ISSUE #3846] Not able to use netns configuration directive in .profile or .local files #2424

Closed
opened 2026-05-05 09:05:53 -06:00 by gitea-mirror · 3 comments

Originally created by @faern on GitHub (Dec 27, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3846

Bug and expected behavior

$ cat /home/faern/.config/firejail/foobar.profile
netns whatever
$ firejail --profile=foobar
Reading profile /home/faern/.config/firejail/foobar.profile
Error: line 1 in /home/faern/.config/firejail/foobar.profile is invalid

I can use --netns=whatever from the command line. But if I put netns anythinggoes in a profile it says that line of the configuration is invalid. I would expect to be able to set up a profile that persistently joins a network namespace. For many of my jailed programs I want them to always join a given namespace, but if I can't specify that in my program.local override I will have to have separate launcher scripts for them, which is inconvenient and complicates the setup.

Environment
Fedora 33 Workstation

$ firejail --version
firejail version 0.9.64

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- SELinux support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
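The report boils down to the profile parser not recognising a `netns <name>` line the way the command line does. As an added illustration (not firejail's code; the directive handling and the `check_netns` name rule here are a hypothetical stand-in), this parser accepts the directive from a `.profile`/`.local` file and refuses names that could not be a plain namespace name, such as empty names or anything with a path component, before they are ever used:

```python
import re
from typing import Optional

# Assumption (ours, not firejail's): a namespace name is a single path
# component, so "/" and ".." can never turn into a path under /run/netns.
_NETNS_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class ProfileError(ValueError):
    """Raised for a profile line that cannot be applied."""


def check_netns(name: str) -> str:
    """Validate a network namespace name taken from a profile line."""
    if name in ("", ".", "..") or not _NETNS_NAME.match(name):
        raise ProfileError(f"invalid netns name {name!r}")
    return name


def parse_profile_line(line: str, lineno: int, fname: str) -> Optional[dict]:
    """Recognise the network directives this example cares about."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None  # blank line or comment
    if stripped.startswith("netns "):
        # Same shape as the proposed patch: skip the keyword, validate the rest.
        return {"netns": check_netns(stripped[6:].strip())}
    if stripped == "net none":
        return {"net": None}
    if stripped.startswith("net "):
        return {"net": stripped[4:].strip()}
    # Anything else is reported the way the bug report shows it.
    raise ProfileError(f"line {lineno} in {fname} is invalid")


def parse_profile(text: str, fname: str = "constructed.profile") -> dict:
    """Parse a whole profile text (constructed input) into a settings dict."""
    cfg: dict = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        item = parse_profile_line(line, lineno, fname)
        if item:
            cfg.update(item)
    return cfg
```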

@rusty-snake commented on GitHub (Dec 28, 2020):

Untested:

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ff8b4710..fe9d27ff 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -616,6 +616,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
                else
                        warning_feature_disabled("networking");
+#endif
+               return 0;
+       }
+       else if (strncmp(ptr, "netns  ", 6) == 0) {
+#ifdef HAVE_NETWORK
+               if (checkcfg(CFG_NETWORK)) {
+                       arg_netns = ptr + 6;
+                       check_netns(arg_netns);
+               }
+               else
+                       warning_feature_disabled("networking");
 #endif
                return 0;
        }
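Review bot: `arg_netns = ptr + 6;` keeps a pointer into the line buffer passed to profile_check_line rather than a copy, so please confirm that this buffer outlives the parse (the namespace is only joined later); if it does not, `strdup` the name before storing it. Minor nit in the same hunk: the literal in `strncmp(ptr, "netns  ", 6)` is shown with two spaces after `netns` while the length is 6, so only `"netns "` is ever compared; make the literal match the length to avoid confusing the next reader.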

@faern commented on GitHub (Dec 28, 2020):

Is this really an enhancement rather than a bug? Are not all CLI arguments supposed to be possible to specify in the profiles also?


@rusty-snake commented on GitHub (Dec 28, 2020):

Interesting question. I considered it as "not implemented yet". Let's see what differences we have with other commands. (These greps are incomplete and wrong. Their only intention is to provide a first overview.)

grep "strncmp(ptr, " src/firejail/profile.c | grep -oE "\".*\"" | sed -e "s/ \"//g" -e "s/\"//g" | sort -u > prfl
bind
blacklist
blacklist-nolog
caps.drop
caps.keep
cgroup
cpu
dbus-system.broadcast
dbus-system.call
dbus-system.own
dbus-system.see
dbus-system.talk
dbus-user.broadcast
dbus-user.call
dbus-user.own
dbus-user.see
dbus-user.talk
defaultgw
dns
env
hostname
hosts-file
ignore
include
ip
ip6
iprange
join-or-start
mac
mkdir
mkfile
mtu
name
net
netfilter
netfilter6
netmask
netns 
nice
noblacklist
noexec
nowhitelist
overlay-named
private
private-bin
private-cwd
private-etc
private-home
private-lib
private-opt
private-srv
protocol
quiet
read-only
read-write
rlimit
rlimit-as
rlimit-cpu
rlimit-fsize
rlimit-nofile
rlimit-nproc
rlimit-sigpending
rmenv
seccomp
seccomp.32
seccomp.32.drop
seccomp.32.keep
seccomp.drop
seccomp-error-action
seccomp.keep
timeout
tmpfs
veth-name
whitelist
xephyr-screen
grep "strncmp(argv\[i\]" src/firejail/main.c | grep -oE "\--.*=\"" | sed -e "s/--//g" -e "s/=\"//g" | sort -u > cli
apparmor.print
audit
bandwidth
bind
blacklist
caps.drop
caps.keep
caps.print
cat
cgroup
chroot
cpu
cpu.print
dbus-log
dbus-system.broadcast
dbus-system.call
dbus-system.own
dbus-system.see
dbus-system.talk
dbus-user.broadcast
dbus-user.call
dbus-user.own
dbus-user.see
dbus-user.talk
defaultgw
dns
dns.print
env
fs.print
get
hostname
hosts-file
ignore
include
interface
ip
ip6
iprange
join
join-filesystem
join-network
join-or-start
ls
mac
mtu
name
net
netfilter
netfilter6
netfilter6.print
netfilter.print
netmask
netns
net.print
nice
noblacklist
noexec
nowhitelist
overlay-named
private
private-bin
private-cwd
private-etc
private-home
private-opt
private-srv
profile
profile.print
protocol
protocol.print
put
read-only
read-write
rlimit-as
rlimit-cpu
rlimit-fsize
rlimit-nofile
rlimit-nproc
rlimit-sigpending
rmenv
seccomp
seccomp.32
seccomp.32.drop
seccomp.32.keep
seccomp.drop
seccomp-error-action
seccomp.keep
seccomp.print
shell
shutdown
timeout
tmpfs
trace
tunnel
veth-name
whitelist
xephyr-screen
diff prfl cli
0a1,3
> apparmor.print
> audit
> bandwidth
3d5
< blacklist-nolog
5a8,9
> caps.print
> cat
6a11
> chroot
7a13,14
> cpu.print
> dbus-log
19a27
> dns.print
20a29,30
> fs.print
> get
24a35
> interface
27a39,41
> join
> join-filesystem
> join-network
28a43
> ls
30,31d44
< mkdir
< mkfile
36a50,51
> netfilter6.print
> netfilter.print
38c53,54
< netns 
---
> netns
> net.print
49d64
< private-lib
51a67,68
> profile
> profile.print
53c70,71
< quiet
---
> protocol.print
> put
56d73
< rlimit
70a88,90
> seccomp.print
> shell
> shutdown
72a93,94
> trace
> tunnel

Some cli-only like audit, *.print, cat, put, ls, get, join, noprofile, ... are right of course. Others like chroot, dbus-log, interface, bandwidth, shell or on profile-only side mkdir, mkfile, blacklist-nolog make sense to be implemented in cli and profile.
