[GH-ISSUE #3958] firejail hangs with net parameter #2474

New issue

Closed

opened 2026-05-05 09:09:36 -06:00 by gitea-mirror · 10 comments

gitea-mirror commented 2026-05-05 09:09:36 -06:00

Owner

Copy link

Originally created by @fjthrowaway on GitHub (Feb 8, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3958

Hi,

Bug and expected behavior

some recent arch update must have (partially) broken firejails --net parameter. It used to work fine but now the program just hangs when executed with --net on a bridge device.
For some reason, one of my systemd startup service has no issues starting with --net.
What I have tried so far: downgrade kernel, downgrade networkmanager, downgrade firejail with no success.
I have also encountered #3948 which could be "solved" by downgrading the kernel from 5.10.13 to 5.10.12
I used networkmanager to create the bridge.

No profile and disabling firejail

• What changed calling firejail --noprofile /path/to/program in a terminal?
  nothing changed
• What changed calling the program by path (check which <program> or firejail --list while the sandbox is running)?
  nothing changed

Reproduce
Steps to reproduce the behavior:

1. Run in bash firejail --noprofile --net=br1 --defaultgw=192.168.0.1 --dns=192.168.0.1 --ip=192.168.0.254 --debug sh
2. See error

Autoselecting /bin/bash as shell
Building quoted command line: 'sh' 
Command name #sh#
get interface br1 configuration
MTU of br1 is 1500.
Bridge device br1 at 192.168.0.2/24
Trying 192.168.0.254 ...

3. It just hangs forever.

Environment

• Linux distribution and version (ie output of lsb_release -a, screenfetch or cat /etc/os-release)

cat /etc/os-release
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://www.archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
LOGO=archlinux

• Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)

firejail version 0.9.64.2

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

debug output

Autoselecting /bin/bash as shell
Building quoted command line: 'sh' 
Command name #sh#
get interface br1 configuration
MTU of br1 is 1500.
Bridge device br1 at 192.168.0.2/24
Trying 192.168.0.254 ...

Originally created by @fjthrowaway on GitHub (Feb 8, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/3958 Hi, **Bug and expected behavior** some recent arch update must have (partially) broken firejails --net parameter. It used to work fine but now the program just hangs when executed with --net on a bridge device. For some reason, one of my systemd startup service has no issues starting with --net. What I have tried so far: downgrade kernel, downgrade networkmanager, downgrade firejail with no success. I have also encountered #3948 which could be "solved" by downgrading the kernel from 5.10.13 to 5.10.12 I used networkmanager to create the bridge. **No profile and disabling firejail** - What changed calling `firejail --noprofile /path/to/program` in a terminal? nothing changed - What changed calling the program by path (check `which <program>` or `firejail --list` while the sandbox is running)? nothing changed **Reproduce** Steps to reproduce the behavior: 1. Run in bash `firejail --noprofile --net=br1 --defaultgw=192.168.0.1 --dns=192.168.0.1 --ip=192.168.0.254 --debug sh` 2. See error ``` Autoselecting /bin/bash as shell Building quoted command line: 'sh' Command name #sh# get interface br1 configuration MTU of br1 is 1500. Bridge device br1 at 192.168.0.2/24 Trying 192.168.0.254 ... ``` 3. It just hangs forever. **Environment** - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) ``` cat /etc/os-release NAME="Arch Linux" PRETTY_NAME="Arch Linux" ID=arch BUILD_ID=rolling ANSI_COLOR="38;2;23;147;209" HOME_URL="https://www.archlinux.org/" DOCUMENTATION_URL="https://wiki.archlinux.org/" SUPPORT_URL="https://bbs.archlinux.org/" BUG_REPORT_URL="https://bugs.archlinux.org/" LOGO=archlinux ``` - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) ``` firejail version 0.9.64.2 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` <details><summary> debug output </summary> ``` Autoselecting /bin/bash as shell Building quoted command line: 'sh' Command name #sh# get interface br1 configuration MTU of br1 is 1500. Bridge device br1 at 192.168.0.2/24 Trying 192.168.0.254 ... ``` </details>

gitea-mirror 2026-05-05 09:09:36 -06:00

• closed this issue
• added the
  bug
  label

gitea-mirror commented 2026-05-05 09:09:39 -06:00

Author

Owner

Copy link

@waterlubber commented on GitHub (Feb 12, 2021):

I'm having the same issue. I tried with --noprofile and with various network interfaces. It would occasionally start, but didn't work with any actual interface or bridge interface.

<!-- gh-comment-id:778431685 --> @waterlubber commented on GitHub (Feb 12, 2021): I'm having the same issue. I tried with --noprofile and with various network interfaces. It would occasionally start, but didn't work with any actual interface or bridge interface.

gitea-mirror commented 2026-05-05 09:09:40 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Feb 19, 2021):

We got another report about problems with AppArmor, which automagically resolve upon kernel upgrade to 5.10.16.

If you get a chance, could you confirm the issues persist with a newer kernel?

<!-- gh-comment-id:781728200 --> @smitsohu commented on GitHub (Feb 19, 2021): We got another [report](https://github.com/netblue30/firejail/issues/3987) about problems with AppArmor, which automagically resolve upon kernel upgrade to 5.10.16. If you get a chance, could you confirm the issues persist with a newer kernel?

gitea-mirror commented 2026-05-05 09:09:41 -06:00

Author

Owner

Copy link

@fjthrowaway commented on GitHub (Feb 19, 2021):

I just tried 5.10.16 and had mixed results with it. First few attempts didn't work (i.e. stuck) but then it started working.

The problem is that I can't use 5.10.16 due to bug #3948. I can't enter any sandbox with 5.10.16.

<!-- gh-comment-id:782002418 --> @fjthrowaway commented on GitHub (Feb 19, 2021): I just tried 5.10.16 and had mixed results with it. First few attempts didn't work (i.e. stuck) but then it started working. The problem is that I can't use 5.10.16 due to bug #3948. I can't enter any sandbox with 5.10.16.

gitea-mirror commented 2026-05-05 09:09:43 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Feb 20, 2021):

The problem is that I can't use 5.10.16 due to bug #3948. I can't enter any sandbox with 5.10.16.

Do you see something in the system log?

(only for the record: I cannot reproduce either issue on 5.10.13 kernels of Debian or Fedora, so this looks like something Arch specific)

<!-- gh-comment-id:782610251 --> @smitsohu commented on GitHub (Feb 20, 2021): > The problem is that I can't use 5.10.16 due to bug #3948. I can't enter any sandbox with 5.10.16. Do you see something in the system log? (only for the record: I cannot reproduce either issue on 5.10.13 kernels of Debian or Fedora, so this looks like something Arch specific)

gitea-mirror commented 2026-05-05 09:09:43 -06:00

Author

Owner

Copy link

@fjthrowaway commented on GitHub (Feb 20, 2021):

(only for the record: I cannot reproduce either issue on 5.10.13 kernels of Debian or Fedora, so this looks like something Arch specific)

Could it be this commit?

the other changes seem unrelated

<!-- gh-comment-id:782721049 --> @fjthrowaway commented on GitHub (Feb 20, 2021): > (only for the record: I cannot reproduce either issue on 5.10.13 kernels of Debian or Fedora, so this looks like something Arch specific) [Could it be this commit?](https://github.com/archlinux/svntogit-packages/commit/69cb8c2d2884181e799e67b09d67fcf7944d8408#diff-3e341d2d9c67be01819b25b25d5e53ea3cdf3a38d28846cda85a195eb9b7203a) the other [changes](https://github.com/archlinux/svntogit-packages/commits/packages/linux/trunk) seem unrelated

gitea-mirror commented 2026-05-05 09:09:44 -06:00

Author

Owner

Copy link

@matthew-nichols commented on GitHub (Jul 18, 2021):

I just updated from Pop OS 20.10 to 21.04. 21.04 appears to have this issue while it was working in 20.10.

firejail version 0.9.64.4

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Pop
Description:	Pop!_OS 21.04
Release:	21.04
Codename:	hirsute
$ uname -a
Linux pop-desktop 5.11.0-7620-generic #21~1624379747~21.04~3abeff8-Ubuntu SMP Wed Jun 23 02:34:03 UTC  x86_64 x86_64 x86_64 GNU/Linux

<!-- gh-comment-id:882114211 --> @matthew-nichols commented on GitHub (Jul 18, 2021): I just updated from Pop OS 20.10 to 21.04. 21.04 appears to have this issue while it was working in 20.10. ```$ firejail --version firejail version 0.9.64.4 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is enabled - user namespace support is enabled - X11 sandboxing support is enabled $ lsb_release -a No LSB modules are available. Distributor ID: Pop Description: Pop!_OS 21.04 Release: 21.04 Codename: hirsute $ uname -a Linux pop-desktop 5.11.0-7620-generic #21~1624379747~21.04~3abeff8-Ubuntu SMP Wed Jun 23 02:34:03 UTC x86_64 x86_64 x86_64 GNU/Linux ```

gitea-mirror commented 2026-05-05 09:09:45 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 18, 2021):

@matthew-nichols Latest Firejail release is 0.9.66. You can install that via https://launchpad.net/~deki/+archive/ubuntu/firejail. Would be appreciated if you could confirm your issue with that version.

<!-- gh-comment-id:882123636 --> @ghost commented on GitHub (Jul 18, 2021): @matthew-nichols Latest Firejail release is [0.9.66](https://github.com/netblue30/firejail/releases/latest). You can install that via https://launchpad.net/~deki/+archive/ubuntu/firejail. Would be appreciated if you could confirm your issue with that version.

gitea-mirror commented 2026-05-05 09:09:46 -06:00

Author

Owner

Copy link

@matthew-nichols commented on GitHub (Jul 18, 2021):

Slightly different result (operation not permitted as normal user, hang as root)

$ firejail --net=br0 --noprofile --debug
Autoselecting /bin/bash as shell
Command name #/bin/bash#
get interface br0 configuration
MTU of br0 is 1500.
Bridge device br0 at 192.168.5.9/24
ARP-scan br0, 192.168.5.9/24
IP address range from 192.168.5.1 to 192.168.5.255
Trying 192.168.5.51 ...
Error socket: arp.c:132 arp_check: Operation not permitted
$ sudo firejail --net=br0 --noprofile --debug
sudo firejail --net=br0 --noprofile --debug
Autoselecting /bin/bash as shell
Command name #/bin/bash#
get interface br0 configuration
MTU of br0 is 1500.
Bridge device br0 at 192.168.5.9/24
ARP-scan br0, 192.168.5.9/24
IP address range from 192.168.5.1 to 192.168.5.255
Trying 192.168.5.51 ...

<!-- gh-comment-id:882124247 --> @matthew-nichols commented on GitHub (Jul 18, 2021): Slightly different result (operation not permitted as normal user, hang as root) ``` $ firejail --net=br0 --noprofile --debug Autoselecting /bin/bash as shell Command name #/bin/bash# get interface br0 configuration MTU of br0 is 1500. Bridge device br0 at 192.168.5.9/24 ARP-scan br0, 192.168.5.9/24 IP address range from 192.168.5.1 to 192.168.5.255 Trying 192.168.5.51 ... Error socket: arp.c:132 arp_check: Operation not permitted $ sudo firejail --net=br0 --noprofile --debug sudo firejail --net=br0 --noprofile --debug Autoselecting /bin/bash as shell Command name #/bin/bash# get interface br0 configuration MTU of br0 is 1500. Bridge device br0 at 192.168.5.9/24 ARP-scan br0, 192.168.5.9/24 IP address range from 192.168.5.1 to 192.168.5.255 Trying 192.168.5.51 ... ```

gitea-mirror commented 2026-05-05 09:09:47 -06:00

Author

Owner

Copy link

@minus7 commented on GitHub (Aug 22, 2021):

I observe the same symptoms (firejail hangs on startup at "Trying ..." for a long time and it eventually starting). So far I worked around that by patching out the call to arp_check in net_configure_sandbox_ip.
After some debugging, I think I found the issue: arp_check intends to probe for the configured IP address twice, with a delay of 500ms between ARP requests. But if the interface gets a lot of traffic, the timeout on select doesn't trigger. select may decrease the given timeout value after returning early, but the actual behavior is unspecified by POSIX. And despite the select(2) man page saying that the timeout does get decreased on Linux, that is not the case on my machine.

<!-- gh-comment-id:903245870 --> @minus7 commented on GitHub (Aug 22, 2021): I observe the same symptoms (firejail hangs on startup at "Trying <ip>..." for a long time and it eventually starting). So far I worked around that by patching out the call to `arp_check` in `net_configure_sandbox_ip`. After some debugging, I think I found the issue: `arp_check` intends to probe for the configured IP address twice, with a delay of 500ms between ARP requests. But if the interface gets a lot of traffic, the timeout on `select` doesn't trigger. `select` may decrease the given timeout value after returning early, but the actual behavior is unspecified by POSIX. And despite the select(2) man page saying that the timeout does get decreased on Linux, that is not the case on my machine.

gitea-mirror commented 2026-05-05 09:09:47 -06:00

Author

Owner

Copy link

@minus7 commented on GitHub (Aug 22, 2021):

I'm not sure why it's receiving so many packets, but one reason might be that a recvfrom of fixed length ETH_FRAME_LEN is not correct, assuming the ethernet frames are streamed in on the packet socket and the rest of the frame is not discarded.

<!-- gh-comment-id:903250044 --> @minus7 commented on GitHub (Aug 22, 2021): I'm not sure why it's receiving so many packets, but one reason might be that a recvfrom of fixed length ETH_FRAME_LEN is not correct, assuming the ethernet frames are streamed in on the packet socket and the rest of the frame is not discarded.

gitea-mirror referenced this issue 2026-05-05 10:18:15 -06:00

[PR #2474] [MERGED] Streamline Include comment for relevant profiles #4340

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2474

No description provided.