[GH-ISSUE #360] CentOS 7: Cannot mount a new user namespace. Unshare: Invalid argument #257

Closed
opened 2026-05-05 05:26:29 -06:00 by gitea-mirror · 8 comments

Originally created by @jlj2 on GitHub (Mar 9, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/360

Immediately after installing on CentOS 7.2 with `sudo yum localinstall firejail-0.9.38-1.x86_64.rpm`:

```
$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 7614, child pid 7615
Blacklist violations are logged to syslog

Error: cannot mount a new user namespace
unshare: Invalid argument
Error: cannot write to /proc/7615/uid_map: Operation not permitted
Error: cannot establish communication with the parent, exiting...
```

Perhaps some of my hardening has caused this? e.g.

```
sudo chmod 700 /root
sudo rnano -w /etc/sysctl.conf
#Following line added
kernel.exec-shield = 1

sudo rnano -w /etc/fstab
# added 'nosuid,nodev' on home partition

sudo rnano -w /etc/security/limits.conf
#Following line added
*               hard    core         0
```

If the hardening may be to blame, is there a way around this without reversing the hardening?

`$ firejail --seccomp firefox` produces a similar result. Thank you very much for your program; it worked well in another distro.

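The two steps the log above shows failing (creating a user namespace, then writing the child's uid_map) can be reproduced outside firejail with the small probe below. This is an added diagnostic, not firejail's code; `errno_to_hint` and `probe_userns` are names chosen here, and the probe runs in a forked child so the caller's own namespace is left untouched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Map the errno of a failed unshare(CLONE_NEWUSER) or uid_map write to a likely
 * cause: EINVAL (the case in this issue) means the kernel lacks/disables userns. */
const char *errno_to_hint(int err)
{
    switch (err) {
    case 0:      return "ok";
    case EINVAL: return "kernel does not support or has disabled user namespaces (CONFIG_USER_NS)";
    case EPERM:  return "not permitted: a sysctl or LSM policy forbids unprivileged user namespaces";
    case ENOSPC: return "namespace limit reached (/proc/sys/user/max_user_namespaces)";
    default:     return strerror(err);
    }
}

/* Probe both steps in a child. *unshare_err / *uidmap_err receive each step's
 * errno (0 = success; uidmap_err stays 0 when unshare already failed).
 * Returns -1 only if the probe itself (pipe/fork) could not be run. */
int probe_userns(int *unshare_err, int *uidmap_err)
{
    int pipefd[2], res[2] = {0, 0};
    if (pipe(pipefd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char map[64];                       /* "0 <outer uid> 1": map one uid to root */
        int n = snprintf(map, sizeof map, "0 %u 1\n", (unsigned)getuid());
        if (unshare(CLONE_NEWUSER) < 0) {
            res[0] = errno;
        } else {
            int fd = open("/proc/self/uid_map", O_WRONLY);
            if (fd < 0 || write(fd, map, n) != n) res[1] = errno ? errno : EIO;
        }
        _exit(write(pipefd[1], res, sizeof res) == (ssize_t)sizeof res ? 0 : 1);
    }
    close(pipefd[1]);
    ssize_t got = read(pipefd[0], res, sizeof res);
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    if (got != (ssize_t)sizeof res) return -1;
    *unshare_err = res[0]; *uidmap_err = res[1];
    return 0;
}
```

Call `probe_userns()` from a `main` and print `errno_to_hint()` for each step; on the CentOS 7.2 kernel described in this issue the first step is the one that reports EINVAL.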
gitea-mirror 2026-05-05 05:26:29 -06:00 · closed this issue · added the bug label

@netblue30 commented on GitHub (Mar 9, 2016):

Yes, this is a problem with how they implement user namespaces in the 3.10 kernel distributed with CentOS 7. It used to work, but it was broken last month by a kernel update. You'll need to reconfigure firejail code with --disable-userns and recompile:

```
$ cd firejail-source-code-directory
$ ./configure --disable-userns --prefix=/usr
$ make
$ sudo make install
```

In the next version, the rpm packages will be fixed, I'll have a test version out in a few days.


@netblue30 commented on GitHub (Mar 10, 2016):

I put a fix in, disregard my previous comment. Thanks.


@jessfraz commented on GitHub (Aug 17, 2016):

@netblue30 do you have a link to the centos 7 bugzilla for this


@netblue30 commented on GitHub (Aug 18, 2016):

You mean on CentOS website?


@jessfraz commented on GitHub (Aug 18, 2016):

yeah I was trying to find one


@netblue30 commented on GitHub (Aug 20, 2016):

There isn't any, firejail is not included in CentOS, so they don't track firejail bugs.


@jessfraz commented on GitHub (Aug 20, 2016):

Obviously I meant with regard to their messed up user namespaces.

On Saturday, August 20, 2016, netblue30 notifications@github.com wrote:

> There isn't any, firejail is not included in CentOS, so they don't track
> firejail bugs.


@netblue30 commented on GitHub (Aug 20, 2016):

They are still running a 3.10 kernel. I think user namespace went in 3.8, and they've been fixing it ever since - mostly security problems. You really need a much newer kernel to be able to use them.
