[GH-ISSUE #5153] Add a profile for Check Point's Ssl Network eXtender (SNX) #2897

Closed
opened 2026-05-05 09:33:43 -06:00 by gitea-mirror · 6 comments

Originally created by @raelschiffler on GitHub (May 20, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5153

I'm having a hard time building a profile for [SSL Network eXtender (SNX)](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65210). I need to sandbox it and, in the same sandbox, run Firefox and another famous private enterprise communication messenger.
Could you help me build this profile?

@raelschiffler commented on GitHub (May 20, 2022):

```
~/.config/firejail$ firejail --build=snx.profile /usr/bin/snx -s mycompanyremoteserver.com -c ~/Documents/vpn_cert.p12
ERROR: ld.so: object '/run/firejail/lib/libtrace.so' from /etc/ld.so.preload cannot be preloaded (wrong ELF class: ELFCLASS64): ignored.
Check Point's Linux SNX
build 800010003
Please enter the certificate's password:

SNX authentication:
Please confirm the connection to gateway: mycompanyremoteservergateway.com
Root CA fingerprint: BLA BLA BLA BLA BLA
Do you accept? [y]es/[N]o:
y
modprobe: FATAL: Module tun not found in directory /lib/modules/5.13.0-41-generic
SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect.
```

@raelschiffler commented on GitHub (May 20, 2022):

After I whitelist /lib/modules/5.13.0-41-generic in the created profile file and run `firejail /usr/bin/snx -s mycompanyremoteserver.com -c ~/Documents/vpn_cert.p12` I get this output with error:

```
Reading profile /home/myuser/.config/firejail/snx.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 18980, child pid 18981
6 programs installed in 7.45 ms
Private /etc installed in 2.33 ms
Private /usr/etc installed in 0.00 ms
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 83.63 ms
Error: no suitable snx executable found

Parent is shutting down, bye...
```

@kmk3 commented on GitHub (Jun 9, 2022):

@raelschiffler commented [on May 20](https://github.com/netblue30/firejail/issues/5153#issuecomment-1132896284):

> After I whitelist /lib/modules/5.13.0-41-generic in the created profile file
> and run `firejail /usr/bin/snx -s mycompanyremoteserver.com -c ~/Documents/vpn_cert.p12` I get this output with error:
>
> ```
> Reading profile /home/myuser/.config/firejail/snx.profile
> Reading profile /etc/firejail/disable-common.inc
> Reading profile /etc/firejail/disable-programs.inc
> Reading profile /etc/firejail/whitelist-usr-share-common.inc
> Reading profile /etc/firejail/whitelist-var-common.inc
> Parent pid 18980, child pid 18981
> 6 programs installed in 7.45 ms
> Private /etc installed in 2.33 ms
> Private /usr/etc installed in 0.00 ms
> Blacklist violations are logged to syslog
> Warning: cleaning all supplementary groups
> Child process initialized in 83.63 ms
> Error: no suitable snx executable found
>
> Parent is shutting down, bye...
> ```

What is the content of snx.profile?

> Error: no suitable snx executable found

This is usually caused by `private-bin` or IIRC `include disable-shell.inc`.

If `private-bin` is used, try to add `snx` to it.
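As an added illustration of the diagnosis above (this is not the profile from the issue nor code from the firejail project): a minimal `snx.profile` of the kind `firejail --build` produces, showing a `private-bin` line that yields `Error: no suitable snx executable found` next to the corrected one. The helper list, the `whitelist` line and the omission of `private-etc` are assumptions about a typical setup; only the `snx` command line and certificate path come from the thread.

```text
# ~/.config/firejail/snx.profile -- added example, not the profile from this issue.
# The helper list and file names below are assumptions about a typical setup.

include disable-common.inc
include disable-programs.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# The certificate passed with -c must be visible inside the sandbox. Note that
# whitelisting any path under ${HOME} hides every other path in ${HOME}.
whitelist ${HOME}/Documents/vpn_cert.p12

# Broken: a private-bin that lists only the shell and a few helpers (assumed
# contents) builds a sandbox /bin without snx, and firejail stops with
# "Error: no suitable snx executable found" before snx ever runs.
#private-bin bash,sh,cat,ls,ip,modprobe

# Corrected: snx itself is in the list. A shell stays in it too, because the
# sandbox has to remain open so Firefox etc. can be started inside it later.
private-bin bash,sh,snx,ip,modprobe

# Start the sandbox as a shell and run snx from that prompt (as the later
# comments in this thread do), rather than using snx as the start command:
#   firejail --profile=~/.config/firejail/snx.profile
#   $ snx -s mycompanyremoteserver.com -c ~/Documents/vpn_cert.p12
# The "Module tun not found" / Virtual Network Adapter failure reported in the
# thread is a separate matter that this fragment does not address.
```

If the sandbox still reports the error with `snx` listed, check whether any `include` line pulls in `disable-shell.inc`, which kmk3 names as the other usual cause.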

@raelschiffler commented on GitHub (Apr 17, 2023):

Hi, after those years I made slow progress on this issue.

The thing is: if you need a connection to be sandboxed you must leave at least a shell prompt to run anything else over this sandboxed connection, like a web browser.

Therefore I was wrong in my approach to the situation: I was trying to run snx as a start command, and it would never work.

Now I'm on the right approach, but facing another issue that may interest @netblue30.

Whenever I run `snx -s mycompanyremoteserver.com -c ~/Documents/vpn_cert.p12` in a bare-metal shell, the expected outcome is:

> Check Point's Linux SNX
> build 800010003
> Please enter the certificate's password:
>
>
> SNX - connected.
>
> Session parameters:
> ===================
> Office Mode IP : PRIVATE INFORMATION
> DNS Server : PRIVATE INFORMATION
> Secondary DNS Server: PRIVATE INFORMATION
> Tertiary DNS Server : PRIVATE INFORMATION
> DNS Suffix : PRIVATE INFORMATION
> Timeout : 4 hours

Now when I run `$ firejail` and the sandboxed shell prompt loads, I try running the same command and the output is:

> Check Point's Linux SNX
> build 800010003
> Please enter the certificate's password:
>
> SNX authentication:
> Please confirm the connection to gateway: PRIVATE INFORMATION
> Root CA fingerprint: PRIVATE INFORMATION
> Do you accept? [y]es/[N]o:
> ySNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect.

Which raises the question these days:
Could firejail support many VPN connections by sandboxing the Virtual Network Adapter?

@raelschiffler commented on GitHub (Apr 17, 2023):

This is the `snx --debug` output.

> ssl_tunnel::send_slim_protocol: working link is 08cefc30
> ssl_link:: send_packet: Entering for 23 bytes
> fwasync_mux_out: 5: sent 0 of 31 bytes == 31 bytes to send
> ckpSSL_do_write: write 31 bytes
> fwasync_mux_out: 5: managed to send 31 of 31 bytes
> fwasync_mux_out: 5: call: 80fa8f0 with 4
> ssl_link_fwasync_client_handler: after sending packet, vola 2
> fwasync_mux_out: 5: rc=1, next: 80fa8f0 with 4, req: 0r, 0w
> ssl_tunnel::slim_connected: setting KA to 20
> ssl_tunnel::prepare_om_config_data: added PRIVATE INFORMATION
> ssl_tunnel::prepare_om_config_data: added PRIVATE INFORMATION
> ssl_tunnel::prepare_om_config_data: added PRIVATE INFORMATION
> ssl_tunnel::prepare_om_config_data: added PRIVATE INFORMATION
> ssl_tunnel::prepare_om_config_data: added PRIVATE INFORMATION
> ssl_tunnel::prepare_om_config_data: More DNS search suffixes configured than we have room for (5). Remaining suffxes 'PRIVATE INFORMATION' ignored.
> ssl_tunnel::prepare_om_config_data: setting search suffix counter to 5
> **om_mngr_allocate_link: called while not initialized initalized**
> ssl_tunnel::om_link_init: failed to allocate om link
> ssl_link_fwasync_client_handler: received packet ok
> fwasync_mux_in: 5: rc=1, next: 80fa8f0 with 3, req: 8r, 0w
> tunnel_stop_handler: called!
> ssl_link:: ~ssl_link: delete link
> ssl_link:: ssl_link_fwasync_end_handler: ending connection
> ssl_tunnel::link_failure_cb: got link failure, close tunnel
> ssl_tunnel::link_failure_cb: scheduling reuse to 2000 milli-seconds
> ssl_tunnel::tunnel_stop: error: Virtual Network Adapter initialization and configuration failed. Try to reconnect.
> snx_mngr:: tunnel_down_cb: tunnel closed - Virtual Network Adapter initialization and configuration failed. Try to reconnect.
>
> snx_mngr:: tunnel_down_cb: quit.

As you can see, there's something about this **om_mngr_allocate_link: called while not initialized initalized**...

@kmk3 commented on GitHub (Apr 17, 2023):

(Offtopic)

@raelschiffler

Please see the following links for how to format code blocks in markdown:

* <https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks>
* <https://github.github.com/gfm/#fenced-code-blocks>