[GH-ISSUE #5480] vscodium: cannot use sudo nor ssh #3012

Closed
opened 2026-05-05 09:39:48 -06:00 by gitea-mirror · 11 comments

Originally created by @g4njawizard on GitHub (Nov 23, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5480

Hi,
I am still a noob in terms of firejail configuration.
I have AppArmor and Firejail enabled and I can use them with firefox or thunderbird, but when I try to use codium, I have some problems.
When I run codium with the default profile, codium is way too restricted.
I can't sudo, nor access .ssh or other directories that are important for my tests or for pushing to GitHub etc.
So I've built a custom profile with whitelistings.
Unfortunately I cannot start codium with my custom profile.

my profile:

# Save this file as "application.profile" (change "application" with the
# program name) in ~/.config/firejail directory. Firejail will find it
# automatically every time you sandbox your application.
#
# Run "firejail application" to test it. In the file there are
# some other commands you can try. Enable them by removing the "#".

# Firejail profile for codium
# Persistent local customizations
include codium.local
# Persistent global definitions
include globals.local

### Basic Blacklisting ###
### Enable as many of them as you can! A very important one is
### "disable-exec.inc". This will make among other things your home
### and /tmp directories non-executable.
#include disable-common.inc	# dangerous directories like ~/.ssh and ~/.gnupg
#include disable-devel.inc	# development tools such as gcc and gdb
#include disable-exec.inc	# non-executable directories such as /var, /tmp, and /home
#include disable-interpreters.inc	# perl, python, lua etc.
include disable-programs.inc	# user configuration for programs such as firefox, vlc etc.
#include disable-shell.inc	# sh, bash, zsh etc.
#include disable-xdg.inc	# standard user directories: Documents, Pictures, Videos, Music

### Home Directory Whitelisting ###
### If something goes wrong, this section is the first one to comment out.
### Instead, you'll have to relay on the basic blacklisting above.
whitelist ${HOME}/.zsh_history
whitelist ${HOME}/.local/bin
whitelist ${HOME}/.zcompdump-mjolnir-5.9.zwc
whitelist ${HOME}/.zcompdump-mjolnir-5.9
whitelist ${HOME}/.oh-my-zsh
whitelist ${HOME}/.zshrc
whitelist ${HOME}/.gitconfig
whitelist ${HOME}/.config/git
whitelist ${HOME}/git
whitelist ${HOME}/.ssh
whitelist ${HOME}/.pki/nssdb
whitelist ${HOME}/.local/share//mime
whitelist ${HOME}/git/.vscode
whitelist ${HOME}/.ssh/.vscode
whitelist ${HOME}/.cache/mesa_shader_cache
whitelist ${HOME}/.Xdefaults-mjolnir
whitelist ${HOME}/.config/VSCodium
whitelist ${HOME}/.vscode-oss
include whitelist-common.inc

### Filesystem Whitelisting ###
whitelist /run/systemd/resolve/io.systemd.Resolve
whitelist /run/udev/control
include whitelist-run-common.inc
whitelist ${RUNUSER}/vscode-ipc-a5c72f62-960e-4857-a8fa-c6a2c097b54d.sock
whitelist ${RUNUSER}/at-spi/bus_0
include whitelist-runuser-common.inc
whitelist /usr/share/zsh
whitelist /usr/share/xfce4
whitelist /usr/share/codium
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

#apparmor	# if you have AppArmor running, try this one!
caps.drop all
ipc-namespace
netfilter
#no3d	# disable 3D acceleration
#nodvd	# disable DVD and CD devices
#nogroups	# disable supplementary user groups
#noinput	# disable input devices
nonewprivs
#noroot
#notv	# disable DVB TV devices
#nou2f	# disable U2F devices
#novideo	# disable video capture devices
protocol unix,inet,inet6,netlink,
#net eth0
netfilter
seccomp !chroot	# allowing chroot, just in case this is an Electron app
shell none
#tracelog	# send blacklist violations to syslog

#disable-mnt	# no access to /mnt, /media, /run/mount and /run/media
private-bin sleep,cat,sed,bash,ps,ssh-add,diff,ls,wc,rm,mkdir,zsh,git,dirname,readlink,id,grep,dash,env,
#private-cache	# run with an empty ~/.cache directory
private-dev
private-etc ssl,zsh,terminfo,gitconfig,passwd,alpine-release,shells,resolv.conf,os-release,debian_version,libva.conf,drirc,nsswitch.conf,hosts,xdg,gtk-3.0,fonts,login.defs,selinux,
#private-lib
#private-tmp
# File accessed in /tmp directory:
# /tmp/ssh-XXXXXXxN7FIE/agent.2530278,/tmp/odin-codium-zsh/.zlogin,/tmp/odin-codium-zsh/.zshenv,/tmp/odin-codium-zsh/.zprofile,/tmp/odin-codium-zsh/.zshrc,/tmp/.org.chromium.Chromium.Kp0z5c,/tmp/.org.chromium.Chromium.UZUvmQ,
#dbus-user none
#dbus-system none

#memory-deny-write-execute

When I try to run codium

user@notebook# codium
Reading profile /home/odin/.config/firejail/codium.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 2517658, child pid 2517659
19 programs installed in 42.63 ms
Warning: skipping gitconfig for private /etc
Warning: skipping alpine-release for private /etc
Warning: skipping libva.conf for private /etc
Warning: skipping drirc for private /etc
Private /etc installed in 33.17 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 198.91 ms
Error: no suitable /usr/bin/codium executable found

Parent is shutting down, bye...

ll /usr/bin/codium
lrwxrwxrwx 1 root root 28 Nov 11 05:17 /usr/bin/codium -> /usr/share/codium/bin/codium

Is there something like a learning mode for profile building, so that I can run codium and Firejail tracks everything the application uses?

firejail version 0.9.70

gitea-mirror 2026-05-05 09:39:48 -06:00: closed this issue; added the notabug label

@smitsohu commented on GitHub (Nov 25, 2022):

Your profile has a commented line #include disable-common.inc, but when you run Firejail it reports Reading profile /etc/firejail/disable-common.inc. So we have a mismatch here. Can you please verify the pasted profile is correct?

It might be easier to adapt the codium profile shipped by Firejail to your needs, rather than build a new profile from scratch (even though that's admittedly more fun). To enable ssh, you probably will need to add include allow-ssh.inc. Maybe it helps to take a look at the other rules in ssh.profile?

Allowing sudo inside a sandbox is quite painful; it is possible to get this running, but you will need to water down the sandbox very significantly. If you are ok with this, add to the profile:

ignore caps.drop all  # from your pasted profile
ignore caps.keep  # capability list from electron.profile is not sufficient for sudo
ignore nonewprivs
ignore protocol  # implemented using seccomp
ignore seccomp
ignore private-bin  # nosuid mount
ignore private-lib  # without private-bin, private-lib is not as automagical, so this needs more tuning
@smitsohu commented on GitHub (Nov 25, 2022):

Is there something like a learning mode for profile building? So I can run codium and firejail tracks everything the application uses?

--build, --trace and --tracelog options do this. But it doesn't work with all applications.

@g4njawizard commented on GitHub (Feb 8, 2023):

odin@mjolnir:~/git/ansible|⇒  codium
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 129439, child pid 129440
Child process initialized in 126.27 ms

I still have the same error, even though it is reading allow-ssh.inc:

2023-02-08 08:45:52.976 [info] Warning: an existing sandbox was detected. /usr/bin/ssh will run without any additional sandboxing features
Error: no suitable /usr/bin/ssh executable found
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The profiles that have been loaded:

user@workstation:~/git/ansible|⇒  cat /etc/firejail/codium.profile 
# Firejail profile alias for VSCodium
# This file is overwritten after every install/update
# Persistent local customizations
include codium.local
# Persistent global definitions
# added by included profile
#include globals.local

# Redirect
include vscodium.profile
user@workstation:~/git/ansible|⇒  cat /etc/firejail/vscodium.profile
# Firejail profile alias for VSCodium
# This file is overwritten after every install/update
# Persistent local customizations
include vscodium.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.VSCodium
noblacklist ${HOME}/.config/VSCodium

# Redirect
include code.profile
include allow-ssh.inc
user@workstation:~/git/ansible|⇒  cat /etc/firejail/code.profile 
# Firejail profile for Visual Studio Code
# This file is overwritten after every install/update
# Persistent local customizations
include code.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt
ignore dbus-user none
ignore dbus-system none

noblacklist ${HOME}/.config/Code
noblacklist ${HOME}/.config/Code - OSS
noblacklist ${HOME}/.vscode
noblacklist ${HOME}/.vscode-oss

# Allows files commonly used by IDEs
include allow-common-devel.inc

nosound

# Disabling noexec ${HOME} for now since it will
# probably interfere with running some programmes
# in VS Code
# noexec ${HOME}
noexec /tmp

# Redirect
include electron.profile
user@workstation:~/git/ansible|⇒  

@ghost commented on GitHub (Feb 8, 2023):

2023-02-08 08:45:52.976 [info] Warning: an existing sandbox was detected. /usr/bin/ssh will run without any additional sandboxing features

This warning might be important to double-check. It usually means that you're using firecfg, which creates symlinks under /usr/local/bin/foo to the firejail binary, usually located at /usr/bin/firejail. Or you've created similar symlinks yourself. Either way, if you have a /usr/local/bin/ssh, try to move it out of the way for testing (temporarily rename it) and post the output from the below command here please:

$ firejail --ignore=quiet /usr/bin/codium
@g4njawizard commented on GitHub (Feb 9, 2023):

codium has now lost its connection to the internet, but I haven't changed the config.

When I move the ssh file and run codium, I see the following:

odin@mjolnir:~|⇒  firejail --ignore=quiet /usr/bin/codium           
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 156435, child pid 156436
Child process initialized in 122.72 ms

Parent is shutting down, bye...

Inside Codium:

> git pull --tags origin main
error: cannot run ssh: No such file or directory
fatal: unable to fork

@kmk3 commented on GitHub (Feb 9, 2023):

@g4njawizard on Feb 9:

codium has now lost its connection to the internet, but I haven't changed
the config.

When I move the ssh file and run codium, I see the following:

odin@mjolnir:~|⇒  firejail --ignore=quiet /usr/bin/codium           
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 156435, child pid 156436
Child process initialized in 122.72 ms

Parent is shutting down, bye...

Inside Codium:

> git pull --tags origin main
error: cannot run ssh: No such file or directory
fatal: unable to fork

The issue appears to be that allow-ssh.inc is being included after (rather than
before) the disable-*.inc files. See also profile.template.

Unless you intend to override an entire profile, it's recommended to put the
changes in a .local file instead of overriding .profile files.

This also makes it easier to see what exactly was changed.

Try this: Remove all modifications from related .profile files in /etc/firejail
and add the following to ~/.config/firejail/code.local:

include allow-ssh.inc
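The ordering rule kmk3 describes above (a noblacklist or allow-*.inc rule only takes effect if Firejail reads it before the blacklist or disable-*.inc rule it is meant to undo, which is why the include belongs in code.local rather than at the end of vscodium.profile, and why smitsohu's earlier advice to adapt the shipped profile through a .local file works) can be checked mechanically. The script below is an added example written for this thread; it is not part of Firejail, and none of its function names (flatten_profile, check_profile_order, make_fixture, apply_fix, search_dirs) exist in the project. It flattens a profile by following include directives, resolving relative names first in ~/.config/firejail and then in /etc/firejail (assumed here to match Firejail's own search order), and reports any allow/noblacklist rule that lands after the first blacklist. The fixture it builds in a temporary directory is a constructed miniature of the /etc/firejail layout posted above, including the user's edit to vscodium.profile; it then applies the fix suggested in this comment and checks again:

```shell
#!/bin/sh
# lint_profile_order.sh: flatten a Firejail profile include chain and flag
# allow-*/noblacklist rules that land AFTER a disable-*/blacklist rule.
# Constructed example for this thread, not part of Firejail.
set -f   # profile lines contain literal globs (e.g. electron*-flag*.conf); never expand them

# flatten_profile FILE SEARCHDIRS
# Prints "<file>TAB<rule>" for every effective rule in the order Firejail would
# read them. "include x" is printed as a marker and then expanded; relative
# includes are resolved against the colon-separated SEARCHDIRS (assumed to be
# ~/.config/firejail then /etc/firejail), and a missing file is skipped
# silently, which is what happens to an absent .local file.
flatten_profile() {
    local file=$1 dirs=$2 line target d found oldifs
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}               # drop comments
        set -- $line; line=$*          # trim and collapse whitespace
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$file" "$line"
        case "$line" in
            include\ *)
                target=${line#include }
                found=
                case "$target" in
                    /*) found=$target ;;
                    *)  oldifs=$IFS; IFS=:
                        for d in $dirs; do
                            if [ -z "$found" ] && [ -r "$d/$target" ]; then found=$d/$target; fi
                        done
                        IFS=$oldifs ;;
                esac
                if [ -n "$found" ]; then flatten_profile "$found" "$dirs"; fi
                ;;
        esac
    done < "$file"
    return 0
}

# check_profile_order PROFILE SEARCHDIRS
# Exit 0 if the order is sane; print each late rule and exit 1 otherwise.
check_profile_order() {
    flatten_profile "$1" "$2" | awk '
        BEGIN { FS = "\t"; bad = 0 }
        $2 ~ /^(blacklist |include disable-)/ { if (closer == "") closer = $2 " (" $1 ")"; next }
        $2 ~ /^(noblacklist |include allow-)/ && closer != "" {
            printf "late rule: %s (%s) comes after %s\n", $2, $1, closer; bad = 1 }
        END { exit bad }'
}

# make_fixture BASE: constructed miniature of the /etc/firejail layout posted in
# the thread, with the user's edit (allow-ssh.inc appended AFTER the redirect to
# code.profile) in vscodium.profile. ${HOME} is kept literal, as in real profiles.
make_fixture() {
    local etc=$1/etc/firejail
    mkdir -p "$etc" "$1/home/.config/firejail"
    printf '%s\n' 'include codium.local' 'include vscodium.profile' > "$etc/codium.profile"
    printf '%s\n' 'include vscodium.local' 'noblacklist ${HOME}/.config/VSCodium' \
        'include code.profile' 'include allow-ssh.inc' > "$etc/vscodium.profile"
    printf '%s\n' 'include code.local' 'include globals.local' \
        'ignore include disable-devel.inc' 'include electron.profile' > "$etc/code.profile"
    printf '%s\n' 'include disable-common.inc' 'include disable-programs.inc' 'seccomp' \
        > "$etc/electron.profile"
    printf '%s\n' 'blacklist ${HOME}/.ssh' 'blacklist ${HOME}/.gnupg' > "$etc/disable-common.inc"
    printf '%s\n' 'blacklist ${HOME}/.config/VSCodium' > "$etc/disable-programs.inc"
    printf '%s\n' 'noblacklist ${HOME}/.ssh' 'whitelist ${HOME}/.ssh' > "$etc/allow-ssh.inc"
}

# apply_fix BASE: revert the edit to the shipped profile and put the include in
# ~/.config/firejail/code.local, which code.profile reads before any disable-*.inc.
apply_fix() {
    grep -v '^include allow-ssh.inc$' "$1/etc/firejail/vscodium.profile" > "$1/vscodium.tmp"
    mv "$1/vscodium.tmp" "$1/etc/firejail/vscodium.profile"
    echo 'include allow-ssh.inc' > "$1/home/.config/firejail/code.local"
}

search_dirs() { printf '%s' "$1/home/.config/firejail:$1/etc/firejail"; }

demo() {
    local base; base=$(mktemp -d)
    make_fixture "$base"
    echo '--- as posted (allow-ssh.inc after code.profile) ---'
    check_profile_order "$base/etc/firejail/codium.profile" "$(search_dirs "$base")" \
        || echo 'FAIL: ~/.ssh stays blacklisted'
    apply_fix "$base"
    echo '--- after moving the include into code.local ---'
    check_profile_order "$base/etc/firejail/codium.profile" "$(search_dirs "$base")" && echo 'OK'
    rm -rf "$base"
}
demo
```

Against a real installation, call `check_profile_order /etc/firejail/codium.profile "$HOME/.config/firejail:/etc/firejail"` once any hand edits to the shipped profiles have been reverted. The linter follows plain include lines only and does not model the ignore keyword or quiet/tracelog options, so treat it as a first check next to the "Reading profile" lines Firejail itself prints, not as a replacement for them.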
@g4njawizard commented on GitHub (Feb 9, 2023):

Thanks for that! SSH works now. Do you know what setting I need to enable network connection for plugins?

@kmk3 commented on GitHub (Feb 9, 2023):

@g4njawizard on Feb 9:

Thanks for that! SSH works now.

No problem.

Do you know what setting I need to enable network connection for plugins?

Warning: networking feature is disabled in Firejail configuration file

Did you change the network option in /etc/firejail/firejail.config?

@g4njawizard commented on GitHub (Feb 9, 2023):

I don't remember if I've set it or if it is the default:

firejail.config:

#network yes
restricted-network yes

Do I have to create a namespace and allow specific programs network access in that namespace?

@kmk3 commented on GitHub (Feb 9, 2023):

@g4njawizard on Feb 9:

I don't remember if I've set it or if it is the default:

firejail.config:

#network yes
restricted-network yes

See the description:

# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no

Do I have to create a namespace and allow specific programs network access in
that namespace?

I don't think so, unless you are doing something firewall-related.

@g4njawizard commented on GitHub (Feb 9, 2023):

You're right. I've done it in the past with the idea of allowing single applications to access the network. But I never configured something in that way and forgot about it.
Thanks for the support!

Reference: github-starred/firejail#3012