github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #6426] Hardcoded tc command is not found on NixOS #3268

New issue
Closed
opened 2026-05-05 09:52:39 -06:00 by gitea-mirror · 5 comments
gitea-mirror commented 2026-05-05 09:52:39 -06:00
Owner
Copy link

Originally created by @Arcterus on GitHub (Jul 31, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6426

Description

It seems that fshaper.sh hardcodes the path to tc, which causes setting bandwidth to fail on NixOS given that it has neither /sbin nor /usr/sbin. I think this could resolved fairly easily by just letting users set a variable with the path to tc or something like that. Alternatively, you could just allow configuring the path when building the project.

Steps to Reproduce

  1. Use NixOS.
  2. firejail --noprofile --name=blah --net=eth0
  3. firejail --bandwidth=blah set eth0 1 1

Expected behavior

The bandwidth to be set properly.

Actual behavior

An error saying that tc could not be found.

Behavior without a profile

No difference since this is an issue with the script's paths.

Additional context

This is basically the same issue as:

Environment

  • NixOS 24.05
  • Firejail version 0.9.72

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I have performed a short search for similar issues (to avoid opening a duplicate).

Log

Output of LC_ALL=C firejail --bandwidth=blah set enp5s0 1 1 

Switching to pid 5297, the first child process inside the sandbox
Error: traffic control utility (tc) not found

Output of LC_ALL=C firejail --debug --bandwidth=blah set enp5s0 1 1 

Switching to pid 5297, the first child process inside the sandbox
sbox exec: /bin/sh -c /nix/store/w2wdpq3m7qlhg13pwpwq0g80jlqcvwn7-firejail-0.9.72/lib/firejail/fshaper.sh --set eth0-5296 1 1 
Set caps filter 3000
Error: traffic control utility (tc) not found

Originally created by @Arcterus on GitHub (Jul 31, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6426 ### Description It seems that `fshaper.sh` hardcodes the path to `tc`, which causes setting bandwidth to fail on NixOS given that it has neither `/sbin` nor `/usr/sbin`. I think this could resolved fairly easily by just letting users set a variable with the path to `tc` or something like that. Alternatively, you could just allow configuring the path when building the project. ### Steps to Reproduce 1. Use NixOS. 2. `firejail --noprofile --name=blah --net=eth0` 3. `firejail --bandwidth=blah set eth0 1 1` ### Expected behavior The bandwidth to be set properly. ### Actual behavior An error saying that `tc` could not be found. ### Behavior without a profile No difference since this is an issue with the script's paths. ### Additional context This is basically the same issue as: * #3620 ### Environment - NixOS 24.05 - Firejail version 0.9.72 ### Checklist - [x] The issue is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). ### Log <details> <summary>Output of <code>LC_ALL=C firejail --bandwidth=blah set enp5s0 1 1</code></summary> <p> ``` Switching to pid 5297, the first child process inside the sandbox Error: traffic control utility (tc) not found ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug --bandwidth=blah set enp5s0 1 1</code></summary> <p> ``` Switching to pid 5297, the first child process inside the sandbox sbox exec: /bin/sh -c /nix/store/w2wdpq3m7qlhg13pwpwq0g80jlqcvwn7-firejail-0.9.72/lib/firejail/fshaper.sh --set eth0-5296 1 1 Set caps filter 3000 Error: traffic control utility (tc) not found ``` </p> </details>
gitea-mirror 2026-05-05 09:52:39 -06:00
gitea-mirror commented 2026-05-05 09:52:42 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Aug 1, 2024):

Thanks for reporting this. Can you try the below patch and report back if that fixes traffic shaping on NixOS?

$ cat nixos-fshaper.patch
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -3,13 +3,10 @@
 # Copyright (C) 2014-2024 Firejail Authors
 # License GPL v2
 
-TCFILE=""
-if [ -x "/usr/sbin/tc" ]; then
-	TCFILE="/usr/sbin/tc"
-elif [ -x "/sbin/tc" ]; then
-	TCFILE="/sbin/tc";
+if [ "$(command -v tc >/dev/null)" ]; then
+	TCFILE="$(command -v tc)"
 else
-	echo "Error: traffic control utility (tc) not found";
+	echo "Error: traffic control utility (tc) not found"
 	exit 1
 fi
<!-- gh-comment-id:2262188377 --> @ghost commented on GitHub (Aug 1, 2024): Thanks for reporting this. Can you try the below patch and report back if that fixes traffic shaping on NixOS? ```sh $ cat nixos-fshaper.patch --- a/src/fshaper/fshaper.sh +++ b/src/fshaper/fshaper.sh @@ -3,13 +3,10 @@ # Copyright (C) 2014-2024 Firejail Authors # License GPL v2 -TCFILE="" -if [ -x "/usr/sbin/tc" ]; then - TCFILE="/usr/sbin/tc" -elif [ -x "/sbin/tc" ]; then - TCFILE="/sbin/tc"; +if [ "$(command -v tc >/dev/null)" ]; then + TCFILE="$(command -v tc)" else - echo "Error: traffic control utility (tc) not found"; + echo "Error: traffic control utility (tc) not found" exit 1 fi ```
gitea-mirror commented 2026-05-05 09:52:43 -06:00
Author
Owner
Copy link

@Arcterus commented on GitHub (Aug 1, 2024):

No, it's still broken with that patch. I messed around with it a bit, and it looks like the PATH when that script executes is set to /no-such-path, so it can't find tc.

<!-- gh-comment-id:2262537512 --> @Arcterus commented on GitHub (Aug 1, 2024): No, it's still broken with that patch. I messed around with it a bit, and it looks like the `PATH` when that script executes is set to `/no-such-path`, so it can't find `tc`.
gitea-mirror commented 2026-05-05 09:52:43 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Aug 1, 2024):

Thanks for testing!

Here's attempt 2:

$ cat nixos-fshaper.patch
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -7,9 +7,13 @@
 if [ -x "/usr/sbin/tc" ]; then
 	TCFILE="/usr/sbin/tc"
 elif [ -x "/sbin/tc" ]; then
-	TCFILE="/sbin/tc";
+	TCFILE="/sbin/tc"
+elif [ -x "/run/current-system/sw/bin/tc" ]; then
+    TCFILE="/run/current-system/sw/bin/tc"
+elif [ -x "$(readlink -e $(which tc))" ]; then
+    TCFILE="$(readlink -e $(which tc))"
 else
-	echo "Error: traffic control utility (tc) not found";
+	echo "Error: traffic control utility (tc) not found"
 	exit 1
 fi

HTH

<!-- gh-comment-id:2262699980 --> @ghost commented on GitHub (Aug 1, 2024): Thanks for testing! Here's attempt 2: ```sh $ cat nixos-fshaper.patch --- a/src/fshaper/fshaper.sh +++ b/src/fshaper/fshaper.sh @@ -7,9 +7,13 @@ if [ -x "/usr/sbin/tc" ]; then TCFILE="/usr/sbin/tc" elif [ -x "/sbin/tc" ]; then - TCFILE="/sbin/tc"; + TCFILE="/sbin/tc" +elif [ -x "/run/current-system/sw/bin/tc" ]; then + TCFILE="/run/current-system/sw/bin/tc" +elif [ -x "$(readlink -e $(which tc))" ]; then + TCFILE="$(readlink -e $(which tc))" else - echo "Error: traffic control utility (tc) not found"; + echo "Error: traffic control utility (tc) not found" exit 1 fi ``` HTH
gitea-mirror commented 2026-05-05 09:52:44 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 1, 2024):

Suggestion to use PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc instead of this elif cascade.

<!-- gh-comment-id:2262740269 --> @rusty-snake commented on GitHub (Aug 1, 2024): Suggestion to use `PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc` instead of this elif cascade.
gitea-mirror commented 2026-05-05 09:52:44 -06:00
Author
Owner
Copy link

@Arcterus commented on GitHub (Aug 2, 2024):

I'll have to test it later today, but that should work given that it's basically what I did locally to get things functioning. However, I imagine the which command wouldn't be useful for anyone assuming PATH is set to /no-such-path on other distros too.

<!-- gh-comment-id:2265282828 --> @Arcterus commented on GitHub (Aug 2, 2024): I'll have to test it later today, but that should work given that it's basically what I did locally to get things functioning. However, I imagine the `which` command wouldn't be useful for anyone assuming `PATH` is set to `/no-such-path` on other distros too.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3268
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?