[GH-ISSUE #6430] Cannot use tap device with --net= #3271

Open
opened 2026-05-05 09:52:45 -06:00 by gitea-mirror · 8 comments
Originally created by @ghost on GitHub (Aug 2, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6430

~~~
firejail --private --net=ta0 --ip=192.168.5.2 firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 11856, child pid 11859

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP
eth0-11856       7e:31:a2:4a:0e:f5  192.168.5.2      255.255.255.0    DOWN
~~~

![Screenshot_20240802_082623](https://github.com/user-attachments/assets/83966c46-63a0-4c45-9c6c-eb13179ccfc3)
And the browser cannot use the proxy. But if I use:

~~~
firejail --private firefox
~~~

And input the same proxy settings again, it can use the proxy. 192.168.5.1 is the address of ta0 tap device.

gitea-mirror added the networking, needinfo labels 2026-05-05 09:52:45 -06:00

@rusty-snake commented on GitHub (Aug 2, 2024):

I do not get what you want. However it sounds XY to me. So can you rephrase it, start with the problem you want to solve and then your suggested fix.


@ghost commented on GitHub (Aug 2, 2024):

Firejail will not try to configure the interface inside the sandbox. Besides --ip, you'll need to specify --netmask and --defaultgw. Have you tried that yet?


@ghost commented on GitHub (Aug 4, 2024):

I added a tap device using the `ip` command:

~~~
ip tuntap add t0 mode tap
ip a add 10.0.0.1/24 dev t0
ip link set t0 up
firejail --private --net=t0 --ip=10.0.0.2/24 --defaultgw=10.0.0.1 ping -c 3 10.0.0.1
~~~

Ping says missing cap_net_raw+p capability or setuid. @glitsj16 @rusty-snake


@ghost commented on GitHub (Aug 4, 2024):

If your kernel allows `unprivileged userns clone`:

```sh
$ cat ~/.config/firejail/ping.local
include ping-hardened.inc.profile
```

Otherwise, you can try:

```sh
$ cat ~/.config/firejail/ping.local
caps.keep net_raw,setgid,setuid
ignore caps.keep
```

HTH


@ghost commented on GitHub (Aug 20, 2024):

> If your kernel allows `unprivileged userns clone`:
>
> ```shell
> $ cat ~/.config/firejail/ping.local
> include ping-hardened.inc.profile
> ```
>
> Otherwise, you can try:
>
> ```shell
> $ cat ~/.config/firejail/ping.local
> caps.keep net_raw,setgid,setuid
> ignore caps.keep
> ```
>
> HTH

What's the solution for web browsers?


@ghost commented on GitHub (Aug 20, 2024):

> What's the solution for web browsers?

If this needs the _net_raw_, _setgid_ and _setuid_ `capabilities`, you can apply similar 'logic' as above cfr. ping. firefox-common.profile drops all caps via `caps.drop all`, so an override would look like:

```sh
$ cat ~/.config/firejail/firefox.local
caps.keep net_raw,setgid,setuid
ignore caps.drop
```
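The two pieces of advice in this thread, the complete interface configuration (`--ip`, `--netmask`, `--defaultgw`) from the earlier comment and the `.local` capability override from this one, combined into a dry-run helper. This is an added example, not code from this thread or from the firejail project: the function names, the same-subnet check and the capability allowlist are my own, while the override text it writes is exactly the two lines shown in the comment above. It prints the firejail command instead of running it, so it needs neither root nor an existing tap device.

```shell
#!/bin/sh
# Added example, not code from the firejail project or from this thread.
# Dry-run helper for the two steps the thread arrives at:
#   1. hand firejail a complete interface config (--ip, --netmask, --defaultgw),
#      refusing a gateway that is not on the sandbox interface's subnet;
#   2. write the ~/.config/firejail/APP.local capability override, accepting
#      only the three capabilities the thread names.
# Nothing here touches the kernel; the printed command is what you would run.

# ip_to_int A.B.C.D -> dotted quad as a 32-bit integer; non-zero status on junk
ip_to_int() {
    case $1 in *[!0-9.]*|'') return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP NETMASK GW -> true when IP and GW fall in the same network
same_subnet() {
    ip_n=$(ip_to_int "$1") && mask_n=$(ip_to_int "$2") && gw_n=$(ip_to_int "$3") || return 1
    [ $(( ip_n & mask_n )) -eq $(( gw_n & mask_n )) ]
}

# firejail_net_cmd DEV IP NETMASK GW PROG [ARGS...] -> prints the firejail line.
# --netmask and --defaultgw are the arguments the thread says firejail needs,
# because it does not configure the interface inside the sandbox by itself.
firejail_net_cmd() {
    if [ $# -lt 5 ]; then
        echo "usage: firejail_net_cmd DEV IP NETMASK GATEWAY PROG [ARGS...]" >&2
        return 1
    fi
    dev=$1; ip=$2; mask=$3; gw=$4; shift 4
    if ! same_subnet "$ip" "$mask" "$gw"; then
        echo "error: gateway $gw is not reachable from $ip with netmask $mask" >&2
        return 1
    fi
    printf 'firejail --private --net=%s --ip=%s --netmask=%s --defaultgw=%s %s\n' \
        "$dev" "$ip" "$mask" "$gw" "$*"
}

# render_caps_override DIR APP CAPS DIRECTIVE -> writes DIR/APP.local with the
# thread's override: keep CAPS, then ignore the stock profile's DIRECTIVE
# (caps.drop for firefox-common.profile's "caps.drop all", caps.keep for ping).
# CAPS is limited to the three capabilities the thread names; anything broader
# should be a deliberate decision rather than a copy-paste.
render_caps_override() {
    dir=$1; app=$2; caps=$3; directive=$4
    [ -n "$dir" ] && [ -n "$app" ] && [ -n "$caps" ] || return 1
    for c in $(printf '%s' "$caps" | tr ',' ' '); do
        case $c in
            net_raw|setgid|setuid) ;;
            *) echo "refusing to keep capability '$c': not in allowlist" >&2; return 1 ;;
        esac
    done
    case $directive in
        caps.drop|caps.keep) ;;
        *) echo "directive must be caps.drop or caps.keep" >&2; return 1 ;;
    esac
    printf 'caps.keep %s\nignore %s\n' "$caps" "$directive" > "$dir/$app.local"
}

# Stand-alone demo with the thread's ping setup (tap t0 at 10.0.0.1/24):
firejail_net_cmd t0 10.0.0.2 255.255.255.0 10.0.0.1 ping -c 3 10.0.0.1
```

The allowlist is the point of the helper: `caps.keep` re-grants capabilities that `caps.drop all` exists to remove, so an override should name only what the application has actually been shown to need, and the same-subnet check catches the case where `--ip` is set but the gateway cannot be reached from it.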

@ghost commented on GitHub (Aug 24, 2024):

Will you let firejail automatically apply these settings for --net parameter?


@ghost commented on GitHub (Sep 26, 2024):

> ```shell
> caps.keep net_raw,setgid,setuid
> ignore caps.drop
> ```

Doesn't work on

~~~
Linux parabola 6.7.4-gnu-1 #1 SMP PREEMPT_DYNAMIC Thu, 08 Feb 2024 16:52:51 +0000 x86_64 GNU/Linux
~~~

Parabola is based on ArchLinux, so it may not work on Arch too.

Reference: github-starred/firejail#3271