[GH-ISSUE #546] Using both --net=none and --overlay-tmpfs => no access to X11 #382

Closed
opened 2026-05-05 05:44:23 -06:00 by gitea-mirror · 7 comments

Originally created by @laniakea64 on GitHub (May 30, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/546

firejail 0.9.38, Lubuntu 14.04

This command doesn't work:

```
$ firejail --net=none --overlay-tmpfs leafpad
Warning: default profile disabled by --overlay option
Parent pid 9615, child pid 9616
OverlayFS configured in /run/firejail/mnt directory
Warning: failed to unmount /sys

Child process initialized
leafpad: Cannot open display: 

parent is shutting down, bye...
```

If I remove either --net=none or --overlay-tmpfs, it works:

```
$ firejail --overlay-tmpfs leafpad
Warning: default profile disabled by --overlay option
Parent pid 9728, child pid 9729
OverlayFS configured in /run/firejail/mnt directory
Warning: failed to unmount /sys

Child process initialized
```

```
$ firejail --net=none leafpad
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 9780, child pid 9781

Child process initialized
```

Is this a bug? If not, how to use firejail to disable unnecessary Internet access and use --overlay-tmpfs, while keeping access to X11?

gitea-mirror closed this issue and added the bug label (2026-05-05 05:44:23 -06:00).

@chiraag-nataraj commented on GitHub (May 31, 2016):

I think it has something to do with X11 having two sockets - one that listens on the network interface and one that listens through a unix socket in /tmp. --net=none creates a new network namespace and so disables access to the network socket. --overlay-tmpfs (or equivalently --private-tmp) disables access to the unix socket in /tmp. Thus the client cannot connect to the X11 server.

As for how to fix this, you could use --x11 to spawn a new X server.
[EDIT] It seems --x11 only works if I don't use --private-tmp. Trying to figure out a workaround now.

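A quick way to see the situation described in the comment above from inside the sandbox is to probe each X11 transport separately. The script below is an added example for this thread, not code from the firejail project or from the commenter; it derives the candidate transports from DISPLAY (filesystem socket under /tmp/.X11-unix, the Linux abstract unix socket of the same name, and TCP on port 6000 + display number), tries to connect to each, and reports which ones are reachable. Abstract unix sockets are scoped to the network namespace, so --net=none takes that path away together with TCP, and a private or overlay /tmp then removes the only remaining one, the socket file. The directory, port base and DISPLAY forms handled are the conventional Xorg ones and are assumptions of the example, not something the thread states.

```python
# Added example for this thread, not code from the firejail project or from
# the commenters. It probes the three ways an X11 client can reach the server
# and reports which ones are reachable from the current process, so it can be
# run inside a sandbox to see what a client such as leafpad would see:
#     firejail --net=none --overlay-tmpfs python3 x11probe.py
import os
import socket

X11_UNIX_DIR = "/tmp/.X11-unix"   # assumed: conventional Xorg socket directory
X11_TCP_BASE = 6000               # assumed: TCP port is 6000 + display number


def parse_display(display):
    """Split a DISPLAY value into (host, display_number).

    Handles ':0', ':0.1', 'unix:0' and 'localhost:10.0'. The screen suffix
    after '.' is ignored; only host and display number matter for connecting.
    """
    host, sep, rest = display.rpartition(":")
    number = rest.split(".", 1)[0]
    if not sep or not number.isdigit():
        raise ValueError(f"malformed DISPLAY value: {display!r}")
    return host, int(number)


def candidate_transports(display):
    """List (kind, target) pairs a client could use for this DISPLAY.

    For a local display (empty host or 'unix') the candidates are the
    filesystem unix socket, the Linux abstract unix socket with the same
    name (visible only inside the server's network namespace, which is why
    --net=none hides it), and TCP on localhost. A remote host only has TCP.
    """
    host, number = parse_display(display)
    candidates = []
    if host in ("", "unix"):
        path = f"{X11_UNIX_DIR}/X{number}"
        candidates.append(("unix", path))
        candidates.append(("abstract", "\0" + path))
        host = "localhost"
    candidates.append(("tcp", (host, X11_TCP_BASE + number)))
    return candidates


def probe(kind, target, timeout=0.5):
    """Try one transport; return (reachable, detail)."""
    if kind == "unix" and not os.path.exists(target):
        # --private-tmp / --overlay-tmpfs give the sandbox an empty /tmp, so the
        # socket file is simply absent rather than refusing the connection.
        return False, "socket file missing (private or overlay /tmp?)"
    family = socket.AF_UNIX if kind in ("unix", "abstract") else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(target)
        return True, "connected"
    except OSError as exc:
        return False, exc.strerror or str(exc)


def probe_display(display):
    """Probe every candidate transport; return (kind, target, ok, detail) tuples."""
    return [(kind, target, *probe(kind, target))
            for kind, target in candidate_transports(display)]


if __name__ == "__main__":
    display = os.environ.get("DISPLAY", "")
    if not display:
        print("DISPLAY is not set; a client would not even know where to look")
    else:
        for kind, target, ok, detail in probe_display(display):
            shown = (target.replace("\0", "@") if isinstance(target, str)
                     else f"{target[0]}:{target[1]}")
            state = "reachable" if ok else "unreachable"
            print(f"{kind:9} {shown:32} {state}: {detail}")
```

Running it once on the host and once under each of the three firejail command lines from the report makes the difference visible: the failing combination is the one where every candidate comes back unreachable. Which of the candidates a real client library actually tries, and in what order, is up to that library; the script only reports what the process could reach.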

@chiraag-nataraj commented on GitHub (May 31, 2016):

It seems that the problem is that the tmpfs is mounted _after_ creating the new X server, which means the child can't find the server. @netblue30, could you instantiate the tmpfs before running xpra? That way, I think this would be solved (if you use --x11 along with --private-tmp and --net=none).


@netblue30 commented on GitHub (May 31, 2016):

Bug! It happens also on Ubuntu 16.04


@laniakea64 commented on GitHub (May 31, 2016):

Thanks for the insights. Is there a way to work around this without using X11 sandboxing? For example, does using --protocol=unix (which does work in place of --net=none) completely disable network access?


@chiraag-nataraj commented on GitHub (May 31, 2016):

I think so? It seems to work through a cursory test:

```
firejail --noprofile --protocol=unix
ping google.com => Operation not supported
wget google.com => Temporary failure in name resolution
```


@netblue30 commented on GitHub (May 31, 2016):

I put a fix in master branch here on github, now it should work fine.

--protocol=unix is similar to --net=none, unless you run into some DNS problems.

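The cursory ping/wget test two comments up and the "similar to --net=none, unless you run into some DNS problems" remark above can be turned into a repeatable check. The script below is an added example, not code from the firejail project or from either commenter: it asks the kernel for a socket of each address family and records whether the call succeeded and, if not, which errno came back, then compares that against the families the policy was supposed to allow. It also tries a name lookup, because the resolver needs inet sockets to talk to a DNS server, which is the mechanism behind wget's "Temporary failure in name resolution" under --protocol=unix. The family list and the command-line convention (a comma-separated allow list as the first argument) are choices of this example.

```python
# Added example for this thread, not code from the firejail project or from
# the commenters. Verifies a socket-family policy from inside the sandbox:
#     firejail --noprofile --protocol=unix python3 sockcheck.py unix
import errno
import socket
import sys

# (name, family, socket type). AF_NETLINK exists only on Linux, so it is
# looked up with getattr and skipped where absent.
FAMILIES = [
    ("unix", socket.AF_UNIX, socket.SOCK_STREAM),
    ("inet", socket.AF_INET, socket.SOCK_STREAM),
    ("inet6", socket.AF_INET6, socket.SOCK_STREAM),
    ("netlink", getattr(socket, "AF_NETLINK", None), socket.SOCK_RAW),
]


def probe_families(families=None):
    """Try socket(2) once per family; return {name: (created, errno_name)}."""
    results = {}
    for name, family, stype in families or FAMILIES:
        if family is None:
            continue
        try:
            socket.socket(family, stype).close()
            results[name] = (True, "")
        except OSError as exc:
            results[name] = (False, errno.errorcode.get(exc.errno, str(exc.errno)))
    return results


def policy_violations(results, allowed):
    """Names of families that could be created although the policy should block them.

    `allowed` is the set of names given to --protocol, e.g. {"unix"}. Any
    failure counts as blocked; the errno is kept alongside so that an EPERM
    (missing capability) is not mistaken for the "Operation not supported"
    (EOPNOTSUPP) reported in the thread for the filtered families.
    """
    return sorted(name for name, (created, _) in results.items()
                  if created and name not in allowed)


def can_resolve(hostname):
    """Return (ok, error text) for a name lookup; DNS needs inet sockets."""
    try:
        socket.getaddrinfo(hostname, None)
        return True, ""
    except socket.gaierror as exc:
        return False, str(exc)


if __name__ == "__main__":
    allowed = set(sys.argv[1].split(",")) if len(sys.argv) > 1 else None
    results = probe_families()
    for name, (created, err) in results.items():
        print(f"{name:8} {'created' if created else 'blocked':8} {err}")
    ok, err = can_resolve("example.com")   # constructed lookup target
    print(f"resolve  {'ok' if ok else 'failed':8} {err}")
    if allowed is not None:
        bad = policy_violations(results, allowed)
        print("policy violations:", ", ".join(bad) if bad else "none")
        sys.exit(1 if bad else 0)
```

Run once outside the sandbox to see the baseline, then under --protocol=unix; the exit status makes it usable in a script that checks a profile before relying on it.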

@laniakea64 commented on GitHub (Jun 1, 2016):

Confirmed fixed by https://github.com/netblue30/firejail/commit/a81568d4f03a12817ab2b0ad6d52159eb5a9eb10, thanks! 😃