[PR #2297] [MERGED] enforce nonewprivs instead of seccomp for chroot sandboxes #4258

Closed
opened 2026-05-05 10:16:44 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/2297
Author: @smitsohu
Created: 12/15/2018
Status: Merged
Merged: 12/17/2018
Merged by: @startx2017

Base: master ← Head: patch


📝 Commits (1)

  • 89fa2a7 enforce nonewprivs instead of seccomp for chroot sandboxes

📊 Changes

4 files changed (+43 additions, -46 deletions)

View changed files

📝 src/firejail/main.c (+15 -10)
📝 src/firejail/sandbox.c (+22 -24)
📝 src/firejail/seccomp.c (+0 -6)
📝 src/man/firejail.txt (+6 -6)

📄 Description

Currently users are always able to specify a seccomp filter of their choosing, including for chroot, appimage and overlay sandboxes. For example, Firejail allows me to do something like:

firejail --noprofile --chroot=/somedir --seccomp.drop=merry,christmas

Since the requirement for seccomp looks more or less obsolete now, this PR proposes to remove it entirely and replace it with an explicit nonewprivs enforcement.

There is no security benefit (or harm, AFAICT) in this. It is only about the streamlining of requirements and keeping things easy to explain. While I would regard the patch as ready for merging, I was also hoping to inspire an exchange if it is actually heading in the right direction.

Cheers!


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
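
Added example, not code from the PR or from Firejail: a small C check an auditor could use to confirm that a process has no_new_privs set independently of any seccomp filter, by setting the bit with prctl(2) and by reading the NoNewPrivs and Seccomp fields of /proc/<pid>/status. The function names and the sample status text are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Constructed samples of /proc/<pid>/status text (not captured from a real sandbox). */
const char *SAMPLE_NNP_ONLY = "Name:\tbash\nNoNewPrivs:\t1\nSeccomp:\t0\nSeccomp_filters:\t0\n";
const char *SAMPLE_NEITHER  = "Name:\tbash\nNoNewPrivs:\t0\nSeccomp:\t0\nSeccomp_filters:\t0\n";

/* Return the integer value of a "Key:\t<n>" line in status text, or -1 if the
 * key is absent (the NoNewPrivs field only exists on Linux 4.10 and later). */
int status_field(const char *status, const char *key)
{
    size_t klen = strlen(key);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')  /* exact key, not a prefix */
            return atoi(line + klen + 1);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* 1 only if the status text reports no_new_privs as set; a missing field counts as not set. */
int nnp_enforced(const char *status) { return status_field(status, "NoNewPrivs") == 1; }

/* Set no_new_privs on the calling process and read it back. 1 on success, 0 otherwise. */
int enforce_nnp(void)
{
#ifdef __linux__
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 0;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
#else
    return 0;  /* no_new_privs is a Linux feature */
#endif
}

int main(void)
{
    char buf[8192] = {0};
    int ok = enforce_nnp();
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f); }
    printf("prctl set and readback: %d\n", ok);
    printf("live NoNewPrivs=%d Seccomp=%d\n", status_field(buf, "NoNewPrivs"), status_field(buf, "Seccomp"));
    return 0;
}
```

The bit is inherited across fork and execve and cannot be cleared once set, so checking it on any process inside a sandbox is sufficient.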
