[GH-ISSUE #1246] grsec: user can not create network interfaces #847

Closed
opened 2026-05-05 06:58:29 -06:00 by gitea-mirror · 4 comments

Originally created by @voidzero on GitHub (Apr 26, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1246

I'm trying to start a httpd (caddy) on kernel 4.9.22-hardened (Gentoo) and firejail 0.9.44.10, as a regular user, via the following command:

```
$ firejail --name=caddy --noprofile --noroot --seccomp --caps --machine-id --hostname=caddy --shell=none --net=vbr0 --mac=02:00:14:00:00:28 --veth-name=caddy --ip=10.20.0.40/27 --dns=8.8.8.8 caddy -conf ~/etc/caddy/Caddyfile4
Parent pid 128009, child pid 128010

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP
eth0-128009      02:00:14:00:00:28  10.20.0.40       255.255.255.224  DOWN
DNS server 8.8.8.8

Child process initialized
```

vbr0 does exist on the host and has IP 10.20.0.33/27.

If I run firejail with sudo (just to experiment), the veth pair is created and bound correctly to the bridge. But as a user this does not happen, even when the kernel.grsecurity sysctls are all set to disable, and with kernel.pax.softmode=1 it does not work for the regular user.

The user does have /proc access (a restriction that is possible on grsecurity is to only allow users full access to /proc when they are in a certain group - this user is a member of that group.)

If I start the firejail with zsh, inside the user namespace, I see that 'ip link list' does show the ethernet device:

```
% ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0-128048@if18: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:14:00:00:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
```

But on the host, nothing.

dmesg shows:

```
kernel: device vbr0 entered promiscuous mode
kernel: IPv6: ADDRCONF(NETDEV_UP): eth0-127997: link is not ready
```

Hope we can find a way to enable this, I'd love to be able to run this httpd inside of a firejail.
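One way to confirm where the veth pair breaks, as an added diagnostic that is not part of this issue or of firejail: the `@if18` suffix on the sandbox's interface is the ifindex of the veth peer in the namespace named by `link-netnsid` (0, the host here), so the host side can be checked for an interface with that index enslaved to the bridge. The `ip link` and `bridge link show` samples below are constructed to match the report; the host-side interface name `caddy` follows the `--veth-name=caddy` option above.

```shell
#!/bin/sh
# Extract the host-side ifindex of the veth peer from the sandbox's `ip link`
# output: "eth0-<pid>@if<N>" means the peer is ifindex N in link-netnsid's netns.
peer_ifindex() {
    # $1: text of `ip link` as seen inside the sandbox
    printf '%s\n' "$1" | sed -n 's/^[0-9]*: eth0-[0-9]*@if\([0-9]*\):.*/\1/p'
}

# Check host-side `bridge link show` output for that ifindex with the expected master.
bridge_has_member() {
    # $1: text of `bridge link show` on the host, $2: ifindex, $3: bridge name
    printf '%s\n' "$1" | grep -q "^$2: .* master $3 "
}

# Constructed sandbox output, matching the report above.
SANDBOX_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0-128048@if18: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:14:00:00:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

# Constructed host output for the working (sudo) case: peer 18 enslaved to vbr0 ...
HOST_BRIDGE_OK='18: caddy@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vbr0 state forwarding priority 32 cost 2'
# ... and for the failing (unprivileged, grsec) case: the bridge has no such member.
HOST_BRIDGE_BAD=''

# Returns 0 when the host end is on the bridge, 1 when it is missing on the
# host, 2 when the sandbox itself shows no veth.
diagnose() {
    # $1: sandbox `ip link` text, $2: host `bridge link show` text, $3: bridge name
    idx=$(peer_ifindex "$1")
    [ -n "$idx" ] || { echo "no veth visible inside the sandbox"; return 2; }
    if bridge_has_member "$2" "$idx" "$3"; then
        echo "peer ifindex $idx is enslaved to $3"
        return 0
    fi
    echo "peer ifindex $idx not found on $3: host side of the veth pair is missing"
    return 1
}

diagnose "$SANDBOX_IP_LINK" "$HOST_BRIDGE_OK" vbr0
diagnose "$SANDBOX_IP_LINK" "$HOST_BRIDGE_BAD" vbr0
```

On a live system the two inputs are `ip link` run inside the sandbox and `bridge link show` run on the host; a result of 1 matches the symptom in this report.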

gitea-mirror 2026-05-05 06:58:29 -06:00
  • closed this issue
  • added the bug label

@voidzero commented on GitHub (Apr 26, 2017):

I also made sure that /etc/firejail/firejail.config does not accidentally contain `restricted-networking no`. In other words: "it should work" so there must be something grsec is blocking.

Right now I'm considering to change to a non-grsec enabled kernel just to get this to work.


@SkewedZeppelin commented on GitHub (Apr 30, 2017):

It might be related to CONFIG_GRKERNSEC_SOCKET.
https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Socket_restrictions


@voidzero commented on GitHub (May 6, 2017):

Thank you for the suggestion @SpotComms. I'll check it out, but not soon - I need a server to be available, so for the next round of kernel updates I'll be sure to test.


@netblue30 commented on GitHub (May 9, 2017):

If you still have the problem after testing, I'll reopen it.
