github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #9] Warning: user namespaces not available in the current kernel. #9

New issue

Closed

opened 2026-05-05 04:43:32 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 04:43:32 -06:00

Owner

Originally created by @dmp1ce on GitHub (Aug 10, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/9

I am trying to sandbox firefox but I can still access files that should be blocked like my private ssh key. Is kernel 4 supported?

> firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Warning: user namespaces not available in the current kernel.
Parent pid 5042, child pid 5043
Child process initialized

(process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

parent is shutting down, bye...
> uname -rv
4.1.4-1-ARCH #1 SMP PREEMPT Mon Aug 3 21:30:37 UTC 2015

Originally created by @dmp1ce on GitHub (Aug 10, 2015). Original GitHub issue: https://github.com/netblue30/firejail/issues/9 I am trying to sandbox firefox but I can still access files that should be blocked like my private ssh key. Is kernel 4 supported? ``` > firejail firefox Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/disable-mgmt.inc Reading profile /etc/firejail/disable-secret.inc Reading profile /etc/firejail/disable-common.inc Warning: user namespaces not available in the current kernel. Parent pid 5042, child pid 5043 Child process initialized (process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed parent is shutting down, bye... > uname -rv 4.1.4-1-ARCH #1 SMP PREEMPT Mon Aug 3 21:30:37 UTC 2015 ```

gitea-mirror closed this issue

2026-05-05 04:43:36 -06:00

gitea-mirror commented

2026-05-05 04:43:40 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 10, 2015):

I think you already have a Firefox instance running. By default Firefox keeps only one browser process running. When you start a new Firefox process, it looks for an existing one. If one is found, the new process shuts down, and the existing one opens a new tab or a new window. Use -no-remote Firefox option to force a new sandboxed process.

$ firejail firefox -no-remote

My guess is your first Firefox instance is not running in the sandbox.

User namespace needs to be compiled into the kernel. Do a short check: in a terminal you should be able to see the following files:

/proc/self/uid_map (user id mapping)
/proc/self/gid_map (group id mapping)
/proc/self/ns/user (used for join operations)

@netblue30 commented on GitHub (Aug 10, 2015): I think you already have a Firefox instance running. By default Firefox keeps only one browser process running. When you start a new Firefox process, it looks for an existing one. If one is found, the new process shuts down, and the existing one opens a new tab or a new window. Use -no-remote Firefox option to force a new sandboxed process. ``` $ firejail firefox -no-remote ``` My guess is your first Firefox instance is not running in the sandbox. User namespace needs to be compiled into the kernel. Do a short check: in a terminal you should be able to see the following files: /proc/self/uid_map (user id mapping) /proc/self/gid_map (group id mapping) /proc/self/ns/user (used for join operations)

gitea-mirror commented

2026-05-05 04:43:44 -06:00

Author

Owner

@dmp1ce commented on GitHub (Aug 10, 2015):

You were right about having firefox already open. Now the .ssh directory is blocked. Thanks!

About the "User namespace", Arch has this turned of in the kernel because of security concerns. https://bugs.archlinux.org/task/36969

Here is the lxc configuration on my Arch machine.

> lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

@dmp1ce commented on GitHub (Aug 10, 2015): You were right about having firefox already open. Now the .ssh directory is blocked. Thanks! About the "User namespace", Arch has this turned of in the kernel because of security concerns. https://bugs.archlinux.org/task/36969 Here is the lxc configuration on my Arch machine. ``` > lxc-checkconfig --- Namespaces --- Namespaces: enabled Utsname namespace: enabled Ipc namespace: enabled Pid namespace: enabled User namespace: missing Network namespace: enabled Multiple /dev/pts instances: enabled --- Control groups --- Cgroup: enabled Cgroup namespace: required Cgroup device: enabled Cgroup sched: enabled Cgroup cpu account: enabled Cgroup memory controller: missing Cgroup cpuset: enabled --- Misc --- Veth pair device: enabled Macvlan: enabled Vlan: enabled File capabilities: enabled Note : Before booting a new kernel, you can check its configuration usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig ```

gitea-mirror commented

2026-05-05 04:43:46 -06:00

Author

Owner

@dmp1ce commented on GitHub (Aug 10, 2015):

I am curious though. How does having user namespace turned off effect firejail?

@dmp1ce commented on GitHub (Aug 10, 2015): I am curious though. How does having user namespace turned off effect firejail?

gitea-mirror commented

2026-05-05 04:43:49 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 10, 2015):

Thanks, good to know about Arch. The usual reason to turn it off is the number of bugs and fixes still coming into the kernel for user namespaces feature. The bugs are related to creating a root user in the user namespace. This root user is not fully separated from the real root user.

Firejail does not create a root user in the user namespace. I don't think firejail is affected by the problem, but who knows... User namespace is just a supplementary sandboxing feature, firejail will work fine without it.

@netblue30 commented on GitHub (Aug 10, 2015): Thanks, good to know about Arch. The usual reason to turn it off is the number of bugs and fixes still coming into the kernel for user namespaces feature. The bugs are related to creating a root user in the user namespace. This root user is not fully separated from the real root user. Firejail does not create a root user in the user namespace. I don't think firejail is affected by the problem, but who knows... User namespace is just a supplementary sandboxing feature, firejail will work fine without it.

gitea-mirror referenced this issue

2026-05-05 05:06:26 -06:00

[GH-ISSUE #175] using links in sandboxed firefox #121

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#9

No description provided.

Rows
Columns