Open biergaizi opened 7 years ago
Even without the grsecurity specific bit, I think adding an option to manually select the interface type is a good idea, both for completeness/testing, and because there are paranoid people like me who manually set permissions on /sys to deny access for unprivileged users even though we're not using grsecurity kernels.
Anything to go here?
@rusty-snake Nothing. Perhaps I should submit a patch then?
Grsecurity, Firejail and Bridge Networking
This issue is intended to document a problem on Grsecurity's kernel. It is not an issue of firejail at all. I just want to document this issue to help others who may encounter the same problem in the future.
firejail is a sandboxing program which utilizes the namespace functionality of the Linux kernel.
One of its features is creating an isolated network namespace,
Unfortunately, it doesn't work with a Grsecurity kernel. If firejail is executed as root instead, it will work as expected.
From the debug log, we observe a veth interface is created by firejail for networking under normal operations, but a macvlan is created instead on a Grsecurity kernel without root.
Inspecting the source code, we identified the source of the problem in network_main.c.
firejail relies on information from /sys/class/net to decide whether it is a bridge device or an Ethernet interface. If CONFIG_GRKERNSEC_SYSFS_RESTRICT is enabled on a Grsecurity kernel, these files will be inaccessible to regular users to prevent information leaks.
The solution is to disable CONFIG_GRKERNSEC_SYSFS_RESTRICT in Grsecurity's kernel configuration. On a desktop system, this option should not be enabled anyway since it creates compatibility issues with many desktop programs.
Manually running chmod to hack these permissions is another solution. Since /sys/class/net contains symbolic links to other directories, permissions of other directories, such as /sys/devices/virtual/net, should also be changed.
Since hiding /sys is generally desirable on security-focused production servers, an alternative approach is to change the source code of firejail if feasible, e.g. add an option to allow users to choose the interface type.
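
The /sys/class/net lookup described in the post, as an added example (not firejail's code and not part of the original issue): a probe that reports "bridge", "not a bridge" or "unknown" separately, so an unreadable sysfs is not mistaken for a plain Ethernet interface. The names classify_if and make_fixture, the temporary fixture tree under /tmp, and EACCES as the errno a hidden sysfs returns are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum if_kind { IF_BRIDGE, IF_NOT_BRIDGE, IF_UNKNOWN };

/* Probe <sysroot>/<dev>/bridge (sysroot is normally /sys/class/net) and keep
 * "attribute absent" apart from "not allowed to look". */
enum if_kind classify_if(const char *sysroot, const char *dev)
{
    char path[512];
    struct stat s;
    int n = snprintf(path, sizeof(path), "%s/%s/bridge", sysroot, dev);
    if (n < 0 || (size_t)n >= sizeof(path))
        return IF_UNKNOWN;
    if (stat(path, &s) == 0)
        return IF_BRIDGE;
    /* Only a definite "no such entry" means the device is not a bridge.
     * EACCES (assumed errno for a hidden sysfs) and other errors are unknown. */
    return (errno == ENOENT || errno == ENOTDIR) ? IF_NOT_BRIDGE : IF_UNKNOWN;
}

/* Constructed fixture, not real sysfs: br0 is a bridge, eth0 is not, and br1
 * is a bridge whose directory is mode 000 to mimic a restricted /sys. */
int make_fixture(char *root, size_t len)
{
    const char *dirs[] = { "", "/br0", "/br0/bridge", "/eth0", "/br1", "/br1/bridge" };
    char p[512];
    snprintf(root, len, "/tmp/sysfs-demo-%ld", (long)getpid());
    for (size_t i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
        snprintf(p, sizeof(p), "%s%s", root, dirs[i]);
        if (mkdir(p, 0755) != 0) return -1;
    }
    snprintf(p, sizeof(p), "%s/br1", root);
    return chmod(p, 0); /* root bypasses this, so run the demo unprivileged */
}

int main(void)
{
    static const char *names[] = { "bridge", "not a bridge", "unknown" };
    const char *devs[] = { "br0", "eth0", "br1" };
    char root[64];
    if (make_fixture(root, sizeof(root)) != 0) return 1;
    for (int i = 0; i < 3; i++)
        printf("%s: %s\n", devs[i], names[classify_if(root, devs[i])]);
    return 0;
}
```

A caller that receives IF_UNKNOWN can stop and ask for an explicit interface type instead of picking one.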