netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.81k stars 567 forks

--ignore=net does not work. Should it? #506

Closed vn971 closed 8 years ago

vn971 commented 8 years ago

Currently, --ignore=net does not ignore a --net command. Should it, by design?

Steps to reproduce: firejail --noprofile --ignore=net --net=none --ignore=net ping 8.8.8.8

Expected: successful ping. Actually: "network unreachable".

pyamsoft commented 8 years ago

Ignore only ignores options specified in profile files, not on the command line.

Because net is entered on the command line, it will not be ignored.

netblue30 commented 8 years ago

Yes, it only ignores commands in profile files.

vn971 commented 8 years ago

@pyamsoft @netblue30 oh, you're right. I don't know how I would prefer things to be (ignore CLI arguments or not), but at least the current behavior is documented, and makes sense. (People rarely concatenate arguments in my experience, although I did.) Closing for now. Thanks.