netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Cannot use tap device with --net= #6430

Open bingmatv opened 3 months ago

bingmatv commented 3 months ago
firejail --private --net=ta0 --ip=192.168.5.2 firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 11856, child pid 11859

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-11856       7e:31:a2:4a:0e:f5  192.168.5.2      255.255.255.0    DOWN

(screenshot) And the browser cannot use the proxy. But if I use:

firejail --private firefox

And input the same proxy settings again, it can use the proxy. 192.168.5.1 is the address of ta0 tap device.

rusty-snake commented 3 months ago

I do not get what you want. However, it sounds XY to me. So can you rephrase it: start with the problem you want to solve and then your suggested fix?

glitsj16 commented 3 months ago

Firejail will not try to configure the interface inside the sandbox. Besides --ip, you'll need to specify --netmask and --defaultgw. Have you tried that yet?

bingmatv commented 3 months ago

I added a tap device using the ip command:

ip tuntap add t0 mode tap
ip a add 10.0.0.1/24 dev t0
ip link set t0 up
firejail --private --net=t0 --ip=10.0.0.2/24 --defaultgw=10.0.0.1 ping -c 3 10.0.0.1

Ping says "missing cap_net_raw+p capability or setuid". @glitsj16 @rusty-snake

glitsj16 commented 3 months ago

If your kernel allows unprivileged userns clone:

$ cat ~/.config/firejail/ping.local
include ping-hardened.inc.profile

Otherwise, you can try:

$ cat ~/.config/firejail/ping.local
caps.keep net_raw,setgid,setuid
ignore caps.keep

HTH

bingmatv commented 3 months ago

> If your kernel allows unprivileged userns clone:
>
> $ cat ~/.config/firejail/ping.local
> include ping-hardened.inc.profile
>
> Otherwise, you can try:
>
> $ cat ~/.config/firejail/ping.local
> caps.keep net_raw,setgid,setuid
> ignore caps.keep
>
> HTH

What's the solution for web browsers?

glitsj16 commented 3 months ago

> What's the solution for web browsers?

If this needs the net_raw, setgid and setuid capabilities, you can apply similar 'logic' as above cfr. ping. firefox-common.profile drops all caps via caps.drop all, so an override would look like:

$ cat ~/.config/firejail/firefox.local
caps.keep net_raw,setgid,setuid
ignore caps.drop
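
The two overrides above (ping.local and firefox.local) and the tap setup from the earlier comment are the pieces of one procedure: bring up the tap device on the host, give the sandbox an address, netmask and default gateway in that same subnet, and keep only the capabilities the program needs. The script below is an added example, not code from the firejail project or from anyone in this thread. It assumes the t0 / 10.0.0.0/24 addressing used earlier in the issue; the FJ_* variables, the run/setup_tap/render_local/firejail_cmd function names and the dry-run switch are this example's own. Only firejail options that appear in the thread plus --netmask (the one glitsj16 pointed out) are used.

```shell
#!/usr/bin/env bash
# Added example: host-side tap setup, per-profile .local override and the
# firejail invocation with --net/--ip/--netmask/--defaultgw spelled out.
# FJ_DRY_RUN=1 prints the privileged commands instead of running them.
set -eu

FJ_DRY_RUN="${FJ_DRY_RUN:-0}"
FJ_LOCAL_DIR="${FJ_LOCAL_DIR:-$HOME/.config/firejail}"   # assumed location

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$FJ_DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Dotted-quad IPv4 address -> integer, for the same-subnet check below.
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (24) -> dotted-quad netmask (255.255.255.0) for --netmask.
prefix_to_mask() {
  m=$(( (0xffffffff << (32 - $1)) & 0xffffffff ))
  echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Succeeds when both addresses share the prefix. Firejail does not check
# this for you; a gateway outside the sandbox's subnet is silently unreachable.
same_subnet() {  # same_subnet <ip_a> <ip_b> <prefix_len>
  mask=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# Host side: create the tap device and give it the gateway address.
setup_tap() {  # setup_tap <dev> <gw_ip> <prefix_len>
  run ip tuntap add "$1" mode tap
  run ip addr add "$2/$3" dev "$1"
  run ip link set "$1" up
}

# Render ~/.config/firejail/<profile>.local as in the thread: keep net_raw,
# setgid and setuid, and ignore the profile line that would drop them again
# (caps.drop all in firefox-common.profile; the ping override in the thread
# ignores caps.keep instead).
render_local() {  # render_local <profile>  -> prints the override text
  ignore=caps.drop
  case "$1" in ping) ignore=caps.keep ;; esac
  printf 'caps.keep net_raw,setgid,setuid\nignore %s\n' "$ignore"
}

write_local() {  # write_local <profile>
  mkdir -p "$FJ_LOCAL_DIR"
  render_local "$1" > "$FJ_LOCAL_DIR/$1.local"
}

# Build the firejail command line (simple arguments only; no quoting of
# spaces). --netmask is explicit because the sandbox side of a tap device
# has nothing else to learn it from.
firejail_cmd() {  # firejail_cmd <dev> <ip> <prefix_len> <gw_ip> <program...>
  dev=$1; ip=$2; plen=$3; gw=$4; shift 4
  same_subnet "$ip" "$gw" "$plen" || { echo "gateway $gw is not in $ip/$plen" >&2; return 1; }
  echo firejail --net="$dev" --ip="$ip" --netmask="$(prefix_to_mask "$plen")" --defaultgw="$gw" "$@"
}

# Worked run (FJ_DEMO=1): tap t0 at 10.0.0.1/24 on the host, the sandbox at
# 10.0.0.2, ping the gateway from inside.
if [ "${FJ_DEMO:-0}" = 1 ]; then
  setup_tap t0 10.0.0.1 24
  write_local ping
  run $(firejail_cmd t0 10.0.0.2 24 10.0.0.1 ping -c 3 10.0.0.1)
fi
```

Run with `FJ_DEMO=1 FJ_DRY_RUN=1` first to see every command, then as root for the `ip` steps. Two checks before blaming the sandbox: `ip link show t0` on the host, because a tap device has no carrier until some process holds it open, and the interface table firejail prints at start, which in the first comment of this issue shows the sandbox interface as DOWN; and that the gateway you pass to --defaultgw is the host-side tap address, as firejail_cmd verifies above.
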

bingmatv commented 3 months ago

Will you let firejail automatically apply these settings for --net parameter?

bingmatv commented 2 months ago

> caps.keep net_raw,setgid,setuid
> ignore caps.drop

Doesn't work on

Linux parabola 6.7.4-gnu-1 #1 SMP PREEMPT_DYNAMIC Thu, 08 Feb 2024 16:52:51 +0000 x86_64 GNU/Linux

Parabola is based on Arch Linux, so it may not work on Arch either.