Open bingmatv opened 3 months ago
I do not get what you want. However it sounds XY to me. So can you rephrase it, start with the problem you want to solve and then your suggested fix.
Firejail will not try to configure the interface inside the sandbox. Besides --ip, you'll need to specify --netmask and --defaultgw. Have you tried that yet?
I added a tap device using ip command
ip tuntap add t0 mode tap
ip a add 10.0.0.1/24 dev t0
ip link set t0 up
firejail --private --net=t0 --ip=10.0.0.2/24 --defaultgw=10.0.0.1 ping -c 3 10.0.0.1
Ping says missing cap_net_raw+p capability or setuid. @glitsj16 @rusty-snake
If your kernel allows unprivileged userns clone:
$ cat ~/.config/firejail/ping.local
include ping-hardened.inc.profile
Otherwise, you can try:
$ cat ~/.config/firejail/ping.local
caps.keep net_raw,setgid,setuid
ignore caps.keep
HTH
What's the solution for web browsers?
If this needs the net_raw, setgid and setuid capabilities, you can apply similar 'logic' as above cfr. ping. firefox-common.profile drops all caps via caps.drop all, so an override would look like:
$ cat ~/.config/firejail/firefox.local
caps.keep net_raw,setgid,setuid
ignore caps.drop
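To see why the override needs both lines, here is a small model of how a .local file composes with the profile it overrides. This is an added example, not Firejail's own parser or any code from the firejail project; it assumes the stock layout in which the .local file is included at the top of the profile, that `ignore X` suppresses every later line starting with X, and that `caps.keep` whitelists while `caps.drop all` empties the set. The profile excerpts and the capability list are constructed for the example.

```python
"""Simplified model of how a Firejail .local override changes the capability
set of a profile (added example; assumptions are listed in the lead-in)."""

# Constructed, representative subset of Linux capabilities; the model does
# not need the kernel's full list.
ALL_CAPS = frozenset({
    "chown", "dac_override", "kill", "net_admin", "net_bind_service",
    "net_raw", "setgid", "setuid", "sys_admin", "sys_ptrace",
})

# Constructed excerpt standing in for firefox-common.profile.
FIREFOX_COMMON = [
    "# excerpt of the base profile (constructed)",
    "caps.drop all",
    "netfilter",
]

# The override shown in the thread (~/.config/firejail/firefox.local).
FIREFOX_LOCAL = [
    "caps.keep net_raw,setgid,setuid",
    "ignore caps.drop",
]


def parse_profile(lines):
    """Return (command, argument) pairs in order, honouring `ignore`.

    An `ignore <prefix>` line drops every *later* line whose text starts
    with that prefix (assumed semantics, see lead-in)."""
    ignored = []
    commands = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):].strip())
            continue
        if any(line.startswith(prefix) for prefix in ignored):
            continue
        cmd, _, arg = line.partition(" ")
        commands.append((cmd, arg.strip()))
    return commands


def effective_caps(commands):
    """Apply caps.keep / caps.drop in order and return the remaining set."""
    caps = set(ALL_CAPS)
    for cmd, arg in commands:
        if cmd == "caps.drop":
            caps = set() if arg == "all" else caps - set(arg.split(","))
        elif cmd == "caps.keep":
            # Whitelist: keep only the named capabilities.
            caps = set(ALL_CAPS) & set(arg.split(","))
    return frozenset(caps)


def compose(local_lines, base_lines):
    """Stock layout: the .local include comes first, then the base profile."""
    return effective_caps(parse_profile(list(local_lines) + list(base_lines)))


if __name__ == "__main__":
    print("base only        :", sorted(compose([], FIREFOX_COMMON)))
    print("with .local      :", sorted(compose(FIREFOX_LOCAL, FIREFOX_COMMON)))
    # Without `ignore caps.drop` the base profile's `caps.drop all` still
    # runs after the whitelist and empties it again.
    print("caps.keep alone  :", sorted(compose(FIREFOX_LOCAL[:1], FIREFOX_COMMON)))
```

The third case is the one to watch for: a `caps.keep` line on its own is silently undone by the base profile's `caps.drop all`, so the sandbox ends up with no capabilities and the tool fails in the same way as before. With `ignore caps.drop` in place the result is the three capabilities named and nothing else, which is the narrowest grant that makes raw sockets work.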
Will you let firejail automatically apply these settings for --net parameter?
caps.keep net_raw,setgid,setuid
ignore caps.drop
Doesn't work on
Linux parabola 6.7.4-gnu-1 #1 SMP PREEMPT_DYNAMIC Thu, 08 Feb 2024 16:52:51 +0000 x86_64 GNU/Linux
Parabola is based on ArchLinux, so it may not work on Arch too.
And the browser cannot use the proxy. But if I use:
And input the same proxy settings again, it can use the proxy. 192.168.5.1 is the address of ta0 tap device.