Firejail: Having trouble getting firejail to work in a Docker container

Created on 24 May 2018 · 4 Comments · Source: netblue30/firejail

We are having trouble getting firejail to work as expected in a Docker container.

We have Ubuntu 16.04 running in VirtualBox on a Windows host. Firejail works as expected in that environment. But if we run a Docker container in Ubuntu (using "docker run -ti bash"), with firejail installed in the container, we get: "Warning: an existing sandbox was detected. touch will run without any additional sandboxing features".

Based on some searching, we tried using the --force option, but there is no change. We continue to get the warning message, and firejail seems to have no effect.

Should firejail work within a Docker container? Are we missing something, or doing something wrong?

For example, using the fact that /usr is read-only within a firejail sandbox, here is what we get on our simple Ubuntu vm when we try to create a file in /usr/local/test without firejail, and again with firejail:

root@krutherford-VirtualBox:/usr/local/test# touch x.x
root@krutherford-VirtualBox:/usr/local/test# ls
x.x
root@krutherford-VirtualBox:/usr/local/test# rm x.x
root@krutherford-VirtualBox:/usr/local/test# firejail touch x.x
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

* Note: you can use --noprofile to disable server.profile *

Parent pid 4111, child pid 4113
The new log directory is /proc/4113/root/var/log
Child process initialized in 38.43 ms
touch: cannot touch 'x.x': Read-only file system

Parent is shutting down, bye...

Doing the same thing in our Docker container, with and without the --force option:

[root@5e1f26ef0bb2 gsf23]# cd /usr/local/test
[root@5e1f26ef0bb2 test]# touch x.x
[root@5e1f26ef0bb2 test]# ls
x.x
[root@5e1f26ef0bb2 test]# rm x.x
rm: remove regular empty file ‘x.x’? y
[root@5e1f26ef0bb2 test]# firejail touch x.x
Warning: an existing sandbox was detected. touch will run without any additional sandboxing features
[root@5e1f26ef0bb2 test]# ls
x.x
[root@5e1f26ef0bb2 test]# rm x.x
rm: remove regular empty file ‘x.x’? y
[root@5e1f26ef0bb2 test]# firejail --force touch x.x
Warning: an existing sandbox was detected. touch will run without any additional sandboxing features
[root@5e1f26ef0bb2 test]# ls
x.x

Some version information from the Docker container:

[root@5e1f26ef0bb2 test]# firejail --version
firejail version 0.9.54
[root@5e1f26ef0bb2 test]# uname -a
Linux 5e1f26ef0bb2 4.13.0-43-generic #48~16.04.1-Ubuntu SMP Thu May 17 12:56:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@5e1f26ef0bb2 test]#

question

All 4 comments

Docker and firejail use similar features like namespaces, seccomp, capabilities. This means firejail is unable to create its own sandbox when run inside docker.
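The point made above, that Docker has already claimed the kernel's sandboxing primitives, can be checked from inside the container before expecting firejail to add anything. The script below is an added example, not code from the firejail project; it reports generic Linux container indicators (the .dockerenv marker, PID 1's cgroup path, the Seccomp field in /proc/self/status, and the container= variable systemd-nspawn places in PID 1's environment) rather than firejail's own detection logic, which the page does not show. The optional ROOT argument and the function names sandbox_indicators and already_sandboxed are this example's own.

```shell
#!/bin/sh
# Added example, not firejail's own code. It lists the signs that the
# current process is already inside a container or sandbox, which is the
# situation described in the thread: Docker has already set up namespaces,
# a seccomp filter and capability limits, so firejail cannot layer its own
# sandbox on top. These are generic Linux container heuristics; the exact
# tests firejail performs are not shown on the page and are not reproduced.
#
# Usage: sandbox_indicators [ROOT]
#   ROOT defaults to /; a constructed directory tree can be passed instead
#   so the check can be exercised offline.

sandbox_indicators() {
    root="${1:-/}"
    found=""

    # Docker writes a marker file at the container's root.
    if [ -f "$root/.dockerenv" ]; then
        found="$found dockerenv"
    fi

    # PID 1's cgroup path names the runtime that created the container.
    if [ -r "$root/proc/1/cgroup" ] &&
       grep -Eq '(docker|containerd|lxc|machine\.slice)' "$root/proc/1/cgroup"; then
        found="$found cgroup"
    fi

    # "Seccomp: 2" in /proc/self/status means a BPF filter is already
    # installed on this process (Docker applies one by default).
    if [ -r "$root/proc/self/status" ] &&
       grep -Eq '^Seccomp:[[:space:]]+2' "$root/proc/self/status"; then
        found="$found seccomp"
    fi

    # systemd-nspawn exports container= into PID 1's environment; the file
    # is readable only with sufficient privilege, hence the -r guard.
    if [ -r "$root/proc/1/environ" ] &&
       tr '\0' '\n' < "$root/proc/1/environ" | grep -q '^container='; then
        found="$found nspawn-env"
    fi

    if [ -n "$found" ]; then
        printf '%s\n' "${found# }"
    else
        printf 'none\n'
    fi
    return 0
}

# Succeeds (exit 0) when at least one indicator is present, i.e. when the
# "will run without any additional sandboxing features" warning should be
# expected rather than treated as a firejail bug.
already_sandboxed() {
    [ "$(sandbox_indicators "$1")" != "none" ]
}

# Report on the live system when the script is run directly.
sandbox_indicators /
```

Run it inside the Docker container from the report and it should print at least "dockerenv" and "cgroup"; on the plain VirtualBox guest it prints "none", which matches where firejail does and does not manage to sandbox touch.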

Thanks for the explanation. We had found this thread: https://github.com/netblue30/firejail/issues/189 and apparently misunderstood the use/purpose of "--force".

--force has also been removed in the latest version of firejail 0.9.54

@SkewedZeppelin:

--force has also been removed in the latest version of firejail 0.9.54

My desktop environment runs in an nspawn container; I've just started looking at firejail using 0.9.38 (in ubuntu 16.04) .. it seems to run quite happily - and work - with --force. Is there more detail on the decision to drop --force, and/or suggested alternatives?
