Firejail: DBUS firejail. Solved but need an "expert" opinion
Hi. I get this wanring when starting firefox with firejail:
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
I solved this by adding 'net enp0s3' in my profile and now I don't get the warning BUT now when i start firefox with firejail the terminal writes out:
Interface MAC IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0-9345 ac:tu:al:MAC:adr:ess 10.0.2.55 255.255.255.0 UP
Default gateway 10.0.2.2
My question is if this is a security risk? I am trying to get rid of all error/warnings from applications that has the largest security risks.
And while I am asking about this I would like your input on the matter with another warning i get 4 times every time I launch firejail firefox:
Warning: cleaning all supplementary groups
This I solved by removing 'noroot' from the profile. And basically the same question here. Is this the way to go or is it a security risk?
I am running arch linux with hardened kernel.
Thank you for taking your time.
anteg
All 2 comments
When you add net enp0s3 to your profile, Firejail will give you some details about the newly configured network namespace. This is information about a security feature, no security risk.
Warning: cleaning all supplementary groups
This is no security risk either. When running with --noroot, Firejail tries to remove most groups but keep a few in the new user namespace. If this fails for whatever reason, _all_ groups are removed with the only exception of your user group, the same as if you had provided the --nogroups option. And if _this_ fails, Firejail dies. So the warning is only about functionality, not security.
smitsohu
on 20 Feb 2019
Great!! Appriciete it!!
anteg
on 20 Feb 2019
Related issues
crass
路
3Comments
polyzen
路
4Comments
reinerh
路
3Comments
nuxwin
路
3Comments
ghost
路
3Comments
Most helpful comment
When you add
net enp0s3to your profile, Firejail will give you some details about the newly configured network namespace. This is information about a security feature, no security risk.This is no security risk either. When running with
--noroot, Firejail tries to remove most groups but keep a few in the new user namespace. If this fails for whatever reason, _all_ groups are removed with the only exception of your user group, the same as if you had provided the--nogroupsoption. And if _this_ fails, Firejail dies. So the warning is only about functionality, not security.