Firejail: nonroot --netns=XXX/--net=XXX is insecure

Created on 5 Jul 2019 · 1 Comment · Source: netblue30/firejail

Using --netns/--net as a non-root user is quite useful, however without further access checking it is insecure. It allows any firejail user to join any network namespace or access the net through any device. E.g. some user may run a private openvpn instance in a network namespace (as I do) and a different firejail user can now join the network namespace, which is clearly not desirable. I believe --net=XXX (except --net=none of course) poses a similar problem, since it might make it possible to sidestep system routing policies. My suggestion would be to add some access checking, e.g. by introducing new options in firejail.config. E.g. something like

netns_allow <USER>: netns1 netns2 netns3
net_allow <USER>: bridge1 bridge1
enhancement

Most helpful comment

  1. firejail is focused on single user desktop systems. Which doesn't mean this isn't an issue.
     firejail doesn't really separate users (#2768, ...)
  2. You can use restricted-network to fully shut down --net (except for --net=none):
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no

or firejail.users to restrict the users who are allowed to use it.

  3. To have netns_allow, net_allow or netns_deny, net_deny or similar would be great.
  4. Figure out if --join-network can be used to bypass 3. if a sandbox is running.
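The following is an added example, not code from the firejail project or from anyone in this thread. It is a small POSIX shell audit for the two firejail.config keys quoted in the comment above (`network` and `restricted-network`): it parses the effective (uncommented) value of each key, treating a missing key as its shipped default, and reports whether non-root users are confined to --net=none. The two configs embedded in it are constructed samples, not files copied from a real system.

```shell
#!/bin/sh
# Added example: audit a firejail.config for restricted-network.
# Constructed sample configs (not real files from any system).
# The weak one leaves the shipped default "# restricted-network no" commented out,
# which is exactly the state the issue describes: any user may use --net/--netns.
WEAK_CONFIG='# Enable or disable networking features, default enabled.
# network yes
# Enable or disable restricted network support, default disabled.
# restricted-network no'

# The hardened one enables both keys explicitly.
HARDENED_CONFIG='network yes
restricted-network yes'

# config_value CONTENT KEY DEFAULT
# Prints the effective value of KEY in the firejail.config text CONTENT.
# Commented lines (the shipped defaults) are ignored, so a key that is never
# set uncommented falls back to DEFAULT. Last uncommented assignment wins.
config_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        $1 == key        { val = $2 }
        END              { print (val == "" ? def : val) }'
}

# netns_restricted CONTENT
# Returns 0 when networking is enabled AND restricted-network is enabled,
# i.e. only root may use --interface, --net=ethXXX and --netfilter and
# regular users are limited to --net=none. Returns 1 otherwise.
netns_restricted() {
    [ "$(config_value "$1" network yes)" = "yes" ] &&
    [ "$(config_value "$1" restricted-network no)" = "yes" ]
}

# audit CONTENT LABEL: human-readable verdict for one config.
audit() {
    if netns_restricted "$1"; then
        printf '%s: restricted-network enabled, non-root users limited to --net=none\n' "$2"
    else
        printf '%s: restricted-network NOT enabled, any user may use --net/--netns\n' "$2"
    fi
}

audit "$WEAK_CONFIG" "weak"
audit "$HARDENED_CONFIG" "hardened"
```

On a real system the same functions can be fed `$(cat /etc/firejail/firejail.config)`; the check only covers the configuration-level mitigation the comment names and says nothing about firejail.users or the --join-network question in item 4.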
