Having trouble getting firejail to work in a Docker container #1956

Closed
kruthe01 opened this issue May 23, 2018 · 4 comments

@kruthe01 kruthe01 commented May 23, 2018

We are having trouble getting firejail to work as expected in a Docker container.

We have Ubuntu 16.04 running in VirtualBox on a Windows host. Firejail works as expected in that environment. But if we run a Docker container in Ubuntu (using "docker run -ti bash"), with firejail installed in the container, we get: "Warning: an existing sandbox was detected. touch will run without any additional sandboxing features".

Based on some searching, we tried using the --force option, but there is no change. We continue to get the warning message, and firejail seems to have no effect.

Should firejail work within a Docker container? Are we missing something, or doing something wrong?

For example, using the fact that /usr is read-only within a firejail sandbox, here is what we get on our simple Ubuntu vm when we try to create a file in /usr/local/test without firejail, and again with firejail:

root@krutherford-VirtualBox:/usr/local/test# touch x.x
root@krutherford-VirtualBox:/usr/local/test# ls
x.x
root@krutherford-VirtualBox:/usr/local/test# rm x.x
root@krutherford-VirtualBox:/usr/local/test# firejail touch x.x
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable server.profile **

Parent pid 4111, child pid 4113
The new log directory is /proc/4113/root/var/log
Child process initialized in 38.43 ms
touch: cannot touch 'x.x': Read-only file system

Parent is shutting down, bye...

Doing the same thing in our Docker container, with and without the --force option:

[root@5e1f26ef0bb2 gsf23]# cd /usr/local/test
[root@5e1f26ef0bb2 test]# touch x.x
[root@5e1f26ef0bb2 test]# ls
x.x
[root@5e1f26ef0bb2 test]# rm x.x
rm: remove regular empty file ‘x.x’? y
[root@5e1f26ef0bb2 test]# firejail touch x.x
Warning: an existing sandbox was detected. touch will run without any additional sandboxing features
[root@5e1f26ef0bb2 test]# ls
x.x
[root@5e1f26ef0bb2 test]# rm x.x
rm: remove regular empty file ‘x.x’? y
[root@5e1f26ef0bb2 test]# firejail --force touch x.x
Warning: an existing sandbox was detected. touch will run without any additional sandboxing features
[root@5e1f26ef0bb2 test]# ls
x.x

Some version information from the Docker container:

[root@5e1f26ef0bb2 test]# firejail --version
firejail version 0.9.54
[root@5e1f26ef0bb2 test]# uname -a
Linux 5e1f26ef0bb2 4.13.0-43-generic #48~16.04.1-Ubuntu SMP Thu May 17 12:56:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@5e1f26ef0bb2 test]#

@Vincent43 Vincent43 commented May 24, 2018

Docker and firejail use similar features like namespaces, seccomp, capabilities. This means firejail is unable to create its own sandbox when run inside docker.
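An added check, not code from this issue or from the firejail project, that makes the "existing sandbox" condition visible from inside a container: it reads the seccomp mode, the NoNewPrivs flag and the capability bounding set from a /proc status file and counts how many capabilities are already dropped. The embedded status text is a constructed sample of a root shell in a default Docker container, and the cap_last_cap value 37 is an assumption matching 4.x kernels.

```shell
#!/bin/sh
# Added example; not code from this issue or from the firejail project.
# Summarise what the kernel already enforces on a process, read from a
# /proc/<pid>/status file. A container runtime sets these same mechanisms,
# which is why a second sandboxer started inside finds a sandbox in place.

# Print the value of one "Key:<tab>value" field of a status file.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# Count capabilities absent from a hex CapBnd mask. Second argument is the
# highest capability number the kernel knows (/proc/sys/kernel/cap_last_cap).
missing_caps() {
    mask=$(( 0x$1 )); last=$2; n=0; i=0
    while [ "$i" -le "$last" ]; do
        if [ $(( (mask >> i) & 1 )) -eq 0 ]; then n=$(( n + 1 )); fi
        i=$(( i + 1 ))
    done
    echo "$n"
}

# One-line summary for a status file; args: status file, cap_last_cap.
sandbox_summary() {
    seccomp=$(status_field "$1" Seccomp)      # 0 off, 1 strict, 2 filter
    nnp=$(status_field "$1" NoNewPrivs)       # 1 = cannot gain privileges
    capbnd=$(status_field "$1" CapBnd)
    echo "seccomp=$seccomp nnp=$nnp capbnd=$capbnd dropped_caps=$(missing_caps "$capbnd" "$2")"
}

# "yes" when a seccomp filter or a reduced bounding set is already active.
already_sandboxed() {
    dropped=$(missing_caps "$(status_field "$1" CapBnd)" "$2")
    if [ "$(status_field "$1" Seccomp)" = 2 ] || [ "$dropped" -gt 0 ]; then echo yes; else echo no; fi
}

# Constructed sample of the fields a root shell in a default Docker container
# shows: seccomp filter on, bounding set reduced to Docker's 14 default caps.
sample_container_status() {
    printf 'Name:\tbash\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\nNoNewPrivs:\t0\n'
}

tmp=$(mktemp); sample_container_status > "$tmp"
sandbox_summary "$tmp" 37                  # 37 = cap_last_cap assumed for 4.x kernels
rm -f "$tmp"
if [ -r /proc/self/status ] && [ -r /proc/sys/kernel/cap_last_cap ]; then
    sandbox_summary /proc/self/status "$(cat /proc/sys/kernel/cap_last_cap)"
fi
```

Run it inside the container from the report and the live line shows seccomp=2 with a reduced bounding set, which is the state that firejail's warning refers to.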

@kruthe01 kruthe01 commented May 24, 2018

Thanks for the explanation. We had found this thread: #189 and apparently misunderstood the use/purpose of "--force".

@SkewedZeppelin SkewedZeppelin commented May 24, 2018

--force has also been removed in the latest version of firejail 0.9.54

@Vincent43 Vincent43 added the question label Jul 11, 2018
@Vincent43 Vincent43 closed this Jul 11, 2018
@srd424 srd424 commented Feb 17, 2019

@SkewedZeppelin:

--force has also been removed in the latest version of firejail 0.9.54

My desktop environment runs in an nspawn container; I've just started looking at firejail using 0.9.38 (in Ubuntu 16.04). It seems to run quite happily, and work, with --force. Is there more detail on the decision to drop --force, and/or suggested alternatives?
