How to debug a firejail sandbox

[rusty-snake]

Really good article if you want to start to dig deeper with firejail and create/customize
profiles or troubleshoot:

• https://debugging.works/blog/debugging-firejail/

cc @kmille

---

I really like firejail, but there are some things I don’t like:

• The website is outdated!? The man page of the website are older than the man page of the Arch Linux package. Newer features like --nettrace are not listed on the website. Things like --audit has been moved to the jailcheck tool.

@netblue30 can you update the manpages on wordpress.

• The docs are good, but sometimes not super clear. Some more examples and command line output would be nice. For example: how to disable all protocols? protocol, protocol none , net none? I still don’t know.

To answer the specific example:

• net none will isolate "namespaced protocols" (inet, inet6 and abstract-unix) in an own private, unshared namespaces

• [protocol] is based on seccomp and checks the first argument to socket system call

  So if you want to disable all protocols, you want to disable all possible values for the first argument of socket. Therefore you can just disable the entire syscall using seccomp socket (which adds socket to the seccomp drop list) or seccomp.drop socket (if you really want to disable only socket).

  Note: seccomp[.drop] socket will return a different errno (default EPERM) than protocol none (allow empty --protocol= list #639) which returns EOPNOTSUPP.

  See also: allow empty --protocol= list #639 (comment)

  Did I misunderstand something or do we realy return EOPNOTSUPP rather than EAFNOSUPPORT?