Unix & Linux
networking namespace network-namespaces sandbox firejail
Updated Fri, 20 May 2022 10:27:24 GMT

firejail : only let a program access localhost

I have this local network service and this client program needing to access it. I am running them both as an unprivileged user.

I am looking for a way to sandbox the client using firejail, in a way that it cannot access the network, except for localhost (or even better, except for that service). The first thing I tried was, of course:

firejail --net=lo program

But it didn't work:

Error: cannot attach to lo device

I think I could work around it by creating a virtual network interface pair, for example veth0 and veth1, moving veth1 to a new network namespace in which I'd run the service, and using firejail to restrain the client to veth0.

Is there a way to actually automate this setting in a firejail profile, so that all of these interfaces are created and veth1 is moved when I type

firejail server

(without having to run anything as root)?

Or is there a simpler way to solve this problem? (I cannot run both the client and the service in the same namespace, because the service needs to access the network.)


I would use an option kind of like:

firejail --interface=eth0.vlan100 --ip=someipaddress someprogram

Support for ipvlan driver was introduced in Linux kernel 3.19.

Found Here: man firejail | Firejail

Comments (3)

  • +0 – That command doesn't work for me, it gives the error "Error: no network device configured" — Dec 06, 2018 at 11:13  
  • +0 – You still have to set up that virtual interface. That command is given as an example; I have no idea what your network interface is, it could be eth0, wlan0 or eth1, wlan1, etc. — Dec 06, 2018 at 16:09  
  • +0 – Problem is that having to set up the virtual interface means that some commands should be run as root (which contradicts what I asked), so if somebody has a better solution, I'll accept that one instead — Jul 06, 2021 at 13:17  
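The setup the question's veth idea and the answer's interface suggestion both point toward, written out as a script. This is an added example, not code from the original post or from the firejail project. It assumes a Linux host with iproute2 and firejail, and uses firejail's `--net=<bridge>`, `--ip=` and `--netfilter=<file>` options as documented in its man page; the bridge name br0, the 10.10.20.0/24 subnet, the sandbox address 10.10.20.2 and the service port 8080 are constructed values that can be overridden through the environment. The service keeps running on the host (so it keeps its normal network access) and listens on the host side of the bridge; the client gets its own network namespace on that bridge and a default-drop filter that admits only the one TCP flow to the service. The bridge creation is the single step that needs root, matching the last comment above; the firejail invocation itself runs as the unprivileged user. With DRY_RUN=1 (the default) the script only prints what it would execute.

```shell
#!/bin/sh
# Added example (not from the original post or the firejail project).
# Assumptions: a Linux host with iproute2 and firejail; a bridge br0 carrying
# 10.10.20.1/24 on the host side; the local service listens on 10.10.20.1:8080.
# All of these values are constructed and can be overridden via the environment.
set -eu

BRIDGE="${BRIDGE:-br0}"
HOST_IP="${HOST_IP:-10.10.20.1}"        # address of the host side of the bridge
SANDBOX_IP="${SANDBOX_IP:-10.10.20.2}"  # address firejail assigns to the client
SERVICE_PORT="${SERVICE_PORT:-8080}"    # port the local service listens on
FILTER_FILE="${FILTER_FILE:-${TMPDIR:-/tmp}/client-localhost.net}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Privileged one-time setup: creating the bridge is the part that cannot be
# done as an unprivileged user. Everything below it runs as the normal user.
setup_bridge() {
    run sudo ip link add "$BRIDGE" type bridge
    run sudo ip addr add "$HOST_IP/24" dev "$BRIDGE"
    run sudo ip link set "$BRIDGE" up
}

# Write an iptables-restore style filter for the client's network namespace:
# default-drop, loopback allowed, and exactly one TCP flow to the service on
# the host side of the bridge. firejail loads it before the client starts,
# and the client has no CAP_NET_ADMIN inside the sandbox to change it.
write_filter() {
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d ${HOST_IP}/32 -p tcp --dport ${SERVICE_PORT} -j ACCEPT
-A INPUT -s ${HOST_IP}/32 -p tcp --sport ${SERVICE_PORT} -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Launch the client: new network namespace attached to the bridge, a fixed
# address, and the filter above. No root is needed here; firejail is setuid.
run_client() {
    write_filter "$FILTER_FILE"
    run firejail --net="$BRIDGE" --ip="$SANDBOX_IP" --netfilter="$FILTER_FILE" "$@"
}

# Entry points: "sh sandbox-client.sh setup" once per boot, then
# "sh sandbox-client.sh run <client command>" for each client start.
case "${1:-}" in
    setup) setup_bridge ;;
    run) shift; run_client "$@" ;;
esac
```

Two things make this tighter than the bare `--net=br0` form. First, the host does not forward or NAT traffic from the bridge (IP forwarding is off by default), so the sandbox has no path to the outside even before the filter is applied. Second, without the filter the sandbox could still reach any other address the host owns, since packets arriving on br0 for a local address are accepted; the default-drop filter restricted to HOST_IP:SERVICE_PORT closes that. The service has to bind to the bridge address (or to all addresses) rather than to 127.0.0.1, because the sandbox's own loopback is a different namespace from the host's.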
