Cannot use tap device with --net=

[bingmatv]

firejail --private --net=ta0 --ip=192.168.5.2 firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 11856, child pid 11859

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-11856       7e:31:a2:4a:0e:f5  192.168.5.2      255.255.255.0    DOWN

And the browser cannot use the proxy. But if I use:

firejail --private firefox

And input the same proxy settings again, it can use the proxy. 192.168.5.1 is the address of ta0 tap device.

[rusty-snake]

I do not get what you want. However it sounds XY to me. So can you rephrase it, start with the problem you want to solve and then your suggested fix.

[glitsj16]

Firejail will not try to configure the interface inside the sandbox. Besides --ip, you'll need to specify --netmask and --defaultgw. Have you tried that yet?

[bingmatv]

I added a tap device using ip command

ip tuntap add t0 mode tap
ip a add 10.0.0.1/24 dev t0
ip link set t0 up
firejail --private --net=t0 --ip=10.0.0.2/24 --defaultgw=10.0.0.1 ping -c 3 10.0.0.1

Ping says missing cap_net_raw+p capability or setuid. @glitsj16 @rusty-snake

[glitsj16]

If your kernel allows unprivileged userns clone:

$ cat ~/.config/firejail/ping.local
include ping-hardened.inc.profile

Otherwise, you can try:

$ cat ~/.config/firejail/ping.local
caps.keep net_raw,setgid,setuid
ignore caps.keep

HTH

[bingmatv]

If your kernel allows unprivileged userns clone:

$ cat ~/.config/firejail/ping.local
include ping-hardened.inc.profile

Otherwise, you can try:

$ cat ~/.config/firejail/ping.local
caps.keep net_raw,setgid,setuid
ignore caps.keep

HTH

What's the solution for web browsers?

[glitsj16]

What's the solution for web browsers?

If this needs the net_raw, setgid and setuid capabilities, you can apply similar 'logic' as above cfr. ping. firefox-common.profile drops all caps via caps.drop all, so an override would look like:

$ cat ~/.config/firejail/firefox.local
caps.keep net_raw,setgid,setuid
ignore caps.drop

[bingmatv]

Will you let firejail automatically apply these settings for --net parameter?

[bingmatv]

caps.keep net_raw,setgid,setuid
ignore caps.drop

Doesn't work on

Linux parabola 6.7.4-gnu-1 #1 SMP PREEMPT_DYNAMIC Thu, 08 Feb 2024 16:52:51 +0000 x86_64 GNU/Linux

Parabola is based on ArchLinux, so it may not work on Arch too.