How to launch dnsmasq as dnsmasq user in a network namespace?

[crocket]

Launching dnsmasq as dnsmasq user in a network namespace with firejail required

/etc/firejail/dnsmasq.local

# this includes `netns vpn`
include bridge-vpn.inc

# `netns vpn` requires
ignore nonewprivs
## Even `protocol unix,inet,inet6,netlink,packet,bluetooth`
## denies permission to create any listening socket
## with `netns vpn`
ignore protocol
ignore seccomp

/etc/firejail/globals.local

# private and private-cache require ${HOME} to not be /dev/null
ignore private
ignore private-cache

• Why does netns vpn require ignore=nonewprivs, ignore=protocol, and ignore=seccomp?
• private and private-cache shouldn't require ${HOME} to not be /dev/null.
• include *.local shouldn't require ${HOME} to not be /dev/null.

[SkewedZeppelin]

Just use systemd sandboxing, way more tightly integrated.

[crocket]

I don't use systemd.

[rusty-snake]

Why does netns vpn require ignore=nonewprivs, ignore=protocol, and ignore=seccomp?

seccomp (and therefore protocol) implies nnp (if you are not root?).

Which error do you get if nnp is set?

[rusty-snake]

man 2 prctl:

PR_SET_NO_NEW_PRIVS (since Linux 3.5)
Set the calling thread's no_new_privs attribute to the
value in arg2. With no_new_privs set to 1, execve(2)
promises not to grant privileges to do anything that could
not have been done without the execve(2) call (for
example, rendering the set-user-ID and set-group-ID mode
bits, and file capabilities non-functional). Once set,
the no_new_privs attribute cannot be unset. The setting
of this attribute is inherited by children created by
fork(2) and clone(2), and preserved across execve(2).

[rusty-snake]

Is caps.keep broken?

Nope

$ firejail --quiet --noprofile --caps.keep=ipc_lock,net_bind_service,setgid,setuid,sys_chroot grep CapBnd /proc/self/status 
CapBnd:	00000000000444c

[crocket]

I think man firejail should mention file capabilities are ignored by --nonewprivs.

[rusty-snake]

--nonewprivs
Sets the NO_NEW_PRIVS prctl. This ensures that child processes cannot acquire new privileges using execve(2); in particular, this means that calling a suid binary (

or one with file capabilities

) does not result in an increase of privilege. This option is enabled by default if seccomp filter is activated.

[crocket]

Hell, it seems my brain was too tired to notice that.

[rusty-snake]

Summary

1. If you want to bind to a privileged port (port < net.ipv4.ip_unprivileged_port_start), you need to be root or have CAP_NET_BIND_SERVICE.
2. If you set PR_SET_NO_NEW_PRIVS, file capabilities are ignored.

[crocket]

I didn't know about setpriv. Perhaps, it should be mentioned in man firejail or somewhere else?

[rusty-snake]

Amb-caps don't seem to go through firejail. But inh-caps do, maybe you can move them to the eff-caps from outside by attaching? IDK.

(Assuming you want to use seccomp, ...), the best way is likely to start firejail as root and drop to a different user inside the sandbox.

Or just use systemd … 🙊

[crocket]

I don't use systemd. I ended up resorting to sysctl net.ipv4.ip_unprivileged_port_start=0.

It seems apparmor can be better than firejail for system daemons.

[crocket]

@rusty-snake I updated #4808 accordingly.

[kmk3]

Misc: Changed the title to match the accepted answer:

How to make firejail more suitable for system daemons.

->

How to launch dnsmasq as dnsmasq user in a network namespace?

@crocket Please be more specific when creating discussions to troubleshoot a
specific problem.