Not able to use netns configuration directive in .profile or .local files #3846

Closed
faern opened this issue Dec 27, 2020 · 3 comments · Fixed by #3852
Labels
enhancement New feature request

Comments

@faern

faern commented Dec 27, 2020

Bug and expected behavior

$ cat /home/faern/.config/firejail/foobar.profile
netns whatever
$ firejail --profile=foobar
Reading profile /home/faern/.config/firejail/foobar.profile
Error: line 1 in /home/faern/.config/firejail/foobar.profile is invalid

I can use --netns=whatever from the command line. But if I put netns anythinggoes in a profile it says that line of the configuration is invalid. I would expect to be able to set up a profile that persistently joins a network namespace. For many of my jailed programs I want them to always join a given namespace, but if I can't specify that in my program.local override I will have to have separate launcher scripts for them, which is inconvenient and complicates the setup.

Environment
Fedora 33 Workstation

$ firejail --version
firejail version 0.9.64

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- SELinux support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
@rusty-snake rusty-snake added the enhancement New feature request label Dec 28, 2020
@rusty-snake
Collaborator

Untested:

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ff8b4710..fe9d27ff 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -616,6 +616,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
                else
                        warning_feature_disabled("networking");
+#endif
+               return 0;
+       }
+       else if (strncmp(ptr, "netns  ", 6) == 0) {
+#ifdef HAVE_NETWORK
+               if (checkcfg(CFG_NETWORK)) {
+                       arg_netns = ptr + 6;
+                       check_netns(arg_netns);
+               }
+               else
+                       warning_feature_disabled("networking");
 #endif
                return 0;
        }
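Review bot: the literal in `strncmp(ptr, "netns  ", 6)` carries two trailing spaces while the length argument is 6 and the value is taken from `ptr + 6`, so only the first six characters (`"netns "`) are ever compared; it works, but the literal should be `"netns "` to match the other directives and the offset, and the stray second space is exactly what shows up as the `netns ` entry with trailing whitespace in the grep output further down. `ptr + 6` is also passed straight to `check_netns` without confirming that anything follows the keyword; whether `check_netns` rejects an empty name is not visible in this hunk.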

@faern
Author

faern commented Dec 28, 2020

Is this really an enhancement rather than a bug? Are not all CLI arguments supposed to be possible to specify in the profiles also?

@rusty-snake
Collaborator

Interesting question. I considered it as "not implemented yet". Let's see what differences we have with other commands. (These greps are incomplete and wrong. Their only intention is to provide a first overview.)

grep "strncmp(ptr, " src/firejail/profile.c | grep -oE "\".*\"" | sed -e "s/ \"//g" -e "s/\"//g" | sort -u > prfl
bind
blacklist
blacklist-nolog
caps.drop
caps.keep
cgroup
cpu
dbus-system.broadcast
dbus-system.call
dbus-system.own
dbus-system.see
dbus-system.talk
dbus-user.broadcast
dbus-user.call
dbus-user.own
dbus-user.see
dbus-user.talk
defaultgw
dns
env
hostname
hosts-file
ignore
include
ip
ip6
iprange
join-or-start
mac
mkdir
mkfile
mtu
name
net
netfilter
netfilter6
netmask
netns 
nice
noblacklist
noexec
nowhitelist
overlay-named
private
private-bin
private-cwd
private-etc
private-home
private-lib
private-opt
private-srv
protocol
quiet
read-only
read-write
rlimit
rlimit-as
rlimit-cpu
rlimit-fsize
rlimit-nofile
rlimit-nproc
rlimit-sigpending
rmenv
seccomp
seccomp.32
seccomp.32.drop
seccomp.32.keep
seccomp.drop
seccomp-error-action
seccomp.keep
timeout
tmpfs
veth-name
whitelist
xephyr-screen
grep "strncmp(argv\[i\]" src/firejail/main.c | grep -oE "\--.*=\"" | sed -e "s/--//g" -e "s/=\"//g" | sort -u > cli
apparmor.print
audit
bandwidth
bind
blacklist
caps.drop
caps.keep
caps.print
cat
cgroup
chroot
cpu
cpu.print
dbus-log
dbus-system.broadcast
dbus-system.call
dbus-system.own
dbus-system.see
dbus-system.talk
dbus-user.broadcast
dbus-user.call
dbus-user.own
dbus-user.see
dbus-user.talk
defaultgw
dns
dns.print
env
fs.print
get
hostname
hosts-file
ignore
include
interface
ip
ip6
iprange
join
join-filesystem
join-network
join-or-start
ls
mac
mtu
name
net
netfilter
netfilter6
netfilter6.print
netfilter.print
netmask
netns
net.print
nice
noblacklist
noexec
nowhitelist
overlay-named
private
private-bin
private-cwd
private-etc
private-home
private-opt
private-srv
profile
profile.print
protocol
protocol.print
put
read-only
read-write
rlimit-as
rlimit-cpu
rlimit-fsize
rlimit-nofile
rlimit-nproc
rlimit-sigpending
rmenv
seccomp
seccomp.32
seccomp.32.drop
seccomp.32.keep
seccomp.drop
seccomp-error-action
seccomp.keep
seccomp.print
shell
shutdown
timeout
tmpfs
trace
tunnel
veth-name
whitelist
xephyr-screen
diff prfl cli
0a1,3
> apparmor.print
> audit
> bandwidth
3d5
< blacklist-nolog
5a8,9
> caps.print
> cat
6a11
> chroot
7a13,14
> cpu.print
> dbus-log
19a27
> dns.print
20a29,30
> fs.print
> get
24a35
> interface
27a39,41
> join
> join-filesystem
> join-network
28a43
> ls
30,31d44
< mkdir
< mkfile
36a50,51
> netfilter6.print
> netfilter.print
38c53,54
< netns 
---
> netns
> net.print
49d64
< private-lib
51a67,68
> profile
> profile.print
53c70,71
< quiet
---
> protocol.print
> put
56d73
< rlimit
70a88,90
> seccomp.print
> shell
> shutdown
72a93,94
> trace
> tunnel

Some cli-only ones like audit, *.print, cat, put, ls, get, join, noprofile, ... are right of course. Others like chroot, dbus-log, interface, bandwidth, shell, or on the profile-only side mkdir, mkfile, blacklist-nolog, make sense to be implemented in both cli and profile.

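The same profile-versus-CLI comparison as an added example, written here for this page and not part of firejail or of the shell pipeline above: it runs over constructed excerpts standing in for src/firejail/profile.c and src/firejail/main.c, strips the trailing whitespace that the greps left behind, and additionally flags any strncmp call whose length argument does not match its string literal (the two-space "netns  " from the untested patch).

```python
import re

# Constructed excerpts standing in for src/firejail/profile.c and
# src/firejail/main.c; these are NOT the real files. The "netns  " literal
# reproduces the two-space typo from the untested patch in the thread.
PROFILE_C = r'''
    else if (strncmp(ptr, "net ", 4) == 0) {
    else if (strncmp(ptr, "netns  ", 6) == 0) {
    else if (strncmp(ptr, "mkdir ", 6) == 0) {
    else if (strncmp(ptr, "blacklist-nolog ", 16) == 0) {
    if (strncmp(ptr, "dns ", 4) == 0) {
'''
MAIN_C = r'''
    else if (strncmp(argv[i], "--net=", 6) == 0) {
    else if (strncmp(argv[i], "--netns=", 8) == 0) {
    else if (strncmp(argv[i], "--dns=", 6) == 0) {
    else if (strncmp(argv[i], "--chroot=", 9) == 0) {
    else if (strcmp(argv[i], "--audit") == 0) {
'''

# Directive literal in profile.c: strncmp(ptr, "<keyword> ", n)
PROFILE_RE = re.compile(r'strncmp\(ptr,\s*"([^"]+)"')
# CLI option in main.c: strncmp(argv[i], "--<opt>=", n) or strcmp(argv[i], "--<opt>")
CLI_RE = re.compile(r'strn?cmp\(argv\[i\],\s*"--([^"=]+)=?"')

def profile_directives(src):
    # rstrip() reduces "netns  " and "net " alike to the bare keyword, which the
    # sed in the shell pipeline did not do (hence the "netns " diff line).
    return {m.group(1).rstrip() for m in PROFILE_RE.finditer(src)}

def cli_options(src):
    return {m.group(1) for m in CLI_RE.finditer(src)}

def compare(profile_src, main_src):
    p, c = profile_directives(profile_src), cli_options(main_src)
    return {"both": sorted(p & c),
            "profile_only": sorted(p - c),
            "cli_only": sorted(c - p)}

def prefix_length_mismatches(src):
    # Report strncmp(ptr, "<literal>", n) calls where len(literal) != n, e.g.
    # strncmp(ptr, "netns  ", 6): the literal is 7 characters but n is 6.
    out = []
    for m in re.finditer(r'strncmp\(ptr,\s*"([^"]+)",\s*(\d+)\)', src):
        lit, n = m.group(1), int(m.group(2))
        if len(lit) != n:
            out.append((lit, n))
    return out

if __name__ == "__main__":
    print(compare(PROFILE_C, MAIN_C))
    print(prefix_length_mismatches(PROFILE_C))
```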
rusty-snake added a commit to rusty-snake/firejail that referenced this issue Dec 29, 2020
@rusty-snake rusty-snake linked a pull request Dec 29, 2020 that will close this issue
netblue30 added a commit that referenced this issue Dec 30, 2020
Implement netns in profiles, closes #3846