Warning: user namespaces not available in the current kernel.

[dmp1ce]

I am trying to sandbox firefox but I can still access files that should be blocked like my private ssh key. Is kernel 4 supported?

> firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Warning: user namespaces not available in the current kernel.
Parent pid 5042, child pid 5043
Child process initialized

(process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

parent is shutting down, bye...
> uname -rv
4.1.4-1-ARCH #1 SMP PREEMPT Mon Aug 3 21:30:37 UTC 2015

[netblue30]

I think you already have a Firefox instance running. By default Firefox keeps only one browser process running. When you start a new Firefox process, it looks for an existing one. If one is found, the new process shuts down, and the existing one opens a new tab or a new window. Use -no-remote Firefox option to force a new sandboxed process.

$ firejail firefox -no-remote

My guess is your first Firefox instance is not running in the sandbox.

User namespace needs to be compiled into the kernel. Do a short check: in a terminal you should be able to see the following files:

/proc/self/uid_map (user id mapping)
/proc/self/gid_map (group id mapping)
/proc/self/ns/user (used for join operations)

[dmp1ce]

You were right about having firefox already open. Now the .ssh directory is blocked. Thanks!

About the "User namespace", Arch has this turned of in the kernel because of security concerns. https://bugs.archlinux.org/task/36969

Here is the lxc configuration on my Arch machine.

> lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

[dmp1ce]

I am curious though. How does having user namespace turned off effect firejail?

[netblue30]

Thanks, good to know about Arch. The usual reason to turn it off is the number of bugs and fixes still coming into the kernel for user namespaces feature. The bugs are related to creating a root user in the user namespace. This root user is not fully separated from the real root user.

Firejail does not create a root user in the user namespace. I don't think firejail is affected by the problem, but who knows... User namespace is just a supplementary sandboxing feature, firejail will work fine without it.