Lxd with firejail. Issue with creating /dev/zero

I’ve been trying to get firejail working with lxd. I’m trying this:

firejail --x11=xorg firefox

but the error result is:

Error: cannot create /dev/zero device

Anyone know why this is? The /dev/zero device exists in the container.

You cannot create devices inside an unprivileged container.
But LXD creates the /dev/zero device for the container (as you’ve seen).

Why are you trying to run firejail inside a container (which is also a form of jail)?

I’m trying out different combinations of containerisation. Also, firejail has the option for --x11=xorg which restricts some X11 calls.

I see.

Well, you may have some success using the recently added syscall interception feature to allow mknod calls for certain device types (including /dev/zero) using security.syscalls.intercept.mknod=true

See System call interception | LXD
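The suggestion above is a config setting, so the practical question for an operator is how to tell whether it is already on for a given instance and how to confirm, from inside the container, that the device creation firejail attempts is now permitted. The script below is an added example written for this thread, not code from the thread or from the LXD project. It assumes an instance named "c1", parses a constructed sample of `lxc config show` output (embedded so it runs offline), prints the `lxc config set` commands to enable interception, and attempts the same kind of mknod firejail performs: a character device with major 1, minor 5, which is what /dev/zero is on Linux.

```shell
#!/bin/sh
# Added example for the LXD forum thread above (not the project's own code).
# Instance name "c1" and the sample YAML below are constructed assumptions.

# Constructed sample of `lxc config show c1 --expanded` output, embedded so the
# script runs offline. In real use, feed the live output in instead:
#   mknod_intercept_enabled "$(lxc config show c1 --expanded)"
SAMPLE_CONFIG_DISABLED='architecture: x86_64
config:
  image.os: Ubuntu
  security.syscalls.intercept.mknod: "false"
devices:
  root:
    path: /
    pool: default
    type: disk
'

SAMPLE_CONFIG_ENABLED='architecture: x86_64
config:
  image.os: Ubuntu
  security.syscalls.intercept.mknod: "true"
'

# mknod_intercept_enabled <config-yaml>
# Returns 0 when security.syscalls.intercept.mknod is set to true (quoted or
# unquoted), 1 otherwise. Only the config key line is inspected.
mknod_intercept_enabled() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*security\.syscalls\.intercept\.mknod:' \
      | grep -qE ':[[:space:]]*"?true"?[[:space:]]*$'
}

# enable_commands <instance>
# Prints the host-side commands that turn interception on. The seccomp filter
# is loaded when the instance starts, so a restart is needed for it to apply.
enable_commands() {
    printf 'lxc config set %s security.syscalls.intercept.mknod=true\n' "$1"
    printf 'lxc restart %s\n' "$1"
}

# try_mknod_zero
# Attempts, in a scratch directory, the same operation firejail fails on:
# creating a character device 1:5 (/dev/zero). Returns 0 on success, 1 if the
# kernel refuses it (the expected result in an unprivileged container without
# mknod interception). Run this inside the container to confirm the fix.
try_mknod_zero() {
    command -v mknod >/dev/null 2>&1 || return 1
    dir=$(mktemp -d) || return 1
    if mknod -m 0666 "$dir/zero" c 1 5 2>/dev/null; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# Stand-alone usage: check the constructed sample, then probe mknod locally.
if mknod_intercept_enabled "$SAMPLE_CONFIG_DISABLED"; then
    echo "c1: mknod interception already enabled"
else
    echo "c1: mknod interception disabled; enable it with:"
    enable_commands c1
fi

if try_mknod_zero; then
    echo "mknod of a 1:5 character device succeeded in this environment"
else
    echo "mknod of a 1:5 character device was refused here"
fi
```

The mknod probe is the useful check from a defender's point of view: interception does not make the container privileged, it lets LXD validate specific mknod requests (the reply above lists /dev/zero among the allowed device types), so a successful probe for 1:5 alongside a refusal for an arbitrary device number is the expected outcome once the setting is on.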