I’ve been trying to get firejail working with lxd. I’m trying this:
firejail --x11=xorg firefox
but the error result is:
Error: cannot create /dev/zero device
Anyone know why this is? The /dev/zero device exists in the container.
You cannot create devices inside an unprivileged container.
But LXD creates the /dev/zero device for the container (as you’ve seen).
Why are you trying to run firejail inside a container (which is also a form of jail)?
I’m trying out different combinations of containerisation. Also, firejail has the option for --x11=xorg which restricts some X11 calls.
I see.
Well, you may have some success using the recently added syscall interception feature to allow mknod calls for certain device types (including /dev/zero) using security.syscalls.intercept.mknod=true
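An added example, not from the thread: a small POSIX sh script that probes whether the current shell may create device nodes (what firejail needs to populate its private /dev) and shows the host-side LXD change from the reply above. The container name "c1" and the helper names are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose the "cannot create /dev/zero"
# failure inside an unprivileged LXD container and show the host-side fix.
# Assumption: "c1" is a placeholder container name.

# Return 0 if mknod succeeds here, 1 if the kernel refuses it (the usual
# case in an unprivileged container without syscall interception).
can_mknod() {
    d=$(mktemp -d) || return 1
    if mknod "$d/zero" c 1 5 2>/dev/null; then   # 1:5 is /dev/zero's major:minor
        rm -rf "$d"
        return 0
    fi
    rm -rf "$d"
    return 1
}

# Interpret the value printed on the host by:
#   lxc config get c1 security.syscalls.intercept.mknod
intercept_enabled() {
    case "$1" in
        true|TRUE|True|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Map (mknod works?, intercept on?) to the next action. Arguments are
# "yes"/"no" so the logic can be exercised without an LXD host.
diagnose() {
    if [ "$1" = yes ]; then
        echo "mknod works: firejail can populate its private /dev"
    elif [ "$2" = yes ]; then
        echo "intercept is set but mknod still fails: restart the container"
    else
        echo "enable security.syscalls.intercept.mknod=true on the host and restart"
    fi
}

# Host side (needs the lxc client): enable interception and restart so the
# container comes up with the new seccomp policy.
enable_mknod_intercept() {
    lxc config set "$1" security.syscalls.intercept.mknod=true &&
    lxc restart "$1"
}

# When run directly inside the container, report what the probe found.
if can_mknod; then ok=yes; else ok=no; fi
diagnose "$ok" no
```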