Package: firejail
Version: 0.9.52-2
Severity: normal

If I have two instances of ping running as the same user, even to different
target addresses, both ping instances will receive all responses, even the
ones not destined for them.

I believe this is because with firejail a different type of socket is used,
and ping is not running as root/setuid. And ping reports all responses.


# Instance 1:

$ ping 8.8.8.8 -n
...
64 bytes from 8.8.8.8: icmp_seq=134 ttl=57 time=0.759 ms
64 bytes from 8.8.8.8: icmp_seq=135 ttl=57 time=0.644 ms
64 bytes from 216.58.205.110: icmp_seq=1 ttl=55 time=4.42 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=136 ttl=57 time=0.644 ms
64 bytes from 216.58.205.110: icmp_seq=2 ttl=55 time=4.39 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=137 ttl=57 time=0.868 ms
64 bytes from 216.58.205.110: icmp_seq=3 ttl=55 time=4.52 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=138 ttl=57 time=0.695 ms
...


# Instance 2:

$ ping -4 google.com
PING GOOgle.com (216.58.205.110) 56(84) bytes of data.
64 bytes from mil04s26-in-f110.1e100.net (216.58.205.110): icmp_seq=1 ttl=55 time=4.42 ms
64 bytes from google-public-dns-a.google.com (8.8.8.8): icmp_seq=136 ttl=57 time=0.644 ms
64 bytes from mil04s26-in-f14.1e100.net (216.58.205.110): icmp_seq=2 ttl=55 time=4.39 ms
64 bytes from google-public-dns-a.google.com (8.8.8.8): icmp_seq=137 ttl=57 time=0.868 ms
64 bytes from mil04s26-in-f110.1e100.net (216.58.205.110): icmp_seq=3 ttl=55 time=4.52 ms
...


This happens even if I run ping as root (as it will use /usr/local/bin/ping).

If I use /bin/ping everything works fine.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-3-amd64 (SMP w/12 CPU cores)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8), LANGUAGE=pl_PL.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.12-4
ii  libc6         2.27-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.52-2
ii  iptables           1.6.2-1
ii  xauth              1:1.0.10-1
ii  xserver-xephyr     2:1.19.99.901-1

firejail suggests no packages.

-- Configuration Files:
/etc/firejail/disable-programs.inc changed [not included]

-- no debconf information
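
Added illustration, not part of the original report and not code from firejail or ping: the "(DUP!)" lines above are what an instance prints when it accepts every ICMP echo reply that reaches its socket instead of only those carrying its own identifier from its own target. The sketch runs that acceptance check over constructed replies; the identifiers 0x1a2b and 0x3c4d and the names `make_reply` and `is_ours` are assumptions, and whether a missing check of this kind is the cause here is not established by the report.

```c
/* Added example: constructed packets only, no network access needed. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Echo reply as ping sees it once the IP header is stripped: source address
 * (network byte order) plus type, code, checksum, identifier, sequence. */
struct reply { uint32_t src; uint8_t icmp[8]; };

/* RFC 1071 checksum over an even-length buffer; re-checking a valid header
 * (checksum field included) yields 0. */
static uint16_t inet_csum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)p[i] << 8 | p[i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build a constructed echo reply (type 0, code 0) for the sample stream. */
static struct reply make_reply(const char *src, uint16_t id, uint16_t seq) {
    struct reply r = {0};
    inet_pton(AF_INET, src, &r.src);
    r.icmp[4] = (uint8_t)(id >> 8);  r.icmp[5] = (uint8_t)id;
    r.icmp[6] = (uint8_t)(seq >> 8); r.icmp[7] = (uint8_t)seq;
    uint16_t c = inet_csum(r.icmp, 8);
    r.icmp[2] = (uint8_t)(c >> 8);   r.icmp[3] = (uint8_t)c;
    return r;
}

/* 1 only for a valid echo reply carrying our identifier from our target. */
static int is_ours(const struct reply *r, const char *target, uint16_t my_id) {
    uint32_t want;
    if (inet_pton(AF_INET, target, &want) != 1) return 0;
    if (r->icmp[0] != 0 || r->icmp[1] != 0) return 0;  /* not an echo reply */
    if (inet_csum(r->icmp, 8) != 0) return 0;          /* damaged header */
    uint16_t id = (uint16_t)(r->icmp[4] << 8 | r->icmp[5]);
    return id == my_id && r->src == want;
}

int main(void) {
    /* Constructed stream mirroring the report; the identifiers are made up. */
    struct reply rs[] = { make_reply("8.8.8.8", 0x1a2b, 136),
                          make_reply("216.58.205.110", 0x3c4d, 2) };
    for (int i = 0; i < 2; i++)
        printf("reply %d: instance 1 %s, instance 2 %s\n", i,
               is_ours(&rs[i], "8.8.8.8", 0x1a2b) ? "prints" : "drops",
               is_ours(&rs[i], "216.58.205.110", 0x3c4d) ? "prints" : "drops");
    return 0;
}
```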
