ping with --net: socket: Operation not permitted #5775

Open
5 of 7 tasks
kmk3 opened this issue Apr 2, 2023 · 0 comments

kmk3 commented Apr 2, 2023

Description

ping fails with --net=eth0.

Steps to Reproduce

Default:

$ LC_ALL=C firejail --ignore='include ping.local' \
  --ignore='include globals.local' \
  /usr/bin/ping -c 1 -q 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.020/0.020/0.020/0.000 ms

With --net=eth0:

$ LC_ALL=C firejail --ignore='include ping.local' \
  --ignore='include globals.local' --net=eth0 \
  /usr/bin/ping -c 1 -q 127.0.0.1
/usr/bin/ping: socktype: SOCK_RAW
/usr/bin/ping: socket: Operation not permitted
/usr/bin/ping: => missing cap_net_raw+p capability or setuid?

Expected behavior

ping pings localhost.

Actual behavior

ping fails to ping localhost.

Behavior without a profile

It works with ping.profile.

Environment

  • Artix Linux
  • firejail 0.9.73 (ab70db5)
  • iputils 20221126-1

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Originally reported by @Abdalnablse10 in #5769 / #5774.
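
Added diagnostic example (not part of the original report and not firejail or iputils code): ping's hint above points at a missing cap_net_raw+p, and this script decodes the capability masks from a /proc/PID/status file to show which sets still contain CAP_NET_RAW. It assumes the standard Linux numbering (CAP_NET_RAW is capability 13); the function names and the embedded sample status text are constructed for illustration.

```shell
#!/bin/sh
# CAP_NET_RAW is capability number 13 in <linux/capability.h>.
CAP_NET_RAW_BIT=13

# has_cap HEXMASK BIT: 0 if BIT is set, 1 if clear, 2 if HEXMASK is not hex.
has_cap() {
    mask=$(printf '%s' "$1" | tr -d '[:space:]')
    case $mask in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# diagnose: read /proc/PID/status text on stdin and report, for the
# permitted, effective and bounding sets, whether CAP_NET_RAW is present.
diagnose() {
    awk '$1 ~ /^Cap(Prm|Eff|Bnd):$/ { sub(":", "", $1); print $1, $2 }' |
    while read -r name mask; do
        rc=0
        has_cap "$mask" "$CAP_NET_RAW_BIT" || rc=$?
        case $rc in
            0) echo "$name: cap_net_raw present" ;;
            1) echo "$name: cap_net_raw MISSING" ;;
            *) echo "$name: unparsable mask '$mask'" ;;
        esac
    done
}

# Constructed sample: a process with empty permitted/effective sets,
# the state in which opening a SOCK_RAW socket returns EPERM.
sample_status() {
    cat <<'EOF'
Name:	ping
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	000001ffffffffff
CapAmb:	0000000000000000
EOF
}

# With a readable file argument, diagnose it; otherwise use the sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    diagnose < "$1"
else
    sample_status | diagnose
fi
```

Pass the path of a status file (for example /proc/self/status from a shell started inside the sandbox) to compare the capability sets with and without --net=eth0.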
