Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

private-etc breaks with 'net none' and 'dns=foo' #5650

Closed
glitsj16 opened this issue Feb 8, 2023 · 3 comments
Closed

private-etc breaks with 'net none' and 'dns=foo' #5650

glitsj16 opened this issue Feb 8, 2023 · 3 comments
Labels
bug Something isn't working networking Issues related to networking features (--net=, etc)

Comments

@glitsj16
Copy link
Collaborator

glitsj16 commented Feb 8, 2023
edited
Loading

During testing of the recent private-etc refactoring (mostly in 5d0822c) I think there's a bug under specific conditions. I'll keep digging to try to pinpoint it as accurate as I can, but the below might already be a reproducer.

Relates to #5610 (see this comment).

This works as expected:

$ firejail --net=none --ignore=dns --private-etc=@tls-ca,java*
[glitsj16@lab ~]$ pwd
/home/glitsj16

These (and similar) variations however keeps failing for me:

$ firejail --net=none --private-etc=@tls-ca,java*
Error mount: fs_etc.c:142 fs_resolvconf: No such file or directory
Error: proc 79088 cannot sync with peer: unexpected EOF
Peer 79089 unexpectedly exited with status 1
$ firejail --net=none --private-etc=java*
Error mount: fs_etc.c:142 fs_resolvconf: No such file or directory
Error: proc 79088 cannot sync with peer: unexpected EOF
Peer 79089 unexpectedly exited with status 1

Note that the actual value of private-etc doesn't matter. When dns is there it will alway fail in my tests.

Current code logic in fs_etc.c always tries to create a new /etc/resolv.conf, even when networking is disabled via --net=none:

firejail/src/firejail/fs_etc.c

Lines 113 to 121 in 45a641d

void fs_resolvconf(void) {
if (arg_debug)
printf("Creating a new /etc/resolv.conf file\n");
FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
if (!fp) {
fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
exit(1);
}

If I understand the relevant code there, I think it would make sense to create /etc/resolv.conf in a more conditional way, something like:

[...]
 void fs_resolvconf(void) {
	if (arg_nonetwork)
		if (arg_debug)
			printf("Network disabled via --net=none. Skip creating new /etc/resolv.conf file\n");
		return;
 	if (arg_debug)
 		printf("Creating a new /etc/resolv.conf file\n");
 	FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
[...]

Can anyone reproduce this? Thoughts on how to fix this in a safer way (if indeed this is a bug)?

UPDATE: I've made a small patch that seems to work for me. Here it is if anyone wants to test it:

--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -111,6 +111,10 @@
 }
 
 void fs_resolvconf(void) {
+	if (arg_nonetwork)
+		if (arg_debug)
+			printf("arg_nonetwork found (--net=none). Skip creating new /etc/resolv.conf file\n");
+		return;
 	if (arg_debug)
 		printf("Creating a new /etc/resolv.conf file\n");
 	FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");

Do note that this needs to go on top of current git master.
@glitsj16 glitsj16 mentioned this issue Feb 28, 2023
Open
@glitsj16 glitsj16 mentioned this issue Mar 9, 2023
Closed
7 tasks
@glitsj16 glitsj16 changed the title private-etc sometimes breaks with 'net none' private-etc breaks with 'net none' and 'dns=foo' Mar 15, 2023
@glitsj16 glitsj16 added the bug Something isn't working label Mar 15, 2023
@glitsj16 glitsj16 mentioned this issue Mar 15, 2023
Merged
@glitsj16
Copy link
Collaborator Author

glitsj16 commented Mar 15, 2023
edited
Loading

UPDATED PATCH (fixed misleading indentation):

--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -111,6 +111,11 @@
 }
 
 void fs_resolvconf(void) {
+	if (arg_nonetwork) {
+		if (arg_debug)
+			printf("arg_nonetwork found (--net=none). Skip /etc/resolv.conf file creation\n");
+		return;
+	}
 	if (arg_debug)
 		printf("Creating a new /etc/resolv.conf file\n");
 	FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");

@kmk3
Copy link
Collaborator

kmk3 commented Aug 18, 2024

@glitsj16

It looks like #5737 was supposed to fix this.

Does the issue still happen?

@kmk3 kmk3 mentioned this issue Aug 18, 2024
Open
@glitsj16
Copy link
Collaborator Author

@kmk3

It looks like #5737 was supposed to fix this.
Does the issue still happen?

This issue is fixed. Closing.

@github-project-automation github-project-automation bot moved this to In progress in Release 0.9.74 Aug 28, 2024
@kmk3 kmk3 added the networking Issues related to networking features (--net=, etc) label Sep 2, 2024
kmk3 added a commit that referenced this issue Oct 5, 2024
@kmk3
RELNOTES: add private-etc rework feature item
116f7bf 
And move the #6104 item into it.

Relates to #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643 #5650 #5655.
Relates to #5681 #5737 #5844 #5989 #6016 #6104 #6400.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working networking Issues related to networking features (--net=, etc)
Projects
Release 0.9.74
Status: Done (on RELNOTES)
Milestone
No milestone
Development

No branches or pull requests
2 participants
@glitsj16 @kmk3