github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1731] unbound: error with DNSSEC validation enabled #1172

New issue
Closed
opened 2026-05-05 07:35:17 -06:00 by gitea-mirror · 12 comments
gitea-mirror commented 2026-05-05 07:35:17 -06:00
Owner
Copy link

Originally created by @curiosity-seeker on GitHub (Jan 14, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1731

I've firejailed unbound in Fedora 27. lib/systemd/system/unbound.service looks like this:

[Unit]
Description=Unbound recursive Domain Name Server
After=network.target
After=unbound-keygen.service
Wants=unbound-keygen.service
Wants=unbound-anchor.timer
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecReload=/usr/sbin/unbound-control reload

[Install]
WantedBy=multi-user.target

I've created the following /etc/systemd/system/unbound.service.d/override.conf file:

[Service]
ExecStart=
ExecStart=/usr/bin/firejail /usr/sbin/unbound -d $UNBOUND_OPTIONS

This works very well. systemctl status unbound doesn't show any errors.

However, the situation changes if I enable DNSSEC validation in unbound.conf by uncommenting the line:

auto-trust-anchor-file: "/var/lib/unbound/root.key"

If I remove above unbound.service.d folder and, hence, execute unbound unsandboxed (with systemctl daemon-reload and systemctl restart unbound) everything works as expected without any errors.

If I start unbound sandboxed I get the following output from systemctl status unbound:

● unbound.service - Unbound recursive Domain Name Server
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/unbound.service.d
           └─override.conf
   Active: failed (Result: exit-code) since Sun 2018-01-14 17:38:04 CET; 2s ago
  Process: 6868 ExecStart=/usr/bin/firejail --noprofile /usr/sbin/unbound -d $UNBOUND_OPTIONS (code=exited, status=1/FAILURE)
  Process: 6867 ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem (code=exited, status=0/SUCCESS)
  Process: 6866 ExecStartPre=/usr/sbin/unbound-checkconf (code=exited, status=0/SUCCESS)
 Main PID: 6868 (code=exited, status=1/FAILURE)

Jan 14 17:38:03 HANK unbound[6871]: [2:0] notice: init module 1: validator
Jan 14 17:38:03 HANK unbound[6871]: [2:0] notice: init module 2: iterator
Jan 14 17:38:03 HANK unbound[6871]: [2:0] info: start of service (unbound 1.6.7).
Jan 14 17:38:03 HANK unbound[6871]: [2:6] info: 127.0.0.1 curl. A IN
Jan 14 17:38:04 HANK unbound[6871]: [2:6] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.2-6: Read-only file system
Jan 14 17:38:04 HANK firejail[6868]: Parent is shutting down, bye...
Jan 14 17:38:04 HANK firejail[6868]: The new log directory is /proc/6869/root/var/log
Jan 14 17:38:04 HANK systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Jan 14 17:38:04 HANK systemd[1]: unbound.service: Unit entered failed state.
Jan 14 17:38:04 HANK systemd[1]: unbound.service: Failed with result 'exit-code'.

The respective output in journalctl is:

Jan 14 17:41:03 HANK systemd[1]: Starting Unbound recursive Domain Name Server...
Jan 14 17:41:03 HANK unbound-checkconf[7862]: unbound-checkconf: no errors in /etc/unbound/unbound.conf
Jan 14 17:41:03 HANK systemd[1]: Started Unbound recursive Domain Name Server.
Jan 14 17:41:03 HANK audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=unbound comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 14 17:41:03 HANK firejail[7864]: Parent pid 7864, child pid 7865
Jan 14 17:41:03 HANK firejail[7864]: [72B blob data]
Jan 14 17:41:03 HANK unbound[7867]: [2:0] error: cannot open pidfile /var/lib/unbound/unbound.pid: Read-only file system
Jan 14 17:41:03 HANK unbound[7867]: [2:0] notice: init module 0: ipsecmod
Jan 14 17:41:03 HANK unbound[7867]: [2:0] notice: init module 1: validator
Jan 14 17:41:03 HANK unbound[7867]: [2:0] notice: init module 2: iterator
Jan 14 17:41:03 HANK unbound[7867]: [2:0] info: start of service (unbound 1.6.7).
Jan 14 17:41:03 HANK unbound[7867]: [2:2] info: 127.0.0.1 curl. A IN
Jan 14 17:41:04 HANK unbound[7867]: [2:2] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.2-2: Read-only file system
Jan 14 17:41:04 HANK firejail[7864]: Parent is shutting down, bye...
Jan 14 17:41:04 HANK firejail[7864]: The new log directory is /proc/7865/root/var/log
Jan 14 17:41:04 HANK systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Jan 14 17:41:04 HANK systemd[1]: unbound.service: Unit entered failed state.
Jan 14 17:41:04 HANK audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=unbound comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jan 14 17:41:04 HANK systemd[1]: unbound.service: Failed with result 'exit-code'.

The funny thing is that I get the same error if I comment every line in unbound.profile (i.e. effectively an empty profile) or add the --noprofile option.

Originally created by @curiosity-seeker on GitHub (Jan 14, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1731 I've firejailed unbound in Fedora 27. `lib/systemd/system/unbound.service` looks like this: ``` [Unit] Description=Unbound recursive Domain Name Server After=network.target After=unbound-keygen.service Wants=unbound-keygen.service Wants=unbound-anchor.timer Before=nss-lookup.target Wants=nss-lookup.target [Service] Type=simple EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecReload=/usr/sbin/unbound-control reload [Install] WantedBy=multi-user.target ``` I've created the following `/etc/systemd/system/unbound.service.d/override.conf` file: ``` [Service] ExecStart= ExecStart=/usr/bin/firejail /usr/sbin/unbound -d $UNBOUND_OPTIONS ``` This works very well. `systemctl status unbound` doesn't show any errors. However, the situation changes if I enable DNSSEC validation in `unbound.conf` by uncommenting the line: `auto-trust-anchor-file: "/var/lib/unbound/root.key"` If I _remove_ above `unbound.service.d` folder and, hence, execute unbound **unsandboxed** (with systemctl daemon-reload and systemctl restart unbound) everything works as expected without any errors. If I start unbound **sandboxed** I get the following output from systemctl status unbound: ``` ● unbound.service - Unbound recursive Domain Name Server Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled) Drop-In: /etc/systemd/system/unbound.service.d └─override.conf Active: failed (Result: exit-code) since Sun 2018-01-14 17:38:04 CET; 2s ago Process: 6868 ExecStart=/usr/bin/firejail --noprofile /usr/sbin/unbound -d $UNBOUND_OPTIONS (code=exited, status=1/FAILURE) Process: 6867 ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem (code=exited, status=0/SUCCESS) Process: 6866 ExecStartPre=/usr/sbin/unbound-checkconf (code=exited, status=0/SUCCESS) Main PID: 6868 (code=exited, status=1/FAILURE) Jan 14 17:38:03 HANK unbound[6871]: [2:0] notice: init module 1: validator Jan 14 17:38:03 HANK unbound[6871]: [2:0] notice: init module 2: iterator Jan 14 17:38:03 HANK unbound[6871]: [2:0] info: start of service (unbound 1.6.7). Jan 14 17:38:03 HANK unbound[6871]: [2:6] info: 127.0.0.1 curl. A IN Jan 14 17:38:04 HANK unbound[6871]: [2:6] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.2-6: Read-only file system Jan 14 17:38:04 HANK firejail[6868]: Parent is shutting down, bye... Jan 14 17:38:04 HANK firejail[6868]: The new log directory is /proc/6869/root/var/log Jan 14 17:38:04 HANK systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE Jan 14 17:38:04 HANK systemd[1]: unbound.service: Unit entered failed state. Jan 14 17:38:04 HANK systemd[1]: unbound.service: Failed with result 'exit-code'. ``` The respective output in journalctl is: ``` Jan 14 17:41:03 HANK systemd[1]: Starting Unbound recursive Domain Name Server... Jan 14 17:41:03 HANK unbound-checkconf[7862]: unbound-checkconf: no errors in /etc/unbound/unbound.conf Jan 14 17:41:03 HANK systemd[1]: Started Unbound recursive Domain Name Server. Jan 14 17:41:03 HANK audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=unbound comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jan 14 17:41:03 HANK firejail[7864]: Parent pid 7864, child pid 7865 Jan 14 17:41:03 HANK firejail[7864]: [72B blob data] Jan 14 17:41:03 HANK unbound[7867]: [2:0] error: cannot open pidfile /var/lib/unbound/unbound.pid: Read-only file system Jan 14 17:41:03 HANK unbound[7867]: [2:0] notice: init module 0: ipsecmod Jan 14 17:41:03 HANK unbound[7867]: [2:0] notice: init module 1: validator Jan 14 17:41:03 HANK unbound[7867]: [2:0] notice: init module 2: iterator Jan 14 17:41:03 HANK unbound[7867]: [2:0] info: start of service (unbound 1.6.7). Jan 14 17:41:03 HANK unbound[7867]: [2:2] info: 127.0.0.1 curl. A IN Jan 14 17:41:04 HANK unbound[7867]: [2:2] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.2-2: Read-only file system Jan 14 17:41:04 HANK firejail[7864]: Parent is shutting down, bye... Jan 14 17:41:04 HANK firejail[7864]: The new log directory is /proc/7865/root/var/log Jan 14 17:41:04 HANK systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE Jan 14 17:41:04 HANK systemd[1]: unbound.service: Unit entered failed state. Jan 14 17:41:04 HANK audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=unbound comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' Jan 14 17:41:04 HANK systemd[1]: unbound.service: Failed with result 'exit-code'. ``` The funny thing is that I get the same error if I comment **every** line in unbound.profile (i.e. effectively an empty profile) or add the --noprofile option.
gitea-mirror 2026-05-05 07:35:17 -06:00
gitea-mirror commented 2026-05-05 07:35:21 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Jan 14, 2018):

Try it with --writable-var. /var is always read-only, unless you tell firejail otherwise.

<!-- gh-comment-id:357541303 --> @smitsohu commented on GitHub (Jan 14, 2018): Try it with `--writable-var`. /var is always read-only, unless you tell firejail otherwise.
gitea-mirror commented 2026-05-05 07:35:23 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Jan 15, 2018):

Actually it should be possible to adjust unbound.conf such that all the setup works take place in a different location than /var. On Debian (Jessie) for example the default paths are all below /etc/unbound.

This way writable-var is not necessary.

<!-- gh-comment-id:357718820 --> @smitsohu commented on GitHub (Jan 15, 2018): Actually it should be possible to adjust unbound.conf such that all the setup works take place in a different location than /var. On Debian (Jessie) for example the default paths are all below /etc/unbound. This way `writable-var` is not necessary.
gitea-mirror commented 2026-05-05 07:35:24 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Jan 15, 2018):

You're absolutely right, of course. It's really embarrassing - I obviously had a complete mental blackout :-(

I chose the combination --writable-var --whitelist=/var/lib/unbound

<!-- gh-comment-id:357734431 --> @curiosity-seeker commented on GitHub (Jan 15, 2018): You're absolutely right, of course. It's really embarrassing - I obviously had a complete mental blackout :-( I chose the combination `--writable-var --whitelist=/var/lib/unbound`
gitea-mirror commented 2026-05-05 07:35:25 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Jan 15, 2018):

I chose the combination --writable-var --whitelist=/var/lib/unbound

If you don't mind I'd like to upstream this solution.

<!-- gh-comment-id:357738245 --> @smitsohu commented on GitHub (Jan 15, 2018): > I chose the combination --writable-var --whitelist=/var/lib/unbound If you don't mind I'd like to upstream this solution.
gitea-mirror commented 2026-05-05 07:35:27 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Jan 15, 2018):

If you don't mind I'd like to upstream this solution.

Yes, of course! However, I'm not sure if all distros save root.key under /var/lib/unbound ....

<!-- gh-comment-id:357742509 --> @curiosity-seeker commented on GitHub (Jan 15, 2018): > If you don't mind I'd like to upstream this solution. Yes, of course! However, I'm not sure if all distros save root.key under /var/lib/unbound ....
gitea-mirror commented 2026-05-05 07:35:29 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Feb 11, 2018):

Weird! I've noticed that I'm getting now an error when executing systemctl status unbound:

● unbound.service - Unbound recursive Domain Name Server
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/unbound.service.d
           └─override.conf
   Active: active (running) since Sun 2018-02-11 12:23:03 CET; 3s ago
  Process: 8224 ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem (code=exited, status=0/SUCCESS)
  Process: 8223 ExecStartPre=/usr/sbin/unbound-checkconf (code=exited, status=0/SUCCESS)
 Main PID: 8225 (firejail)
    Tasks: 10 (limit: 4915)
   CGroup: /system.slice/unbound.service
           ├─8225 /usr/bin/firejail /usr/sbin/unbound -d
           ├─8226 /usr/bin/firejail /usr/sbin/unbound -d
           └─8230 /usr/sbin/unbound -d

Feb 11 12:23:03 HANK firejail[8225]: [72B blob data]
Feb 11 12:23:03 HANK firejail[8225]: Feb 11 12:23:03 unbound[4:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Feb 11 12:23:03 HANK firejail[8225]: Feb 11 12:23:03 unbound[4:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Feb 11 12:23:03 HANK firejail[8225]: Feb 11 12:23:03 unbound[4:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Feb 11 12:23:03 HANK firejail[8225]: Feb 11 12:23:03 unbound[4:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Feb 11 12:23:03 HANK unbound[8230]: [4:0] error: cannot open pidfile /var/lib/unbound/unbound.pid: Permission denied
Feb 11 12:23:03 HANK unbound[8230]: [4:0] notice: init module 0: ipsecmod
Feb 11 12:23:03 HANK unbound[8230]: [4:0] notice: init module 1: validator
Feb 11 12:23:03 HANK unbound[8230]: [4:0] notice: init module 2: iterator
Feb 11 12:23:03 HANK unbound[8230]: [4:0] info: start of service (unbound 1.6.8).

However, after adding the --trace option I'm getting this:

● unbound.service - Unbound recursive Domain Name Server
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/unbound.service.d
           └─override.conf
   Active: active (running) since Sun 2018-02-11 12:23:49 CET; 3s ago
  Process: 8477 ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem (code=exited, status=0/SUCCESS)
  Process: 8476 ExecStartPre=/usr/sbin/unbound-checkconf (code=exited, status=0/SUCCESS)
 Main PID: 8478 (firejail)
    Tasks: 10 (limit: 4915)
   CGroup: /system.slice/unbound.service
           ├─8478 /usr/bin/firejail --trace /usr/sbin/unbound -d
           ├─8479 /usr/bin/firejail --trace /usr/sbin/unbound -d
           └─8484 /usr/sbin/unbound -d

Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:64
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:connect 64 145.100.185.15 port 853:-1
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:65
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:connect 65 145.100.185.15 port 853:-1
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:fopen /var/lib/unbound/root.key.4-5:0x7f5eb457e2c0
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:63
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:connect 63 145.100.185.16 port 853:-1
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:63
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:connect 63 89.233.43.71 port 853:-1
Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:64

No error any more - how come?

<!-- gh-comment-id:364744754 --> @curiosity-seeker commented on GitHub (Feb 11, 2018): Weird! I've noticed that I'm getting now an error when executing `systemctl status unbound`: ``` ● unbound.service - Unbound recursive Domain Name Server Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled) Drop-In: /etc/systemd/system/unbound.service.d └─override.conf Active: active (running) since Sun 2018-02-11 12:23:03 CET; 3s ago Process: 8224 ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem (code=exited, status=0/SUCCESS) Process: 8223 ExecStartPre=/usr/sbin/unbound-checkconf (code=exited, status=0/SUCCESS) Main PID: 8225 (firejail) Tasks: 10 (limit: 4915) CGroup: /system.slice/unbound.service ├─8225 /usr/bin/firejail /usr/sbin/unbound -d ├─8226 /usr/bin/firejail /usr/sbin/unbound -d └─8230 /usr/sbin/unbound -d Feb 11 12:23:03 HANK firejail[8225]: [72B blob data] Feb 11 12:23:03 HANK firejail[8225]: Feb 11 12:23:03 unbound[4:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted Feb 11 12:23:03 HANK firejail[8225]: Feb 11 12:23:03 unbound[4:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted Feb 11 12:23:03 HANK firejail[8225]: Feb 11 12:23:03 unbound[4:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted Feb 11 12:23:03 HANK firejail[8225]: Feb 11 12:23:03 unbound[4:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted Feb 11 12:23:03 HANK unbound[8230]: [4:0] error: cannot open pidfile /var/lib/unbound/unbound.pid: Permission denied Feb 11 12:23:03 HANK unbound[8230]: [4:0] notice: init module 0: ipsecmod Feb 11 12:23:03 HANK unbound[8230]: [4:0] notice: init module 1: validator Feb 11 12:23:03 HANK unbound[8230]: [4:0] notice: init module 2: iterator Feb 11 12:23:03 HANK unbound[8230]: [4:0] info: start of service (unbound 1.6.8). ``` However, after adding the --trace option I'm getting this: ``` ● unbound.service - Unbound recursive Domain Name Server Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled) Drop-In: /etc/systemd/system/unbound.service.d └─override.conf Active: active (running) since Sun 2018-02-11 12:23:49 CET; 3s ago Process: 8477 ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem (code=exited, status=0/SUCCESS) Process: 8476 ExecStartPre=/usr/sbin/unbound-checkconf (code=exited, status=0/SUCCESS) Main PID: 8478 (firejail) Tasks: 10 (limit: 4915) CGroup: /system.slice/unbound.service ├─8478 /usr/bin/firejail --trace /usr/sbin/unbound -d ├─8479 /usr/bin/firejail --trace /usr/sbin/unbound -d └─8484 /usr/sbin/unbound -d Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:64 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:connect 64 145.100.185.15 port 853:-1 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:65 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:connect 65 145.100.185.15 port 853:-1 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:fopen /var/lib/unbound/root.key.4-5:0x7f5eb457e2c0 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:63 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:connect 63 145.100.185.16 port 853:-1 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:63 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:connect 63 89.233.43.71 port 853:-1 Feb 11 12:23:51 HANK firejail[8478]: 4:unbound:socket AF_INET SOCK_STREAM IPPROTO_TCP:64 ``` No error any more - how come?
gitea-mirror commented 2026-05-05 07:35:31 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Feb 26, 2018):

warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted

Not really answering your question, but I think a capability is missing here.... the ip-transparent option of unbound is broken without cap_net_admin, so the the profile should read:

caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource

<!-- gh-comment-id:368527461 --> @smitsohu commented on GitHub (Feb 26, 2018): > warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted Not really answering your question, but I think a capability is missing here.... the `ip-transparent` option of unbound is broken without cap_net_admin, so the the profile should read: `caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource`
gitea-mirror commented 2026-05-05 07:35:32 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Mar 1, 2018):

@smitsohu : Thanks, I added that to unbound.local. However, I'm still getting the error:

error: cannot open pidfile /var/lib/unbound/unbound.pid: Permission denied

I'm getting this error even after commenting everything in the profile. This does not happen if unbound is not firejailed. So something is still missing.

<!-- gh-comment-id:369674000 --> @curiosity-seeker commented on GitHub (Mar 1, 2018): @smitsohu : Thanks, I added that to `unbound.local`. However, I'm still getting the error: `error: cannot open pidfile /var/lib/unbound/unbound.pid: Permission denied` I'm getting this error even after commenting everything in the profile. This does not happen if unbound is **not** firejailed. So something is still missing.
gitea-mirror commented 2026-05-05 07:35:33 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Mar 14, 2018):

Thanks, @smitsohu . Unfortunately, I'm still getting that error even after above fix.

<!-- gh-comment-id:373109691 --> @curiosity-seeker commented on GitHub (Mar 14, 2018): Thanks, @smitsohu . Unfortunately, I'm still getting that error even after above fix.
gitea-mirror commented 2026-05-05 07:35:35 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 26, 2019):

@curiosity-seeker still an issue?

<!-- gh-comment-id:505810271 --> @rusty-snake commented on GitHub (Jun 26, 2019): @curiosity-seeker still an issue?
gitea-mirror commented 2026-05-05 07:35:36 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Jun 26, 2019):

@rusty-snake : I don't know as I'm no longer using unbound. Sorry!

<!-- gh-comment-id:505837348 --> @curiosity-seeker commented on GitHub (Jun 26, 2019): @rusty-snake : I don't know as I'm no longer using unbound. Sorry!
gitea-mirror commented 2026-05-05 07:35:37 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 26, 2019):

ok, then I go ahead and close for now, if anyone still has this issue, fell free to re-open

<!-- gh-comment-id:505857215 --> @rusty-snake commented on GitHub (Jun 26, 2019): ok, then I go ahead and close for now, if anyone still has this issue, fell free to re-open
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1172
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?