Mirror of https://github.com/netblue30/firejail.git (synced 2026-05-15 14:16:14 -06:00)
[GH-ISSUE #266] Using systemd-resolved causes DNS to not work #188
Reference: github-starred/firejail#188
Originally created by @kalegrill on GitHub (Jan 28, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/266
I haven't debugged this too much, but I noticed that if /etc/nsswitch.conf is set with "resolve" instead of "dns" as per nss-resolve(8), then in firejail an inaccessible file is attempted to be read (/sys/fs/kdbus/0-system/bus gets an EACCES) and names are not resolved. This is regardless of whether systemd-resolved is active; it only needs to be configured in /etc/nsswitch.conf.
@kalegrill commented on GitHub (Feb 2, 2016):
Some tests:
Curl run outside firejail, resolved active or inactive, nsswitch with or without "dns" after "resolve": DNS works.
Curl run inside firejail, resolved active or inactive, nsswitch without "dns": DNS doesn't work.
Curl run inside firejail, resolved active or inactive, nsswitch with "dns" after "resolve": DNS works.
I haven't looked into how exactly this works, but evidently outside of firejail nss-resolve fails over correctly even without the "dns" entry in nsswitch; however, inside firejail it does not fail over without "dns" included.
The example in nss-resolve(8) lacks the "dns" option yet claims that "nss-resolve will chain-load nss-dns if systemd-resolved.service is not running". From my brief look that seems to be the case when the return for /sys/fs/kdbus/0-system/bus is ENOENT but not when it is EACCES. This doesn't look like a firejail issue to me?
The easy fix if one wants to use systemd-resolved outside of firejail is to put dns after resolve on the hosts line in nsswitch.conf. I should have been doing that in the first place.
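The workaround described in this comment is a one-token change to the hosts line of nsswitch.conf. The script below is an added example, not code from the firejail project or from anyone in this thread: it parses the hosts line of an nsswitch.conf-style file and reports whether "dns" is listed after "resolve", so a sandbox user can check the fallback before hitting the EACCES case. The file path and the sample lines in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not firejail project code): check whether the "hosts:" line of an
# nsswitch.conf lists "dns" after "resolve", the fallback this thread identifies as
# what keeps name resolution working inside the sandbox.

# hosts_line_has_dns_fallback FILE
# Returns 0 when the hosts line either does not use "resolve" at all, or lists
# "dns" somewhere after "resolve". Returns 1 when "resolve" is present with no
# later "dns" entry (the configuration that fails inside firejail per this thread).
hosts_line_has_dns_fallback() {
    # Take the first hosts line, drop the "hosts:" key and any trailing comment.
    hosts=$(grep -E '^[[:space:]]*hosts:' "$1" | head -n 1 \
            | sed 's/^[[:space:]]*hosts:[[:space:]]*//; s/#.*$//')
    seen_resolve=0
    # Walk the service list in order; action brackets such as [!UNAVAIL=return]
    # are separate tokens and simply do not match either pattern.
    for svc in $hosts; do
        case "$svc" in
            resolve) seen_resolve=1 ;;
            dns) [ "$seen_resolve" -eq 1 ] && return 0 ;;
        esac
    done
    # No "dns" after "resolve": fine only if "resolve" was never used.
    [ "$seen_resolve" -eq 0 ]
}

# Usage: ./check_nsswitch.sh /etc/nsswitch.conf   (path supplied by the caller)
if [ $# -gt 0 ]; then
    if hosts_line_has_dns_fallback "$1"; then
        echo "$1: hosts line has a dns fallback (or does not use resolve)"
    else
        echo "$1: hosts line uses resolve without a later dns entry; resolution may fail inside a sandbox"
    fi
fi
```

The check deliberately treats "dns" before "resolve" as insufficient: the thread's point is that nss-resolve gives up on EACCES rather than chaining to nss-dns, so only an entry after "resolve" is consulted when that happens.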
@netblue30 commented on GitHub (Feb 6, 2016):
Thanks for the hint. I'll do a test here and I'll have something in the next release.
@netblue30 commented on GitHub (Jun 1, 2016):
Try version 0.9.40, it has lots of fixes. If you still see the problem, let me know and I'll reopen the bug.
@aineko commented on GitHub (Aug 9, 2017):
I am observing the same issue on version 0.9.48 when trying to access zeroconf-discovered hosts.
If I compare
$ strace /usr/bin/ping some_intranet_host
and
$ /usr/bin/firejail --noprofile --allow-debuggers strace /usr/bin/ping some_intranet_host
I can clearly see that nss-resolve abandons resolution when it gets EACCES instead of ENOENT for /sys/fs/kdbus/0-system/bus
Unblacklisting /sys/fs makes nss-resolve get ENOENT for /sys/fs/kdbus/0-system/bus and then continue by opening /var/run/dbus/system_bus_socket, which succeeds:
$ /usr/bin/firejail --noprofile --noblacklist=/sys/fs /usr/bin/ping some_intranet_host
Still looks like the proper way to fix this is on nss-resolve side. Opened an issue there.