[GH-ISSUE #5490] (Duplicate of #5489) #3014

New issue

Closed

opened 2026-05-05 09:40:01 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 09:40:01 -06:00

Owner

Originally created by @bodachaitanya on GitHub (Nov 28, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5490

Discussed in https://github.com/netblue30/firejail/discussions/5489

^{Originally posted by bodachaitanya November 28, 2022}
Hi Firejail team,

Could you please help in clarification for below queries, which I am seeing inconsistent behavior in my environment (on CentOS-7.9):

Suppose I have /etc/hosts as softlink to /data/runtime/hosts, something like below:
```
/etc/hosts -> /data/runtime/hosts
```
Having below rules was not allowing firejail to run:
```
read-only /etc/hosts
whitelist /data/runtime/hosts
read-only /data/runtime/hosts
```

Context: I have experienced this problem when I run ping in firejail with FQDN name. The DNS resolution is configured to go via non-default interface (which is achieved by preloading internal library which has modified connect, sendto, bind API's). Same is the case with /etc/resolv.conf, /etc/nsswitch.conf files, for this specific use-case. Firejail always comes out without executing them with above rules in place. When I remove whitelist (eg: in above case whitelist /data/runtime/hosts), this scenario works fine.
Could anyone please explain the behavior of firejail here.

Suppose I have a situation something like this:
- /var/lib -> /data (/var/lib is a softlink to /data)
- I have a read-only /var/lib/runtime rule in common profile.
- I have another rule in application profile whitelist /data/runtime/temp, which is added before including common profile which has above read-only rule for same path, something like this in sequence:
```
whitelist /data/runtime/temp
        :
read-only /var/lib/runtime
```
- I noticed firejail comes out, without any error.

Context: I am trying to run tcpdump in firejail with above situation with filters having FQDN name (eg: host google.com), and tcpdump will create runtime files (along with snoop file) in /data/runtime/temp/ path. I noticed firejail comes out without any error not executing as desired and the behaviour is inconsistent. Could you please explain this behavior.

I also have some issues with tools running in firejail with some rules configured (with whitelist and read-only) only in case of tools attempted to get DNS resolution from outside.

For all the above queries, one thing is common. When network library calls are intercepted through the preloaded library, and with DNS context, the rules which were working before as mentioned in above examples, were started not working, and the behavior is not understable from firejail pov. Could you please help in here in understanding firejail behavior, what is causing the conflicts and how to analyse it.

Please let me know for any more information. Thanks

Originally created by @bodachaitanya on GitHub (Nov 28, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5490 ### Discussed in https://github.com/netblue30/firejail/discussions/5489 <div type='discussions-op-text'> <sup>Originally posted by **bodachaitanya** November 28, 2022</sup> Hi Firejail team, Could you please help in clarification for below queries, which I am seeing inconsistent behavior in my environment (on CentOS-7.9): 1. Suppose I have /etc/hosts as softlink to /data/runtime/hosts, something like below: ``` /etc/hosts -> /data/runtime/hosts ``` Having below rules was not allowing firejail to run: ``` read-only /etc/hosts whitelist /data/runtime/hosts read-only /data/runtime/hosts ``` **Context**: I have experienced this problem when I run ping in firejail with FQDN name. The DNS resolution is configured to go via non-default interface (which is achieved by preloading internal library which has modified connect, sendto, bind API's). Same is the case with /etc/resolv.conf, /etc/nsswitch.conf files, for this specific use-case. Firejail always comes out without executing them with above rules in place. When I remove whitelist (eg: in above case `whitelist /data/runtime/hosts`), this scenario works fine. Could anyone please explain the behavior of firejail here. 2. Suppose I have a situation something like this: - /var/lib -> /data (/var/lib is a softlink to /data) - I have a `read-only /var/lib/runtime` rule in common profile. - I have another rule in application profile `whitelist /data/runtime/temp`, which is added before including common profile which has above read-only rule for same path, something like this in sequence: ``` whitelist /data/runtime/temp : read-only /var/lib/runtime ``` - I noticed firejail comes out, without any error. **Context**: I am trying to run tcpdump in firejail with above situation with filters having FQDN name (eg: host google.com), and tcpdump will create runtime files (along with snoop file) in /data/runtime/temp/ path. I noticed firejail comes out without any error not executing as desired and the behaviour is inconsistent. Could you please explain this behavior. 3. I also have some issues with tools running in firejail with some rules configured (with whitelist and read-only) only in case of tools attempted to get DNS resolution from outside. For all the above queries, one thing is common. When network library calls are intercepted through the preloaded library, and with DNS context, the rules which were working before as mentioned in above examples, were started not working, and the behavior is not understable from firejail pov. Could you please help in here in understanding firejail behavior, what is causing the conflicts and how to analyse it. Please let me know for any more information. Thanks</div>