[GH-ISSUE #5650] private-etc breaks with 'net none' and 'dns=foo' #3055

Closed
opened 2026-05-05 09:42:05 -06:00 by gitea-mirror · 3 comments
Owner

Originally created by @ghost on GitHub (Feb 8, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5650

During testing of the recent private-etc refactoring (mostly in 5d0822c52c) I think there's a bug under specific conditions. I'll keep digging to try to pinpoint it as accurately as I can, but the below might already be a reproducer.

Relates to #5610 (see this comment: https://github.com/netblue30/firejail/discussions/5610#discussioncomment-4880993).

This works as expected:

$ firejail --net=none --ignore=dns --private-etc=@tls-ca,java*
[glitsj16@lab ~]$ pwd
/home/glitsj16

These (and similar) variations however keep failing for me:

$ firejail --net=none --private-etc=@tls-ca,java*
Error mount: fs_etc.c:142 fs_resolvconf: No such file or directory
Error: proc 79088 cannot sync with peer: unexpected EOF
Peer 79089 unexpectedly exited with status 1
$ firejail --net=none --private-etc=java*
Error mount: fs_etc.c:142 fs_resolvconf: No such file or directory
Error: proc 79088 cannot sync with peer: unexpected EOF
Peer 79089 unexpectedly exited with status 1

Note that the actual value of private-etc doesn't matter. When dns is there it will always fail in my tests.

Current code logic in fs_etc.c always tries to create a new /etc/resolv.conf, even when networking is disabled via --net=none:

https://github.com/netblue30/firejail/blob/45a641deaba84cb19126753f9bcfbbc14813f7c4/src/firejail/fs_etc.c#L113-L121

If I understand the relevant code there, I think it would make sense to create /etc/resolv.conf in a more conditional way, something like:

[...]
void fs_resolvconf(void) {
	/* nothing to resolve without networking, so skip the file entirely */
	if (arg_nonetwork) {
		if (arg_debug)
			printf("Network disabled via --net=none. Skip creating new /etc/resolv.conf file\n");
		return;
	}
	if (arg_debug)
		printf("Creating a new /etc/resolv.conf file\n");
	FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
[...]

Can anyone reproduce this? Thoughts on how to fix this in a safer way (if indeed this is a bug)?

UPDATE: I've made a small patch that seems to work for me. Here it is if anyone wants to test it:

--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -111,6 +111,10 @@
 }
 
 void fs_resolvconf(void) {
+	if (arg_nonetwork)
+		if (arg_debug)
+			printf("arg_nonetwork found (--net=none). Skip creating new /etc/resolv.conf file\n");
+		return;
 	if (arg_debug)
 		printf("Creating a new /etc/resolv.conf file\n");
 	FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
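Review bot: the `return;` on the fourth added line is unconditional, because `if (arg_nonetwork)` has no braces and therefore guards only the inner `if (arg_debug)`; as written, fs_resolvconf() returns before reaching `fopen(RUN_RESOLVCONF_FILE, "wxe")` in every configuration, not just with --net=none. Wrap the guarded body in braces so the early return depends on arg_nonetwork: `if (arg_nonetwork) {` ... `return;` `}`. Compiling with -Wall will also report this form as misleading indentation.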

Do note that this needs to go on top of current git master.
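As an added stand-alone illustration (not firejail code) of why the two patches in this issue behave differently: a model of the fs_resolvconf() guard in which the return value stands in for "reached the fopen(RUN_RESOLVCONF_FILE) step", with the first patch written exactly as the compiler parses it and the flag names arg_nonetwork / arg_debug borrowed from firejail.

```c
/* Added example, not firejail code: models the control flow of the two
 * fs_resolvconf() guards from this issue so they can be compared without
 * building firejail. Parameters mirror firejail's arg_nonetwork / arg_debug. */
#include <stdio.h>

enum { SKIPPED = 0, CREATED = 1 };

/* First patch, shown as the compiler actually reads it: without braces the
 * outer `if` guards only the inner `if`, so the return is unconditional. */
static int resolvconf_first_patch(int arg_nonetwork, int arg_debug) {
	if (arg_nonetwork)
		if (arg_debug)
			printf("arg_nonetwork found (--net=none). Skip creating new /etc/resolv.conf file\n");
	return SKIPPED; /* reached even when arg_nonetwork == 0: resolv.conf is never created */
	/* unreachable: the fopen(RUN_RESOLVCONF_FILE, "wxe") step never runs */
}

/* Updated patch: braces tie the early return to arg_nonetwork. */
static int resolvconf_updated_patch(int arg_nonetwork, int arg_debug) {
	if (arg_nonetwork) {
		if (arg_debug)
			printf("arg_nonetwork found (--net=none). Skip /etc/resolv.conf file creation\n");
		return SKIPPED;
	}
	if (arg_debug)
		printf("Creating a new /etc/resolv.conf file\n");
	return CREATED; /* firejail would fopen(RUN_RESOLVCONF_FILE, "wxe") here */
}

int main(void) {
	/* Walk every combination of --net=none and --debug and print both outcomes. */
	for (int nonet = 0; nonet <= 1; nonet++)
		for (int dbg = 0; dbg <= 1; dbg++)
			printf("net=none:%d debug:%d  first=%s  updated=%s\n", nonet, dbg,
			       resolvconf_first_patch(nonet, dbg) ? "CREATED" : "SKIPPED",
			       resolvconf_updated_patch(nonet, dbg) ? "CREATED" : "SKIPPED");
	return 0;
}
```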

gitea-mirror 2026-05-05 09:42:05 -06:00

@ghost commented on GitHub (Mar 15, 2023):

UPDATED PATCH (fixed misleading indentation):

--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -111,6 +111,11 @@
 }
 
 void fs_resolvconf(void) {
+	if (arg_nonetwork) {
+		if (arg_debug)
+			printf("arg_nonetwork found (--net=none). Skip /etc/resolv.conf file creation\n");
+		return;
+	}
 	if (arg_debug)
 		printf("Creating a new /etc/resolv.conf file\n");
 	FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
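Review bot: with the braces added, the early return now depends on arg_nonetwork and the rest of the function (including the `fopen(RUN_RESOLVCONF_FILE, "wxe")` step) still runs for sandboxes with networking, which is the intended behaviour; one remaining style point is that the debug message on the third added line exposes the internal variable name `arg_nonetwork` to the user. Consider wording it in terms of the option the user passed, e.g. `printf("Network disabled via --net=none, skipping /etc/resolv.conf creation\n");`.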

@kmk3 commented on GitHub (Aug 18, 2024):

@glitsj16

It looks like #5737 was supposed to fix this.

Does the issue still happen?


@ghost commented on GitHub (Aug 18, 2024):

@kmk3

> It looks like #5737 was supposed to fix this.
> Does the issue still happen?

This issue is fixed. Closing.
