[GH-ISSUE #5723] Arch Linux: Cannot install/update AUR packages (fs_resolvconf: No such file or directory) #3075

Closed
opened 2026-05-05 09:42:53 -06:00 by gitea-mirror · 12 comments

Originally created by @curiosityseeker on GitHub (Mar 9, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5723

Description

See title of the issue.

Steps to Reproduce

Steps to reproduce the behavior

  1. Install or update an AUR package with an AUR helper or via `git clone ....` and `makepkg -s`.
  2. You'll see the following error:

```
==> Validating source files with sha256sums...
    random_package ... Error mount: fs_etc.c:142 fs_resolvconf: No such file or directory
Error: proc XXXXX cannot sync with peer: unexpected EOF
Peer YYYYY unexpectedly exited with status 1
FAILED
==> ERROR: One or more files did not pass the validity check!
```

Expected behavior

What you expected to happen

Actual behavior

What actually happened

Behavior without a profile

`makepkg` is not sandboxed by default, but `hasher-common.profile` is called.

Additional context

Commenting `private-etc` in `hasher-common.profile` fixes the issue. I haven't had the time to investigate if a more fine-grained `private-etc` rule can be applied.

Environment

  • Arch Linux
  • firejail-git
  • fb49f72999a60f7a05575698b6d10e1fa00a39a4

Checklist

  • [x] The issue is caused by firejail. Commenting `private-etc` in `hasher-common.profile` fixes the issue.
  • [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
  • [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

Log

Output of `LC_ALL=C firejail /path/to/program`

output goes here

Output of `LC_ALL=C firejail --debug /path/to/program`

output goes here

@kmk3 commented on GitHub (Mar 9, 2023):

On what directory are the AUR repos stored?

On what directory are the packages built?


@curiosityseeker commented on GitHub (Mar 9, 2023):

That depends. If you install an AUR package with `git clone ...` and `makepkg -s` it's really up to you where you want to store it.

If you're using an AUR helper like paru, it is done in `~/.cache/paru`.


@kmk3 commented on GitHub (Mar 9, 2023):

@curiosityseeker on Mar 9:

> That depends. If you install an AUR package with `git clone ...` and `makepkg -s` it's really up to you where you want to store it.

Yes; I'm asking where they are on your system since that is where the errors
are happening. The paths could be currently blocked by an include profile.

Also, when adding the following to ~/.config/firejail/sha256sum.local:

```
ignore quiet
ignore include sha256sum.local
ignore include globals.local
```

What is the output of `makepkg`?


@rusty-snake commented on GitHub (Mar 9, 2023):

FTR 7176e6324d

They got added to firecfg just recently.


@curiosityseeker commented on GitHub (Mar 9, 2023):

> Yes; I'm asking where they are on your system since that is where the errors are happening. The paths could be currently blocked by an include profile.

Well, as mentioned in the OP, I've tried both AUR helpers (-> ~/.cache) and `git clone` (-> individual paths in ~).

> Also, when adding the following to ~/.config/firejail/sha256sum.local:
>
> ```
> ignore quiet
> ignore include sha256sum.local
> ignore include globals.local
> ```
>
> What is the output of `makepkg`?

EDITED: Need some more debugging.


@curiosityseeker commented on GitHub (Mar 9, 2023):

Sorry for the noise. The culprit was my globals.local. I still don't understand why as it doesn't seem to include any blacklisted paths which look relevant here, though. But anyway, ignoring it solves the problem.


@ghost commented on GitHub (Mar 9, 2023):

> ... Error mount: fs_etc.c:142 fs_resolvconf: No such file or directory

Hmm, longshot, but it could be #5650. Conditions seem to fit the bill, hasher-common.profile does have net none. But nobody seems to have been able to reproduce it (yet). I've been using the patch mentioned in #5650 ever since I reported the issue and it WFM on Arch Linux.


@curiosityseeker commented on GitHub (Mar 9, 2023):

Update: I found the culprit. I have

```
dns 127.0.0.1
```

in my `globals.local` to make sure that every network request goes through dnscrypt-proxy. Removing that rule in `hasher-common.local` fixes the issue although I don't know why. (Note: the blocklists in dnscrypt-proxy didn't block anything related)


@ghost commented on GitHub (Mar 9, 2023):

> Update: I found the culprit. I have
> dns 127.0.0.1

I'm more and more convinced this is #5650. Can you try the patch from that?


@curiosityseeker commented on GitHub (Mar 9, 2023):

Wow! I applied your patch, removed `ignore dns 127.0.0.1` in hasher-common.local - and got no errors!

So just to make sure: hasher-common.local now contains

```
#ignore dns 127.0.0.1
include globals.local

include disable-common.inc
```

and my `globals.local` contains `dns 127.0.0.1`.


@ghost commented on GitHub (Mar 9, 2023):

I have a pretty similar setup, also using dns 127.0.0.1 in globals.local. That seems to be a part of what triggers the bug. We'll have to ask @netblue30 and/or @smitsohu to take a closer look at my patch. As we all know my C is rather limited so there might be better fixes.

Anyway, thanks for taking the time to test!

Duplicate of #5650.


@kmk3 commented on GitHub (Mar 9, 2023):

> Duplicate of #5650.

(Closing as a duplicate)
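
Added example (not part of the original thread and not firejail code): a Python check for the combination the thread associates with the `fs_resolvconf` failure, namely `dns`, `net none` and `private-etc` all active in one effective profile. The include/ignore handling is a simplified model of firejail's profile parsing, and the profile contents, including the `private-etc` argument, are constructed samples.

```python
import os
import tempfile

def effective_commands(name, dirs, ignores=None, seen=None):
    """Commands of profile `name`, following includes and honouring `ignore`."""
    ignores = [] if ignores is None else ignores
    seen = set() if seen is None else seen
    path = next((p for p in (os.path.join(d, name) for d in dirs)
                 if os.path.isfile(p)), None)
    if path is None or path in seen:      # missing or already included file
        return []
    seen.add(path)
    commands = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("ignore "):
                ignores.append(line[len("ignore "):].strip())
            elif any(line == i or line.startswith(i + " ") for i in ignores):
                continue                  # dropped by an earlier `ignore`
            elif line.startswith("include "):
                commands += effective_commands(line.split(None, 1)[1], dirs, ignores, seen)
            else:
                commands.append(line)
    return commands

def matches_reported_trigger(commands):
    """True when dns, net none and private-etc are all active together."""
    words = {c.split()[0] for c in commands}
    return {"dns", "private-etc"} <= words and "net none" in commands

def check_constructed_setup(local_body):
    """Evaluate constructed sample profiles with the given hasher-common.local."""
    files = {
        "globals.local": "dns 127.0.0.1\n",
        "hasher-common.local": local_body,
        "hasher-common.profile": ("include hasher-common.local\ninclude globals.local\n"
                                  "net none\nprivate-etc alternatives\n"),
    }
    with tempfile.TemporaryDirectory() as d:
        for fname, body in files.items():
            with open(os.path.join(d, fname), "w") as fh:
                fh.write(body)
        cmds = effective_commands("hasher-common.profile", [d])
    return matches_reported_trigger(cmds)

if __name__ == "__main__":
    print(check_constructed_setup(""), check_constructed_setup("ignore dns 127.0.0.1\n"))
```

A match only means the profile has the combination reported in this thread; the thread defers the underlying fix to #5650.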
