[GH-ISSUE #5870] dhclient-script: cannot update resolv.conf with read-only /etc #3113

Open
opened 2026-05-05 09:45:06 -06:00 by gitea-mirror · 0 comments
Owner

Originally created by @kris7t on GitHub (Jun 27, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5870

Originally assigned to: @kris7t on GitHub.

Description

It looks like since d1124df32d, the default ISC dhclient-script is broken inside the sandbox, because it is not allowed to create a new resolv.conf.

Falling back to --writable-etc is not desirable, because ordinarily, configuring DNS in the sandbox via DHCP should not cause changes to the configuration of the host machine. Instead, we should provide an /etc/dhclient-enter-hooks (by mounting an appropriate one) that relays DNS settings back to firejail or otherwise makes the changes private to the sandbox.

I could try working on this if I have some free time.

Steps to Reproduce

Run firejail with --net=<some bridge interface> --ip=dhcp --ip6=dhcp options, but without specifying --writable-etc.

Expected behavior

The ISC dhclient configures domain name resolution according to the DHCP server.

Actual behavior

DNS servers are not configured within the sandbox. This means that, unless the system default DNS server is reachable from within the sandbox, domain name resolution within the sandbox will fail.

This can be worked out somewhat by manually specifying the DNS server address with the --dns flag. This is feasible where the user completely controls the network (e.g., the network is a bridge interface managed by Libvirt, NetworkManager, or similar, and the DNS server runs on the host machine). However, it might be a challenge in setups where the DHCP or DNS server address might change.

Even if the --dns flag is specified to fix domain name resolution, warnings such as

/sbin/dhclient-script: line 70: /etc/resolv.conf.dhclient-new: Read-only file system
chown: cannot access '/etc/resolv.conf.dhclient-new': No such file or directory
chmod: cannot access '/etc/resolv.conf.dhclient-new': No such file or directory

will be printed to the terminal.

If dhclient is not in ordinary use on the host machine (e.g., DHCP is usually handled by NetworkManager or systemd-networkd), removing resolv.conf update altogether from the purview of dhclient (and relying entirely on --dns) can be a sufficient workaround. According to dhclient-script(8), /sbin/dhclient-script should not be modified directly. Instead, I created /etc/dhclient-enter-hooks with the following contents

#!/bin/bash

# dhclient-script sources this file before it acts on a lease, so redefining
# make_resolv_conf here replaces the stock one with a no-op and dhclient never
# tries to write /etc/resolv.conf.dhclient-new.
make_resolv_conf() {
    return
}

to override make_resolv_conf behavior with a no-op.

Behavior without a profile

Nothing changes, as the --ip=dhcp --ip6=dhcp flags are not set by any profile.

Additional context

I am using ISC dhclient 4.4.3.P1-2 with the default /sbin/dhclient-script.

Environment

  • Linux distribution and version: Arch Linux
  • Firejail version (firejail --version): firejail-git 0.9.72.r9473.524902401-1
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD): 5249024013

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

The relevant portion of the firejail --net=<some bridge interface> --ip=dhcp --ip6=dhcp --debug log is as follows (details of the network and DHCP responses were redacted for privacy):

sbox run: /run/firejail/mnt/dhclient -4 -pf /run/firejail/mnt/dhclient-dir/dhclient.pid -lf /run/firejail/mnt/dhclient-dir/dhclient.leases -i -v eth0
Set caps filter 3c00
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/<redacted>
Sending on   LPF/eth0/<redacted>
Sending on   Socket/fallback
<request details redacted>
/sbin/dhclient-script: line 70: /etc/resolv.conf.dhclient-new: Read-only file system
chown: cannot access '/etc/resolv.conf.dhclient-new': No such file or directory
chmod: cannot access '/etc/resolv.conf.dhclient-new': No such file or directory
mv: cannot stat '/etc/resolv.conf.dhclient-new': No such file or directory
bound to <redacted> -- renewal in 841 seconds.
Running dhclient -4 in the background as pid 12
sbox run: /run/firejail/lib/fnet waitll eth0
Set caps filter 3000
sbox run: /run/firejail/mnt/dhclient -6 -pf /run/firejail/mnt/dhclient-dir/dhclient6.pid -lf /run/firejail/mnt/dhclient-dir/dhclient6.leases -df /run/firejail/mnt/dhclient-dir/dhclient.leases -v eth0
Set caps filter 3c00
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on Socket/eth0
Sending on   Socket/eth0
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
<solicit details redacted>
/sbin/dhclient-script: line 97: /etc/resolv.conf.dhclient-new: Read-only file system
chown: cannot access '/etc/resolv.conf.dhclient-new': No such file or directory
chmod: cannot access '/etc/resolv.conf.dhclient-new': No such file or directory
mv: cannot stat '/etc/resolv.conf.dhclient-new': No such file or directory
Running dhclient -6 in the background as pid 24
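The issue proposes an /etc/dhclient-enter-hooks that keeps DHCP-supplied DNS settings private to the sandbox rather than silencing make_resolv_conf entirely. The script below is an added example of that approach; it is not code from the issue or from the firejail project. It reuses the variables the stock dhclient-script exports for the lease being processed (new_domain_name_servers, new_domain_search, new_domain_name for DHCPv4; new_dhcp6_name_servers, new_dhcp6_domain_search for DHCPv6) and writes the resulting resolv.conf to a private, writable path instead of /etc. The default path /run/firejail/mnt/resolv.conf and the variable RESOLV_CONF_PRIVATE are assumptions for illustration, as is the premise that the sandbox arranges for that file to appear as /etc/resolv.conf (for example through a bind mount), which this hook does not do by itself.

```shell
#!/bin/bash
# Added example (not from the issue or firejail): a dhclient-enter-hooks that
# makes DHCP DNS changes private to the sandbox. dhclient-script sources this
# file before acting on the lease, so the make_resolv_conf defined here replaces
# the stock one, which fails with "Read-only file system" when /etc is read-only.
#
# Assumption (hypothetical): RESOLV_CONF_PRIVATE is a writable file inside the
# sandbox that something else (e.g. a bind mount) presents as /etc/resolv.conf.
RESOLV_CONF_PRIVATE="${RESOLV_CONF_PRIVATE:-/run/firejail/mnt/resolv.conf}"

# Print a resolv.conf body built from the lease variables dhclient-script
# exports. Prints nothing when the lease carries no DNS information.
render_resolv_conf() {
    if [ -n "$new_domain_search" ]; then
        printf 'search %s\n' "$new_domain_search"
    elif [ -n "$new_domain_name" ]; then
        printf 'search %s\n' "$new_domain_name"
    elif [ -n "$new_dhcp6_domain_search" ]; then
        printf 'search %s\n' "$new_dhcp6_domain_search"
    fi
    # Word splitting is intended: dhclient passes space-separated server lists.
    for ns in $new_domain_name_servers $new_dhcp6_name_servers; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Replacement for the stock make_resolv_conf: write the rendered body to a
# temporary file next to the private target and move it into place atomically,
# mirroring the stock script's temp-then-mv pattern but never touching /etc.
make_resolv_conf() {
    body=$(render_resolv_conf)
    # A lease without DNS data leaves the existing file alone.
    [ -n "$body" ] || return 0
    tmp=$(mktemp "${RESOLV_CONF_PRIVATE}.XXXXXX") || return 1
    printf '%s\n' "$body" > "$tmp" \
        && chmod 644 "$tmp" \
        && mv -f "$tmp" "$RESOLV_CONF_PRIVATE"
}
```

Because the sandbox sees the host's /etc read-only, the hook has to reach the sandbox either by living at /etc/dhclient-enter-hooks on the host (where the host's own dhclient would also pick it up, so only appropriate when dhclient is not otherwise used there) or by being mounted in by firejail, which is what the issue asks for. Unlike --writable-etc, nothing here can modify host configuration: the only file written is the private target.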
gitea-mirror added the networking label 2026-05-05 09:45:06 -06:00
Reference: github-starred/firejail#3113