github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

resolv.conf (chattr +i) #3237

New issue

Closed

opened 2026-05-05 09:50:46 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 09:50:46 -06:00

Owner

Originally created by @ipaqmaster on GitHub (Mar 27, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6296

Description

Describe the bug

Firejail can't start if its dealing with an immutable /etc/resolv.conf due to fcopy throwing an error trying to change its ownership.

Steps to Reproduce

Steps to reproduce the behavior

Launch any program with a $PATH that causes it to use firejail while /etc/resolv.conf has been hit with chattr +i /etc/resolv.conf

chattr +i /etc/resolv.conf
Firejail any program with a profile involving jailing for /etc or this particular file.

Expected behavior

What you expected to happen

Launch my programs in firejail.

Actual behavior

What actually happened

Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 297689 cannot sync with peer: unexpected EOF
Peer 297690 unexpectedly exited with status 1

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

Software launches without issue.

Additional context

Any other detail that may help to understand/debug the problem

Environment

Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
Arch Linux
Firejail version (firejail --version).
0.9.72
If you use a development version of firejail, also the commit from which it
was compiled (git rev-parse HEAD).
NA

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Originally created by @ipaqmaster on GitHub (Mar 27, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6296  ### Description _Describe the bug_ Firejail can't start if its dealing with an immutable /etc/resolv.conf due to fcopy throwing an error trying to change its ownership. ### Steps to Reproduce _Steps to reproduce the behavior_ Launch any program with a $PATH that causes it to use firejail while /etc/resolv.conf has been hit with `chattr +i /etc/resolv.conf` 1. `chattr +i /etc/resolv.conf` 2. Firejail any program with a profile involving jailing for /etc or this particular file. ### Expected behavior _What you expected to happen_ Launch my programs in firejail. ### Actual behavior _What actually happened_ ``` Error fcopy: invalid ownership for file /etc/resolv.conf Error: failed to run /run/firejail/lib/fcopy, exiting... Error: proc 297689 cannot sync with peer: unexpected EOF Peer 297690 unexpectedly exited with status 1 ``` ### Behavior without a profile _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ Software launches without issue. ### Additional context _Any other detail that may help to understand/debug the problem_ ### Environment - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") Arch Linux - Firejail version (`firejail --version`). 0.9.72 - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). NA ### Checklist  - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

gitea-mirror

2026-05-05 09:50:46 -06:00

closed this issue
added the
networking

duplicate

needinfo
labels

gitea-mirror commented

2026-05-05 09:50:49 -06:00

Author

Owner

@ghost commented on GitHub (Mar 27, 2024):

I cannot reproduce on Arch Linux with firejail-git, using an ext4 file system. The private-etc option was significantly refactored after 0.9.72. Here Firejail doesn't list the requested file attributes, but it doesn't break after changing them in the real file system:

$ lsattr -l /etc/resolv.conf
/etc/resolv.conf             Extents

$ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf
/etc/resolv.conf             ---

$ sudo chattr +i /etc/resolv.conf

$ lsattr -l /etc/resolv.conf
/etc/resolv.conf             Immutable, Extents

$ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf
/etc/resolv.conf             ---

What file system are you seeing this on? Does the issue still show with firejail-git?

@ghost commented on GitHub (Mar 27, 2024): I `cannot` reproduce on Arch Linux with [firejail-git](https://aur.archlinux.org/packages/firejail-git), using an `ext4` file system. The `private-etc` option was significantly [refactored](https://github.com/netblue30/firejail/discussions/5610) after 0.9.72. Here Firejail doesn't list the requested file attributes, but it doesn't break after changing them in the real file system: ```sh $ lsattr -l /etc/resolv.conf /etc/resolv.conf Extents $ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf /etc/resolv.conf --- $ sudo chattr +i /etc/resolv.conf $ lsattr -l /etc/resolv.conf /etc/resolv.conf Immutable, Extents $ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf /etc/resolv.conf --- ``` What file system are you seeing this on? Does the issue still show with firejail-git?

gitea-mirror commented

2026-05-05 09:50:51 -06:00

Author

Owner

@tredondo commented on GitHub (Oct 29, 2024):

I've just compiled from source on Fedora and I'm getting the same error:

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 1714580 cannot sync with peer: unexpected EOF
Peer 1714582 unexpectedly exited with status 1

$ ls -al /etc/resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve 26 Oct 29 07:10 /etc/resolv.conf

Filesystem is btrfs. The error is avoided if I include net none in the local profile.

@tredondo commented on GitHub (Oct 29, 2024): I've just compiled from source on Fedora and I'm getting the same error: ``` ** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl ** Mounting appimage type 2 Error fcopy: invalid ownership for file /etc/resolv.conf Error: failed to run /run/firejail/lib/fcopy, exiting... Error: proc 1714580 cannot sync with peer: unexpected EOF Peer 1714582 unexpectedly exited with status 1 $ ls -al /etc/resolv.conf -rw-r--r--. 1 systemd-resolve systemd-resolve 26 Oct 29 07:10 /etc/resolv.conf ``` Filesystem is btrfs. The error is avoided if I include `net none` in the local profile.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3237

No description provided.

Rows
Columns