[GH-ISSUE #569] Is it possible to have proper support for systemd-resolved? #400

Closed
opened 2026-05-05 05:47:25 -06:00 by gitea-mirror · 9 comments
Originally created by @tomgar on GitHub (Jun 12, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/569

The point of systemd-resolved is that it has a DNS cache.

I noticed that inside firejails if the system doesn't have a /etc/resolv.conf file and /etc/nsswitch.conf is just configured to use the nss-resolve, dns queries will fail. At the moment a resolv.conf file is added to /etc/ (like symlinking the one from systemd-resolved in /run/systemd/resolve/resolv.conf), dns queries will work but the DNS cache is bypassed completely.

gitea-mirror 2026-05-05 05:47:25 -06:00: closed this issue, added the bug label
@netblue30 commented on GitHub (Jun 12, 2016):

What seems to be the issue? I am reading from the systemd-resolved man page:

> In addition it maintains the /run/systemd/resolve/resolv.conf file for compatibility with traditional Linux programs. This file may be symlinked from /etc/resolv.conf.

systemd-resolved should work just fine with the symlink. Also, according to the nss-resolve man page, the library installed by systemd-resolved, the hosts line in /etc/nsswitch.conf should look like this:

> hosts: files resolve mymachines myhostname

What distro are you using?

@tomgar commented on GitHub (Jun 12, 2016):

My installation is correct. I already had all of that. I'm using ArchLinux with the latest firejail. It's really easy to check what's happening with the command systemd-resolve --statistics. Run firefox or chromium inside a firejail, browse a bit and run the systemd-resolve --statistics before and after browsing: the cache size will remain the same. What's happening is that inside the firejail nss-resolve is falling back to nss-dns which just uses the /etc/resolv.conf file.

From the nss-resolve man page:
"Note that nss-resolve will chain-load nss-dns if systemd-resolved.service is not running, ensuring that basic DNS resolution continues to work if the service is down."

nss-resolve doesn't use /etc/resolv.conf at all (just to fill up its internal resolv.conf file found inside /run), so another way to check the problem is removing /etc/resolv.conf, which makes it impossible to run DNS queries since nss-dns won't find the resolv.conf file. Notice that a non-existent /etc/resolv.conf file means that nss-dns will try to access a DNS server on localhost, so to do the test, if you have dnsmasq, bind or any other similar DNS server, you must stop it.

Another way is running systemd-resolve itself inside firejail which says "sd_bus_open_system: Permission denied".

My guess is that something needs to be done so the nss-resolve lib inside firejail can access outside's systemd-resolved service via dbus.

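The cache-size comparison tomgar describes above can be scripted so the check is repeatable. The following is an added example, not code from the firejail project or from the issue's participants. It assumes the statistics output (`resolvectl statistics`, or the older `systemd-resolve --statistics`) contains a line of the form `Current Cache Size: N`, and that `firejail` is installed for the live check; the parsing and comparison functions work on any such text.

```shell
#!/bin/sh
# Added example (not from the firejail project or the issue author): verify
# whether name lookups made inside a sandbox are served by systemd-resolved's
# cache, by comparing the host's cache size before and after a lookup.
# Assumption: the statistics output contains "Current Cache Size: N".

# Print the "Current Cache Size" value from statistics text read on stdin.
# Prints nothing if the line is absent, so callers can treat that as an error.
cache_size_from_stats() {
    awk -F': *' '/Current Cache Size/ { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# Exit 0 when the cache grew between two snapshots, 1 otherwise.
cache_grew() {
    [ "$2" -gt "$1" ]
}

# Snapshot the cache size on the host (outside any sandbox).
snapshot_cache_size() {
    if command -v resolvectl >/dev/null 2>&1; then
        resolvectl statistics | cache_size_from_stats
    else
        systemd-resolve --statistics | cache_size_from_stats
    fi
}

# Live check: resolve NAME inside a firejail sandbox and report whether the
# host's systemd-resolved cache changed. A sandbox that falls back to nss-dns
# (the behaviour reported in this issue) leaves the cache size unchanged.
check_sandbox_dns() {
    name=${1:-example.com}
    before=$(snapshot_cache_size)
    [ -n "$before" ] || { echo "could not read cache size" >&2; return 2; }
    # getent walks the NSS chain from /etc/nsswitch.conf, exactly as
    # applications inside the sandbox would.
    firejail --quiet getent ahosts "$name" >/dev/null 2>&1
    after=$(snapshot_cache_size)
    if cache_grew "$before" "$after"; then
        echo "cache grew ($before -> $after): sandbox lookups reach systemd-resolved"
    else
        echo "cache unchanged ($before -> $after): sandbox is likely bypassing systemd-resolved"
        return 1
    fi
}

# Run the live check only when invoked explicitly: ./dnscheck.sh --run example.com
case "${1:-}" in
    --run) check_sandbox_dns "${2:-example.com}" ;;
esac
```

Use a hostname that is not already cached on the host for the live check; a name resolved moments earlier is served from the cache without growing it, which would look like a bypass.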
@netblue30 commented on GitHub (Jun 12, 2016):

How do you start firefox? Like "firejail firefox" or you add more options?


@tomgar commented on GitHub (Jun 12, 2016):

Yep, that way and I don't have any custom firefox profile in ~/.config/firejail so I'm using the one coming from the firejail package.


@netblue30 commented on GitHub (Jun 12, 2016):

Ok, this is a bug, I'll look into it.


@chiraag-nataraj commented on GitHub (Jul 8, 2018):

Huh, this seems to still be an issue (since I disabled systemd-resolved's cache, I removed resolv.conf to test if systemd-resolved was accessible inside the sandbox). I'm going to investigate to try to figure out what's going on.


@chiraag-nataraj commented on GitHub (Jul 8, 2018):

Huh, never mind. It works now (at least for me). The culprit in my case was not including specific libraries in my private-lib filter.


@chiraag-nataraj commented on GitHub (Jul 9, 2018):

@tomgar Do you still have this issue? It seems to be fixed for me (with a fairly restrictive profile involving private-lib, no less). My setup involves not listing resolv.conf in my private-etc directive and including the proper libnss_ libraries in my private-lib directive, which should break if the bug you mention is still around (as I understand it - feel free to correct me!).

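chiraag-nataraj's fix (keeping the right `libnss_` libraries in `private-lib`) can be checked mechanically: derive the NSS modules the `hosts:` line of nsswitch.conf needs, then confirm each is present in the directory the sandbox will see. The script below is an added example, not code from the firejail project or the issue's participants. It assumes glibc's module naming scheme `libnss_<service>.so.2`; the library directory to check is a parameter.

```shell
#!/bin/sh
# Added example (not from the firejail project or the issue participants):
# list the libnss_ modules required by the hosts line of nsswitch.conf and
# report any that are missing from a library directory, so a private-lib
# list does not silently drop libnss_resolve and force the nss-dns fallback.
# Assumption: glibc naming, libnss_<service>.so.2.

# Print one libnss_<service>.so.2 name per service on the hosts line read
# from stdin. Action specs such as [!UNAVAIL=return] are not services and
# are skipped; comment lines and other databases are ignored.
nss_modules_for_hosts() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "hosts:" {
            inact = 0
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (tok ~ /^\[/) inact = 1
                if (inact) { if (tok ~ /\]$/) inact = 0; continue }
                print "libnss_" tok ".so.2"
            }
            exit
        }'
}

# Given module names on stdin and a library directory, print the ones that
# are not present there. Exit status 1 if anything is missing, 0 otherwise.
missing_nss_modules() {
    dir=$1
    missing=0
    while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        if [ ! -e "$dir/$mod" ]; then
            echo "$mod"
            missing=1
        fi
    done
    return $missing
}

# Usage: check_private_lib /etc/nsswitch.conf /usr/lib
# Prints the modules the hosts line needs that the directory lacks.
check_private_lib() {
    nss_modules_for_hosts <"$1" | missing_nss_modules "$2"
}
```

Point the second argument at the directory the sandbox actually mounts (the one `private-lib` is populated from); a module that exists on the host but is absent from that directory is exactly the case that made nss-resolve chain-load nss-dns here.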

@chiraag-nataraj commented on GitHub (Jul 15, 2018):

I'm going to go ahead and close this. @tomgar If you still have this issue, please re-open.
