fdns does not properly whitelist websites with an electron app
Amir1453 opened this issue · comments
Hello everyone, I recently started using fdns with firejail to restrict access from an electron app (Obsidian). I have github.com in a whitelist folder.
When I run firefox in firejail, everything works as intended. I cannot access any site other than github. However, I can access other sites from the electron app. `fdns --monitor` does not show anything. I suspect this issue is somehow connected with electron but I was unable to find a solution.
Here is my obsidian.profile:

```
# Description: Markdown-based knowledge base
# This file is overwritten after every install/update
# Persistent local customizations
include obsidian.local
# Persistent global definitions
include globals.local
#noblacklist PATH
noblacklist ${HOME}/.config/obsidian
noblacklist ${HOME}/Vaults/
include disable-shell.inc
#mkdir PATH
##mkfile PATH
#whitelist PATH
whitelist ${HOME}/.config/obsidian
whitelist ${HOME}/Vaults/
whitelist ${DOCUMENTS}
whitelist ${PICTURES}
private-bin obsidian
# Redirect
include electron.profile
```

and electron.profile:

```
# Description: Build cross platform desktop apps with web technologies
# This file is overwritten after every install/update
# Persistent local customizations
include electron.local
noblacklist ${HOME}/.config/Electron
noblacklist ${HOME}/.config/electron*-flag*.conf
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Electron
whitelist ${HOME}/.config/electron*-flag*.conf
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
#include electron-hardened.inc.profile
apparmor
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
notv
nou2f
novideo
disable-mnt
private-cache
private-dev
private-tmp
dbus-user none
dbus-system none
```
What distro do you use? What does your normal DNS setup look like? Do you use systemd-resolved? If so, try to disable it. Does obsidian use DoH? If so, try to disable it. How did you install and set up firejail+fdns?
Firstly, thanks a lot for your help. Turning off systemd-resolved seems to do the trick, now however I am unable to access any websites via browsers or via the ping command unless they are also run with fdns.
Is there a workaround without disabling systemd-resolved? Or any way to fix the name resolution issue without systemd-resolved?
- Configure your system to not use systemd-resolved.
- Remove it from nsswitch.conf. Your distro may override this on package updates.
- Directly contact the upstream DNS
- Use a different DNS proxy/cache/manager like dnsmasq. Maybe netblue30/firejail#5828.
- Find out why it works with firefox and apply the same to obsidian.
`blacklist`ing `ldconfig -p | grep libnss_resolve.so.2` should work too.
Thank you so much! The second one worked.
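The two fixes discussed above (taking `resolve` out of the `hosts:` line of nsswitch.conf, or blacklisting libnss_resolve.so.2 inside the sandbox) are easy to get subtly wrong, so here is an added example script that is not part of the issue thread or of fdns/firejail. It checks whether an nsswitch.conf `hosts:` line routes lookups through systemd-resolved, prints the equivalent line with the `resolve` module and its action bracket removed, and turns `ldconfig -p` output into firejail `blacklist` lines for an electron.local or obsidian.local file. The sample `hosts:` line and the library path are constructed values; on a real machine use `/etc/nsswitch.conf` and the real `ldconfig -p` output.

```shell
#!/bin/sh
# Added example for this thread (not code from fdns, firejail or the issue's
# participants). It demonstrates the two fixes discussed above:
#   1. detect whether /etc/nsswitch.conf sends lookups through nss-resolve
#      (systemd-resolved), which lets a sandboxed app bypass fdns, and show
#      the "hosts:" line without it;
#   2. turn "ldconfig -p | grep libnss_resolve.so.2" output into firejail
#      "blacklist" lines for an electron.local / obsidian.local file.

# Constructed "hosts:" line as shipped by distros that enable systemd-resolved.
SAMPLE_HOSTS_LINE='hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns'

# Constructed ldconfig -p output line; the library path is an assumption.
SAMPLE_LDCONFIG_OUTPUT='libnss_resolve.so.2 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnss_resolve.so.2'

# uses_resolved LINE: succeed if the hosts line contains the "resolve" module.
uses_resolved() {
    case " $1 " in
        *" resolve "*) return 0 ;;
        *) return 1 ;;
    esac
}

# strip_resolved LINE: print the line without "resolve" and without the
# "[...]" action specification that belongs to it. Actions apply to the
# module before them, so leaving "[!UNAVAIL=return]" behind would attach it
# to "mymachines" instead and change lookup behaviour.
strip_resolved() {
    out=""
    drop_action=0
    set -f                      # no globbing: "[!UNAVAIL=return]" is a glob pattern
    for tok in $1; do
        if [ "$drop_action" -eq 1 ]; then
            drop_action=0
            case "$tok" in
                \[*) continue ;;
            esac
        fi
        if [ "$tok" = "resolve" ]; then
            drop_action=1
            continue
        fi
        out="${out:+$out }$tok"
    done
    set +f
    printf '%s\n' "$out"
}

# current_hosts_line FILE: print the active "hosts:" line of an nsswitch.conf.
current_hosts_line() {
    grep -E '^[[:space:]]*hosts:' "$1" | head -n 1
}

# blacklist_lines LDCONFIG_OUTPUT: print a firejail "blacklist" line for every
# libnss_resolve.so.2 path found in "ldconfig -p" output.
blacklist_lines() {
    printf '%s\n' "$1" | awk -F' => ' '/libnss_resolve\.so\.2/ { print "blacklist " $2 }'
}

# Demonstration on the constructed samples; on your own machine run
# current_hosts_line /etc/nsswitch.conf and blacklist_lines "$(ldconfig -p)".
if uses_resolved "$SAMPLE_HOSTS_LINE"; then
    echo "nsswitch routes lookups through systemd-resolved; suggested line:"
    strip_resolved "$SAMPLE_HOSTS_LINE"
fi
echo "firejail .local lines to keep nss-resolve out of the sandbox:"
blacklist_lines "$SAMPLE_LDCONFIG_OUTPUT"
```

Removing `resolve` from nsswitch.conf affects every process on the host, which is why the browser and `ping` stopped resolving names until they were also run through fdns; the `blacklist` variant only hides the nss-resolve module from the sandboxed app, so unsandboxed programs keep using systemd-resolved.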