netblue30 / fdns

Firejail DNS-over-HTTPS Proxy Server


fdns does not properly whitelist websites with an electron app

Amir1453 opened this issue

Hello everyone, I recently started using fdns with firejail to restrict access from an electron app (Obsidian). I have github.com in a whitelist folder.

When I run firefox in firejail, everything works as intended. I cannot access any site other than github. However, I can access other sites from the electron app.

fdns --monitor does not show anything. I suspect this issue is somehow connected with electron but I was unable to find a solution.

Here is my obsidian.profile:

# Description: Markdown-based knowledge base
# This file is overwritten after every install/update
# Persistent local customizations
include obsidian.local
# Persistent global definitions
include globals.local

#noblacklist PATH
noblacklist ${HOME}/.config/obsidian
noblacklist ${HOME}/Vaults/

include disable-shell.inc

#mkdir PATH
##mkfile PATH

#whitelist PATH
whitelist ${HOME}/.config/obsidian
whitelist ${HOME}/Vaults/
whitelist ${DOCUMENTS}
whitelist ${PICTURES}


private-bin obsidian

# Redirect
include electron.profile

and electron.profile:

# Description: Build cross platform desktop apps with web technologies
# This file is overwritten after every install/update
# Persistent local customizations
include electron.local

noblacklist ${HOME}/.config/Electron
noblacklist ${HOME}/.config/electron*-flag*.conf

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Electron
whitelist ${HOME}/.config/electron*-flag*.conf
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
#include electron-hardened.inc.profile

apparmor
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
notv
nou2f
novideo

disable-mnt
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none

What distro do you use? What does your normal DNS setup look like? Do you use systemd-resolved? If so, try to disable it. Does Obsidian use DoH? If so, try to disable it. How did you install and set up firejail+fdns?

Firstly, thanks a lot for your help. Turning off systemd-resolved seems to do the trick; now, however, I am unable to access any websites via browsers or via the ping command unless they are also run with fdns.

Is there a workaround without disabling systemd-resolved? Or any way to fix the name resolution issue without systemd-resolved?

  1. Configure your system to not use systemd-resolved.
    • Remove it from nsswitch.conf. Your distro may override this on package updates
    • Directly contact the upstream DNS
    • Use a different DNS proxy/cache/manager like dnsmasq. Maybe netblue30/firejail#5828.
  2. Find out why it works with firefox and apply the same to obsidian.
    • blacklisting ldconfig -p | grep libnss_resolve.so.2 should work too.

Thank you so much! The second one worked.
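The second workaround above depends on two facts about the host: whether the hosts: line in nsswitch.conf hands lookups to systemd-resolved's NSS module (libnss_resolve) before plain dns, so that a sandboxed app can resolve names without ever going through fdns, and where that module lives so it can be blacklisted in obsidian.local. The following script is an added example, not code from the fdns or firejail projects; it checks both from text fed on stdin, with constructed sample inputs, and assumes the per-user profile lives at ~/.config/firejail/obsidian.local.

```shell
#!/bin/sh
# Added example (not from fdns or firejail): detect the libnss_resolve bypass
# discussed in the issue and emit the firejail blacklist line that closes it.

# Read an nsswitch.conf on stdin; print "resolve" if the hosts: line reaches
# the resolve module (systemd-resolved) before dns, otherwise print nothing.
nsswitch_uses_resolve() {
  awk '$1 == "hosts:" {
         for (i = 2; i <= NF; i++) {
           if ($i == "resolve") { print "resolve"; exit }
           if ($i == "dns")     { exit }
         }
       }'
}

# Read "ldconfig -p" output on stdin; print one firejail "blacklist <path>"
# line per libnss_resolve.so.2 entry (one per architecture on multilib hosts).
resolve_blacklist_lines() {
  awk '$1 == "libnss_resolve.so.2" && $(NF-1) == "=>" { print "blacklist " $NF }'
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_NSSWITCH='passwd: files systemd
hosts: files resolve [!UNAVAIL=return] dns
networks: files'

SAMPLE_LDCONFIG='  libnss_resolve.so.2 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnss_resolve.so.2
  libnss_files.so.2 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnss_files.so.2'

if [ "$(printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_uses_resolve)" = resolve ]; then
  echo "hosts lookups go through systemd-resolved; add to ~/.config/firejail/obsidian.local:"
  printf '%s\n' "$SAMPLE_LDCONFIG" | resolve_blacklist_lines
fi
# On a live system:  nsswitch_uses_resolve < /etc/nsswitch.conf
#                    ldconfig -p | resolve_blacklist_lines >> ~/.config/firejail/obsidian.local
```

With the sample input the script reports the bypass and prints `blacklist /usr/lib/x86_64-linux-gnu/libnss_resolve.so.2`; run the live-system commands in the trailing comment to audit a real host.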