netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox

Home Page: https://firejail.wordpress.com

Firejail fails to launch a program when fcopy throws an error (In my case a harmless chattr'd immutable `/etc/resolv.conf`)

ipaqmaster opened this issue

Description

Describe the bug

Firejail can't start if it's dealing with an immutable /etc/resolv.conf due to fcopy throwing an error trying to change its ownership.

Steps to Reproduce

Steps to reproduce the behavior

Launch any program with a $PATH that causes it to use firejail while /etc/resolv.conf has been hit with chattr +i /etc/resolv.conf

  1. chattr +i /etc/resolv.conf
  2. Firejail any program with a profile involving jailing for /etc or this particular file.

Expected behavior

What you expected to happen

Launch my programs in firejail.

Actual behavior

What actually happened

Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 297689 cannot sync with peer: unexpected EOF
Peer 297690 unexpectedly exited with status 1

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

Software launches without issue.

Additional context

Any other detail that may help to understand/debug the problem

Environment

  • Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
    Arch Linux

  • Firejail version (firejail --version).
    0.9.72

  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD).
    NA

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

I cannot reproduce on Arch Linux with firejail-git, using an ext4 file system. The private-etc option was significantly refactored after 0.9.72. Here Firejail doesn't list the requested file attributes, but it doesn't break after changing them in the real file system:

$ lsattr -l /etc/resolv.conf
/etc/resolv.conf             Extents

$ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf
/etc/resolv.conf             ---

$ sudo chattr +i /etc/resolv.conf

$ lsattr -l /etc/resolv.conf
/etc/resolv.conf             Immutable, Extents

$ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf
/etc/resolv.conf             ---

What file system are you seeing this on? Does the issue still show with firejail-git?
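As an added example (not firejail's own code; fcopy is firejail's C helper and is not reproduced here), a pre-flight check in Python that does what the two posts above do by hand: it reads inode flags through the FS_IOC_GETFLAGS ioctl that lsattr uses, parses `lsattr -l` output in the format shown in the reply, and reports which entries of a private-etc list carry chattr +i on the real filesystem, which is the condition the reporter hit. The ioctl constant, the private-etc list and the helper names are assumptions; it needs Linux and a filesystem that implements the ioctl (ext4, xfs, btrfs, overlayfs); on mounts that do not, the check reports "unknown" rather than failing.

```python
"""Pre-flight check for immutable files that a firejail private-etc copy would touch.

Added example, not firejail's own code. Assumptions: Linux, a filesystem that
implements FS_IOC_GETFLAGS, and the ioctl number matching the running ABI.
"""
import errno
import fcntl
import os
import struct
import sys

# Inode flag bits from <linux/fs.h>.
FS_IMMUTABLE_FL = 0x00000010   # set by `chattr +i`
FS_APPEND_FL = 0x00000020      # set by `chattr +a`

# _IOR('f', 1, long): 0x80086601 on LP64 (x86_64, aarch64), 0x80046601 on a
# 32-bit ABI. Assumption: the size of a C long selects the right encoding.
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601


def inode_flags(path):
    """Return the inode attribute bits for path, or None when the filesystem
    does not implement the ioctl (some tmpfs/procfs/FUSE mounts)."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOCTTY)
    try:
        buf = bytearray(struct.calcsize("l"))
        try:
            fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)
        except OSError as exc:
            if exc.errno in (errno.ENOTTY, errno.EOPNOTSUPP, errno.ENOSYS, errno.EINVAL):
                return None
            raise
        # The kernel writes an int into the user buffer even though the ioctl
        # number is encoded with 'long', so decode only the first four bytes.
        return struct.unpack("i", bytes(buf[:4]))[0]
    finally:
        os.close(fd)


def is_immutable(path):
    """True/False for the immutable flag, None if the filesystem cannot say."""
    flags = inode_flags(path)
    return None if flags is None else bool(flags & FS_IMMUTABLE_FL)


def parse_lsattr_long(output):
    """Parse `lsattr -l` output: path, whitespace, then comma-separated
    attribute names, or '---' when no attribute is set. Returns {path: [names]}.
    Paths containing spaces are not handled (lsattr does not quote them)."""
    attrs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.strip()
        attrs[path] = [] if rest in ("", "---") else [a.strip() for a in rest.split(",")]
    return attrs


def immutable_private_etc(entries, etc="/etc"):
    """For a private-etc list such as ['resolv.conf', 'hosts'] return the real
    paths under `etc` that carry the immutable flag. Missing files and files on
    filesystems that cannot report flags are skipped."""
    hits = []
    for name in entries:
        path = os.path.join(etc, name)
        if not os.path.isfile(path):
            continue
        if is_immutable(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Usage: python3 check_private_etc.py resolv.conf hosts
    names = sys.argv[1:] or ["resolv.conf"]
    for hit in immutable_private_etc(names):
        print(f"{hit}: immutable (chattr +i); a private-etc copy of it may fail")
```

Run it against the same list of files the profile's private-etc line names; a non-empty result is the case to report alongside the filesystem type and firejail version the maintainer asked for. The parser is there so the same check can be applied to captured `lsattr -l` output from a machine you cannot run code on.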