netblue30 / fdns

Firejail DNS-over-HTTPS Proxy Server
GNU General Public License v3.0

fdns does not properly whitelist websites with an electron app #81

Closed Amir1453 closed 1 year ago

Amir1453 commented 1 year ago

Hello everyone, I recently started using fdns with firejail to restrict access from an electron app (Obsidian). I have github.com in a whitelist folder.

When I run firefox in firejail, everything works as intended. I cannot access any site other than github. However, I can access other sites from the electron app.

fdns --monitor does not show anything. I suspect this issue is somehow connected with electron but I was unable to find a solution.

Here is my obsidian.profile:

```
# Description: Markdown-based knowledge base
# This file is overwritten after every install/update
# Persistent local customizations
include obsidian.local
# Persistent global definitions
include globals.local

#noblacklist PATH
noblacklist ${HOME}/.config/obsidian
noblacklist ${HOME}/Vaults/

include disable-shell.inc

#mkdir PATH
##mkfile PATH

#whitelist PATH
whitelist ${HOME}/.config/obsidian
whitelist ${HOME}/Vaults/
whitelist ${DOCUMENTS}
whitelist ${PICTURES}

private-bin obsidian

# Redirect
include electron.profile
```

and electron.profile:

```
# Description: Build cross platform desktop apps with web technologies
# This file is overwritten after every install/update
# Persistent local customizations
include electron.local

noblacklist ${HOME}/.config/Electron
noblacklist ${HOME}/.config/electron*-flag*.conf

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Electron
whitelist ${HOME}/.config/electron*-flag*.conf
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
#include electron-hardened.inc.profile

apparmor
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
notv
nou2f
novideo

disable-mnt
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none
```

rusty-snake commented 1 year ago

What distro do you use? What does your normal DNS setup look like? Do you use systemd-resolved? If so, try to disable it. Does Obsidian use DoH? If so, try to disable it. How did you install and set up firejail+fdns?

Amir1453 commented 1 year ago

Firstly, thanks a lot for your help. Turning off systemd-resolved seems to do the trick; now, however, I am unable to access any websites via browsers or via the ping command unless they are also run with fdns.

Is there a workaround without disabling systemd-resolved? Or any way to fix the name resolution issue without systemd-resolved?

rusty-snake commented 1 year ago
1. Configure your system to not use systemd-resolved.
2. Find out why it works with Firefox and apply the same to Obsidian.
   - Blacklisting `ldconfig -p | grep libnss_resolve.so.2` should work too.
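As an added example (not code from the fdns or firejail projects, and not posted in this thread), the following POSIX shell script implements the second option: it turns `ldconfig -p` output into a firejail `blacklist` line for a `.local` file such as `~/.config/firejail/obsidian.local`, which the posted obsidian.profile includes. The reasoning the thread leaves implicit: on a systemd-resolved system the `hosts:` line of nsswitch.conf lists the `resolve` module, whose library libnss_resolve.so.2 talks to resolved directly and never reads the sandbox's /etc/resolv.conf, so fdns never sees the query; with the library blacklisted the module is unavailable and glibc falls through to the `dns` module, which does read /etc/resolv.conf. The sample ldconfig and nsswitch lines in the script are constructed, and the target file path is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example for this thread; it is not fdns or firejail project code.
# Purpose: turn the output of "ldconfig -p | grep libnss_resolve.so.2" into a
# firejail "blacklist" line so the sandboxed app cannot load nss-resolve
# (systemd-resolved's glibc NSS module). With that module unavailable, NSS
# continues to the "dns" module, which reads /etc/resolv.conf inside the sandbox.
#
# Assumptions (hypothetical, not from the thread): the sample ldconfig and
# nsswitch lines below are constructed, and the .local path is whatever the
# caller passes in.

# Read "ldconfig -p" output from stdin and print one "blacklist <path>" per
# libnss_resolve.so.2 entry. ldconfig -p prints lines shaped like:
#   <tab>libnss_resolve.so.2 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnss_resolve.so.2
# and the path is always the last field.
resolve_blacklist_lines() {
    awk '/libnss_resolve\.so\.2/ { print "blacklist " $NF }' | sort -u
}

# Read an nsswitch.conf from stdin and print which module handles hosts lookups:
# "resolve" when systemd-resolved's NSS module is listed, "dns" otherwise.
hosts_lookup_path() {
    awk '
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "resolve") { print "resolve"; exit }
            }
            print "dns"
            exit
        }
    '
}

# Append the blacklist line(s) built from stdin (ldconfig -p output) to a
# firejail .local file, e.g. "$HOME/.config/firejail/obsidian.local".
write_local_profile() {
    local_file="$1"
    mkdir -p "$(dirname "$local_file")"
    {
        printf '# Keep nss-resolve out of the sandbox so lookups use /etc/resolv.conf (fdns)\n'
        resolve_blacklist_lines
    } >> "$local_file"
}

# Constructed sample data so the example runs on a machine without systemd-resolved.
SAMPLE_LDCONFIG=$(printf '\tlibnss_resolve.so.2 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnss_resolve.so.2\n\tlibnss_files.so.2 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnss_files.so.2\n')
SAMPLE_NSSWITCH='hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns'

# Stand-alone run: prefer the real system tables, fall back to the constructed samples.
if command -v ldconfig >/dev/null 2>&1 && ldconfig -p 2>/dev/null | grep -q libnss_resolve.so.2; then
    ldconfig -p | resolve_blacklist_lines
else
    printf '%s\n' "$SAMPLE_LDCONFIG" | resolve_blacklist_lines
fi
if [ -r /etc/nsswitch.conf ]; then
    hosts_lookup_path < /etc/nsswitch.conf
else
    printf '%s\n' "$SAMPLE_NSSWITCH" | hosts_lookup_path
fi
```

Run it once outside the sandbox, pipe the real `ldconfig -p` into `write_local_profile "$HOME/.config/firejail/obsidian.local"`, then relaunch with `firejail --dns=127.1.1.1 obsidian` (127.1.1.1 being the loopback address fdns listens on by default) and confirm with `fdns --monitor` that the app's queries now appear. If `hosts_lookup_path` prints `dns` on your system, nss-resolve is not the bypass and the blacklist line will change nothing.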
Amir1453 commented 1 year ago

Thank you so much! The second one worked.