Open garywill opened 5 years ago
I did strace and found `ping`, `curl` don't read /etc/resolv.conf. `host`, `dig`, `nslookup` do.
I guess that's one of the reasons.
Still, the problem is sandbox escaped.
@garywill IDK how curl finds out where to look up, but I tried with `--dns=0.0.0.0` to see if the custom dns-server is used or not. I found out that if you use `--net` the `--dns` is considered.
It's because of nscd.
Need --blacklist=/var/run/nscd
@garywill Can you do a PR on the profiles that need this please?
@garywill what shows `grep ^hosts /etc/nsswitch.conf`?
@rusty-snake

```
$ grep ^hosts /etc/nsswitch.conf
hosts: files mdns_minimal [NOTFOUND=return] dns
```
@glitsj16 I don't know. I know hardly anything about firejail's profile mechanism. What profile will be accounted when `--net` is used?
> $ grep ^hosts /etc/nsswitch.conf
> hosts: files mdns_minimal [NOTFOUND=return] dns

When you change this to `hosts: files mdns_minimal dns`, do you observe any changes (for the better hopefully)?
@glitsj16 Nope. Nothing different with edited nsswitch.conf.
I used firejail in this way:
Set `tmp0` ip `192.168.88.1` and serve DHCP and DNS using `dnsmasq` on `tmp0`, and provide Internet to NATed `tmp0` via iptables. If dnsmasq receives a DNS query, I'll see it in the log.
In firejail it shows the right DNS I specified:
Problem is, in firejail `dig` and `nslookup` use the DNS that my `dnsmasq` provides, but `curl` and firefox still use host's DNS, as if not run in sandbox. (In firejail Internet is provided by iptables NAT, and I banned its access to host's DNS.)
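The following is an added diagnostic for the situation described in this thread (the nscd explanation above and the dnsmasq test setup in the last comment); it is not code from the firejail project or from any participant. The security point it encodes: glibc's `getaddrinfo()` first tries the unix socket `/var/run/nscd/socket`, and if the host's nscd daemon answers, the lookup is performed by that daemon with the host's resolver configuration, so the sandbox's `--dns` setting is bypassed. Only when that connect fails (for example after `--blacklist=/var/run/nscd`) does glibc fall back to the NSS `dns` module, which reads `/etc/resolv.conf`. Programs such as `dig` and `nslookup` carry their own resolver and read `resolv.conf` directly, which is why they behave differently from `curl`. The script classifies `strace -f -e trace=connect,openat` output of a sandboxed run; the strace lines it ships with are constructed samples, not captured output, and the `192.168.88.1` address is the dnsmasq address from the thread.

```shell
#!/bin/sh
# Added example, not part of firejail or of this issue's posts.
# Usage against a real run (assumed invocation, adjust interface and DNS to taste):
#   firejail --net=eth0 --dns=192.168.88.1 \
#       strace -f -e trace=connect,openat -o /tmp/trace.log curl http://example.com
#   classify_resolver < /tmp/trace.log
# Expected: "nscd" means the lookup escaped to the host's nscd daemon (leak);
# "resolv.conf" means the sandbox's own resolver config was used;
# "none" means no name resolution was traced at all.

classify_resolver() {
    # Reads strace output on stdin; prints one of: nscd, resolv.conf, none.
    log=$(cat)
    # A *successful* connect (return value 0) to the nscd socket is the leak signature.
    if printf '%s\n' "$log" | grep -q 'connect(.*sun_path="/var/run/nscd/socket".*) = 0$'; then
        echo nscd
    # A failed nscd connect followed by opening resolv.conf is the expected fallback.
    elif printf '%s\n' "$log" | grep -q 'openat(.*"/etc/resolv.conf"'; then
        echo resolv.conf
    else
        echo none
    fi
}

# Constructed sample traces (not captured from a real system).
# 1. Leaky: the nscd socket is reachable inside the sandbox, so glibc uses it.
SAMPLE_LEAK='connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = 0'

# 2. Fixed: /var/run/nscd blacklisted, connect fails with ENOENT, glibc reads
#    the sandbox resolv.conf and sends the query to the dnsmasq at 192.168.88.1.
SAMPLE_FIXED='connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.88.1")}, 16) = 0'

# 3. No name resolution at all (e.g. the program was given a literal IP).
SAMPLE_NONE='connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("93.184.216.34")}, 16) = 0'

main() {
    printf 'leaky run:  %s\n' "$(printf '%s\n' "$SAMPLE_LEAK" | classify_resolver)"
    printf 'fixed run:  %s\n' "$(printf '%s\n' "$SAMPLE_FIXED" | classify_resolver)"
    printf 'no lookup:  %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | classify_resolver)"
}

main
```

The check keys on the connect return value rather than on the mere presence of the socket path, because with the blacklist in place glibc still attempts the connect (and strace still shows it); what matters is whether the host daemon answered.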