Open haarp opened 4 years ago
> Ideally the jail's resolv.conf should be kept in sync with the system's, but this might require special handling of this file.

Instead of copying, we could bind-mount the whole file.

> Alternatively, the DNS server in the jail's resolv.conf could be set to a globally reachable one instead of the local network's one, such as 1.1.1.1, with dns=1.1.1.1.

Sending all the DNS queries of everybody to clownflare. Bad idea. What we could do is set it to 127.0.0.1 (or whatever) and have a simple DNS forwarder there, such as dnsmasq. Or we can use fdns, but not everyone wants this.
> Instead of copying, we could bind-mount the whole file.

According to the manpage, bind-mounts only work as root, so that's unfortunately not a solution most of the time.

> Sending all the DNS queries of everybody to clownflare. Bad idea.

Indeed. And running an additional local service is probably not a great option either. This is a bit tricky.
> Instead of copying, we could bind-mount the whole file.

> According to the manpage, bind-mounts only work as root, so that's unfortunately not a solution most of the time.

The --bind option is restricted to root for security reasons (btw: there is a FR to allow it for users in their home). (Bind-)mounting isn't an issue since firejail is suid.
This should work I think (will test later): --whitelist=/etc/resolv.conf
> This should work I think (will test later): --whitelist=/etc/resolv.conf

Just tested it, it doesn't. --whitelist doesn't seem to propagate system changes down to the whitelisted file(s), only the other way around (?)

Also, --private-etc=foo,bar,baz --whitelist=/etc/foo don't seem to work in combination, bar and baz are missing.

Even weirder is the case --private-etc=bar,baz --whitelist=/etc/foo. /etc is now completely empty.
> Just tested it, it doesn't. --whitelist doesn't seem to propagate system changes down to the whitelisted file(s), only the other way around (?)

In general, changes from system to sandbox are propagated. However, if resolv.conf is a file (not a symlink) it can be edited (which will work) or replaced (which does not work) by the controlling program.
This means bind-mounting doesn't help either.
> Also, --private-etc=foo,bar,baz --whitelist=/etc/foo don't seem to work in combination, bar and baz are missing. Even weirder is the case --private-etc=bar,baz --whitelist=/etc/foo. /etc is now completely empty.

@haarp Combining --private-etc and whitelist is possible but not very meaningful. To get you closer to where you want, just use whitelist exclusively:
ignore private-etc
whitelist /etc/resolv.conf
whitelist /etc/foo
whitelist /etc/bar
whitelist /etc/baz
[...]
But as @rusty-snake says, this only works if /etc/resolv.conf is updated by writing to the file. It doesn't work if the file is updated by replacing it, which seems to be what NetworkManager does, for example.
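The "edited in place works, replaced does not" distinction above can be shown without root. Added example, not code from the issue or from firejail: a hard link stands in for the bind mount that --whitelist/--bind creates, since both make a second path refer to the same inode, and the file names and nameserver addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the firejail issue or project.
# A hard link stands in for the bind mount that --whitelist/--bind
# creates: both make a second path refer to the same inode, so the
# outcome for in-place edits vs. rename-replacement is identical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SYSTEM="$WORK/resolv.conf"     # constructed stand-in for the host's /etc/resolv.conf
SANDBOX="$WORK/sandbox-view"   # what the sandbox would see (same inode)

setup() {
    printf 'nameserver 192.0.2.1\n' > "$SYSTEM"
    ln -f "$SYSTEM" "$SANDBOX"
}

# Style 1: open the existing file and rewrite it (inode is kept).
update_in_place() {
    printf 'nameserver 192.0.2.2\n' > "$SYSTEM"
}

# Style 2: write a temp file and rename it over the old one, as
# NetworkManager-style tools do (inode changes, old one stays linked).
update_by_replace() {
    printf 'nameserver 192.0.2.3\n' > "$SYSTEM.tmp"
    mv -f "$SYSTEM.tmp" "$SYSTEM"
}

# Nameserver currently visible from the sandbox side.
sandbox_nameserver() {
    awk '/^nameserver/ { print $2 }' "$SANDBOX"
}

# Succeeds only while host path and sandbox view share an inode.
same_inode() {
    [ "$SYSTEM" -ef "$SANDBOX" ]
}

setup
update_in_place
echo "after in-place edit:  sandbox sees $(sandbox_nameserver)"   # 192.0.2.2
update_by_replace
echo "after rename-replace: sandbox sees $(sandbox_nameserver)"   # still 192.0.2.2
same_inode || echo "inodes differ: the sandbox keeps the stale file"
```

The same thing happens inside a mount namespace: the bind mount keeps referencing the old inode while the host's /etc/resolv.conf name now points at a new file.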
Isn't there still a way to somehow fix/work around that (in the case of NetworkManager)?
If NM operates in rc-manager=symlink mode and /etc/resolv.conf is a symlink to /run/NetworkManager/resolv.conf it should work I guess.
Well, actually, it is a symlink to /run/systemd/resolve/resolv.conf. And its content changes every time NM connects to different networks with different DNS servers (but not inside the jail).

BTW, /run/NetworkManager/resolv.conf for some reason contains an address of systemd-resolved (127.0.0.53) instead of the current connection's DNS servers.
Hello,

I have witnessed this problem with Discord, but I believe it to be a generic issue.

With private-etc=resolv.conf, the jail will receive a copy of the system's resolv.conf. If the system is now moved to a different location/network with a different DNS server, the system's resolv.conf will be updated to use the new server, but the jail's resolv.conf will not. DNS requests will henceforth fail in the jail as they try to use an unreachable server.

Ideally the jail's resolv.conf should be kept in sync with the system's, but this might require special handling of this file. Alternatively, the DNS server in the jail's resolv.conf could be set to a globally reachable one instead of the local network's one, such as 1.1.1.1, with dns=1.1.1.1. But this is unlikely to be in everyone's interest.

Reproduce

firejail --noprofile --private-etc=resolv.conf bash -c 'while true; do cat /etc/resolv.conf; getent hosts google.com; sleep 5; done'

Environment

Gentoo Linux, firejail-0.9.62-r1

Thanks!