signal: cannot reconnect if started without internet connection (resolv.conf)

[rieje]

Description

Signal desktop client is unable to reconnect if it was started without internet connection. Without firejail, it will normally reconnect even if started without internet connection.

Steps to Reproduce

sudo systemctl stop NetworkManager
firejail signal-desktop
sudo systemctl start NetworkManager

You will see:

Disconnected. Check your network connection. Click to reconnect.

Even if you click to reconnect, it refuses to connect despite internet connection established. Without firejail, it will auto-reconnect without the user having to click reconnect (although that works too).

If Signal is started with connection, then restarting NetworkManager (i.e. terminating internet connection and establishing it again) will work as expected, i.e. it will be possible to re-connect. So the issue is only if Signal is started without internet connection where it will be impossible to reconnect unless you kill the Signal instance and restart.

Environment

• Arch Linux v.69
• Firejail version 0.9.68

Checklist

• [X] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• [X] I can reproduce the issue without custom modifications (e.g. globals.local).
• [X] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• [X] The profile (and redirect profile if exists) hasn't already been fixed upstream.
• [X] I have performed a short search for similar issues (to avoid opening a duplicate).
• [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Disabled internet connection, start capturing the log, then start internet connection. Click "reconnect", Signal fails to reconnect. Terminate Signal and uploaded logs below:

Output of LC_ALL=C firejail /usr/bin/signal-desktop. Output of LC_ALL=C firejail --debug /usr/bin/signal-desktop.

[rusty-snake]

Reading profile /home/rieje/.config/firejail/signal-desktop.local

What's in it?

[rusty-snake]

How is /etc/resolv.conf handled?

Is is a symlink? If yes, where does it point to? Which program changes it? NetworkManager? systemd-networkd?

[rieje]

~/.config/firejails/signal-desktop.local:

ignore private-tmp
ignore dbus-user none
dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher

/etc/resolv.conf is not a symlink and handled by NetworkManager.

[rusty-snake]

/etc/resolv.conf is not a symlink and handled by NetworkManager.

That's likely explains it because signal-desktop.profile uses private-etc.

If /etc/resolv.conf is a file, NetworkManager will write to resolv.conf with creat+write+rename logic. If there is no nameserver set in resolv.conf when the sandbox is started, it will end up without one.

For now you can change /etc/resolv.conf or use dns 1.2.3.4 (in signal-desktop.local).