netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Arch Linux: Cannot install/update AUR packages (fs_resolvconf: No such file or directory) #5723

Closed curiosityseeker closed 1 year ago

curiosityseeker commented 1 year ago

Description

See title of the issue.

Steps to Reproduce

  1. Install or update an AUR package with an AUR helper or via git clone .... and makepkg -s.
  2. You'll see the following error:
    ==> Validating source files with sha256sums...
    random_package ... Error mount: fs_etc.c:142 fs_resolvconf: No such file or directory
    Error: proc XXXXX cannot sync with peer: unexpected EOF
    Peer YYYYY unexpectedly exited with status 1
    FAILED
    ==> ERROR: One or more files did not pass the validity check!

Behavior without a profile

makepkg is not sandboxed by default, but hasher-common.profile is called.

Additional context

Commenting private-etc in hasher-common.profile fixes the issue. I haven't had the time to investigate if a more fine-grained private-etc rule can be applied.

kmk3 commented 1 year ago

On what directory are the AUR repos stored?

On what directory are the packages built?

curiosityseeker commented 1 year ago

That depends. If you install an AUR package with git clone ... and makepkg -s it's really up to you where you want to store it.

If you're using an AUR helper like paru, it is done in ~/.cache/paru.

kmk3 commented 1 year ago

@curiosityseeker on Mar 9:

> That depends. If you install an AUR package with git clone ... and makepkg -s it's really up to you where you want to store it.

Yes; I'm asking where they are on your system since that is where the errors are happening. The paths could be currently blocked by an include profile.

Also, when adding the following to ~/.config/firejail/sha256sum.local:

```
ignore quiet
ignore include sha256sum.local
ignore include globals.local
```

What is the output of makepkg?

rusty-snake commented 1 year ago

FTR https://github.com/netblue30/firejail/commit/7176e6324d444b681b822f2a29c15d61c7f92677

They got added to firecfg just recently.

curiosityseeker commented 1 year ago

> Yes; I'm asking where they are on your system since that is where the errors are happening. The paths could be currently blocked by an include profile.

Well, as mentioned in the OP, I've tried both AUR helpers (-> ~/.cache) and git clone (-> individual paths in ~).

> Also, when adding the following to ~/.config/firejail/sha256sum.local:
>
> ```
> ignore quiet
> ignore include sha256sum.local
> ignore include globals.local
> ```
>
> What is the output of makepkg?

EDITED: Need some more debugging.

curiosityseeker commented 1 year ago

Sorry for the noise. The culprit was my globals.local. I still don't understand why as it doesn't seem to include any blacklisted paths which look relevant here, though. But anyway, ignoring it solves the problem.

glitsj16 commented 1 year ago

> ... Error mount: fs_etc.c:142 fs_resolvconf: No such file or directory

Hmm, longshot, but it could be #5650. Conditions seem to fit the bill, hasher-common.profile does have net none. But nobody seems to have been able to reproduce it (yet). I've been using the patch mentioned in #5650 ever since I reported the issue and it WFM on Arch Linux.

curiosityseeker commented 1 year ago

Update: I found the culprit. I have

```
dns 127.0.0.1
```

in my globals.local to make sure that every network request goes through dnscrypt-proxy. Removing that rule in hasher-common.local fixes the issue although I don't know why. (Note: the blocklists in dnscrypt-proxy didn't block anything related)

glitsj16 commented 1 year ago

> Update: I found the culprit. I have dns 127.0.0.1

I'm more and more convinced this is #5650. Can you try the patch from that?

curiosityseeker commented 1 year ago

Wow! I applied your patch, removed ignore dns 127.0.0.1 in hasher-common.local - and got no errors!

So just to make sure: hasher-common.local now contains

```
#ignore dns 127.0.0.1
include globals.local

include disable-common.inc
```

and my globals.local contains dns 127.0.0.1.
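
The `ignore dns 127.0.0.1` workaround discussed above works because of how firejail layers `.local` files and `ignore` lines on top of a profile. The following added example (mine, not firejail's code and not from anyone in this thread) models that with constructed, simplified stand-ins for hasher-common.profile, hasher-common.local and globals.local; it assumes that `ignore PREFIX` drops later lines by prefix match, which is my reading of firejail's behaviour.

```python
# Minimal model of how firejail assembles a profile: `include FILE` splices in
# another file, and `ignore PREFIX` drops every line read after it that starts
# with PREFIX. Educational re-implementation, not firejail's own parser; the
# prefix-matching and ordering rules are my understanding of its behaviour.

# Constructed, simplified stand-ins for the real files under /etc/firejail and
# ~/.config/firejail, mirroring the setup in this issue (the private-etc list
# is illustrative, not the real one).
PROFILES = {
    "hasher-common.profile": "include hasher-common.local\ninclude globals.local\n"
                             "private-etc ca-certificates,ssl\nnet none\n",
    # The override from this thread: neutralise the global dns line.
    "hasher-common.local": "ignore dns 127.0.0.1\ninclude disable-common.inc\n",
    "globals.local": "dns 127.0.0.1\n",
    "disable-common.inc": "blacklist ${HOME}/.ssh\n",
}


def effective_profile(name, profiles, ignores=None):
    """Directive lines of `name` that survive its includes and ignores."""
    # The ignore list is shared across recursive includes: an ignore applies to
    # every line read after it, whichever file that line comes from.
    ignores = [] if ignores is None else ignores
    out = []
    for raw in profiles.get(name, "").splitlines():  # missing file reads as empty
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(line.startswith(prefix) for prefix in ignores):
            continue
        if line.startswith("ignore "):
            ignores.append(line[len("ignore "):].strip())
        elif line.startswith("include "):
            out.extend(effective_profile(line[len("include "):].strip(),
                                         profiles, ignores))
        else:
            out.append(line)
    return out


def dns_override_present(profiles):
    """True if the sandbox would still receive `dns 127.0.0.1` from globals.local."""
    return "dns 127.0.0.1" in effective_profile("hasher-common.profile", profiles)


if __name__ == "__main__":
    stock = dict(PROFILES, **{"hasher-common.local": "include disable-common.inc\n"})
    print("stock hasher-common.local :", dns_override_present(stock))     # True
    print("with ignore in .local     :", dns_override_present(PROFILES))  # False
```

In this model the ignore must be read before the line it cancels, which is why it belongs in hasher-common.local (included first) rather than after the `dns` line in globals.local.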

glitsj16 commented 1 year ago

I have a pretty similar setup, also using dns 127.0.0.1 in globals.local. That seems to be a part of what triggers the bug. We'll have to ask @netblue30 and/or @smitsohu to take a closer look at my patch. As we all know my C is rather limited so there might be better fixes.

Anyway, thanks for taking the time to test!

Duplicate of #5650.

kmk3 commented 1 year ago

Duplicate of #5650.

(Closing as a duplicate)