Open marek22k opened 11 months ago
```
sudo sed -i 's/^dnsmasq/# dnsmasq/' /etc/firejail/firecfg.config
```
The upcoming Firejail release will have override support for firecfg.config:
If you use firejail-git from the AUR you can have that functionality now. Dropping a file like the below will disable dnsmasq sandboxing persistently:
```
$ cat /etc/firejail/firecfg.d/10-disabled.conf
!dnsmasq
```
@glitsj16 ideally I'd like to keep using the dnsmasq profile. While this can be a temporary workaround, it does not solve the underlying issue.
@ShellCode33 Agreed, the underlying issue is still not very clear (to me).
I've zero experience with libvirt/dnsmasq. Going over the referenced issue threads, I did notice https://github.com/netblue30/firejail/issues/5089#issuecomment-1094276371 mentions `caps.keep chown,dac_override,net_admin,net_bind_service,net_raw,setgid,setuid` might be needed (besides `whitelist /var/lib/libvirt/dnsmasq` and `whitelist /var/run`). OP's response seems to suggest that fixes things, but the resulting commits https://github.com/netblue30/firejail/commit/ce6f792efd0af09b95050864b71f79c46359fa49 and https://github.com/netblue30/firejail/commit/f3de2e37fd0bb3eb18393961f8382ff08fe3c3fb don't touch caps.keep.
Have you tried using dnsmasq.profile with `caps.keep chown,dac_override,net_admin,net_bind_service,net_raw,setgid,setuid` yet?
Follow-up
I've installed libvirt/dnsmasq on my Arch Linux box to get a better understanding of this issue. With the below it works here, without the firecfg workaround:
```
$ cat ~/.config/firejail/dnsmasq.local
# Firejail profile for dnsmasq
# Persistent local customizations
allusers
caps.keep chown,net_admin,net_bind_service,net_raw,setgid,setuid
ignore caps.keep
```
Caveats:
- `wheel` group, hence I didn't add myself to the `libvirt` group as mentioned in the Arch wiki page for libvirt;
- `sudo virsh net-start default` hangs on the command-line, but this doesn't seem to affect the now firejailed dnsmasq instances called by libvirt (probably another manifestation of #4440).

@marek22k @ShellCode33 Can you try again with the above dnsmasq.local and report back here please? Hopefully we're closer to fixing this properly...
Thanks for taking the time to look at it @glitsj16!
I still have the same PATH-related error:
```
$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set
```
You said that for you virsh was just hanging, that sounds odd. Make sure the libvirtd service is running
Here's my /etc/firejail/dnsmasq.local:
```
noblacklist /run/libvirt
noblacklist /usr/lib/libvirt
noblacklist /usr/local/bin/dnsmasq
noblacklist /usr/bin/dnsmasq
noblacklist /usr/bin/libvirtd
whitelist /usr/lib/libvirt
whitelist /run/libvirt
whitelist /usr/local/bin/dnsmasq
whitelist /usr/bin/dnsmasq
whitelist /usr/bin/libvirtd
noblacklist /usr/lib
noblacklist /usr/bin
noblacklist /usr/local/bin/
noblacklist /run
allusers
caps.keep chown,net_admin,net_bind_service,net_raw,setgid,setuid
ignore caps.keep
```
(I'm deliberately trying to be very permissive to narrow it down after, but that still doesn't work)
```
$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set
$ cat /etc/firejail/dnsmasq.local
allusers
caps.keep chown,net_admin,net_bind_service,net_raw,setgid,setuid
ignore caps.keep
```
> You said that for you virsh was just hanging, that sounds odd. Make sure the libvirtd service is running

@ShellCode33 I did start libvirtd.service and virtlogd.service via systemd. Nothing special here. If you don't start those you'll indeed see errors:
```
$ sudo virsh net-start default
error: failed to connect to the hypervisor
error: Operation not supported: Cannot use direct socket mode if no URI is set
```
@ShellCode33 @marek22k Did you re-enable the dnsmasq symlink in /usr/local/bin (via firecfg or manually)? To make absolutely sure I created a wrapper script:
```
$ cat /usr/local/bin/dnsmasq
#!/bin/sh
#
## wrapper for dnsmasq
#+ sandbox support via firejail
### vars
_app="dnsmasq"
_bin="/usr/bin/${_app}"
# sandboxing
_bin="firejail --name=${_app}-6121 --quiet ${_bin}"
### logic
${_bin} "$@"
exit 0
```
Mind the `--name=${_app}-6121` part. It's another assisting param to double-check if sandboxing dnsmasq is or isn't working. After issuing the virsh command you can run:
```
$ firejail --list | grep dnsmasq
11943:root:dnsmasq:firejail --name=dnsmasq-6121 --quiet /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
```
You should see the same if you added `name dnsmasq-6121` (or anything you choose really) to dnsmasq.local.
Did either of you add your user to the `libvirt` group? Any `polkit` stuff we're missing eyes on in this context? Check these docs for details:
https://wiki.archlinux.org/title/Libvirt#Using_libvirt_group
https://wiki.archlinux.org/title/Libvirt#Using_polkit
https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
https://wiki.archlinux.org/title/Polkit#Globally
https://wiki.archlinux.org/title/Polkit#For_specific_actions
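As an added example (not code from the thread or from the firejail project), a POSIX sh helper for the two checks discussed above: which sandboxes are running dnsmasq, parsed from `firejail --list` output in the `PID:USER:NAME:COMMAND` layout quoted above, and whether `/usr/local/bin/dnsmasq` is a firecfg symlink, a wrapper script, or absent. The `--list` lines it reads are constructed from the quoted output, and the `dnsmasq-6121` marker is the one set in the wrapper script.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the `firejail --list` line
# format seen above (PID:USER:SANDBOX_NAME:COMMAND) and the --name marker
# dnsmasq-6121 used by the wrapper script.

# Constructed sample of `firejail --list` output, modelled on the quoted lines.
SAMPLE_LIST='11943:root:dnsmasq:firejail --name=dnsmasq-6121 --quiet /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
63207:root:dnsmasq-6121:firejail --name=dnsmasq-6121 --quiet /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf
2001:alice:firefox:firejail /usr/bin/firefox'

# Read `firejail --list` lines on stdin; print "PID SANDBOX_NAME" for every
# sandbox whose command runs dnsmasq. The command is the last field and may
# itself contain colons, so `read` is used rather than splitting with awk.
dnsmasq_sandboxes() {
    while IFS=: read -r pid _user name cmd; do
        case " $cmd " in
            *"/dnsmasq "*|*" dnsmasq "*) printf '%s %s\n' "$pid" "$name" ;;
        esac
    done
}

# Count the dnsmasq sandboxes whose sandbox name equals the expected marker.
# Usage: <list output> | named_dnsmasq_count dnsmasq-6121
named_dnsmasq_count() {
    marker="$1"
    dnsmasq_sandboxes | awk -v m="$marker" '$2 == m { n++ } END { print n + 0 }'
}

# Classify what sits at the firecfg entry point (normally /usr/local/bin/dnsmasq):
#   symlink TARGET  firecfg-style symlink, e.g. to /usr/bin/firejail
#   wrapper         regular file such as the wrapper script above
#   missing         nothing there, so libvirt starts dnsmasq unsandboxed
classify_entrypoint() {
    p="$1"
    if [ -L "$p" ]; then
        printf 'symlink %s\n' "$(readlink "$p")"
    elif [ -f "$p" ]; then
        printf 'wrapper\n'
    else
        printf 'missing\n'
    fi
}

# Stand-alone demonstration on the constructed sample and the real path.
printf '%s\n' "$SAMPLE_LIST" | dnsmasq_sandboxes
printf '%s\n' "$SAMPLE_LIST" | named_dnsmasq_count dnsmasq-6121
classify_entrypoint /usr/local/bin/dnsmasq
```

Pipe the live `firejail --list` output into `dnsmasq_sandboxes` to repeat the `grep dnsmasq` check without relying on the sandbox name.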
> Did you re-enable the dnsmasq symlink in /usr/local/bin (via firecfg or manually)?

Yes it is currently enabled.

> Did any of you both added his user to the libvirt group?

Yes my user is part of this group, but I guess it doesn't matter considering we are running virsh using sudo, therefore polkit shouldn't be at play here.
I tried to put your script in place of the /usr/local/bin/dnsmasq symlink, now virsh runs fine without error (at least it confirms this is not a PATH issue).
But now I have an apparmor denial :smiling_face_with_tear:
So I tried to disable this particular AppArmor profile, and now I observe the same behavior as you: virsh hangs.
While it's still hanging, I can see it's running within firejail:
```
firejail --list | grep dnsmasq
63207:root:dnsmasq-6121:firejail --name=dnsmasq-6121 --quiet /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
```
EDIT: even if I CTRL+C virsh, dnsmasq is still running, but it's a bit annoying because all virsh commands hang, even sudo virsh net-list
EDIT2: my `dnsmasq.local` is completely empty and it's still working. I'm starting to wonder if this is a bug in libvirt which does not resolve the symlink properly.
EDIT3: CTRL+C doesn't work, the libvirtd daemon will error after some time.
And when it's automatically restarted by systemd, the following errors/warning are emitted:
FWIW I'm having the same issue on Arch. I don't use AppArmor.
Same issue here on Arch. Disabled dnsmasq profile in firejail. Otherwise it won't function.
Description
I cannot activate the virtual network when firejail is activated.
Steps to reproduce the behavior
```
sudo virsh net-start default
```
Expected behavior
The network starts.
Actual behavior
The network does not start.
Behavior without a profile
Since dnsmasq is called by libvirt, it is difficult to do this manually. However, running it after `firecfg --clean` works.
Additional context
Already reported several times, but apparently not yet resolved:
Workaround:
Log
Output of `LC_ALL=C firejail /path/to/program`:
```
$ sudo LC_ALL=C firejail /usr/bin/virsh net-start default
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-write-mnt.inc
Reading profile /etc/firejail/disable-xdg.inc

** Note: you can use --noprofile to disable server.profile **

Parent pid 9679, child pid 9680
The new log directory is /proc/9680/root/var/log
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 25.35 ms
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

Parent is shutting down, bye...
```
Output of `LC_ALL=C firejail --debug /path/to/program`: https://gist.github.com/marek22k/53c067d5a7e23121984dd8b6b74ebb5a