Error fcopy: invalid ownership for file /etc/resolv.conf (chattr +i)

ipaqmaster commented 7 months ago

Description

Describe the bug

Firejail can't start if its dealing with an immutable /etc/resolv.conf due to fcopy throwing an error trying to change its ownership.

Steps to Reproduce

Steps to reproduce the behavior

Launch any program with a $PATH that causes it to use firejail while /etc/resolv.conf has been hit with chattr +i /etc/resolv.conf

chattr +i /etc/resolv.conf
Firejail any program with a profile involving jailing for /etc or this particular file.

Expected behavior

What you expected to happen

Launch my programs in firejail.

Actual behavior

What actually happened

Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 297689 cannot sync with peer: unexpected EOF
Peer 297690 unexpectedly exited with status 1

Behavior without a profile

_What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?_

Software launches without issue.

Additional context

Any other detail that may help to understand/debug the problem

Environment

Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") Arch Linux
Firejail version (firejail --version). 0.9.72
If you use a development version of firejail, also the commit from which it was compiled (git rev-parse HEAD). NA

Checklist

[x] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
[x] I can reproduce the issue without custom modifications (e.g. globals.local).
[x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
[x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
[x] I have performed a short search for similar issues (to avoid opening a duplicate).
- [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
[ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

glitsj16 commented 7 months ago

I cannot reproduce on Arch Linux with firejail-git, using an ext4 file system. The private-etc option was significantly refactored after 0.9.72. Here Firejail doesn't list the requested file attributes, but it doesn't break after changing them in the real file system:

$ lsattr -l /etc/resolv.conf
/etc/resolv.conf             Extents

$ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf
/etc/resolv.conf             ---

$ sudo chattr +i /etc/resolv.conf

$ lsattr -l /etc/resolv.conf
/etc/resolv.conf             Immutable, Extents

$ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf
/etc/resolv.conf             ---

What file system are you seeing this on? Does the issue still show with firejail-git?

tredondo commented 2 days ago

I've just compiled from source on Fedora and I'm getting the same error:

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 1714580 cannot sync with peer: unexpected EOF
Peer 1714582 unexpectedly exited with status 1

$ ls -al /etc/resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve 26 Oct 29 07:10 /etc/resolv.conf

Filesystem is btrfs. The error is avoided if I include net none in the local profile.

netblue30 / firejail