subgraph / subgraph-os-issues

Subgraph OS issues repository

Sandbox clearnet DNS problems on Debian #337

Open taonik opened 6 years ago

taonik commented 6 years ago

I've built and installed the oz package successfully on Debian 9.3 (no hardened kernel). I've tested it and it works fine with offline apps (e.g. evince), while it's giving me a hard time with the clearnet and DNS resolution.

oz-daemon version: 0.2.6-1 amd64

I know Firefox uses its own internal resolver and I've read an older discussion about it, so I've tried to use curl and it seems (from the logs) that it can't resolve hostnames either, so I've tried to retrieve a page using the server IP directly and it worked, so I have a problem with DNS resolution inside a sandbox.

What am I missing here?

taonik commented 6 years ago

I've tried to replace the clear bridge with a socket for port 53 (#99), to analyze only the resolution, but it complains "Unsupported proxy protocol specified"

curl.json:

{
"name": "curl"
, "path": "/usr/bin/curl"
, "reject_user_args": false
, "networking":{
    "type": "empty"
        , "sockets": [
        {"type":"client", "proto":"udp", "port":53}
    ]
}
, "whitelist": [
    {"path": "${HOME}/", "can_create": true}
        , {"path": "/var/lib/oz/cells.d/curl.json", "read_only": true}
]
, "shared_folders": [
]
, "blacklist": [
]
, "environment": [
]
, "seccomp": {
    "mode":"disabled"
}
}

oz-logs:

16:26:30 ▶ INFO 10a [curl] -------------------------------------------------------------------
16:26:30 ▶ INFO 10b [curl] Interface      IP                            Mask            Status
16:26:30 ▶ INFO 10c [curl] lo             127.0.0.1/8                   255.0.0.0       up                   ::1/128                                       
16:26:30 ▶ INFO 10d [curl] -------------------------------------------------------------------
16:26:30 ▶ INFO 10e [curl] Hostname set to (curl.local)
16:26:30 ▶ DEBU 10f [curl] dbus-uuid: 42fad901599232293210c7195aad41b6
16:26:30 ▶ INFO 110 oz-init (curl) is ready
16:26:30 ▶ WARN 111 Unsupported proxy protocol specified!
16:26:30 ▶ INFO 112 [curl] Run program message received: &{Args:[http://ftp.debian.org/debian] Pwd:/home/user Path:/usr/bin/curl}
16:26:30 ▶ DEBU 113 [curl] (stderr)   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
16:26:30 ▶ DEBU 114 [curl] (stderr)                                  Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: ftp.debian.org
16:26:30 ▶ DEBU 116 [curl] Child process pid=10 exited from init with status 6
16:26:30 ▶ INFO 117 [curl] Shutting down sandbox after child exit.
16:26:30 ▶ INFO 118 [curl] oz-init exiting...
16:26:30 ▶ DEBU 119 Child process pid=7865 exited from daemon with status 0

taonik commented 6 years ago

I think I solved it. I've read in a previous discussion that oz used to depend on the resolvconf package. I don't know exactly the current stage of development, but oz still relies on the "/run/resolvconf" folder, so in order to make the clearnet work in Debian I have to create "/run/resolvconf" and copy "/etc/resolv.conf" inside it before launching oz-daemon.

I also think that the deps list provided by the docs in the section dependencies is not enough; in fact, I noticed oz and the clearnet work fine only in the VM I use to build packages, where I installed the deps listed in the section installing, while with the shorter list oz is much slower, has graphical issues and the clearnet doesn't work.
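
The workaround from the last comment, as an added shell example that is not part of the original thread and not oz's own code: it stages a copy of /etc/resolv.conf under /run/resolvconf, refuses a file with no nameserver lines, and flags loopback resolvers, which a sandbox with its own network namespace cannot reach on the host. The staged file name resolv.conf, the function names, the return codes and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not oz code): stage resolv.conf as the comment above describes.
# Assumption: the staged file is named resolv.conf, as a plain copy would name it.

# Print the nameserver addresses listed in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Succeed if any listed nameserver is a loopback address (127.x.x.x or ::1).
has_loopback_nameserver() {
    list_nameservers "$1" | grep -Eq '^(127\.|::1$)'
}

# Copy SRC to DEST_DIR/resolv.conf. Return codes (chosen for this example):
#   0 staged, 1 I/O error, 2 no nameserver lines, 3 staged but loopback listed
stage_resolv_conf() {
    src=${1:-/etc/resolv.conf}
    dest_dir=${2:-/run/resolvconf}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    if [ -z "$(list_nameservers "$src")" ]; then
        echo "$src has no nameserver entries; not staging it" >&2
        return 2
    fi
    mkdir -p "$dest_dir" || return 1
    # /etc/resolv.conf is often a symlink; -L stages the file it points to.
    cp -L "$src" "$dest_dir/resolv.conf" || return 1
    chmod 0644 "$dest_dir/resolv.conf" || return 1
    if has_loopback_nameserver "$src"; then
        # A network namespace has its own loopback, so a host-side stub
        # resolver on 127.x.x.x is not reachable from inside the sandbox.
        echo "warning: loopback nameserver listed in $src" >&2
        return 3
    fi
    return 0
}

# Run as root before starting oz-daemon: sh stage-resolv.sh --apply
if [ "${1:-}" = "--apply" ]; then stage_resolv_conf; fi
```

Because /run is a tmpfs on Debian, the staged directory is gone after a reboot, and the copy is a snapshot that does not follow later changes to the host's resolver configuration.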