Firefox under Firejail can't make new connections after switching network connection methods #5010
Comments
Does it work if you enter an IP address in the urlbar?
I have a very similar (maybe same?) issue. Running "firejail firefox" has no internet connection but "firejail --noprofile firefox" does have internet. Entering that IP address in the urlbar does load a page and works as well.
If you use openSUSE: #4954
I use Arch with networkd, not openSUSE. But the fix listed there worked. Whitelisted /etc/resolv.conf and all is well. Thanks!
Where does your /etc/resolv.conf point to? We should whitelist that path too.
It points to /run/systemd/resolve/stub-resolv.conf. This is already in the whitelist file.
I'm having the same problem after updating from firejail-0.9.64.4 to firejail-0.9.68.
@rusty-snake https://1.1.1.1 is accessible with 0.9.68 while other sites by their names are not. Looks like a DNS problem.
Which distro do you use? Which program manages your DNS config? Where does you
I'll let you know if it happens again or if I'm able to replicate it. I don't remember exactly, but I do have some vague memory of trying to access a machine on my network at
Gentoo. I believe that NetworkManager is handling my DNS configuration. resolv.conf points to the correct set of DNS servers all the time.
If this happens, can you still open
I can reproduce this bug on Arch with FF and firejail version 0.9.68. Downgrading to 0.9.64.4 solves the issue. In my case I can open
I encountered this bug again, and was able to load pages via IP addresses. I didn't check The DNS servers that are set for my first network configuration are only available on that network, and I switched to a second connection where I couldn't reach them.
As a workaround it should work with echo "whitelist $(dirname "$(readlink /etc/resolv.conf)")" >> whitelist-run-common.local
BTW, I noticed an error saying "unknown option --with-whitelist" or something like this while building 0.9.68 on Gentoo. Have no clue if this is related or not, just FYI.
Aha, yup this should be fixed in Gentoo as of a few weeks ago (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0246df2ab9257ecb01fa6fc453a7c647cd1ca543). @e-pirate do you know if you were building (If that's the version you were/are building and still see that error, please file a bug over at https://bugs.gentoo.org as it's a Gentoo packaging problem for me, not a firejail problem.)
Nope, I was building 0.9.68, because 0.9.68-r1 is marked unstable:
But I can still build 0.9.68-r1 and return to you with the result.
Hah, right! I forgot that 0.9.68 got marked stable; as a proxy maintainer that is above my pay grade ;)
Thanks!
I can confirm that there are no errors related to
rusty-snake wrote:
Did this workaround work for either @e-pirate or @alexdelorenzo ? Sounds like it did for JMillz269. I can imagine some situations when it might not (generally: if the thing-managing-resolv.conf-links doesn't stick to one directory to store the pointed-to files). But I don't want to go down that rabbit hole unless confirmed we need to.
I say we need a general solution for resolv.conf changes (see also #3649).
No, it didn't. My
Instead, I added this to
After relaunching Firefox, and switching networks to one that can't reach my DNS servers, my I tried the same thing with Chromium, and added the whitelist line to a The
As far as I can see this is a general issue and has nothing to do with the firefox profile or other profiles. When I run:
and open I didn't find any workaround with 0.9.68 yet. However, downgrading to 0.9.66 solves the issue. In case it matters, I'm running on Arch and
@Nils-TUD, what happens when you view
With Chromium it's exactly the same: it always shows the same content for
I am having the same problem for all my firejailed applications. (I had this problem for weeks but blamed it on the applications.) As far as I can tell, I don't even have private-etc set for these profiles. This is hard to debug since Adding It almost looks like firejail is doing something magic with /etc/resolv.conf and there is no way to disable that? OTOH, in my case the DNS servers actually stay the same as I switch between Wifi and cable. And yet the applications lose connectivity. So I am not sure if DNS is the only problem and routing is not also affected? (As I said, hard to debug since none of the regular networking tools seem to work inside the jail.)
So not to sound rude or anything, but I hope you guys realize that this is currently a big issue for VPN users. I noticed this yesterday by accident: Run firejailed Firefox or Element -> activate VPN (for example Wireguard through NetworkManager) -> Your whole DNS traffic gets leaked to your standard DNS. This is especially a problem for users with a higher threat level and it makes me a bit worried how long this issue is already open without some users realizing it.
@DatAres37 Marking this as a bug. Hopefully that will bring this back to the attention of our devs. Thanks for your comment & patience!
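A diagnostic for the two questions this thread keeps circling: which directory the `whitelist` workaround actually needs (the real file behind /etc/resolv.conf after every symlink hop, relative or absolute, not just the first), and whether a running sandbox is still serving a resolv.conf that predates a VPN or network switch, which is the leak @DatAres37 describes. This is an added example for this page, not firejail's own code. It assumes that `firejail --join=<name|pid> <command>` runs the command inside an existing sandbox as firejail(1) documents, that `--quiet` suppresses firejail's own banner, and that the stale-copy symptom reported above is what you are hunting; the two-hop symlink layout built in `demo_chain` is constructed for illustration only.

```shell
#!/bin/sh
# Added example for this thread; not part of firejail. Derives the firejail
# `whitelist` line for the directory that really holds /etc/resolv.conf and,
# optionally, compares the nameservers a running sandbox sees with the host's.

# Follow a symlink chain hop by hop. Relative targets are resolved against the
# directory of the link that holds them (systemd-resolved installs
# /etc/resolv.conf as ../run/systemd/resolve/stub-resolv.conf). Prints the
# canonical path of the final file; fails on a loop or an unreadable link.
resolve_chain() {
    p=$1
    hops=0
    while [ -h "$p" ]; do
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
        hops=$((hops + 1))
        [ "$hops" -lt 32 ] || return 1     # loop guard
    done
    printf '%s/%s\n' "$(cd "$(dirname "$p")" && pwd -P)" "$(basename "$p")"
}

# The profile line that keeps the real file reachable inside the sandbox.
whitelist_line() {
    real=$(resolve_chain "${1:-/etc/resolv.conf}") || return 1
    printf 'whitelist %s\n' "$(dirname "$real")"
}

# nameserver addresses from a resolv.conf on stdin: sorted, deduplicated,
# space separated, so two views can be compared as plain strings.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' | sort -u | tr '\n' ' '
}

# Host view vs. sandbox view. Assumption: `firejail --join=<name|pid> <cmd>`
# runs <cmd> inside the sandbox and `--quiet` drops firejail's banner.
# Returns 0 when both agree, 1 when the sandbox is stale, 2 without firejail.
check_sandbox_dns() {
    command -v firejail >/dev/null 2>&1 || return 2
    host_ns=$(nameservers < /etc/resolv.conf)
    jail_ns=$(firejail --quiet --join="$1" cat /etc/resolv.conf | nameservers)
    if [ "$host_ns" = "$jail_ns" ]; then
        echo "sandbox $1: resolv.conf matches host"
        return 0
    fi
    printf 'sandbox %s: STALE host=[%s] sandbox=[%s]\n' "$1" "$host_ns" "$jail_ns"
    return 1
}

# Constructed layout (illustration only): a systemd-resolved style relative
# link whose stub file is itself an absolute link into NetworkManager's
# directory. The derived line names that directory, not /etc.
demo_chain() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/run/systemd/resolve" "$d/run/NetworkManager"
    printf 'nameserver 10.8.0.1\n' > "$d/run/NetworkManager/resolv.conf"
    ln -s "$d/run/NetworkManager/resolv.conf" "$d/run/systemd/resolve/stub-resolv.conf"
    ln -s ../run/systemd/resolve/stub-resolv.conf "$d/etc/resolv.conf"
    whitelist_line "$d/etc/resolv.conf"
    rm -rf "$d"
}

main() {
    if [ $# -eq 0 ]; then
        demo_chain
        whitelist_line /etc/resolv.conf
    else
        whitelist_line "$1"
        if [ -n "${2:-}" ]; then
            check_sandbox_dns "$2"
        fi
    fi
}
main "$@"
```

With no arguments it prints the derived line for the constructed layout and for the local /etc/resolv.conf. To check a live sandbox after a network switch, start it with a name (`firejail --name=ff firefox`) and run the script as `./resolv-check.sh /etc/resolv.conf ff`; a "STALE" line means the jail is still resolving through the pre-switch servers. As @rusty-snake notes above, whitelisting only helps if the daemon keeps rewriting files inside one directory; a daemon that swaps the directory itself is the case the workaround does not cover.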
Hm, thanks, so it looks like I have to reconfigure NM and start a local DNS server to work around a problem in firejail, right? Seems easier to downgrade the firejail...
Downgrade to a vulnerable version?! 😨 If the specific cause on your system was introduced with 0.9.70,
…he files were blacklisted" This reverts commit ba9c969. Fixes netblue30#5010.
I still think ba9c969 should be reverted or at least be made opt-out, it just breaks too many things... At https://github.com/RalfJung/firejail I have a version of 0.9.68 with the problematic patch reverted. Sadly that doesn't apply cleanly on 0.9.70 any more.
I've seen that there is a release candidate for 0.9.72, but that doesn't appear to contain a fix for this bug, which is currently preventing firefox working when I use my VPN (mullvad over wireguard) -- I have to kill and reopen firefox whenever my laptop sleeps or there are any network changes. Is there a plan to include a fix for this in 0.9.72?
A fix is unlikely since nobody has worked on it yet and it will be a lot of work. Mitigations/Workarounds however should be considered.
I don't know the inner workings of firejail at all, but perhaps reverting ba9c969 is the best bet for the 0.9.72 release then? That seems like it would balance the work required with the gains of repairing the problematic behaviour.
To avoid boolean confusion (`no-foo no` / `no-foo yes`) in firejail.config:

    etc-no-blacklisted no
    etc-no-blacklisted yes

Commands used to search and replace:

    git grep -Ilz -i 'etc.no.blacklisted' -- etc src |
      xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
        -e 's/etc-no-blacklisted/etc-hide-blacklisted/' \
        -e 's/ETC_NO_BLACKLISTED/ETC_HIDE_BLACKLISTED/' \
        '{}')\" >'{}'"

Added on commit ded5020 ("opt-in: skip blacklisted files in private-etc - netblue30#5010, netblue30#5230", 2023-01-15) / PR netblue30#5591.
To make it clearer. Added on commit ded5020 ("opt-in: skip blacklisted files in private-etc - netblue30#5010, netblue30#5230", 2023-01-15) / PR netblue30#5591.
Let users know that enabling this may break /etc/resolv.conf. Added on commit ded5020 ("opt-in: skip blacklisted files in private-etc - netblue30#5010, netblue30#5230", 2023-01-15) / PR netblue30#5591.
I was very excited about 0.9.72 landing so that I could go back to using my VPN, but unfortunately it appears that this has not fixed the issue described here. I have recorded a screen recording demonstrating the behaviour in case that's useful. In my firejail.conf I have
Can you please make clear whether 0.9.72 will work for NM managed VPNs?
As mentioned by @rusty-snake, the original issue ("can't make new The issue with NetworkManager and VPNs might be related, but it is not the same Please open a dedicated bug report for it so that it can be properly tracked:
Description
After using Firefox for a bit on WiFi and then experiencing a network failure, when I go to change my network connection method to Ethernet, I cannot open or refresh pages in Firefox.
Connections will time out and I'll have to close the browser and open it again in order to load or refresh pages.
Steps to Reproduce
Open Firefox with Firejail, let it run for a bit. After experiencing a network connection error, change your connection via a separate network device. Go back to Firefox and try to open "google.com".
Expected behavior
I should be able to resume using the browser after experiencing a network failure and/or network device change.
Actual behavior
After network failure/network device change, trying to open new pages or refreshing tabs results in those tabs eventually timing out without loading. The browser must exit and start again for it to work.
Behavior without a profile
This does not seem to be an error with Firejail-less Chromium or when I've tried to replicate the issue in Firefox without Firejail.