Tried to install firejail current version 50.1 and the artful package (50.3) with firejail profiles.
Cannot connect to internet.
Using LTS version works fine in Ubuntu 17.10
G'day @matteotanca
How did you install these packages? Did they come from the Ubuntu repository or did you download the firejail packages from SourceForge?
If from Ubuntu repos, did you install both firejail and firejail-profiles?
What happens if you run firejail --noprofile ping -c 10 8.8.8.8?
G'day @Fred-Barclay,
with the --noprofile option I'm able to ping and to surf. So I guess there's something wrong with Ubuntu 17.10 50.3 firejail profiles.
Thanks!
@matteotanca Please note, using --noprofile disables nearly all sandboxing features, providing very little security benefit.
@SpotComms thanks, I knew, waiting for a fix.
Thanks!!
Please tell a bit more about the problem.
Which application has no internet access? Doesn't even firejail wget debian.org work?
If so, please post the complete terminal output.
matteo@matteo-ThinkPad-W540:~$ firejail wget debian.org
--2017-10-22 12:38:03-- http://debian.org/
Risoluzione di debian.org (debian.org)... non riuscito: Nome o servizio sconosciuto.
wget: impossibile risolvere l'indirizzo dell'host "debian.org"
matteo@matteo-ThinkPad-W540:~$ firejail ping www.google.it
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
* Note: you can use --noprofile to disable default.profile *
Parent pid 30627, child pid 30628
Child process initialized in 49.89 ms
ping: socket: Operazione non permessa
Parent is shutting down, bye...
matteo@matteo-ThinkPad-W540:~$ firejail telnet www.google.it
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
* Note: you can use --noprofile to disable default.profile *
Parent pid 30679, child pid 30689
Child process initialized in 35.99 ms
telnet: could not resolve www.google.it/telnet: Name or service not known
Parent is shutting down, bye...
matteo@matteo-ThinkPad-W540:~$ firejail firefox www.google.it
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 30782, child pid 30783
Blacklist violations are logged to syslog
Child process initialized in 60.23 ms
1508668761448 FirefoxAccounts ERROR Background refresh of profile failed: {"name":"FxAccountsProfileClientError","code":null,"errno":998,"error":"NETWORK_ERROR","message":"[Exception... \"NS_ERROR_UNKNOWN_HOST\" nsresult: \"0x804b001e (NS_ERROR_UNKNOWN_HOST)\" location: \"JS frame :: resource://services-common/rest.js :: onStopRequest :: line 483\" data: no]"}
[Parent 5] WARNING: pipe error (46): Connessione interrotta dal corrispondente: file /build/firefox-9cfKiA/firefox-56.0+build6/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
/usr/share/themes/Radiance/gtk-2.0/apps/mate-panel.rc:30: error: invalid string constant "murrine-scrollbar", expected valid string constant
[Parent 5] WARNING: pipe error (58): Connessione interrotta dal corrispondente: file /build/firefox-9cfKiA/firefox-56.0+build6/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
* UTM:SVC TimerManager:registerTimer called after profile-before-change notification. Ignoring timer registration for id: telemetry_modules_ping
Parent is shutting down, bye...
I installed version 50.1, but when I upgrade, Ubuntu 17.10 installs version 50.3 with profiles 50.3.
matteo@matteo-ThinkPad-W540:~$ apt search firejail
Ordinamento... Fatto
Ricerca sul testo... Fatto
firejail/artful,now 0.9.50-3 amd64 [installato]
sandbox per restringere l'ambiente dell'applicazione
firejail-profiles/artful,artful,now 0.9.50-3 all [installato, automatico]
profiles for the firejail application sandbox
firetools/artful 0.9.46-3 amd64
Qt frontend for the Firejail application sandbox
Maybe this is useful too:
matteo@matteo-ThinkPad-W540:~$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 31471, child pid 31472
DNS server 8.8.8.8
DNS server 8.8.4.4
Blacklist violations are logged to syslog
Error: cannot set DNS servers, /etc/resolv.conf file is missing
Error: proc 31471 cannot sync with peer: unexpected EOF
Peer 31472 unexpectedly exited with status 1
matteo@matteo-ThinkPad-W540:~$ ls /etc/resolv.conf
/etc/resolv.conf ----> is not missing!
matteo@matteo-ThinkPad-W540:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.10
DISTRIB_CODENAME=artful
DISTRIB_DESCRIPTION="Ubuntu 17.10"
Maybe it's a problem related to systemd-resolved in Ubuntu 17.10. Idk if other distros have the same problem.
Hope this helps. Thank you!
Just to clarify a bit:
Tested with DNSSEC on and off, same behaviour.
Error: cannot set DNS servers, /etc/resolv.conf file is missing
Run "ls -l /etc/resolv.conf" and put the output here. They used to have it as a symlink to /run/resolvconf/resolv.conf, maybe they are changing to something else.
I've just set up an Ubuntu 17.10 VM, and the firejail 0.9.50-3 version in the repos won't allow me to connect to the internet either. Firejail built from git connects without issue.
$ firejail wget debian.org
--2017-10-22 10:28:35-- http://debian.org/
Resolving debian.org (debian.org)... failed: Name or service not known.
wget: unable to resolve host address ‘debian.org’
$ firejail --version
firejail version 0.9.50
Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- git install support is disabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
$ dpkg -l | grep firejail
ii firejail 0.9.50-3 amd64 sandbox to restrict the application environment
ii firejail-profiles 0.9.50-3 all profiles for the firejail application sandbox
It looks as if /etc/resolv.conf isn't symlinked to /run/resolvconf/resolv.conf any longer:
$ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Oct 22 09:55 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
OK, the guys moved to systemd-resolved, like Arch.
For version 0.9.50, line "blacklist /var/run/systemd" in disable-common.inc needs to be disabled:
https://github.com/netblue30/firejail/blob/0.9.50-bugfixes/etc/disable-common.inc#L130
@matteotanca, as root open /etc/firejail/disable-common.inc and comment it out (add a #).
Also, can you do a "ls -l /run/systemd/resolve/stub-resolv.conf" - probably there is some more coming.
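The diagnosis above (/etc/resolv.conf is a symlink into /run/systemd/resolve/, and disable-common.inc blacklists /var/run/systemd) worked through as an added shell example; this is not code from the thread or from firejail. The profile snippets are constructed fixtures, and folding /var/run into /run assumes Ubuntu's layout, where /var/run is a symlink to /run.

```shell
# Added example (not from the thread or firejail): why the 0.9.50 profile hides
# /etc/resolv.conf on Ubuntu 17.10. Assumes POSIX sh and "blacklist <path>" lines.

# Collapse "." and ".." without touching the filesystem, then fold /var/run to
# /run, since on Ubuntu /var/run is a symlink to /run.
canon_path() {
  out=""; old_ifs=$IFS; IFS=/
  for part in $1; do
    case $part in ''|.) ;; ..) out=${out%/*} ;; *) out="$out/$part" ;; esac
  done
  IFS=$old_ifs
  case $out in /var/run|/var/run/*) out="/run${out#/var/run}" ;; esac
  printf '%s\n' "${out:-/}"
}
# Relative symlink targets are resolved against the link's own directory.
resolve_link_target() {  # $1 = link path, $2 = raw target (readlink output)
  case $2 in /*) canon_path "$2" ;; *) canon_path "$(dirname "$1")/$2" ;; esac
}
# True (0) when an uncommented "blacklist" entry in profile $2 covers path $1.
blacklisted_by() {
  target=$(canon_path "$1")
  grep -E '^[[:space:]]*blacklist[[:space:]]' "$2" | (
    while read -r _kw entry _rest; do
      entry=$(canon_path "$entry")
      case $target in "$entry"|"$entry"/*) exit 0 ;; esac
    done
    exit 1
  )
}
# Verdict for one resolv.conf symlink against one profile include.
check_resolv_conf() {  # $1 = link, $2 = raw target, $3 = profile include
  real=$(resolve_link_target "$1" "$2")
  if blacklisted_by "$real" "$3"; then
    printf 'BLOCKED: %s -> %s hidden by %s\n' "$1" "$real" "$3"; return 1
  fi
  printf 'OK: %s -> %s visible\n' "$1" "$real"
}
# Constructed fixture: the 0.9.50 include, then the same with L130 commented out.
demo() {
  dir=$(mktemp -d); link=/etc/resolv.conf; tgt=../run/systemd/resolve/stub-resolv.conf
  printf 'blacklist /etc/shadow\nblacklist /var/run/systemd\n' > "$dir/before.inc"
  printf 'blacklist /etc/shadow\n# blacklist /var/run/systemd\n' > "$dir/after.inc"
  check_resolv_conf "$link" "$tgt" "$dir/before.inc" || true
  check_resolv_conf "$link" "$tgt" "$dir/after.inc"
  rm -r "$dir"
}
demo
```

On a live system the raw target comes from readlink /etc/resolv.conf and the profile from /etc/firejail/disable-common.inc; the same check flags the older /run/resolvconf/resolv.conf target as visible.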
@netblue30
OK, the guys moved to systemd-resolved, like Arch.
Did we have trouble with firejail 0.9.50 on Arch? I know we don't now - I'm running Arch and building firejail from the latest source almost every day, and I didn't experience anything like what we're seeing on Ubuntu.
Also, not @matteotanca but here's the output on my 17.10 VM:
$ ls -l /run/systemd/resolve/stub-resolv.conf
-rw-r--r-- 1 systemd-resolve systemd-resolve 239 Oct 22 13:22 /run/systemd/resolve/stub-resolv.conf
Did we have trouble with firejail 0.9.50 on Arch?
It went down about three weeks ago, after the release of 0.9.50. These are the fixes so far on top of 0.9.50:
The main one affecting regular usage: https://github.com/netblue30/firejail/commit/1e879f1199fb3a3647a5eefd7a8f34bbdc8b8098 (issue https://github.com/netblue30/firejail/issues/1531)
dns.print never worked for systemd-resolved setup: https://github.com/netblue30/firejail/commit/02a72e1740187163209e7c3deae59b8678e0fc08
Another one: https://github.com/netblue30/firejail/commit/7b5d105a39232a8456b4e6d83d875925d7c7ab5b just fixed again to cover Ubuntu also: https://github.com/netblue30/firejail/commit/abcdd332ebe644391c5e05ce86650379ed359324 (issue https://github.com/netblue30/firejail/issues/1547)
I'll grab all of them and push a commit on the 0.9.50-bugfixes branch for reference. The first one is important, the other two are corner cases.
Commenting L130 in /etc/firejail/disable-common.inc solved the issue for me.
Now I can surf.
```
matteo@matteo-ThinkPad-W540:~$ firejail wget debian.org
--2017-10-22 21:40:24-- http://debian.org/
Risoluzione di debian.org (debian.org)... 128.31.0.62, 130.89.148.14, 149.20.4.15, ...
Connessione a debian.org (debian.org)|128.31.0.62|:80... connesso.
Richiesta HTTP inviata, in attesa di risposta... 301 Moved Permanently
Posizione: http://www.debian.org/ [segue]
--2017-10-22 21:40:25-- http://www.debian.org/
Risoluzione di www.debian.org (www.debian.org)... 5.153.231.4, 130.89.148.14, 2001:41c8:1000:21::21:4, ...
Connessione a www.debian.org (www.debian.org)|5.153.231.4|:80... connesso.
Richiesta HTTP inviata, in attesa di risposta... 200 OK
Lunghezza: 14989 (15K) [text/html]
Salvataggio in: "index.html"
index.html 100%[===================>] 14,64K --.-KB/s in 0,09s
2017-10-22 21:40:25 (171 KB/s) - "index.html" salvato [14989/14989]
```
Thank you!
I put all the fixes for reference on the 0.9.50-bugfixes branch.