
This is the same case as the unanswered question "DNS not working in firejail".

ALL SENSITIVE INFORMATION WAS REPLACED WITH A SET OF THREE OR TWO LETTERS (AAA, etc. or XX)

The case is: I have an Ethernet connection on device eno1 that I'll use to access the company's intranet, and a Wi-Fi connection on device wlp0s20f3 that I'll use to access the internet.

If I run firejail --noprofile --nonewprivs --noroot --net=eno1 --hostname=intranet --name=intranet --debug --dns=AAA.BBB.CCC.DDD, where AAA.BBB.CCC.DDD is my company's DNS server, I get no internet and no intranet, although ip a shows:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 (...)

2: eth0-10765@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 (...)

This "eth0-10765@if2" is not one of the bare-metal Ubuntu NICs.

ip route show outputs:

default via AAA.BBB.CCC.XXX dev eth0-10765
AAA.BBB.CCC.0/24 dev eth0-10765 proto kernel scope link src AAA.BBB.CCC.ZZZ

ZZZ is there to show it's not the same number as the 'default via' address (XXX).

This is a piece of the sandbox "boot" output:

sbox run: /run/firejail/lib/fnet ifup eth0-10765
Set caps filter 3000
ARP-scan eth0-10765, AAA.BBB.CCC.39/24
IP address range from AAA.BBB.CCC.1 to AAA.BBB.CCC.255
Trying AAA.BBB.CCC.ZZZ ...
Configuring AAA.BBB.CCC.ZZZ address on interface eth0-10765
sbox run: /run/firejail/lib/fnet config interface eth0-10765 2886891220 4294967040 1500
Set caps filter 3000
Announce AAA.BBB.CCC.ZZZ ...
Network namespace enabled

sbox run: /run/firejail/lib/fnet printif
Set caps filter 3000
Interface MAC IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
::1
eth0-10765 XX:XX:XX:XX:XX:XX AAA.BBB.CCC.ZZZ 255.255.255.0 UP
XX::XX:XX:XX:XX
Default gateway AAA.BBB.CCC.XXX
DNS server QQQ.RRR.SSS.TTT

Drop privileges: pid 6, uid 1000, gid 1000, force_nogroups 0
Supplementary groups: 24
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1096 1048 259:6 /etc /etc ro,relatime master:1 - ext4 /dev/nvme0n1p6 rw,errors=remount-ro

The ping command is not available, but I can run any browser, and there is no internet, intranet or proxy authentication message whatsoever.

On the other hand, if I set up a sandbox to work with Wi-Fi only, thus expecting an internet connection, using the command $ firejail --noprofile --nonewprivs --noroot --net=wlp0s20f3 --hostname=internet --name=internet --debug --dns=8.8.8.8 --caps.drop=all --dbus-system=none, I still have no internet whatsoever in browsers!

I even tried to move the interface into the sandbox using the command firejail --noprofile --interface=eno1 --hostname=intranet --ipc-namespace --name=intranet --debug. It really removes the interface from the bare-metal system and makes it available to the sandbox, but there is no internet and no default gateway! This is the excerpt from the sandbox "boot":

sbox run: /run/firejail/lib/fnet ifup lo
Set caps filter 3000
Configuring AAA.BBB.CCC.39 address on interface eno1
sbox run: /run/firejail/lib/fnet config interface eno1 2886891047 4294967040 1500
Set caps filter 3000
Network namespace enabled

sbox run: /run/firejail/lib/fnet printif
Set caps filter 3000
Interface MAC IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
::1
eno1 XX:XX:XX:XX:XX:XX AAA.BBB.CCC.39 255.255.255.0 DOWN

Drop privileges: pid 5, uid 1000, gid 1000, force_nogroups 0
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1097 1048 259:6 /etc /etc ro,relatime master:1 - ext4 /dev/nvme0n1p6 rw,errors=remount-ro

Another weird thing is that, inside the sandbox, systemd-resolve appears to be unable to read information for eno1:

$ sudo systemd-resolve --status --no-pager

Global
       LLMNR setting: no
  MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test
Failed to get link data for 2: Unknown object '/org/freedesktop/resolve1/link/_32'.

This whole situation makes me think something's wrong with how Ubuntu deals with namespaces, networks and interfaces, and with how firejail deals with the same. I could use another distro if I can be sure this kind of operation will work. On the other hand, I'm a complete newbie to namespaces but very curious and interested; it would be great if you could give me tips on how to run what I want using my set-up, with or without firejail.

A bit more info:

$ uname -a

Linux Ubuntu 5.15.0-69-generic #76~20.04.1-Ubuntu SMP Mon Mar 20 15:54:19 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$ firejail --version

firejail version 0.9.73

Compile time support:

  • always force nonewprivs support is disabled
  • AppArmor support is disabled
  • AppImage support is enabled
  • chroot support is enabled
  • D-BUS proxy support is enabled
  • file transfer support is enabled
  • firetunnel support is disabled
  • IDS support is disabled
  • networking support is enabled
  • output logging is enabled
  • overlayfs support is disabled
  • private-home support is enabled
  • private-lib support is disabled
  • private-cache and tmpfs as user enabled
  • SELinux support is enabled
  • user namespace support is enabled
  • X11 sandboxing support is enabled
theRael

0 Answers
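As a way to check the three things these symptoms point at from inside the namespace (is the link UP, is there a default gateway, is the configured nameserver actually routable), here is an added diagnostic script; it is not part of the original question and is not firejail's own tooling. It assumes iproute2's ip and a POSIX awk are available inside the sandbox; the script name netns-check.sh and every address or interface name in it are constructed.

```shell
#!/bin/sh
# Constructed diagnostic (not firejail's own tooling) for a network namespace such as a
# firejail --net/--interface sandbox. Each check reads command output from stdin, so the
# same functions run on live `ip` output inside the sandbox or on captured text.

# Print the gateway of the default route, or nothing if the namespace has none.
route_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Print the operational state (UP/DOWN/UNKNOWN) of interface $1 from `ip link show`
# or `ip a` output; a name like "eth0-10765@if2:" is reduced to "eth0-10765" first.
link_state() {
    awk -v ifc="$1" '$1 ~ /^[0-9]+:$/ {
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
        if (name == ifc) for (i = 3; i <= NF; i++) if ($i == "state") { print $(i + 1); exit }
    }'
}

# Print the first nameserver from resolv.conf-style input (what --dns should have written).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Classify how nameserver $1 is reached given `ip route show` on stdin: "link" if a
# directly connected prefix covers it, "gateway" if only a default route exists, else "none".
dns_route_scope() {
    awk -v ns="$1" '
        function toint(a, o) { split(a, o, "[.]"); return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4] }
        function covers(cidr, p, h) {
            split(cidr, p, "/"); h = 2 ^ (32 - p[2])   # h = number of addresses in the host part
            return int(toint(ns) / h) == int(toint(p[1]) / h)
        }
        $1 == "default"          { gw = 1 }
        $1 ~ /\// && covers($1)  { link = 1 }
        END { print link ? "link" : (gw ? "gateway" : "none") }'
}

# Live mode, meant to be run inside the sandbox (where ping is unavailable):
#   sh netns-check.sh --live eth0-10765
if [ "${1:-}" = "--live" ]; then
    ifc=${2:?usage: $0 --live <interface>}
    echo "link state : $(ip -o link show | link_state "$ifc")"
    echo "default gw : $(ip route show | route_gateway)"
    ns=$(first_nameserver < /etc/resolv.conf)
    echo "nameserver : ${ns:-<none>} (reached via: $(ip route show | dns_route_scope "${ns:-0.0.0.0}"))"
fi
```

A link reported DOWN, an empty default gateway, or a nameserver classified "none" each explains "no internet" on its own; the --interface case above would show the first two, the --net case only the nameserver question.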