dnsmasq: libvirtd cannot start NAT interface: PATH environment variable not set

[rsramkis]

Description

The default libvirt NAT network fails to start (even after applying the dnsmasq.profile which was in fix 5089.

Appears to be related to:
#5089

Steps to Reproduce

1. Replace the dnsmasq.profile with the latest one in the repository:

https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/dnsmasq.profile

2. Open terminal and try to start the NAT network inf

sudo virsh net-start default

3. Then the following error will show:

error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

Expected behavior

1. The NAT Nework interface should start and go active.

❯ sudo virsh net-start default
Network default started

~
❯  sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

Actual behavior

The NAT Network interface fails to go active when firejail is enabled.

Environment

Linux info:

OS: EndeavourOS Linux x86_64
Kernel: 5.15.37-1-lts
Shell: zsh 5.8.1
DE: GNOME 42.1
WM: Mutter

firejail --version

firejail version 0.9.68

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

---

EDIT by @rusty-snake: Fix check-boxes

[rsramkis]

Is there anything else I should get for you to help troubleshoot the cause of the issue?

[rusty-snake]

Try to comment dnsmasq.profile line for line to find more.

[rsramkis]

Hi Rusty-snake,

I'll need more guidance on what you would like me to comment out in the dnsmasq.profile.

I ran the command:

 sudo LC_ALL=C firejail /usr/bin/dnsmasq
[sudo] password for user:

dnsmasq: failed to create listening socket for port 53: Address already in use

I then grabbed the follow debug:

LC_ALL=C firejail --debug /usr/bin/dnsmasq

(See attachment)
firejail-dnsmasq-debug.txt

[rusty-snake]

1. Comment everything in dnsmasq.profile
2. Make sure sudo virsh ... works as expected.
3. Uncomment a line in dnsmasq.profile
4. Try if sudo virsh ... works.
5. Go to step 3.
6. Find the line which breaks it.

[rsramkis]

I did some testing today which leads me to believe the dnsmasq.profile is not causing the issue.

Test 1 - Firejail enabled, dnsmask.profile renamed to dnsmask.profile.old

(a) Firejail is enabled (sudo fircfg).
(b) Rename dnsmask.profile renamed to dnsmask.profile.old.
(c) Reboot Computer.
(d) Login. From Terminal run the following command to check the virtual Network status:

sudo virsh net-list --all
[sudo] password for rsruser:
 Name      State    Autostart   Persistent
--------------------------------------------
 default   inactive   yes         yes

Test 2 - Disable Firejail and verify Virtual Network Starts (active):

(a) Disable Firejail (sudo firecfg --clean).

(b) Reboot Computer and login to system.

(c) From Terminal run the following command to check the network status.

sudo virsh net-list --all
[sudo] password for user:
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

I am assuming here that renaming the profile to dnsmask.profile.old means it is not loaded at all.

I also confirmed the ~/.config/firejail only has the file steam.profile in it.

[rusty-snake]

I am assuming here that renaming the profile to dnsmask.profile.old means it is not loaded at all.

If there is no dnsmasq.profile, server.profile(root)/default.profile(non-root) is used. You can create an empty dnsmasq.profile not load anything. (I assume the dnsmas(q|m) typo is only in you post).

I also confirmed the ~/.config/firejail only has the file steam.profile in it.

~/.config/firejail of which user? If virsh starts dnsmasq as root, firejail will look into /root/.config/firejail and if it starts dnsmasq as virsh-dnsmasq-user firejail will try this home dir.

[rsramkis]

If there is no dnsmasq.profile, server.profile(root)/default.profile(non-root) is used. You can create an empty dnsmasq.profile
not load anything. (I assume the dnsmas(q|m) typo is only in you post).

My post above I spelled dnsmasq.profile wrong. Here the command showing that I have the correct name.

[root@mani firejail]# pwd
/etc/firejail

[root@mani firejail]# ls dnsmasq*
dnsmasq.profile.old

I used the su command to sign in as root. Then I went to the ~/root/.config directory and saw no ~/home/.config/firejail.

[root@mani .config]# ls
bleachbit  cpupower_gui  diffuse  geany  gtk-3.0  nautilus  pulse

I see a server.profile in the /etc/firejail directory. I will rename this server.profile.org and re-test.

[rsramkis]

I re-tested by renaming the server.profile to server.profile.org and still the virtual network failed to start when firejail was enabled. Below is the flow of the test:

[sudo] password for user:
Name:           default
UUID:           a96495c0-e476-44bc-b888-9421b7d12fd1
Active:         no
Persistent:     yes
Autostart:      yes
Bridge:         virbr0


~ took 4s
❯ sudo virsh net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

sudo firecfg --clean
Removing all firejail symlinks:
   man removed
   gnome-weather removed
   signal-desktop removed
   lomath removed
   calibre removed
   ebook-convert removed
   wireshark removed
   clamdtop removed
   inkview removed
   zaproxy removed
   bleachbit removed
   youtube-dl removed
   gnome-calculator removed
   qbittorrent removed
   strings removed
   clamscan removed
   com.github.tchx84.Flatseal removed
   mpg123-strip removed
   steam-runtime removed
   firefox removed
   gimp removed
   enchant-lsmod-2 removed
   out123 removed
   celluloid removed
   loimpress removed
   gnome-contacts removed
   enchant-2 removed
   pavucontrol removed
   ffplay removed
   flameshot removed
   gnome-font-viewer removed
   lodraw removed
   mediainfo removed
   krita removed
   vivaldi-stable removed
   steam removed
   conplay removed
   baobab removed
   mpv removed
   ffprobe removed
   gnome-nettool removed
   ebook-polish removed
   pdftotext removed
   libreoffice removed
   clamdscan removed
   gimp-2.10 removed
   gcalccmd removed
   secret-tool removed
   host removed
   xournalpp removed
   lowriter removed
   loweb removed
   clamtk removed
   mpg123 removed
   localc removed
   ssh removed
   meld removed
   ffmpegthumbnailer removed
   tracker removed
   geany removed
   dnsmasq removed
   skypeforlinux removed
   spotify removed
   display removed
   steam-native removed
   telnet removed
   drill removed
   nslookup removed
   eog removed
   lobase removed
   yelp removed
   checkbashisms removed
   gnome-logs removed
   clementine removed
   img2txt removed
   evince-thumbnailer removed
   qt-faststart removed
   file-roller removed
   dconf-editor removed
   whois removed
   ebook-meta removed
   ftp removed
   gapplication removed
   soffice removed
   evince-previewer removed
   lofromtemplate removed
   inkscape removed
   unbound removed
   wget removed
   patch removed
   freshclam removed
   mpg123-id3dump removed
   gnome-calendar removed
   ebook-edit removed
   darktable removed
   wine removed
   conky removed
   evince removed
   thunderbird removed
   ebook-viewer removed
   tshark removed
   gnome-clocks removed
   dig removed
   loffice removed
   yt-dlp removed


~
❯ sudo virsh net-start default
Network default started


~
❯ sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

[rusty-snake]

I re-tested by renaming the server.profile to server.profile.org and still the virtual network failed to start when firejail was enabled. Below is the flow of the test:

1. Is dnsmasq started as root? Otherwise this test is useless.
2. IDK how firejail behaves if you remove the fallback profiles. Instead you should replace them with an empty file.