orjail: [Bug] "Replacing resolv.conf" fails without error

When /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf no replacement and dns leaking via systemd-resolved nameserver 127.0.0.53.

https://github.com/orjail/orjail/blob/a0b9e6c60b5952dcb286cceb595b29f9fd36ae95/usr/sbin/orjail#L227-L229

About this issue

Most upvoted comments

using /etc/netns/orjail/resolv.conf does not solve the issue: as pointed out here https://unix.stackexchange.com/questions/418304/why-do-linux-bind-mounts-disappear-if-the-mount-points-inode-changes:

One case where this is relevant in practice is ip-netns(8); ip netns exec works by bind mounting /etc/netns/${NAMESPACE}/resolv.conf on top of /etc/resolv.conf. If the inode of /etc/resolv.conf is altered by resolvconf(8) or systemd-resolved, the updated /etc/resolv.conf will be visible to the process running inside the namespace.

What about mount-binding the whole /etc and replacing relevant files (resolv.conf/nsswitch.conf)? This is pratically how firejail does this

This is done in 8bdfe759fb6e1ef461f7e195c54e1a56f37da0a2, I’m confident this is the way to go.

+1
lesion on Sep 17, 2021

interesting thread: https://github.com/slingamn/namespaced-openvpn/issues/7

-> https://github.com/slingamn/namespaced-openvpn#dns-hardening

+1
lesion on Sep 16, 2021
Read more comments on GitHub
← ngx-infinite-scroll: scroll is not triggered properly if scrolled quickly
venom: Cannot read property 'createWid' of undefined →