Package: firejail
Followup-For: Bug #1015151
X-Debbugs-Cc: debbug.1015...@sideload.33mail.com

When doing this upgrade:

  0.9.64.4-2 → 0.9.64.4-2+deb11u1

~50+ or so other packages were upgraded at the same time which could
have theoretically changed the Tor middlebox. So more testing was
needed to confirm that the regression was actually in the firejail
pkg. The deb file for the old version was still present, so this was
run:

  $ apt install /var/cache/apt/archives/firejail_0.9.64.4-2_amd64.deb

Then this was run as a test:

  $ firejail --net=vnet0 --dns="$(ip address show dev vnet0 | awk '/inet\>/{gsub(/[/].*/,""); print $2 }')" lynx -dump 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015151'

Indeed firejail worked after the downgrade. I believe this proves the
bug was introduced in firejail version 0.9.64.4-2+deb11u1.  The
following file was created to prevent the buggy version from being
reinstalled before bug 1015151 is fixed:

[/etc/apt/preferences.d/firejail]
===8<------------------------------
Package: firejail
Pin: version 0.9.64.4-2
Pin-Priority: 999
===8<------------------------------

Reproducing the bug may require the tester to create a Tor
middlebox. The Tor middlebox used in my tests followed this approach:

  https://archive.softwareheritage.org/browse/origin/directory/?origin_url=https://github.com/Bylon/TOR_Middlebox

A newer approach to building a Tor middlebox is documented here:

  https://archive.softwareheritage.org/browse/origin/directory/?origin_url=https://gitlab.com/BylonAkila/TOR_Middlebox.git

This article may have been inspired the above repos:

  https://web.archive.org/web/20200805082619/https://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network

-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-16-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.6-10
ii  libc6         2.31-13+deb11u3
ii  libselinux1   3.1-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.64.4-2+deb11u1
ii  iproute2           5.10.0-4
ii  iptables           1.8.7-1
ii  xauth              1:1.1-1
ii  xdg-dbus-proxy     0.1.2-2
ii  xpra               3.0.13+dfsg1-1
ii  xvfb               2:1.20.11-1+deb11u1

firejail suggests no packages.

-- Configuration Files:
/etc/firejail/firejail.config changed:
cgroup no


-- no debconf information
