Error fcopy: invalid ownership for file /etc/resolv.conf (chattr +i)

[ipaqmaster]

Description

Describe the bug

Firejail can't start if its dealing with an immutable /etc/resolv.conf due to fcopy throwing an error trying to change its ownership.

Steps to Reproduce

Steps to reproduce the behavior

Launch any program with a $PATH that causes it to use firejail while /etc/resolv.conf has been hit with chattr +i /etc/resolv.conf

1. chattr +i /etc/resolv.conf
2. Firejail any program with a profile involving jailing for /etc or this particular file.

Expected behavior

What you expected to happen

Launch my programs in firejail.

Actual behavior

What actually happened

Error fcopy: invalid ownership for file /etc/resolv.conf
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 297689 cannot sync with peer: unexpected EOF
Peer 297690 unexpectedly exited with status 1

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

Software launches without issue.

Additional context

Any other detail that may help to understand/debug the problem

Environment

• Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
  Arch Linux

• Firejail version (firejail --version).
  0.9.72

• If you use a development version of firejail, also the commit from which it
  was compiled (git rev-parse HEAD).
  NA

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

[glitsj16]

I cannot reproduce on Arch Linux with firejail-git, using an ext4 file system. The private-etc option was significantly refactored after 0.9.72. Here Firejail doesn't list the requested file attributes, but it doesn't break after changing them in the real file system:

$ lsattr -l /etc/resolv.conf
/etc/resolv.conf             Extents

$ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf
/etc/resolv.conf             ---

$ sudo chattr +i /etc/resolv.conf

$ lsattr -l /etc/resolv.conf
/etc/resolv.conf             Immutable, Extents

$ firejail --quiet --noprofile --private-etc=resolv.conf lsattr -l /etc/resolv.conf
/etc/resolv.conf             ---

What file system are you seeing this on? Does the issue still show with firejail-git?