whois profile block hostname resolution via getaddrinfo (Name or service not known)

[MiltosKoutsokeras]

The whois program cannot resolve hostnames when its profile is enabled in firejail.

Bug and expected behavior

• The whois profile in /etc/firejail/whois.profile does not allow hostname resolution and getaddrinfo fails with Name or service not known.
• What did you expect to happen? whois should return the ARIN WHOIS data record, resolving the service to ask (whois.arin.net in my case) and the query object.

No profile and disabling firejail

• What changed calling firejail --noprofile /path/to/program in a terminal? Works as expected.
• What changed calling the program by path (check which <program> or firejail --list while the sandbox is running)? Running the program by path:

/usr/local/bin/whois <Query Object>

wields the same result, firejail list:

<Process ID>:<User name>::/usr/bin/firejail /usr/bin/whois <Query Object>

Running the program with original path /usr/bin/whois does not showcases the error. can be any host or IP address you would like to query, e.g. github.com.

Reproduce
Steps to reproduce the behavior:

1. Run in bash firejail whois github.com
2. See error getaddrinfo(<Whois service here>): Name or service not known

Environment

• Arch Linux
• Firejail version 0.9.64

Additional context
I think the whois program is not allowed to read the hostname resolution configuration of the system environment. Since each Linux distribution has its own setup for this (systemd, files, other) the maintainers should look into it in more detail and per environment.

Checklist

• The upstream profile (and redirect profile if exists) have no changes fixing it.
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• Programs needed for interaction are listed in the profile.
• A short search for duplicates was performed.
• If it is a AppImage, --profile=PROFILENAME is used to set the right profile.
• Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get english error-messages.

[rusty-snake]

whois github.com works for me, but fedora has an other whois implementation IIRC. Anyway if it's a config thing it's private-etc. protocol has no unix, this could also be a cause. What shows firejail --build=whois.profile whois github.com && grep private-etc whois.profile?

[glitsj16]

On my Arch box all the below commands show the getaddrinfo failure, suggesting this is not a firejail issue:

$ /usr/bin/whois github.com
$ firejail /usr/bin/whois github.com
$ firejail --noprofile /usr/bin/whois github.com

After some digging I stumbled on this. And indeed, none of the below commands show the getaddrinfo failure:

$ /usr/bin/whois namesilo.net
$ firejail /usr/bin/whois namesilo.net
$ firejail --noprofile /usr/bin/whois namesilo.net

[MiltosKoutsokeras]

It would possibly be a matter of combination between whois, resolver and maybe firejail. I noticed in my system that once firejail is not used, the whois works.

[rusty-snake]

Any progress here?

[rusty-snake]

I'm closing here due to inactivity, please fell free to request to reopen if you still have this issue.