Hardcoded tc command is not found on NixOS

[Arcterus]

Description

It seems that fshaper.sh hardcodes the path to tc, which causes setting bandwidth to fail on NixOS given that it has neither /sbin nor /usr/sbin. I think this could resolved fairly easily by just letting users set a variable with the path to tc or something like that. Alternatively, you could just allow configuring the path when building the project.

Steps to Reproduce

1. Use NixOS.
2. firejail --noprofile --name=blah --net=eth0
3. firejail --bandwidth=blah set eth0 1 1

Expected behavior

The bandwidth to be set properly.

Actual behavior

An error saying that tc could not be found.

Behavior without a profile

No difference since this is an issue with the script's paths.

Additional context

This is basically the same issue as:

• Hardcoded tc command is not found on openSUSE #3620

Environment

• NixOS 24.05
• Firejail version 0.9.72

Checklist

• The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I have performed a short search for similar issues (to avoid opening a duplicate).

Log

Output of LC_ALL=C firejail --bandwidth=blah set enp5s0 1 1

Switching to pid 5297, the first child process inside the sandbox
Error: traffic control utility (tc) not found

Output of LC_ALL=C firejail --debug --bandwidth=blah set enp5s0 1 1

Switching to pid 5297, the first child process inside the sandbox
sbox exec: /bin/sh -c /nix/store/w2wdpq3m7qlhg13pwpwq0g80jlqcvwn7-firejail-0.9.72/lib/firejail/fshaper.sh --set eth0-5296 1 1 
Set caps filter 3000
Error: traffic control utility (tc) not found

[glitsj16]

Thanks for reporting this. Can you try the below patch and report back if that fixes traffic shaping on NixOS?

$ cat nixos-fshaper.patch
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -3,13 +3,10 @@
 # Copyright (C) 2014-2024 Firejail Authors
 # License GPL v2
 
-TCFILE=""
-if [ -x "/usr/sbin/tc" ]; then
-	TCFILE="/usr/sbin/tc"
-elif [ -x "/sbin/tc" ]; then
-	TCFILE="/sbin/tc";
+if [ "$(command -v tc >/dev/null)" ]; then
+	TCFILE="$(command -v tc)"
 else
-	echo "Error: traffic control utility (tc) not found";
+	echo "Error: traffic control utility (tc) not found"
 	exit 1
 fi

[Arcterus]

No, it's still broken with that patch. I messed around with it a bit, and it looks like the PATH when that script executes is set to /no-such-path, so it can't find tc.

[glitsj16]

Thanks for testing!

Here's attempt 2:

$ cat nixos-fshaper.patch
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -7,9 +7,13 @@
 if [ -x "/usr/sbin/tc" ]; then
 	TCFILE="/usr/sbin/tc"
 elif [ -x "/sbin/tc" ]; then
-	TCFILE="/sbin/tc";
+	TCFILE="/sbin/tc"
+elif [ -x "/run/current-system/sw/bin/tc" ]; then
+    TCFILE="/run/current-system/sw/bin/tc"
+elif [ -x "$(readlink -e $(which tc))" ]; then
+    TCFILE="$(readlink -e $(which tc))"
 else
-	echo "Error: traffic control utility (tc) not found";
+	echo "Error: traffic control utility (tc) not found"
 	exit 1
 fi

HTH

[rusty-snake]

Suggestion to use PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc instead of this elif cascade.

[Arcterus]

I'll have to test it later today, but that should work given that it's basically what I did locally to get things functioning. However, I imagine the which command wouldn't be useful for anyone assuming PATH is set to /no-such-path on other distros too.