Update firejail to 0.9.66
ClosedPublic
Actions

Authored by solene on Nov 18 2021, 3:54 PM.

Details

Reviewers

JoshStrobl

Group Reviewers

Triage Team

Maniphest Tasks

T9663: Possible Apparmor/Firejail profile bug
T9988: apparmor profiles error

Commits

R756:0a5eee97749a: Update firejail to 0.9.66

Summary

Summarized changelog

Noticeable changes
- jailtest utility for testing running sandboxes
- deprecated --audit options, replaced by jailcheck utility
- filtering environment variables
- --protocol now accumulates
- added --noinput to disable /dev/input
- allow --tmpfs inside $HOME for unprivileged users
- allow AF_BLUETOOTH via --protocol=bluetooth
- whitelisting /usr/share in a large number of profiles
- Many new applications supported by firejail profiles
Fixes T9988 and T9663
Full changelog available at https://github.com/netblue30/firejail/blob/master/RELNOTES

Test Plan

firejail --noprofile --appimage Patchwork-3.18.1.AppImage
firejail --apparmor --private firefox
- check what directories are exposed when opening a file with Ctrl+O
- check that it starts from a fresh profile because of --private
firejail firefox
- check what directories are exposed when opening a file with Ctrl+O

Diff Detail

Repository

R756 firejail

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

solene created this revision.Nov 18 2021, 3:54 PM

Herald added a reviewer: Triage Team. · View Herald TranscriptNov 18 2021, 3:54 PM

solene requested review of this revision.Nov 18 2021, 3:54 PM

Harbormaster completed remote builds in B2526: Diff 29979.Nov 18 2021, 3:54 PM

Add two tasks related to apparmor errors

Harbormaster completed remote builds in B2527: Diff 29980.Nov 18 2021, 3:54 PM

Rewording

Harbormaster completed remote builds in B2528: Diff 29981.Nov 18 2021, 3:55 PM

A few comments about the update:

I had to rewrite the patch 0001 because it wasn't applying anymore
the previous patch 0002 is now upstreamed so it's not useful anymore
I dropped the test because they didn't work with the update, they seem a bit clunky: require a tty, control the terminal and the Makefile comments says they are very intrusive and a reboot is likely required after running them https://github.com/netblue30/firejail/blob/master/Makefile.in#L262
the new patch 0002 was taken from T9663 to fix an issue with an apparmor profile preventing apparmor to work when firejail is installed: https://dev.getsol.us/T9663#183597

brent added a subscriber: brent.Nov 24 2021, 3:12 PM

JoshStrobl added a subscriber: JoshStrobl.Nov 26 2021, 4:01 PM

JoshStrobl added inline comments.

files/0001-Support-a-stateless-configuration.patch
28	Could I get the raw file of where this is being applied? The diff is indicating the C file `src/firejail/checkcfg.c` and having bash calls in that is no bueno.

solene added inline comments.Nov 26 2021, 5:21 PM

files/0001-Support-a-stateless-configuration.patch
28	The patch 0001 contains changes on multiples files, this rm call is `Makefile.in`

Thanks for the clarification. Patch looks good to me, thanks for all your work on it, it is appreciated. Going to get this landed after today's sync so it has some time in unstable for testing.

This revision is now accepted and ready to land.Nov 26 2021, 7:39 PM

Closed by commit R756:0a5eee97749a: Update firejail to 0.9.66 (authored by solene, committed by JoshStrobl). · Explain WhyNov 27 2021, 12:54 PM

This revision was automatically updated to reflect the committed changes.

JoshStrobl added a commit: R756:0a5eee97749a: Update firejail to 0.9.66.