Bug 1301286

Summary: Review Request: firejail - A SUID sandbox program
Product: [Fedora] Fedora Reporter: Jamie Nguyen <jamielinux>
Component: Package ReviewAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: alekcejk, dhiru, igeorgex, johannespfrang, mlichvar, ngompa13, package-review, ppisar, thib, yousifjkadom
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-31 03:19:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 201449    

Description Jamie Nguyen 2016-01-23 15:32:02 UTC 
Spec URL: https://jamielinux.fedorapeople.org/firejail/firejail.spec
SRPM URL: https://jamielinux.fedorapeople.org/firejail/firejail-0.9.36-1.fc23.src.rpm
Fedora Account System Username: jamielinux

Description:
Firejail is a SUID security sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf. It allows a process and all its descendants
to have their own private view of the globally shared kernel resources, such as
the network stack, process table, and mount table.
Comment 1 Petr Pisar 2016-02-02 15:10:51 UTC 
The firejail package must own %{_datadir}/bash-completion directory because it install files there and the directory is not owned by any dependency.
Comment 2 Jamie Nguyen 2016-02-02 15:34:02 UTC 
Thanks Petr.

Spec URL: https://jamielinux.fedorapeople.org/firejail/firejail.spec
SRPM URL: https://jamielinux.fedorapeople.org/firejail/firejail-0.9.36-2.fc23.src.rpm

* Tue Feb 02 2016 Jamie Nguyen <jamielinux> - 0.9.36-2
- own bash-completion directory
- fix libdir in disable-devel.inc
Comment 3 Dhiru Kholia 2016-03-27 09:36:28 UTC 
https://fedorapeople.org/~halfie/packages/firejail/firejail.spec

This .spec files packages Firejail 0.9.38, and it also simplifies inclusion of various profiles.

I am actually unable to run Firejail on Fedora. Running "firejail hexchat" does not launch hexchat on Fedora systems. While doing the same on Ubuntu launches hexchat just fine. How do I test this package further in Fedora?
Comment 4 Dhiru Kholia 2016-05-19 07:13:36 UTC 
Firejail packages from https://copr.fedorainfracloud.org/coprs/heikoada/firejail/ run fine on Fedora 24.

Also see https://github.com/netblue30/firejail/issues/399 page.
Comment 5 yousifjkadom@yahoo.com 2017-12-16 10:12:51 UTC 
It is very nice to see Firejail & it's GUI (firetools) available in official Fedora specially if we take in mind that Firejail is compatible with SELinux & it's much much easer to use from SELinux ......

Why such supersecure distro. like Fedora till now has no Firejail till now in their official repositories ?
Comment 6 Neal Gompa 2017-12-16 10:43:36 UTC 
Taking this review.
Comment 7 Neal Gompa 2017-12-16 10:45:10 UTC 
(In reply to Petr Pisar from comment #1)
> The firejail package must own %{_datadir}/bash-completion directory because
> it install files there and the directory is not owned by any dependency.

This is wrong. The bash-completion directory is owned by the bash-completion package, so it should be required instead.
Comment 8 Neal Gompa 2017-12-16 11:03:34 UTC 
Spec review notes:

> Source0:    https://github.com/netblue30/firejail/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz

Please use the scheme detailed in the guidelines: https://fedoraproject.org/wiki/Packaging:SourceURL#Git_Tags

> %setup -qn %{name}-%{version}

The "-n %{name}-%{version}" is redundant and pointless because this is already default. You can use "%setup -q" or "%autosetup" instead. Consider setting "%autosetup -p1" so that in the event you have patches, they'll be automatically applied correctly.

> sed -i -e 's#/usr/lib#%{_libdir}#g' etc/disable-devel.inc

This looks fine to me, but consider changing from hash marks to a different symbol, as it gets trick with shell evaluation. I usually use the '|' character as it is meaningless in a string and really bad syntax highlighters will highlight them, making it easier to see the separations.

> make %{?_smp_mflags}

Consider using "%make_build". It works on all currently supported Fedora and EPEL targets.

> make install DESTDIR=%{buildroot}

Consider using "%make_install".
Comment 9 Neal Gompa 2017-12-16 11:04:24 UTC 
I cannot continue the review until you publish a post with Spec and SRPM URLs with matching content. Currently the spec appears to have content that's newer than the SRPM you've published here.
Comment 10 Neal Gompa 2017-12-16 13:49:31 UTC 
(In reply to yousifjkadom from comment #5)
> It is very nice to see Firejail & it's GUI (firetools) available in official
> Fedora specially if we take in mind that Firejail is compatible with SELinux
> & it's much much easer to use from SELinux ......
> 
> Why such supersecure distro. like Fedora till now has no Firejail till now
> in their official repositories ?

Nothing gets added to the distribution unless someone is interested in bringing it in. Anyone can become a packager to add software to Fedora[1].

If there's software out there that you think would be great to have in Fedora, then by all means, make a package that conforms to our policies and guidelines[2] and submit it for review to be included in the distribution.

[1]: https://fedoraproject.org/wiki/Join_the_package_collection_maintainers
[2]: https://fedoraproject.org/wiki/Packaging:Guidelines
Comment 11 Petr Pisar 2017-12-18 08:58:01 UTC 
(In reply to Neal Gompa from comment #7)
> (In reply to Petr Pisar from comment #1)
> > The firejail package must own %{_datadir}/bash-completion directory because
> > it install files there and the directory is not owned by any dependency.
> 
> This is wrong. The bash-completion directory is owned by the bash-completion
> package, so it should be required instead.

This is wrong. Because hard-requiring bash-completion imposes enabling bash-completion for everybody. Even to those who do not want enabling it.
Comment 12 Neal Gompa 2017-12-18 11:54:04 UTC 
(In reply to Petr Pisar from comment #11)
> (In reply to Neal Gompa from comment #7)
> > (In reply to Petr Pisar from comment #1)
> > > The firejail package must own %{_datadir}/bash-completion directory because
> > > it install files there and the directory is not owned by any dependency.
> > 
> > This is wrong. The bash-completion directory is owned by the bash-completion
> > package, so it should be required instead.
> 
> This is wrong. Because hard-requiring bash-completion imposes enabling
> bash-completion for everybody. Even to those who do not want enabling it.

Is there a bash-completion-filesystem package, then? That's usually the solution for things like that.
Comment 13 Petr Pisar 2017-12-18 12:21:29 UTC 
(In reply to Neal Gompa from comment #12)
> Is there a bash-completion-filesystem package, then? That's usually the
> solution for things like that.

bash-completion-filesystem does not exist.
Comment 14 Neal Gompa 2018-03-31 03:19:58 UTC 
There's been no response in two years, dropping review and marking as DEADREVIEW.