Bug 1301286 - Review Request: firejail - A SUID sandbox program
Summary: Review Request: firejail - A SUID sandbox program
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: FE-DEADREVIEW
TreeView+ depends on / blocked
 
Reported: 2016-01-23 15:32 UTC by Jamie Nguyen
Modified: 2020-05-13 08:26 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-03-31 03:19:58 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jamie Nguyen 2016-01-23 15:32:02 UTC
Spec URL: https://jamielinux.fedorapeople.org/firejail/firejail.spec
SRPM URL: https://jamielinux.fedorapeople.org/firejail/firejail-0.9.36-1.fc23.src.rpm
Fedora Account System Username: jamielinux

Description:
Firejail is a SUID security sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf. It allows a process and all its descendants
to have their own private view of the globally shared kernel resources, such as
the network stack, process table, and mount table.

Comment 1 Petr Pisar 2016-02-02 15:10:51 UTC
The firejail package must own %{_datadir}/bash-completion directory because it install files there and the directory is not owned by any dependency.

Comment 2 Jamie Nguyen 2016-02-02 15:34:02 UTC
Thanks Petr.

Spec URL: https://jamielinux.fedorapeople.org/firejail/firejail.spec
SRPM URL: https://jamielinux.fedorapeople.org/firejail/firejail-0.9.36-2.fc23.src.rpm

* Tue Feb 02 2016 Jamie Nguyen <jamielinux> - 0.9.36-2
- own bash-completion directory
- fix libdir in disable-devel.inc

Comment 3 Dhiru Kholia 2016-03-27 09:36:28 UTC
https://fedorapeople.org/~halfie/packages/firejail/firejail.spec

This .spec files packages Firejail 0.9.38, and it also simplifies inclusion of various profiles.

I am actually unable to run Firejail on Fedora. Running "firejail hexchat" does not launch hexchat on Fedora systems. While doing the same on Ubuntu launches hexchat just fine. How do I test this package further in Fedora?

Comment 4 Dhiru Kholia 2016-05-19 07:13:36 UTC
Firejail packages from https://copr.fedorainfracloud.org/coprs/heikoada/firejail/ run fine on Fedora 24.

Also see https://github.com/netblue30/firejail/issues/399 page.

Comment 5 yousifjkadom@yahoo.com 2017-12-16 10:12:51 UTC
It is very nice to see Firejail & it's GUI (firetools) available in official Fedora specially if we take in mind that Firejail is compatible with SELinux & it's much much easer to use from SELinux ......

Why such supersecure distro. like Fedora till now has no Firejail till now in their official repositories ?

Comment 6 Neal Gompa 2017-12-16 10:43:36 UTC
Taking this review.

Comment 7 Neal Gompa 2017-12-16 10:45:10 UTC
(In reply to Petr Pisar from comment #1)
> The firejail package must own %{_datadir}/bash-completion directory because
> it install files there and the directory is not owned by any dependency.

This is wrong. The bash-completion directory is owned by the bash-completion package, so it should be required instead.

Comment 8 Neal Gompa 2017-12-16 11:03:34 UTC
Spec review notes:

> Source0:    https://github.com/netblue30/firejail/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz

Please use the scheme detailed in the guidelines: https://fedoraproject.org/wiki/Packaging:SourceURL#Git_Tags

> %setup -qn %{name}-%{version}

The "-n %{name}-%{version}" is redundant and pointless because this is already default. You can use "%setup -q" or "%autosetup" instead. Consider setting "%autosetup -p1" so that in the event you have patches, they'll be automatically applied correctly.

> sed -i -e 's#/usr/lib#%{_libdir}#g' etc/disable-devel.inc

This looks fine to me, but consider changing from hash marks to a different symbol, as it gets trick with shell evaluation. I usually use the '|' character as it is meaningless in a string and really bad syntax highlighters will highlight them, making it easier to see the separations.

> make %{?_smp_mflags}

Consider using "%make_build". It works on all currently supported Fedora and EPEL targets.

> make install DESTDIR=%{buildroot}

Consider using "%make_install".

Comment 9 Neal Gompa 2017-12-16 11:04:24 UTC
I cannot continue the review until you publish a post with Spec and SRPM URLs with matching content. Currently the spec appears to have content that's newer than the SRPM you've published here.

Comment 10 Neal Gompa 2017-12-16 13:49:31 UTC
(In reply to yousifjkadom from comment #5)
> It is very nice to see Firejail & it's GUI (firetools) available in official
> Fedora specially if we take in mind that Firejail is compatible with SELinux
> & it's much much easer to use from SELinux ......
> 
> Why such supersecure distro. like Fedora till now has no Firejail till now
> in their official repositories ?

Nothing gets added to the distribution unless someone is interested in bringing it in. Anyone can become a packager to add software to Fedora[1].

If there's software out there that you think would be great to have in Fedora, then by all means, make a package that conforms to our policies and guidelines[2] and submit it for review to be included in the distribution.

[1]: https://fedoraproject.org/wiki/Join_the_package_collection_maintainers
[2]: https://fedoraproject.org/wiki/Packaging:Guidelines

Comment 11 Petr Pisar 2017-12-18 08:58:01 UTC
(In reply to Neal Gompa from comment #7)
> (In reply to Petr Pisar from comment #1)
> > The firejail package must own %{_datadir}/bash-completion directory because
> > it install files there and the directory is not owned by any dependency.
> 
> This is wrong. The bash-completion directory is owned by the bash-completion
> package, so it should be required instead.

This is wrong. Because hard-requiring bash-completion imposes enabling bash-completion for everybody. Even to those who do not want enabling it.

Comment 12 Neal Gompa 2017-12-18 11:54:04 UTC
(In reply to Petr Pisar from comment #11)
> (In reply to Neal Gompa from comment #7)
> > (In reply to Petr Pisar from comment #1)
> > > The firejail package must own %{_datadir}/bash-completion directory because
> > > it install files there and the directory is not owned by any dependency.
> > 
> > This is wrong. The bash-completion directory is owned by the bash-completion
> > package, so it should be required instead.
> 
> This is wrong. Because hard-requiring bash-completion imposes enabling
> bash-completion for everybody. Even to those who do not want enabling it.

Is there a bash-completion-filesystem package, then? That's usually the solution for things like that.

Comment 13 Petr Pisar 2017-12-18 12:21:29 UTC
(In reply to Neal Gompa from comment #12)
> Is there a bash-completion-filesystem package, then? That's usually the
> solution for things like that.

bash-completion-filesystem does not exist.

Comment 14 Neal Gompa 2018-03-31 03:19:58 UTC
There's been no response in two years, dropping review and marking as DEADREVIEW.


Note You need to log in before you can comment on or make changes to this bug.