Bug 1301286 - Review Request: firejail - A SUID sandbox program [NEEDINFO]
Review Request: firejail - A SUID sandbox program
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nobody's working on this, feel free to take it
Fedora Extras Quality Assurance
:
Depends On:
Blocks: FE-DEADREVIEW
  Show dependency treegraph
 
Reported: 2016-01-23 10:32 EST by Jamie Nguyen
Modified: 2018-03-30 23:19 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-30 23:19:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
ngompa13: needinfo? (jamielinux)


Attachments (Terms of Use)

  None (edit)
Description Jamie Nguyen 2016-01-23 10:32:02 EST
Spec URL: https://jamielinux.fedorapeople.org/firejail/firejail.spec
SRPM URL: https://jamielinux.fedorapeople.org/firejail/firejail-0.9.36-1.fc23.src.rpm
Fedora Account System Username: jamielinux

Description:
Firejail is a SUID security sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf. It allows a process and all its descendants
to have their own private view of the globally shared kernel resources, such as
the network stack, process table, and mount table.
Comment 1 Petr Pisar 2016-02-02 10:10:51 EST
The firejail package must own %{_datadir}/bash-completion directory because it install files there and the directory is not owned by any dependency.
Comment 2 Jamie Nguyen 2016-02-02 10:34:02 EST
Thanks Petr.

Spec URL: https://jamielinux.fedorapeople.org/firejail/firejail.spec
SRPM URL: https://jamielinux.fedorapeople.org/firejail/firejail-0.9.36-2.fc23.src.rpm

* Tue Feb 02 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 0.9.36-2
- own bash-completion directory
- fix libdir in disable-devel.inc
Comment 3 Dhiru Kholia 2016-03-27 05:36:28 EDT
https://fedorapeople.org/~halfie/packages/firejail/firejail.spec

This .spec files packages Firejail 0.9.38, and it also simplifies inclusion of various profiles.

I am actually unable to run Firejail on Fedora. Running "firejail hexchat" does not launch hexchat on Fedora systems. While doing the same on Ubuntu launches hexchat just fine. How do I test this package further in Fedora?
Comment 4 Dhiru Kholia 2016-05-19 03:13:36 EDT
Firejail packages from https://copr.fedorainfracloud.org/coprs/heikoada/firejail/ run fine on Fedora 24.

Also see https://github.com/netblue30/firejail/issues/399 page.
Comment 5 yousifjkadom@yahoo.com 2017-12-16 05:12:51 EST
It is very nice to see Firejail & it's GUI (firetools) available in official Fedora specially if we take in mind that Firejail is compatible with SELinux & it's much much easer to use from SELinux ......

Why such supersecure distro. like Fedora till now has no Firejail till now in their official repositories ?
Comment 6 Neal Gompa 2017-12-16 05:43:36 EST
Taking this review.
Comment 7 Neal Gompa 2017-12-16 05:45:10 EST
(In reply to Petr Pisar from comment #1)
> The firejail package must own %{_datadir}/bash-completion directory because
> it install files there and the directory is not owned by any dependency.

This is wrong. The bash-completion directory is owned by the bash-completion package, so it should be required instead.
Comment 8 Neal Gompa 2017-12-16 06:03:34 EST
Spec review notes:

> Source0:    https://github.com/netblue30/firejail/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz

Please use the scheme detailed in the guidelines: https://fedoraproject.org/wiki/Packaging:SourceURL#Git_Tags

> %setup -qn %{name}-%{version}

The "-n %{name}-%{version}" is redundant and pointless because this is already default. You can use "%setup -q" or "%autosetup" instead. Consider setting "%autosetup -p1" so that in the event you have patches, they'll be automatically applied correctly.

> sed -i -e 's#/usr/lib#%{_libdir}#g' etc/disable-devel.inc

This looks fine to me, but consider changing from hash marks to a different symbol, as it gets trick with shell evaluation. I usually use the '|' character as it is meaningless in a string and really bad syntax highlighters will highlight them, making it easier to see the separations.

> make %{?_smp_mflags}

Consider using "%make_build". It works on all currently supported Fedora and EPEL targets.

> make install DESTDIR=%{buildroot}

Consider using "%make_install".
Comment 9 Neal Gompa 2017-12-16 06:04:24 EST
I cannot continue the review until you publish a post with Spec and SRPM URLs with matching content. Currently the spec appears to have content that's newer than the SRPM you've published here.
Comment 10 Neal Gompa 2017-12-16 08:49:31 EST
(In reply to yousifjkadom@yahoo.com from comment #5)
> It is very nice to see Firejail & it's GUI (firetools) available in official
> Fedora specially if we take in mind that Firejail is compatible with SELinux
> & it's much much easer to use from SELinux ......
> 
> Why such supersecure distro. like Fedora till now has no Firejail till now
> in their official repositories ?

Nothing gets added to the distribution unless someone is interested in bringing it in. Anyone can become a packager to add software to Fedora[1].

If there's software out there that you think would be great to have in Fedora, then by all means, make a package that conforms to our policies and guidelines[2] and submit it for review to be included in the distribution.

[1]: https://fedoraproject.org/wiki/Join_the_package_collection_maintainers
[2]: https://fedoraproject.org/wiki/Packaging:Guidelines
Comment 11 Petr Pisar 2017-12-18 03:58:01 EST
(In reply to Neal Gompa from comment #7)
> (In reply to Petr Pisar from comment #1)
> > The firejail package must own %{_datadir}/bash-completion directory because
> > it install files there and the directory is not owned by any dependency.
> 
> This is wrong. The bash-completion directory is owned by the bash-completion
> package, so it should be required instead.

This is wrong. Because hard-requiring bash-completion imposes enabling bash-completion for everybody. Even to those who do not want enabling it.
Comment 12 Neal Gompa 2017-12-18 06:54:04 EST
(In reply to Petr Pisar from comment #11)
> (In reply to Neal Gompa from comment #7)
> > (In reply to Petr Pisar from comment #1)
> > > The firejail package must own %{_datadir}/bash-completion directory because
> > > it install files there and the directory is not owned by any dependency.
> > 
> > This is wrong. The bash-completion directory is owned by the bash-completion
> > package, so it should be required instead.
> 
> This is wrong. Because hard-requiring bash-completion imposes enabling
> bash-completion for everybody. Even to those who do not want enabling it.

Is there a bash-completion-filesystem package, then? That's usually the solution for things like that.
Comment 13 Petr Pisar 2017-12-18 07:21:29 EST
(In reply to Neal Gompa from comment #12)
> Is there a bash-completion-filesystem package, then? That's usually the
> solution for things like that.

bash-completion-filesystem does not exist.
Comment 14 Neal Gompa 2018-03-30 23:19:58 EDT
There's been no response in two years, dropping review and marking as DEADREVIEW.

Note You need to log in before you can comment on or make changes to this bug.