| Field | Value |
|---|---|
| Summary | sys-apps/firejail profiles for strings and fontforge break installation of media-libs/x264 and app-office/libreoffice |
| Product | Gentoo Linux |
| Reporter | Øyvind <oyviaase> |
| Component | Current packages |
| Assignee | Hank Leininger <hlein> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | jstein, proxy-maint, sam |
| Priority | Normal |
| Keywords | PullRequest |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://github.com/gentoo/gentoo/pull/24102 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 769731 |
Description

Øyvind, 2019-09-19 14:04:59 UTC

Steps to reproduce:

1. install firejail
2. run sudo firecfg to enable firejail for all supported programs
3. try to install libreoffice or x264

This was marked "IN_PROGRESS" on 2019-09-29. Any news?

Not really, hadn't found a good solution so far. Solutions or ideas are welcome.

I think this boils down to an interaction between firejail being setuid, and libsandbox.so being loaded by portage during emerges by using LD_ environment variables, which isn't allowed/respected for setuid bins.

Working on a short-term fix for this, you can play along at home: edit /usr/lib64/firejail/firecfg.config, comment out the problematic items[*], and then run firecfg --clean ; firecfg ; hash -r

[*] My current list is patch, strings, and fontforge; will do an emerge -e world to see what else I can identify. Once I have a somewhat-complete list, I'll modify our ebuild to disable the problematic ones by default. Upstream already has some entries commented out with notes about Arch issues, so they're receptive; I'll open an issue and PR there as well.

A potential longer-term option could be to entirely bypass firejail for user portage doing builds. Combine something like a firejail group (see https://bugs.gentoo.org/663784) that excludes the portage user, set firecfg's default bindir to something like /usr/lib/firejail/bin/ (see firecfg's --bindir argument), and an env.d/ file that prepends that dir to $PATH only if the user is a member of the firejail group.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f83326db36c6215b3fb69cf9630c5e3b53d32c43

```
commit f83326db36c6215b3fb69cf9630c5e3b53d32c43
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2022-02-07 04:40:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-18 02:38:46 +0000

    sys-apps/firejail: version bump, remove old, Gentoo compat tweaks

    Upstream released a security bump. Also, added some fixes and
    workarounds for bits & configs that break on Gentoo.

    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/832819
    Closes: https://bugs.gentoo.org/694966
    Closes: https://bugs.gentoo.org/663784
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Closes: https://github.com/gentoo/gentoo/pull/24102
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/firejail/Manifest                         |  3 +-
 sys-apps/firejail/files/firecfg.config.patch       | 71 ++++++++++++++++
 .../firejail/files/firejail-0.9.68-envlimits.patch | 12 +++
 sys-apps/firejail/files/profile_display.local      |  2 +
 sys-apps/firejail/files/profile_patch.local        |  8 ++
 sys-apps/firejail/files/profile_pdftotext.local    |  2 +
 sys-apps/firejail/files/profile_wget.local         |  5 ++
 sys-apps/firejail/firejail-0.9.64.4.ebuild         | 99 ----------------------
 ...rejail-0.9.66.ebuild => firejail-0.9.68.ebuild} | 27 +++++-
 sys-apps/firejail/firejail-9999.ebuild             |  8 +-
 10 files changed, 128 insertions(+), 109 deletions(-)
```
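An added example (not code from the bug report, the firejail project or the Gentoo ebuild) that scripts the short-term workaround described above: it comments out chosen entries in a firecfg.config-style file so firecfg stops symlinking those tools to firejail, and lists what stays enabled. It assumes the upstream file format of one program name per line with '#' starting a comment; the config path and the program names (patch, strings, fontforge in the report) are passed as arguments, and the sample config it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or the Gentoo ebuild.
# Assumed firecfg.config format: one program name per line, '#' starts a comment.

# Comment out every line that consists exactly of one of the given program names.
# Already-commented lines never match, so running this twice changes nothing.
#   $1   = path to firecfg.config (e.g. /usr/lib64/firejail/firecfg.config)
#   $2.. = program names to keep out of firejail (e.g. patch strings fontforge)
disable_firecfg_entries() {
    cfg=$1; shift
    tmp=$(mktemp) || return 1
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        ($0 in off) { print "# " $0 "  # disabled: breaks Portage sandbox builds"; next }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the program names firecfg would still symlink to firejail:
# non-empty, non-comment lines with surrounding blanks stripped.
firecfg_enabled_entries() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1"
}

# Write a constructed sample config (not the real upstream file) to $1.
make_sample_firecfg_config() {
    printf '%s\n' '# constructed sample firecfg.config' patch strings fontforge firefox '' > "$1"
}

# The remaining step from the bug report: rebuild the symlinks so the disabled
# entries disappear from firecfg's bindir. Needs root; `hash -r` only affects the
# calling shell, so repeat it there. Defined for reference, not invoked here.
reapply_firecfg() {
    command -v firecfg >/dev/null 2>&1 || { echo "firecfg not installed" >&2; return 1; }
    firecfg --clean && firecfg && hash -r
}
```

Names containing awk-special characters are matched literally because the lookup is a hash-table membership test, not a regex.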