[-]
[+]
|
Changed |
_service:tar_git:firejail.changes
|
|
[-]
[+]
|
Changed |
_service:tar_git:firejail.spec
^
|
|
[-]
[+]
|
Changed |
_service:tar_git:0001-Preserve-process-effective-group-for-privileged-grou.patch
^
|
@@ -8,7 +8,7 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
-index 8d8dd95f..94ae8d24 100644
+index f40cbb9de..63352dfaa 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -53,7 +53,7 @@ static inline void EUID_PRINT(void) {
@@ -20,6 +20,3 @@
}
#endif
---
-2.31.1
-
|
[-]
[+]
|
Changed |
_service:tar_git:0002-Implement-Sailfish-OS-specific-privileged-data-optio.patch
^
|
@@ -30,22 +30,22 @@
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
---
- src/firejail/firejail.h | 5 +-
+ src/firejail/firejail.h | 4 +
src/firejail/macros.c | 9 +++
- src/firejail/main.c | 112 +++++++++++++++++++++-----------------
- src/firejail/profile.c | 31 +++++++++++
- src/firejail/sandbox.c | 76 ++++++++++++++++++++++++++
+ src/firejail/main.c | 161 +++++++++++++++-----------------------
+ src/firejail/profile.c | 31 ++++++++
+ src/firejail/sandbox.c | 76 ++++++++++++++++++
src/firejail/usage.c | 1 +
- src/firejail/util.c | 23 +++++---
- src/include/euid_common.h | 86 ++++++++++++++++++++++-------
+ src/firejail/util.c | 27 ++++++-
+ src/include/euid_common.h | 86 +++++++++++++++-----
src/include/rundefs.h | 1 +
- 9 files changed, 266 insertions(+), 78 deletions(-)
+ 9 files changed, 277 insertions(+), 119 deletions(-)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
-index 9971d30b..1ea82329 100644
+index 13ee573ad..e922e9593 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
-@@ -163,6 +163,7 @@ typedef struct config_t {
+@@ -168,6 +168,7 @@ typedef struct config_t {
char *home_private_keep; // keep list for private home directory
char *etc_private_keep; // keep list for private etc directory
char *opt_private_keep; // keep list for private opt directory
@@ -53,7 +53,7 @@
char *srv_private_keep; // keep list for private srv directory
char *bin_private_keep; // keep list for private bin directory
char *bin_private_lib; // executable list sent by private-bin to private-lib
-@@ -455,6 +456,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname);
+@@ -466,6 +467,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname);
// add a profile entry in cfg.profile list; use str to populate the list
void profile_add(char *str);
void profile_add_ignore(const char *str);
@@ -61,21 +61,19 @@
char *profile_list_normalize(char *list);
char *profile_list_compress(char *list);
void profile_list_augment(char **list, const char *items);
-@@ -527,7 +529,8 @@ void update_map(char *mapping, char *map_file);
- void wait_for_other(int fd);
+@@ -560,6 +562,7 @@ void wait_for_other(int fd);
void notify_other(int fd);
uid_t pid_get_uid(pid_t pid);
--uid_t get_group_id(const char *group);
-+gid_t get_group_id(const char *group);
+ gid_t get_group_id(const char *groupname);
+uid_t get_user_id(const char *user);
- int remove_overlay_directory(void);
void flush_stdin(void);
int create_empty_dir_as_user(const char *dir, mode_t mode);
+ void create_empty_dir_as_root(const char *dir, mode_t mode);
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
-index cd29d8f8..895ec93a 100644
+index 3f9460041..ac42a77ed 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
-@@ -241,6 +241,13 @@ char *expand_macros(const char *path) {
+@@ -243,6 +243,13 @@ char *expand_macros(const char *path) {
EUID_ROOT();
return new_name;
}
@@ -89,7 +87,7 @@
else {
char *directory = resolve_macro(path);
if (directory) {
-@@ -296,6 +303,8 @@ void invalid_filename(const char *fname, int globbing) {
+@@ -276,6 +283,8 @@ void invalid_filename(const char *fname, int globbing) {
ptr = fname + 7;
else if (strncmp(ptr, "${RUNUSER}", 10) == 0)
ptr = fname + 10;
@@ -99,10 +97,10 @@
int id = macro_id(fname);
if (id != -1)
diff --git a/src/firejail/main.c b/src/firejail/main.c
-index 7a0d5283..d42791fc 100644
+index 18e9ae651..129fa9d72 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
-@@ -54,8 +54,7 @@ int __clone2(int (*fn)(void *),
+@@ -55,8 +55,7 @@ int __clone2(int (*fn)(void *),
/* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ );
#endif
@@ -112,16 +110,16 @@
#define STACK_SIZE (1024 * 1024)
#define STACK_ALIGNMENT 16
-@@ -1000,7 +999,7 @@ int main(int argc, char **argv, char **envp) {
- fix_std_streams();
+@@ -1061,7 +1060,7 @@ int main(int argc, char **argv, char **envp) {
+ orig_umask = umask(022);
// drop permissions by default and rise them when required
- EUID_INIT();
+ EUID_INIT(*argv);
EUID_USER();
- // argument count should be larger than 0
-@@ -2006,6 +2005,12 @@ int main(int argc, char **argv, char **envp) {
+ // check standard streams before opening any file
+@@ -2083,6 +2082,12 @@ int main(int argc, char **argv, char **envp) {
else
exit_err_feature("private-opt");
}
@@ -134,14 +132,14 @@
else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
if (checkcfg(CFG_PRIVATE_SRV)) {
// extract private srv list
-@@ -3061,71 +3066,76 @@ int main(int argc, char **argv, char **envp) {
+@@ -3143,124 +3148,88 @@ int main(int argc, char **argv, char **envp) {
- if (arg_noroot) {
- // update the UID and GID maps in the new child user namespace
+ if (arg_noroot) {
+ // update the UID and GID maps in the new child user namespace
- // uid
-- char *map_path;
-- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
-- errExit("asprintf");
+- char *map_path;
+- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
+- errExit("asprintf");
+ /* NB: In Linux 4.14 and earlier, id mapping data can have at
+ * maximum 5 lines - see user_namespaces (7) for details. */
+ const int id_max = 5;
@@ -166,10 +164,7 @@
+ }
+ }
+ }
-
-- char *map;
-- uid_t uid = getuid();
-- if (asprintf(&map, "%d %d 1", uid, uid) == -1)
++
+ auto char *id_map(void) {
+ char *ptr = map_data;
+ for (int i = 0; i < id_cnt; ++i) {
@@ -180,90 +175,151 @@
+ id_cnt = 0;
+ return map_data;
+ }
-+
+
+- char *map;
+- uid_t uid = getuid();
+- if (asprintf(&map, "%d %d 1", uid, uid) == -1)
+ // UIDs
+ if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
- errExit("asprintf");
-- EUID_ROOT();
-- update_map(map, map_path);
+ errExit("asprintf");
+ id_add(0);
+ id_add(euid_data.uid);
+ id_add(euid_data.privileged_uid);
-+ EUID_ROOT();
+ EUID_ROOT();
+- update_map(map, map_path);
+ update_map(id_map(), map_path);
- EUID_USER();
-- free(map);
- free(map_path);
+ EUID_USER();
+- free(map);
+ free(map_path);
-- // gid file
+- // gid file
+ // GIDs
if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
errExit("asprintf");
-- char gidmap[1024];
-- char *ptr = gidmap;
-- *ptr = '\0';
+- char gidmap[1024];
+- char *ptr = gidmap;
+- *ptr = '\0';
-
-- // add user group
-- gid_t gid = getgid();
-- sprintf(ptr, "%d %d 1\n", gid, gid);
-- ptr += strlen(ptr);
+- // add user group
+- gid_t gid = getgid();
+- sprintf(ptr, "%d %d 1\n", gid, gid);
+- ptr += strlen(ptr);
+- gid_t g;
+ id_add(0);
+ id_add(euid_data.gid);
+ id_add(euid_data.primary_gid);
+ id_add(euid_data.privileged_gid);
- if (!arg_nogroups) {
|
[-]
[+]
|
Changed |
_service:tar_git:0003-Add-profile-files-to-a-list-when-processing-argument.patch
^
|
@@ -16,10 +16,10 @@
3 files changed, 85 insertions(+)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
-index 1ea82329..28c1d81e 100644
+index e922e9593..4848c3516 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
-@@ -460,6 +460,7 @@ char *profile_list_slice(char *pos, char **ppos);
+@@ -471,6 +471,7 @@ char *profile_list_slice(char *pos, char **ppos);
char *profile_list_normalize(char *list);
char *profile_list_compress(char *list);
void profile_list_augment(char **list, const char *items);
@@ -28,10 +28,10 @@
// list.c
void list(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
-index d42791fc..5d92df2d 100644
+index 129fa9d72..6bebf3143 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
-@@ -2761,6 +2761,9 @@ int main(int argc, char **argv, char **envp) {
+@@ -2846,6 +2846,9 @@ int main(int argc, char **argv, char **envp) {
break;
}
}
@@ -42,12 +42,12 @@
// exit chroot, overlay and appimage sandboxes when caps are explicitly specified on command line
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
-index 2c226168..2c172ad1 100644
+index c5dd43521..4ca9bc2cd 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
-@@ -28,6 +28,18 @@ extern char *xephyr_screen;
-
- #define MAX_READ 8192 // line buffer for profile files
+@@ -29,6 +29,18 @@ extern char *xephyr_screen;
+ #define MAX_READ 8192 // line buffer for profile files
+ #define MAX_LIST 16384 // size limit for argument lists
+typedef struct profile_file_name_t {
+ char *fname;
@@ -64,7 +64,7 @@
// find and read the profile specified by name from dir directory
// return 1 if a profile was found
static int profile_find(const char *name, const char *dir, int add_ext) {
-@@ -1678,6 +1690,27 @@ void profile_add(char *str) {
+@@ -1722,6 +1734,27 @@ void profile_add(char *str) {
ptr->next = prf;
}
@@ -92,7 +92,7 @@
// read a profile file
static int include_level = 0;
void profile_read(const char *fname) {
-@@ -1726,6 +1759,11 @@ void profile_read(const char *fname) {
+@@ -1770,6 +1803,11 @@ void profile_read(const char *fname) {
}
}
@@ -104,7 +104,7 @@
// open profile file:
FILE *fp = fopen(fname, "re");
if (fp == NULL) {
-@@ -1817,6 +1855,49 @@ void profile_read(const char *fname) {
+@@ -1873,6 +1911,49 @@ void profile_read(const char *fname) {
fclose(fp);
}
@@ -154,6 +154,3 @@
char *profile_list_slice(char *pos, char **ppos)
{
/* Extract token from comma separated list.
---
-2.31.1
-
|
[-]
[+]
|
Changed |
_service:tar_git:0004-Implement-template-addition-for-replacing-keys-in-pr.patch
^
|
@@ -1,8 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jussi Laakkonen <jussi.laakkonen@jolla.com>
Date: Fri, 7 May 2021 18:29:29 +0300
-Subject: [PATCH] Implement template addition for replacing keys in profile
- files
+Subject: [PATCH] Implement template addition for replacing keys in profile files
Implement template addition to pass templates as key value pairs as cmd
line parameters to replace the keys in read profile file lines to allow
@@ -78,7 +77,7 @@
create mode 100644 src/firejail/template.c
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
-index 9a4cb2e6..80385376 100644
+index 66738bd4b..8160bc6be 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -41,7 +41,7 @@
@@ -91,11 +90,11 @@
static pid_t dbus_proxy_pid = 0;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
-index 28c1d81e..77e5a830 100644
+index 4848c3516..c245e40e6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
-@@ -888,6 +888,8 @@ void set_x11_run_file(pid_t pid, int display);
- void set_profile_run_file(pid_t pid, const char *fname);
+@@ -922,6 +922,8 @@ void set_sandbox_run_file(pid_t pid, pid_t child);
+ void release_sandbox_lock(void);
// dbus.c
+#define DBUS_MAX_NAME_LENGTH 255
@@ -103,9 +102,9 @@
int dbus_check_name(const char *name);
int dbus_check_call_rule(const char *name);
void dbus_check_profile(void);
-@@ -906,4 +908,10 @@ void dhcp_start(void);
- // selinux.c
- void selinux_relabel_path(const char *path, const char *inside_path);
+@@ -946,4 +948,10 @@ void run_ids(int argc, char **argv);
+ // oom.c
+ void oom_set(const char *oom_string);
+// template.c
+void check_template(char *arg);
@@ -115,10 +114,10 @@
+void template_cleanup();
#endif
diff --git a/src/firejail/main.c b/src/firejail/main.c
-index 5d92df2d..252371be 100644
+index 6bebf3143..3edfbb09a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
-@@ -2649,6 +2649,11 @@ int main(int argc, char **argv, char **envp) {
+@@ -2764,6 +2764,11 @@ int main(int argc, char **argv, char **envp) {
exit_err_feature("networking");
}
#endif
@@ -130,7 +129,7 @@
//*************************************
// command
//*************************************
-@@ -2762,6 +2767,9 @@ int main(int argc, char **argv, char **envp) {
+@@ -2847,6 +2852,9 @@ int main(int argc, char **argv, char **envp) {
}
}
@@ -140,7 +139,7 @@
profile_read_file_list();
EUID_ASSERT();
-@@ -2893,6 +2901,9 @@ int main(int argc, char **argv, char **envp) {
+@@ -2972,6 +2980,9 @@ int main(int argc, char **argv, char **envp) {
}
EUID_ASSERT();
@@ -151,10 +150,10 @@
if (arg_x11_block)
x11_block();
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
-index 2c172ad1..9f0e5baf 100644
+index 4ca9bc2cd..55b11eb50 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
-@@ -1812,6 +1812,40 @@ void profile_read(const char *fname) {
+@@ -1868,6 +1868,40 @@ void profile_read(const char *fname) {
msg_printed = 1;
}
@@ -197,7 +196,7 @@
include_level++;
diff --git a/src/firejail/template.c b/src/firejail/template.c
new file mode 100644
-index 00000000..64bcef5e
+index 000000000..64bcef5e4
--- /dev/null
+++ b/src/firejail/template.c
@@ -0,0 +1,504 @@
@@ -706,22 +705,22 @@
+ return new_string;
+}
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
-index 098bf696..4598f3c7 100644
+index 5b376dc3c..00af44687 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
-@@ -239,6 +239,7 @@ static char *usage_str =
- " --shell=none - run the program directly without a user shell.\n"
- " --shell=program - set default user shell.\n"
+@@ -256,6 +256,7 @@ static char *usage_str =
" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
+ " --tab - enable shell tab completion in sandboxes using private or\n"
+ "\twhitelisted home directories.\n"
+ " --template=KEY:VALUE - set a template KEY with VALUE usable as ${KEY} in profiles\n"
" --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"
"\thas elapsed.\n"
" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
-index db58e091..b0ff631b 100644
+index 5b16179ac..5544b471f 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
-@@ -965,6 +965,20 @@ Always exit firejail with the first child's exit status. The default behavior is
+@@ -1013,6 +1013,20 @@ Always shut down the sandbox after the first child has terminated. The default b
Join the sandbox identified by name or start a new one.
Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
@@ -743,12 +742,12 @@
.TP
\fB/etc/firejail/appname.profile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
-index 0462705c..d6036605 100644
+index e5020e37e..1d9e9b16a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
-@@ -2573,6 +2573,23 @@ $ firejail \-\-list
+@@ -2870,6 +2870,23 @@ Enable shell tab completion in sandboxes using private or whitelisted home direc
.br
- $ firejail \-\-shutdown=3272
+ $ firejail \-\-private --tab
.TP
+\fB\-\-template=KEY:VALUE
+Define a template \fBKEY\fR with \fBVALUE\fR to have application specific \fB${KEY}\fRs in the profile files replaced with the given value. This is useful, for example, with D-Bus name ownership to make a generic ownership rule to be application specific. See \fB\&\flfirejail-profile\fR\|(5)\fR for information on how to use the template keys in profile files. Internal macros cannot be overridden with this, in such case firejail quits with an error message.
@@ -770,6 +769,3 @@
\fB\-\-timeout=hh:mm:ss
Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
.br
---
-2.31.1
-
|
[-]
[+]
|
Changed |
_service:tar_git:0005-Retain-symlink-chains.patch
^
|
@@ -1,4 +1,4 @@
-From 8ad599674872d433f8410e3ebd5f2d6793f431fd Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Simo Piiroinen <simo.piiroinen@jolla.com>
Date: Tue, 19 Oct 2021 11:43:31 +0300
Subject: [PATCH] Retain symlink chains
@@ -25,11 +25,11 @@
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
---
- src/fcopy/main.c | 136 +++++++++++++++++++----------------------------
- 1 file changed, 56 insertions(+), 80 deletions(-)
+ src/fcopy/main.c | 125 +++++++++++++++++++----------------------------
+ 1 file changed, 50 insertions(+), 75 deletions(-)
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
-index 31810de9..a5421500 100644
+index b0b7f7024..c99b56b7e 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -22,6 +22,7 @@
@@ -40,7 +40,7 @@
#include <fcntl.h>
#ifndef O_PATH
-@@ -180,77 +181,58 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
+@@ -181,78 +182,58 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
}
}
@@ -48,7 +48,10 @@
- assert(target);
- char *use_target = 0;
- char *proc_pid = 0;
--
++void copy_link(const char *target, const char *linkpath) {
++ int failed = 1;
++ char *linkdata = NULL;
+
- if (!(use_target = realpath(target, NULL)))
- goto done;
-
@@ -56,53 +59,82 @@
- static const char proc[] = "/proc/";
- if (strncmp(use_target, proc, sizeof(proc) - 1))
- goto done;
--
++ // if the link is already there, don't create it
++ struct stat s;
++ if (lstat(linkpath, &s) == 0)
++ goto success;
+
- int digit = use_target[sizeof(proc) - 1];
- if (digit < '1' || digit > '9')
- goto done;
--
++ // read source symlink
++ if (lstat(target, &s) == -1)
++ goto failure;
+
- // check where /proc/self points to
- static const char proc_self[] = "/proc/self";
-- if (!(proc_pid = realpath(proc_self, NULL)))
+- proc_pid = realpath(proc_self, NULL);
+- if (proc_pid == NULL)
- goto done;
--
++ if (!S_ISLNK(s.st_mode))
++ goto failure;
+
- // redirect /proc/PID/xxx -> /proc/self/XXX
- size_t pfix = strlen(proc_pid);
- if (strncmp(use_target, proc_pid, pfix))
- goto done;
--
++ ssize_t linksize = s.st_size ? (s.st_size + 1) : PATH_MAX;
++ if (!(linkdata = malloc(linksize)))
++ goto failure;
+
- if (use_target[pfix] != 0 && use_target[pfix] != '/')
- goto done;
--
++ ssize_t rc = readlink(target, linkdata, linksize);
++ if (rc < 0) {
++ if (!arg_quiet)
++ fprintf(stderr, "Error fcopy: readlink %s failed: %m\n", target);
++ goto failure;
++ }
+
- char *tmp;
- if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) {
- if (arg_debug)
- fprintf(stderr, "SYMLINK %s\n --> %s\n", use_target, tmp);
- free(use_target);
- use_target = tmp;
-- }
++ if (rc >= linksize) {
++ if (!arg_quiet)
++ fprintf(stderr, "Error fcopy: readlink %s buffer overflow\n", target);
++ goto failure;
+ }
- else
- errExit("asprintf");
--
+
-done:
- if (proc_pid)
- free(proc_pid);
- return use_target;
-}
--
++ linkdata[rc] = 0;
+
-void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
- (void) mode;
- (void) uid;
- (void) gid;
-+void copy_link(const char *target, const char *linkpath) {
-+ int failed = 1;
-+ char *linkdata = NULL;
++ // duplicate at the given path
++ if (symlink(linkdata, linkpath) == -1) {
++ if (!arg_quiet)
++ fprintf(stderr, "Error fcopy: creating %s symlink failed: %m\n", linkpath);
++ goto failure;
++ }
- // if the link is already there, don't create it
- struct stat s;
- if (lstat(linkpath, &s) == 0)
+- // if the link is already there, don't create it
+- struct stat s;
+- if (lstat(linkpath, &s) == 0)
- return;
--
++ if (arg_debug)
++ fprintf(stderr, "fcopy: created symlink: %s -> %s\n", linkpath, linkdata);
+
- char *rp = proc_pid_to_self(target);
- if (rp) {
- if (symlink(rp, linkpath) == -1) {
@@ -110,61 +142,24 @@
- goto errout;
- }
- free(rp);
-+ goto success;
-+
-+ // read source symlink
-+ if (lstat(target, &s) == -1)
-+ goto failure;
-+
-+ if (!S_ISLNK(s.st_mode))
-+ goto failure;
-+
-+ ssize_t linksize = s.st_size ? (s.st_size + 1) : PATH_MAX;
-+ if (!(linkdata = malloc(linksize)))
-+ goto failure;
-+
-+ ssize_t rc = readlink(target, linkdata, linksize);
-+ if (rc < 0) {
-+ if (!arg_quiet)
-+ fprintf(stderr, "Error fcopy: readlink %s failed: %m\n", target);
-+ goto failure;
-+ }
-+
-+ if (rc >= linksize) {
-+ if (!arg_quiet)
-+ fprintf(stderr, "Error fcopy: readlink %s buffer overflow\n", target);
-+ goto failure;
- }
+- }
- else
- goto errout;
-
-- return;
--errout:
-- if (!arg_quiet)
-- fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target);
-+ linkdata[rc] = 0;
-+
-+ // duplicate at the given path
-+ if (symlink(linkdata, linkpath) == -1) {
-+ if (!arg_quiet)
-+ fprintf(stderr, "Error fcopy: creating %s symlink failed: %m\n", linkpath);
-+ goto failure;
-+ }
-+
-+ if (arg_debug)
-+ fprintf(stderr, "fcopy: created symlink: %s -> %s\n", linkpath, linkdata);
-+
+success:
+ failed = 0;
+failure:
+ if (failed && !arg_quiet)
+ fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", linkpath);
-+
+
+- return;
+-errout:
+- if (!arg_quiet)
|
[-]
[+]
|
Changed |
_service:tar_git:0006-Add-xstat-tracing-and-optionally-log-only-failing-ca.patch
^
|
@@ -1,4 +1,4 @@
-From 9a868fc4de943a4ce25d137a56357ca365cfd234 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Simo Piiroinen <simo.piiroinen@jolla.com>
Date: Tue, 9 Nov 2021 16:08:37 +0200
Subject: [PATCH] Add xstat() tracing and optionally log only failing calls
@@ -22,15 +22,15 @@
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
---
- src/libtrace/libtrace.c | 860 ++++++++++++++++++++++++----------------
- 1 file changed, 509 insertions(+), 351 deletions(-)
+ src/libtrace/libtrace.c | 863 ++++++++++++++++++++++++----------------
+ 1 file changed, 524 insertions(+), 339 deletions(-)
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
-index d88512b0..d78c6d76 100644
+index aa37bb758..bce5460fa 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
-@@ -20,6 +20,8 @@
- #define _GNU_SOURCE
+@@ -21,6 +21,8 @@
+ #include <errno.h>
#include <stdio.h>
#include <stdlib.h>
+#include <stdarg.h>
@@ -38,7 +38,7 @@
#include <string.h>
#include <dlfcn.h>
#include <sys/types.h>
-@@ -30,90 +32,79 @@
+@@ -30,6 +32,9 @@
#include <arpa/inet.h>
#include <sys/un.h>
#include <sys/stat.h>
@@ -48,26 +48,10 @@
#include <syslog.h>
#include <dirent.h>
#include "../include/rundefs.h"
-
--#define tprintf(fp, args...) \
-- do { \
-- if (!fp)\
-- init(); \
-- fprintf(fp, args); \
-- } while(0)
--
--// break recursivity on fopen call
--typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode);
--static orig_fopen_t orig_fopen = NULL;
--typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
--static orig_fopen64_t orig_fopen64 = NULL;
--typedef int (*orig_access_t)(const char *pathname, int mode);
--static orig_access_t orig_access = NULL;
--
--//
--// library constructor/destructor
--//
--// Using fprintf to /dev/tty instead of printf in order to fix #561
+@@ -51,67 +56,72 @@ static orig_access_t orig_access = NULL;
+ // library constructor/destructor
+ //
+ // Using fprintf to /dev/tty instead of printf in order to fix #561
+static bool verbose = true;
static FILE *ftty = NULL;
static pid_t mypid = 0;
@@ -78,16 +62,10 @@
-void init(void) {
- if (ftty)
- return;
-+static FILE *output(void);
-
+-
- orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
- orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
-+__attribute__((format(printf, 1, 2))) static void message(const char *fmt, ...) {
-+ // We need to ensure that trace logging does not
-+ // interfere with errno that application code gets
-+ // to see
-+ int saved = errno;
-
+-
- // allow environment variable to override defaults
- char *logfile = getenv("FIREJAIL_TRACEFILE");
- if (!logfile) {
@@ -97,57 +75,38 @@
- // else log to associated tty
- logfile = "/dev/tty";
- }
-+ char *text = NULL;
-+ va_list va;
-+ va_start(va, fmt);
-+ if (vasprintf(&text, fmt, va) < 0)
-+ text = NULL;
-+ va_end(va);
-
+-
- // logfile
- unsigned cnt = 0;
- while ((ftty = orig_fopen(logfile, "a")) == NULL) {
- if (++cnt > 10) { // 10 sec
- perror("Cannot open trace log file");
- exit(1);
-- }
-- sleep(1);
-- }
-- // line buffered stream
-- setvbuf(ftty, NULL, _IOLBF, BUFSIZ);
++static FILE *output(void);
++
++__attribute__((format(printf, 1, 2))) static void message(const char *fmt, ...) {
++ // We need to ensure that trace logging does not
++ // interfere with errno that application code gets
++ // to see
++ int saved = errno;
++
++ char *text = NULL;
++ va_list va;
++ va_start(va, fmt);
++ if (vasprintf(&text, fmt, va) < 0)
++ text = NULL;
++ va_end(va);
++
+ // As the 1st output() call evaluates mypid & myname,
+ // it needs to be done before using those variables
+ FILE *file = output() ?: stderr;
-
-- // pid
-- mypid = getpid();
++
+ fprintf(file, "%u:%s:%s\n", mypid, myname, text ?: fmt);
+ free(text);
-
-- // process name
-- char *fname;
-- if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
-- FILE *fp = orig_fopen(fname, "r");
-- free(fname);
-- if (fp) {
-- if (fgets(myname, MAXNAME, fp) == NULL)
-- strcpy(myname, "unknown");
-- fclose(fp);
-- }
-- }
--
-- // clean '\n'
-- char *ptr = strchr(myname, '\n');
-- if (ptr)
-- *ptr = '\0';
--
--// tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
++
+ errno = saved;
- }
-
--static void fini(void) __attribute__((destructor));
--void fini(void) {
-- fclose(ftty);
++}
++
+static void *lookup(const char *name) {
+ // Map internally used "silent" wrappers to actual
+ // functions, for example: silent_fopen() -> fopen()
@@ -164,7 +123,24 @@
+ if (write(STDERR_FILENO, txt, strlen(txt)) < 0) {
+ // dontcare
+ }
-+ }
+ }
+- sleep(1);
+- }
+- // line buffered stream
+- setvbuf(ftty, NULL, _IOLBF, BUFSIZ);
+-
+- // pid
+- mypid = getpid();
+-
+- // process name
+- char *fname;
+- if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
+- FILE *fp = orig_fopen(fname, "r");
+- free(fname);
+- if (fp) {
+- if (fgets(myname, MAXNAME, fp) == NULL)
+- strcpy(myname, "unknown");
+- fclose(fp);
+ auto void dump_num(unsigned num) {
+ char stk[16];
+ size_t sp = sizeof stk;
@@ -173,7 +149,7 @@
+ stk[--sp] = '0' + num % 10u;
+ } while ((num /= 10u) && sp > 0);
+ dump_str(stk + sp);
-+ }
+ }
+ dump_num(mypid);
+ dump_str(":");
+ dump_str(myname);
@@ -181,12 +157,24 @@
|
[-]
[+]
|
Added |
_service:tar_git:0007-Revert-deprecating-shell-3-5196.patch
^
|
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Suni <daniel.suni@jolla.com>
+Date: Fri, 17 Feb 2023 11:48:56 +0200
+Subject: [PATCH] Revert "deprecating --shell (3) (#5196)"
+
+This reverts commit 7ad735deafa80114a17b20790de63f7e973b1bb4.
+
+This commit makes firejail attempt to use /bin/bash to launch every process
+that uses a "--" argument. Sailjail uses this, but we do *not* want shell
+execution, since it will fail.
+
+There are a number of bug reports in firejail upstream with regards to this
+very odd feature - see e.g. https://github.com/netblue30/firejail/issues/5659
+so for now we will revert the offending commit until the dust settles upstream.
+---
+ src/firejail/sandbox.c | 6 +++---
+ test/filters/noroot.exp | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
+index 0377293de..2a3934807 100644
+--- a/src/firejail/sandbox.c
++++ b/src/firejail/sandbox.c
+@@ -537,7 +537,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
+ //****************************************
+ // start the program without using a shell
+ //****************************************
+- else if (!arg_appimage && !arg_doubledash) {
++ else if (!arg_appimage) {
+ if (arg_debug) {
+ int i;
+ for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
+@@ -569,9 +569,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
+ execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
+ }
+ //****************************************
+- // start the program using a shell
++ // start the program using a shell (appimages)
+ //****************************************
+- else { // appimage or double-dash
++ else { // appimage
+ char *arg[5];
+ int index = 0;
+ assert(cfg.usershell);
+diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
+index 942aedbcb..66e1e4e27 100755
+--- a/test/filters/noroot.exp
++++ b/test/filters/noroot.exp
+@@ -81,11 +81,11 @@ spawn $env(SHELL)
+ send -- "firejail --debug --join=test\r"
+ expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+- "Joining user namespace"
++ "User namespace detected"
+ }
+ expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+- "Child process initialized"
++ "Joining user namespace"
+ }
+ sleep 1
+
|
[-]
[+]
|
Changed |
_service
^
|
@@ -6,7 +6,7 @@
<service name="tar_git">
<param name="url">https://github.com/sailfishos/firejail.git</param>
<param name="branch">master</param>
- <param name="revision"/>
+ <param name="revision">45dc642442355edece4d629a01e7d28df20f6e17</param>
<param name="token"/>
<param name="debian">N</param>
<param name="dumb">N</param>
|
|
Changed |
_service:tar_git:firejail-0.9.72+git1.tar.bz2
^
|