Changes - SailfishOS Open Build Service

Changes of Revision 2

We truncated the diff of some files because they were too big. If you want to see the full diff for every file, click here.

[-] [+]	Changed	_service:tar_git:firejail.changes
@@ -1,3 +1,6 @@ +* Wed Mar 22 2023 Tomi Leppänen <tomi.leppanen@jolla.com> - 0.9.72+git1 +- [firejail] Updated upstream to 0.9.72 Fixes JB#59121 + * Fri Nov 19 2021 Simo Piiroinen <simo.piiroinen@jolla.com> - 0.9.66+git3 - [libtrace] Add xstat() tracing and optionally log only failing calls Fixes JB#55650 - [libtrace] Add xstat() tracing and optionally log only failing calls. Fixes JB#55650
[-] [+]	Changed	_service:tar_git:firejail.spec ^
@@ -1,5 +1,5 @@ Name: firejail -Version: 0.9.66+git3 +Version: 0.9.72+git1 Release: 1 Summary: Linux namepaces sandbox program License: GPLv2+ @@ -11,6 +11,7 @@ Patch4: 0004-Implement-template-addition-for-replacing-keys-in-pr.patch Patch5: 0005-Retain-symlink-chains.patch Patch6: 0006-Add-xstat-tracing-and-optionally-log-only-failing-ca.patch +Patch7: 0007-Revert-deprecating-shell-3-5196.patch URL: https://github.com/sailfishos/firejail @@ -54,7 +55,7 @@ %defattr(-,root,root,-) %attr(4755, -, -) %{_bindir}/%{name} %{_bindir}/firemon -%exclude %{_libdir}/%{name}/firecfg.config +%exclude %{_sysconfdir}/%{name}/firecfg.config %{_libdir}/%{name} %dir %{_sysconfdir}/%{name} %config %{_sysconfdir}/%{name}/.config @@ -64,7 +65,7 @@ %files profiles %{_bindir}/firecfg %{_bindir}/jailcheck -%{_libdir}/%{name}/firecfg.config +%{_sysconfdir}/%{name}/firecfg.config %exclude %{_sysconfdir}/%{name}/.config %exclude %{_sysconfdir}/%{name}/disable-.inc %exclude %{_sysconfdir}/%{name}/whitelist-.inc
[-] [+]	Changed	_service:tar_git:0001-Preserve-process-effective-group-for-privileged-grou.patch ^
@@ -8,7 +8,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/include/euid_common.h b/src/include/euid_common.h -index 8d8dd95f..94ae8d24 100644 +index f40cbb9de..63352dfaa 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h @@ -53,7 +53,7 @@ static inline void EUID_PRINT(void) { @@ -20,6 +20,3 @@ } #endif --- -2.31.1 -
[-] [+]	Changed	_service:tar_git:0002-Implement-Sailfish-OS-specific-privileged-data-optio.patch ^
@@ -30,22 +30,22 @@ Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> --- - src/firejail/firejail.h \| 5 +- + src/firejail/firejail.h \| 4 + src/firejail/macros.c \| 9 +++ - src/firejail/main.c \| 112 +++++++++++++++++++++----------------- - src/firejail/profile.c \| 31 +++++++++++ - src/firejail/sandbox.c \| 76 ++++++++++++++++++++++++++ + src/firejail/main.c \| 161 +++++++++++++++----------------------- + src/firejail/profile.c \| 31 ++++++++ + src/firejail/sandbox.c \| 76 ++++++++++++++++++ src/firejail/usage.c \| 1 + - src/firejail/util.c \| 23 +++++--- - src/include/euid_common.h \| 86 ++++++++++++++++++++++------- + src/firejail/util.c \| 27 ++++++- + src/include/euid_common.h \| 86 +++++++++++++++----- src/include/rundefs.h \| 1 + - 9 files changed, 266 insertions(+), 78 deletions(-) + 9 files changed, 277 insertions(+), 119 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h -index 9971d30b..1ea82329 100644 +index 13ee573ad..e922e9593 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h -@@ -163,6 +163,7 @@ typedef struct config_t { +@@ -168,6 +168,7 @@ typedef struct config_t { char home_private_keep; // keep list for private home directory char etc_private_keep; // keep list for private etc directory char opt_private_keep; // keep list for private opt directory @@ -53,7 +53,7 @@ char srv_private_keep; // keep list for private srv directory char bin_private_keep; // keep list for private bin directory char bin_private_lib; // executable list sent by private-bin to private-lib -@@ -455,6 +456,7 @@ int profile_check_line(char ptr, int lineno, const char fname); +@@ -466,6 +467,7 @@ int profile_check_line(char ptr, int lineno, const char fname); // add a profile entry in cfg.profile list; use str to populate the list void profile_add(char str); void profile_add_ignore(const char str); @@ -61,21 +61,19 @@ char profile_list_normalize(char list); char profile_list_compress(char list); void profile_list_augment(char *list, const char items); -@@ -527,7 +529,8 @@ void update_map(char mapping, char map_file); - void wait_for_other(int fd); +@@ -560,6 +562,7 @@ void wait_for_other(int fd); void notify_other(int fd); uid_t pid_get_uid(pid_t pid); --uid_t get_group_id(const char group); -+gid_t get_group_id(const char group); + gid_t get_group_id(const char groupname); +uid_t get_user_id(const char user); - int remove_overlay_directory(void); void flush_stdin(void); int create_empty_dir_as_user(const char dir, mode_t mode); + void create_empty_dir_as_root(const char dir, mode_t mode); diff --git a/src/firejail/macros.c b/src/firejail/macros.c -index cd29d8f8..895ec93a 100644 +index 3f9460041..ac42a77ed 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c -@@ -241,6 +241,13 @@ char expand_macros(const char path) { +@@ -243,6 +243,13 @@ char expand_macros(const char path) { EUID_ROOT(); return new_name; } @@ -89,7 +87,7 @@ else { char directory = resolve_macro(path); if (directory) { -@@ -296,6 +303,8 @@ void invalid_filename(const char fname, int globbing) { +@@ -276,6 +283,8 @@ void invalid_filename(const char fname, int globbing) { ptr = fname + 7; else if (strncmp(ptr, "${RUNUSER}", 10) == 0) ptr = fname + 10; @@ -99,10 +97,10 @@ int id = macro_id(fname); if (id != -1) diff --git a/src/firejail/main.c b/src/firejail/main.c -index 7a0d5283..d42791fc 100644 +index 18e9ae651..129fa9d72 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c -@@ -54,8 +54,7 @@ int __clone2(int (fn)(void ), +@@ -55,8 +55,7 @@ int __clone2(int (fn)(void ), / pid_t ptid, struct user_desc tls, pid_t ctid / ); #endif @@ -112,16 +110,16 @@ #define STACK_SIZE (1024 * 1024) #define STACK_ALIGNMENT 16 -@@ -1000,7 +999,7 @@ int main(int argc, char argv, char envp) { - fix_std_streams(); +@@ -1061,7 +1060,7 @@ int main(int argc, char argv, char envp) { + orig_umask = umask(022); // drop permissions by default and rise them when required - EUID_INIT(); + EUID_INIT(argv); EUID_USER(); - // argument count should be larger than 0 -@@ -2006,6 +2005,12 @@ int main(int argc, char argv, char envp) { + // check standard streams before opening any file +@@ -2083,6 +2082,12 @@ int main(int argc, char argv, char envp) { else exit_err_feature("private-opt"); } @@ -134,14 +132,14 @@ else if (strncmp(argv[i], "--private-srv=", 14) == 0) { if (checkcfg(CFG_PRIVATE_SRV)) { // extract private srv list -@@ -3061,71 +3066,76 @@ int main(int argc, char argv, char envp) { +@@ -3143,124 +3148,88 @@ int main(int argc, char argv, char envp) { - if (arg_noroot) { - // update the UID and GID maps in the new child user namespace + if (arg_noroot) { + // update the UID and GID maps in the new child user namespace - // uid -- char map_path; -- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) -- errExit("asprintf"); +- char map_path; +- if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) +- errExit("asprintf"); + / NB: In Linux 4.14 and earlier, id mapping data can have at + * maximum 5 lines - see user_namespaces (7) for details. / + const int id_max = 5; @@ -166,10 +164,7 @@ + } + } + } - -- char map; -- uid_t uid = getuid(); -- if (asprintf(&map, "%d %d 1", uid, uid) == -1) ++ + auto char id_map(void) { + char ptr = map_data; + for (int i = 0; i < id_cnt; ++i) { @@ -180,90 +175,151 @@ + id_cnt = 0; + return map_data; + } -+ + +- char map; +- uid_t uid = getuid(); +- if (asprintf(&map, "%d %d 1", uid, uid) == -1) + // UIDs + if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) - errExit("asprintf"); -- EUID_ROOT(); -- update_map(map, map_path); + errExit("asprintf"); + id_add(0); + id_add(euid_data.uid); + id_add(euid_data.privileged_uid); -+ EUID_ROOT(); + EUID_ROOT(); +- update_map(map, map_path); + update_map(id_map(), map_path); - EUID_USER(); -- free(map); - free(map_path); + EUID_USER(); +- free(map); + free(map_path); -- // gid file +- // gid file + // GIDs if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1) errExit("asprintf"); -- char gidmap[1024]; -- char ptr = gidmap; -- ptr = '\0'; +- char gidmap[1024]; +- char ptr = gidmap; +- *ptr = '\0'; - -- // add user group -- gid_t gid = getgid(); -- sprintf(ptr, "%d %d 1\n", gid, gid); -- ptr += strlen(ptr); +- // add user group +- gid_t gid = getgid(); +- sprintf(ptr, "%d %d 1\n", gid, gid); +- ptr += strlen(ptr); +- gid_t g; + id_add(0); + id_add(euid_data.gid); + id_add(euid_data.primary_gid); + id_add(euid_data.privileged_gid); - if (!arg_nogroups) {
[-] [+]	Changed	_service:tar_git:0003-Add-profile-files-to-a-list-when-processing-argument.patch ^
@@ -16,10 +16,10 @@ 3 files changed, 85 insertions(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h -index 1ea82329..28c1d81e 100644 +index e922e9593..4848c3516 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h -@@ -460,6 +460,7 @@ char profile_list_slice(char pos, char *ppos); +@@ -471,6 +471,7 @@ char profile_list_slice(char pos, char ppos); char profile_list_normalize(char list); char profile_list_compress(char list); void profile_list_augment(char list, const char items); @@ -28,10 +28,10 @@ // list.c void list(void); diff --git a/src/firejail/main.c b/src/firejail/main.c -index d42791fc..5d92df2d 100644 +index 129fa9d72..6bebf3143 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c -@@ -2761,6 +2761,9 @@ int main(int argc, char argv, char envp) { +@@ -2846,6 +2846,9 @@ int main(int argc, char argv, char envp) { break; } } @@ -42,12 +42,12 @@ // exit chroot, overlay and appimage sandboxes when caps are explicitly specified on command line diff --git a/src/firejail/profile.c b/src/firejail/profile.c -index 2c226168..2c172ad1 100644 +index c5dd43521..4ca9bc2cd 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c -@@ -28,6 +28,18 @@ extern char xephyr_screen; - - #define MAX_READ 8192 // line buffer for profile files +@@ -29,6 +29,18 @@ extern char xephyr_screen; + #define MAX_READ 8192 // line buffer for profile files + #define MAX_LIST 16384 // size limit for argument lists +typedef struct profile_file_name_t { + char fname; @@ -64,7 +64,7 @@ // find and read the profile specified by name from dir directory // return 1 if a profile was found static int profile_find(const char name, const char dir, int add_ext) { -@@ -1678,6 +1690,27 @@ void profile_add(char str) { +@@ -1722,6 +1734,27 @@ void profile_add(char str) { ptr->next = prf; } @@ -92,7 +92,7 @@ // read a profile file static int include_level = 0; void profile_read(const char fname) { -@@ -1726,6 +1759,11 @@ void profile_read(const char fname) { +@@ -1770,6 +1803,11 @@ void profile_read(const char fname) { } } @@ -104,7 +104,7 @@ // open profile file: FILE fp = fopen(fname, "re"); if (fp == NULL) { -@@ -1817,6 +1855,49 @@ void profile_read(const char fname) { +@@ -1873,6 +1911,49 @@ void profile_read(const char fname) { fclose(fp); } @@ -154,6 +154,3 @@ char profile_list_slice(char pos, char ppos) { / Extract token from comma separated list. --- -2.31.1 -
[-] [+]	Changed	_service:tar_git:0004-Implement-template-addition-for-replacing-keys-in-pr.patch ^
@@ -1,8 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Jussi Laakkonen <jussi.laakkonen@jolla.com> Date: Fri, 7 May 2021 18:29:29 +0300 -Subject: [PATCH] Implement template addition for replacing keys in profile - files +Subject: [PATCH] Implement template addition for replacing keys in profile files Implement template addition to pass templates as key value pairs as cmd line parameters to replace the keys in read profile file lines to allow @@ -78,7 +77,7 @@ create mode 100644 src/firejail/template.c diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c -index 9a4cb2e6..80385376 100644 +index 66738bd4b..8160bc6be 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c @@ -41,7 +41,7 @@ @@ -91,11 +90,11 @@ static pid_t dbus_proxy_pid = 0; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h -index 28c1d81e..77e5a830 100644 +index 4848c3516..c245e40e6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h -@@ -888,6 +888,8 @@ void set_x11_run_file(pid_t pid, int display); - void set_profile_run_file(pid_t pid, const char fname); +@@ -922,6 +922,8 @@ void set_sandbox_run_file(pid_t pid, pid_t child); + void release_sandbox_lock(void); // dbus.c +#define DBUS_MAX_NAME_LENGTH 255 @@ -103,9 +102,9 @@ int dbus_check_name(const char name); int dbus_check_call_rule(const char name); void dbus_check_profile(void); -@@ -906,4 +908,10 @@ void dhcp_start(void); - // selinux.c - void selinux_relabel_path(const char path, const char inside_path); +@@ -946,4 +948,10 @@ void run_ids(int argc, char argv); + // oom.c + void oom_set(const char oom_string); +// template.c +void check_template(char arg); @@ -115,10 +114,10 @@ +void template_cleanup(); #endif diff --git a/src/firejail/main.c b/src/firejail/main.c -index 5d92df2d..252371be 100644 +index 6bebf3143..3edfbb09a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c -@@ -2649,6 +2649,11 @@ int main(int argc, char argv, char envp) { +@@ -2764,6 +2764,11 @@ int main(int argc, char argv, char envp) { exit_err_feature("networking"); } #endif @@ -130,7 +129,7 @@ //********************************** // command //********************************* -@@ -2762,6 +2767,9 @@ int main(int argc, char argv, char envp) { +@@ -2847,6 +2852,9 @@ int main(int argc, char argv, char envp) { } } @@ -140,7 +139,7 @@ profile_read_file_list(); EUID_ASSERT(); -@@ -2893,6 +2901,9 @@ int main(int argc, char argv, char envp) { +@@ -2972,6 +2980,9 @@ int main(int argc, char argv, char *envp) { } EUID_ASSERT(); @@ -151,10 +150,10 @@ if (arg_x11_block) x11_block(); diff --git a/src/firejail/profile.c b/src/firejail/profile.c -index 2c172ad1..9f0e5baf 100644 +index 4ca9bc2cd..55b11eb50 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c -@@ -1812,6 +1812,40 @@ void profile_read(const char fname) { +@@ -1868,6 +1868,40 @@ void profile_read(const char fname) { msg_printed = 1; } @@ -197,7 +196,7 @@ include_level++; diff --git a/src/firejail/template.c b/src/firejail/template.c new file mode 100644 -index 00000000..64bcef5e +index 000000000..64bcef5e4 --- /dev/null +++ b/src/firejail/template.c @@ -0,0 +1,504 @@ @@ -706,22 +705,22 @@ + return new_string; +} diff --git a/src/firejail/usage.c b/src/firejail/usage.c -index 098bf696..4598f3c7 100644 +index 5b376dc3c..00af44687 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c -@@ -239,6 +239,7 @@ static char usage_str = - " --shell=none - run the program directly without a user shell.\n" - " --shell=program - set default user shell.\n" +@@ -256,6 +256,7 @@ static char *usage_str = " --shutdown=name\|pid - shutdown the sandbox identified by name or PID.\n" + " --tab - enable shell tab completion in sandboxes using private or\n" + "\twhitelisted home directories.\n" + " --template=KEY:VALUE - set a template KEY with VALUE usable as ${KEY} in profiles\n" " --timeout=hh:mm:ss - kill the sandbox automatically after the time\n" "\thas elapsed.\n" " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n" diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt -index db58e091..b0ff631b 100644 +index 5b16179ac..5544b471f 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt -@@ -965,6 +965,20 @@ Always exit firejail with the first child's exit status. The default behavior is +@@ -1013,6 +1013,20 @@ Always shut down the sandbox after the first child has terminated. The default b Join the sandbox identified by name or start a new one. Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". @@ -743,12 +742,12 @@ .TP \fB/etc/firejail/appname.profile diff --git a/src/man/firejail.txt b/src/man/firejail.txt -index 0462705c..d6036605 100644 +index e5020e37e..1d9e9b16a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt -@@ -2573,6 +2573,23 @@ $ firejail \-\-list +@@ -2870,6 +2870,23 @@ Enable shell tab completion in sandboxes using private or whitelisted home direc .br - $ firejail \-\-shutdown=3272 + $ firejail \-\-private --tab .TP +\fB\-\-template=KEY:VALUE +Define a template \fBKEY\fR with \fBVALUE\fR to have application specific \fB${KEY}\fRs in the profile files replaced with the given value. This is useful, for example, with D-Bus name ownership to make a generic ownership rule to be application specific. See \fB\&\flfirejail-profile\fR\\|(5)\fR for information on how to use the template keys in profile files. Internal macros cannot be overridden with this, in such case firejail quits with an error message. @@ -770,6 +769,3 @@ \fB\-\-timeout=hh:mm:ss Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format. .br --- -2.31.1 -
[-] [+]	Changed	_service:tar_git:0005-Retain-symlink-chains.patch ^
@@ -1,4 +1,4 @@ -From 8ad599674872d433f8410e3ebd5f2d6793f431fd Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Simo Piiroinen <simo.piiroinen@jolla.com> Date: Tue, 19 Oct 2021 11:43:31 +0300 Subject: [PATCH] Retain symlink chains @@ -25,11 +25,11 @@ Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> --- - src/fcopy/main.c \| 136 +++++++++++++++++++---------------------------- - 1 file changed, 56 insertions(+), 80 deletions(-) + src/fcopy/main.c \| 125 +++++++++++++++++++---------------------------- + 1 file changed, 50 insertions(+), 75 deletions(-) diff --git a/src/fcopy/main.c b/src/fcopy/main.c -index 31810de9..a5421500 100644 +index b0b7f7024..c99b56b7e 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -22,6 +22,7 @@ @@ -40,7 +40,7 @@ #include <fcntl.h> #ifndef O_PATH -@@ -180,77 +181,58 @@ static void mkdir_attr(const char fname, mode_t mode, uid_t uid, gid_t gid) { +@@ -181,78 +182,58 @@ static void mkdir_attr(const char fname, mode_t mode, uid_t uid, gid_t gid) { } } @@ -48,7 +48,10 @@ - assert(target); - char use_target = 0; - char proc_pid = 0; -- ++void copy_link(const char target, const char linkpath) { ++ int failed = 1; ++ char linkdata = NULL; + - if (!(use_target = realpath(target, NULL))) - goto done; - @@ -56,53 +59,82 @@ - static const char proc[] = "/proc/"; - if (strncmp(use_target, proc, sizeof(proc) - 1)) - goto done; -- ++ // if the link is already there, don't create it ++ struct stat s; ++ if (lstat(linkpath, &s) == 0) ++ goto success; + - int digit = use_target[sizeof(proc) - 1]; - if (digit < '1' \|\| digit > '9') - goto done; -- ++ // read source symlink ++ if (lstat(target, &s) == -1) ++ goto failure; + - // check where /proc/self points to - static const char proc_self[] = "/proc/self"; -- if (!(proc_pid = realpath(proc_self, NULL))) +- proc_pid = realpath(proc_self, NULL); +- if (proc_pid == NULL) - goto done; -- ++ if (!S_ISLNK(s.st_mode)) ++ goto failure; + - // redirect /proc/PID/xxx -> /proc/self/XXX - size_t pfix = strlen(proc_pid); - if (strncmp(use_target, proc_pid, pfix)) - goto done; -- ++ ssize_t linksize = s.st_size ? (s.st_size + 1) : PATH_MAX; ++ if (!(linkdata = malloc(linksize))) ++ goto failure; + - if (use_target[pfix] != 0 && use_target[pfix] != '/') - goto done; -- ++ ssize_t rc = readlink(target, linkdata, linksize); ++ if (rc < 0) { ++ if (!arg_quiet) ++ fprintf(stderr, "Error fcopy: readlink %s failed: %m\n", target); ++ goto failure; ++ } + - char tmp; - if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) { - if (arg_debug) - fprintf(stderr, "SYMLINK %s\n --> %s\n", use_target, tmp); - free(use_target); - use_target = tmp; -- } ++ if (rc >= linksize) { ++ if (!arg_quiet) ++ fprintf(stderr, "Error fcopy: readlink %s buffer overflow\n", target); ++ goto failure; + } - else - errExit("asprintf"); -- + -done: - if (proc_pid) - free(proc_pid); - return use_target; -} -- ++ linkdata[rc] = 0; + -void copy_link(const char target, const char linkpath, mode_t mode, uid_t uid, gid_t gid) { - (void) mode; - (void) uid; - (void) gid; -+void copy_link(const char target, const char linkpath) { -+ int failed = 1; -+ char linkdata = NULL; ++ // duplicate at the given path ++ if (symlink(linkdata, linkpath) == -1) { ++ if (!arg_quiet) ++ fprintf(stderr, "Error fcopy: creating %s symlink failed: %m\n", linkpath); ++ goto failure; ++ } - // if the link is already there, don't create it - struct stat s; - if (lstat(linkpath, &s) == 0) +- // if the link is already there, don't create it +- struct stat s; +- if (lstat(linkpath, &s) == 0) - return; -- ++ if (arg_debug) ++ fprintf(stderr, "fcopy: created symlink: %s -> %s\n", linkpath, linkdata); + - char rp = proc_pid_to_self(target); - if (rp) { - if (symlink(rp, linkpath) == -1) { @@ -110,61 +142,24 @@ - goto errout; - } - free(rp); -+ goto success; -+ -+ // read source symlink -+ if (lstat(target, &s) == -1) -+ goto failure; -+ -+ if (!S_ISLNK(s.st_mode)) -+ goto failure; -+ -+ ssize_t linksize = s.st_size ? (s.st_size + 1) : PATH_MAX; -+ if (!(linkdata = malloc(linksize))) -+ goto failure; -+ -+ ssize_t rc = readlink(target, linkdata, linksize); -+ if (rc < 0) { -+ if (!arg_quiet) -+ fprintf(stderr, "Error fcopy: readlink %s failed: %m\n", target); -+ goto failure; -+ } -+ -+ if (rc >= linksize) { -+ if (!arg_quiet) -+ fprintf(stderr, "Error fcopy: readlink %s buffer overflow\n", target); -+ goto failure; - } +- } - else - goto errout; - -- return; --errout: -- if (!arg_quiet) -- fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target); -+ linkdata[rc] = 0; -+ -+ // duplicate at the given path -+ if (symlink(linkdata, linkpath) == -1) { -+ if (!arg_quiet) -+ fprintf(stderr, "Error fcopy: creating %s symlink failed: %m\n", linkpath); -+ goto failure; -+ } -+ -+ if (arg_debug) -+ fprintf(stderr, "fcopy: created symlink: %s -> %s\n", linkpath, linkdata); -+ +success: + failed = 0; +failure: + if (failed && !arg_quiet) + fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", linkpath); -+ + +- return; +-errout: +- if (!arg_quiet)
[-] [+]	Changed	_service:tar_git:0006-Add-xstat-tracing-and-optionally-log-only-failing-ca.patch ^
@@ -1,4 +1,4 @@ -From 9a868fc4de943a4ce25d137a56357ca365cfd234 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Simo Piiroinen <simo.piiroinen@jolla.com> Date: Tue, 9 Nov 2021 16:08:37 +0200 Subject: [PATCH] Add xstat() tracing and optionally log only failing calls @@ -22,15 +22,15 @@ Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> --- - src/libtrace/libtrace.c \| 860 ++++++++++++++++++++++++---------------- - 1 file changed, 509 insertions(+), 351 deletions(-) + src/libtrace/libtrace.c \| 863 ++++++++++++++++++++++++---------------- + 1 file changed, 524 insertions(+), 339 deletions(-) diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c -index d88512b0..d78c6d76 100644 +index aa37bb758..bce5460fa 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c -@@ -20,6 +20,8 @@ - #define _GNU_SOURCE +@@ -21,6 +21,8 @@ + #include <errno.h> #include <stdio.h> #include <stdlib.h> +#include <stdarg.h> @@ -38,7 +38,7 @@ #include <string.h> #include <dlfcn.h> #include <sys/types.h> -@@ -30,90 +32,79 @@ +@@ -30,6 +32,9 @@ #include <arpa/inet.h> #include <sys/un.h> #include <sys/stat.h> @@ -48,26 +48,10 @@ #include <syslog.h> #include <dirent.h> #include "../include/rundefs.h" - --#define tprintf(fp, args...) \ -- do { \ -- if (!fp)\ -- init(); \ -- fprintf(fp, args); \ -- } while(0) -- --// break recursivity on fopen call --typedef FILE (orig_fopen_t)(const char pathname, const char mode); --static orig_fopen_t orig_fopen = NULL; --typedef FILE (orig_fopen64_t)(const char pathname, const char mode); --static orig_fopen64_t orig_fopen64 = NULL; --typedef int (orig_access_t)(const char pathname, int mode); --static orig_access_t orig_access = NULL; -- --// --// library constructor/destructor --// --// Using fprintf to /dev/tty instead of printf in order to fix #561 +@@ -51,67 +56,72 @@ static orig_access_t orig_access = NULL; + // library constructor/destructor + // + // Using fprintf to /dev/tty instead of printf in order to fix #561 +static bool verbose = true; static FILE ftty = NULL; static pid_t mypid = 0; @@ -78,16 +62,10 @@ -void init(void) { - if (ftty) - return; -+static FILE output(void); - +- - orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); - orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); -+__attribute__((format(printf, 1, 2))) static void message(const char fmt, ...) { -+ // We need to ensure that trace logging does not -+ // interfere with errno that application code gets -+ // to see -+ int saved = errno; - +- - // allow environment variable to override defaults - char logfile = getenv("FIREJAIL_TRACEFILE"); - if (!logfile) { @@ -97,57 +75,38 @@ - // else log to associated tty - logfile = "/dev/tty"; - } -+ char text = NULL; -+ va_list va; -+ va_start(va, fmt); -+ if (vasprintf(&text, fmt, va) < 0) -+ text = NULL; -+ va_end(va); - +- - // logfile - unsigned cnt = 0; - while ((ftty = orig_fopen(logfile, "a")) == NULL) { - if (++cnt > 10) { // 10 sec - perror("Cannot open trace log file"); - exit(1); -- } -- sleep(1); -- } -- // line buffered stream -- setvbuf(ftty, NULL, _IOLBF, BUFSIZ); ++static FILE output(void); ++ ++__attribute__((format(printf, 1, 2))) static void message(const char fmt, ...) { ++ // We need to ensure that trace logging does not ++ // interfere with errno that application code gets ++ // to see ++ int saved = errno; ++ ++ char text = NULL; ++ va_list va; ++ va_start(va, fmt); ++ if (vasprintf(&text, fmt, va) < 0) ++ text = NULL; ++ va_end(va); ++ + // As the 1st output() call evaluates mypid & myname, + // it needs to be done before using those variables + FILE file = output() ?: stderr; - -- // pid -- mypid = getpid(); ++ + fprintf(file, "%u:%s:%s\n", mypid, myname, text ?: fmt); + free(text); - -- // process name -- char fname; -- if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) { -- FILE fp = orig_fopen(fname, "r"); -- free(fname); -- if (fp) { -- if (fgets(myname, MAXNAME, fp) == NULL) -- strcpy(myname, "unknown"); -- fclose(fp); -- } -- } -- -- // clean '\n' -- char ptr = strchr(myname, '\n'); -- if (ptr) -- ptr = '\0'; -- --// tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname); ++ + errno = saved; - } - --static void fini(void) __attribute__((destructor)); --void fini(void) { -- fclose(ftty); ++} ++ +static void lookup(const char name) { + // Map internally used "silent" wrappers to actual + // functions, for example: silent_fopen() -> fopen() @@ -164,7 +123,24 @@ + if (write(STDERR_FILENO, txt, strlen(txt)) < 0) { + // dontcare + } -+ } + } +- sleep(1); +- } +- // line buffered stream +- setvbuf(ftty, NULL, _IOLBF, BUFSIZ); +- +- // pid +- mypid = getpid(); +- +- // process name +- char fname; +- if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) { +- FILE *fp = orig_fopen(fname, "r"); +- free(fname); +- if (fp) { +- if (fgets(myname, MAXNAME, fp) == NULL) +- strcpy(myname, "unknown"); +- fclose(fp); + auto void dump_num(unsigned num) { + char stk[16]; + size_t sp = sizeof stk; @@ -173,7 +149,7 @@ + stk[--sp] = '0' + num % 10u; + } while ((num /= 10u) && sp > 0); + dump_str(stk + sp); -+ } + } + dump_num(mypid); + dump_str(":"); + dump_str(myname); @@ -181,12 +157,24 @@
[-] [+]	Added	_service:tar_git:0007-Revert-deprecating-shell-3-5196.patch ^
@@ -0,0 +1,62 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Suni <daniel.suni@jolla.com> +Date: Fri, 17 Feb 2023 11:48:56 +0200 +Subject: [PATCH] Revert "deprecating --shell (3) (#5196)" + +This reverts commit 7ad735deafa80114a17b20790de63f7e973b1bb4. + +This commit makes firejail attempt to use /bin/bash to launch every process +that uses a "--" argument. Sailjail uses this, but we do not want shell +execution, since it will fail. + +There are a number of bug reports in firejail upstream with regards to this +very odd feature - see e.g. https://github.com/netblue30/firejail/issues/5659 +so for now we will revert the offending commit until the dust settles upstream. +--- + src/firejail/sandbox.c \| 6 +++--- + test/filters/noroot.exp \| 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c +index 0377293de..2a3934807 100644 +--- a/src/firejail/sandbox.c ++++ b/src/firejail/sandbox.c +@@ -537,7 +537,7 @@ void start_application(int no_sandbox, int fd, char set_sandbox_status) { + //************************************* + // start the program without using a shell + //************************************** +- else if (!arg_appimage && !arg_doubledash) { ++ else if (!arg_appimage) { + if (arg_debug) { + int i; + for (i = cfg.original_program_index; i < cfg.original_argc; i++) { +@@ -569,9 +569,9 @@ void start_application(int no_sandbox, int fd, char set_sandbox_status) { + execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); + } + //************************************* +- // start the program using a shell ++ // start the program using a shell (appimages) + //************************************** +- else { // appimage or double-dash ++ else { // appimage + char *arg[5]; + int index = 0; + assert(cfg.usershell); +diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp +index 942aedbcb..66e1e4e27 100755 +--- a/test/filters/noroot.exp ++++ b/test/filters/noroot.exp +@@ -81,11 +81,11 @@ spawn $env(SHELL) + send -- "firejail --debug --join=test\r" + expect { + timeout {puts "TESTING ERROR 13\n";exit} +- "Joining user namespace" ++ "User namespace detected" + } + expect { + timeout {puts "TESTING ERROR 14\n";exit} +- "Child process initialized" ++ "Joining user namespace" + } + sleep 1 +
[-] [+]	Changed	_service ^
@@ -6,7 +6,7 @@ <service name="tar_git"> <param name="url">https://github.com/sailfishos/firejail.git</param> <param name="branch">master</param> - <param name="revision"/> + <param name="revision">45dc642442355edece4d629a01e7d28df20f6e17</param> <param name="token"/> <param name="debian">N</param> <param name="dumb">N</param>
	Changed	_service:tar_git:firejail-0.9.72+git1.tar.bz2 ^