[Buildroot] [PATCH 1/1] firejail: new package

[Buildroot] [PATCH 1/1] firejail: new package

[Chris Frederick]

Firejail Security Sandbox
https://firejail.wordpress.com/

Lightweight application sandboxing system using seccomp and kernel
namespaces.

Signed-off-by: Chris Frederick <cdf123@cdf123.net>
---
 package/Config.in              |  1 +
 package/firejail/Config.in     | 12 ++++++++++++
 package/firejail/firejail.hash |  2 ++
 package/firejail/firejail.mk   | 24 ++++++++++++++++++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 package/firejail/Config.in
 create mode 100644 package/firejail/firejail.hash
 create mode 100644 package/firejail/firejail.mk

diff --git a/package/Config.in b/package/Config.in
index 9399f63..be20478 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1710,6 +1710,7 @@ menu "System tools"
 	source "package/efibootmgr/Config.in"
 	source "package/efivar/Config.in"
 	source "package/emlog/Config.in"
+	source "package/firejail/Config.in"
 	source "package/ftop/Config.in"
 	source "package/getent/Config.in"
 	source "package/htop/Config.in"
diff --git a/package/firejail/Config.in b/package/firejail/Config.in
new file mode 100644
index 0000000..8b5b66a
--- /dev/null
+++ b/package/firejail/Config.in
@@ -0,0 +1,12 @@
+config BR2_PACKAGE_FIREJAIL
+	bool "firejail"
+	help
+	  Firejail is a SUID program that reduces the risk of security
+	  breaches by restricting the running environment of untrusted
+	  applications using Linux namespaces and seccomp-bpf. It
+	  allows a process and all its descendants to have their own
+	  private view of the globally shared kernel resources, such
+	  as the network stack, process table, mount table.
+
+	  https://firejail.wordpress.com/
+
diff --git a/package/firejail/firejail.hash b/package/firejail/firejail.hash
new file mode 100644
index 0000000..dc2eb80
--- /dev/null
+++ b/package/firejail/firejail.hash
@@ -0,0 +1,2 @@
+# From http://download.sourceforge.net/firejail/firejail-0.9.42.asc
+sha256 4f3bceee973b84fdf13a5d5ab0060d140ecc8e42c19c945e7fb93f0fd8499b47  firejail-0.9.42.tar.xz
diff --git a/package/firejail/firejail.mk b/package/firejail/firejail.mk
new file mode 100644
index 0000000..ec02ea4
--- /dev/null
+++ b/package/firejail/firejail.mk
@@ -0,0 +1,24 @@
+################################################################################
+#
+# firejail
+#
+################################################################################
+
+FIREJAIL_VERSION = 0.9.42
+FIREJAIL_SITE = http://download.sourceforge.net/firejail
+FIREJAIL_SOURCE = firejail-$(FIREJAIL_VERSION).tar.xz
+FIREJAIL_LICENSE = GPLv2
+FIREJAIL_LICENSE_FILES = COPYING
+FIREJAIL_CONF_OPTS = \
+	--enable-bind \
+	--enable-busybox-workaround \
+	--enable-file-transfer \
+	--enable-network \
+	--enable-seccomp \
+	--enable-userns
+
+define FIREJAIL_PERMISSIONS
+	/usr/bin/firejail f 4755 0 0 - - - - -
+endef
+
+$(eval $(autotools-package))
-- 
2.7.3

[Buildroot] [PATCH 1/1] firejail: new package

[Thomas Petazzoni]

Hello,

Thanks for this contribution!

On Thu, 20 Oct 2016 12:54:13 -0500, Chris Frederick wrote:
> Firejail Security Sandbox
> https://firejail.wordpress.com/
> 
> Lightweight application sandboxing system using seccomp and kernel
> namespaces.
> 
> Signed-off-by: Chris Frederick <cdf123@cdf123.net>

This package does not cross-compile properly: building for an ARM
target, it produces a host binary (x86-64) in my case:

$ file output/target/usr/bin/firejail 
output/target/usr/bin/firejail: setuid ELF 64-bit LSB shared object, x86-64 [...]

In addition, it's using fork(), so you need a BR2_USE_MMU dependency,
it uses pthread so you need a BR2_TOOLCHAIN_HAS_THREADS dependency.

Also, the license is GPLv2+ apparently, not GPLv2.

Finally, please include in the same patch series a patch updating the
DEVELOPERS file for this new package addition.

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com

[Buildroot] [PATCH 1/1] firejail: new package

[Chris Frederick]

Firejail Security Sandbox
https://firejail.wordpress.com/

Lightweight application sandboxing system using seccomp and kernel
namespaces.

Signed-off-by: Chris Frederick <cdf123@cdf123.net>
---
 DEVELOPERS                     |  3 +++
 package/Config.in              |  1 +
 package/firejail/Config.in     | 17 +++++++++++++++++
 package/firejail/firejail.hash |  2 ++
 package/firejail/firejail.mk   | 27 +++++++++++++++++++++++++++
 5 files changed, 50 insertions(+)
 create mode 100644 package/firejail/Config.in
 create mode 100644 package/firejail/firejail.hash
 create mode 100644 package/firejail/firejail.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 16d9b55..3dcd0e2 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -291,6 +291,9 @@ F:	package/libdvbsi/
 F:	package/libsvg/
 F:	package/libsvg-cairo/
 
+N:	Chris Frederick (chrisf at cdf123.net)
+F:	package/firejail/
+
 N:	Chris Packham <judge.packham@gmail.com>
 F:	package/eventlog/
 F:	package/micropython/
diff --git a/package/Config.in b/package/Config.in
index 9399f63..be20478 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1710,6 +1710,7 @@ menu "System tools"
 	source "package/efibootmgr/Config.in"
 	source "package/efivar/Config.in"
 	source "package/emlog/Config.in"
+	source "package/firejail/Config.in"
 	source "package/ftop/Config.in"
 	source "package/getent/Config.in"
 	source "package/htop/Config.in"
diff --git a/package/firejail/Config.in b/package/firejail/Config.in
new file mode 100644
index 0000000..45fc496
--- /dev/null
+++ b/package/firejail/Config.in
@@ -0,0 +1,17 @@
+config BR2_PACKAGE_FIREJAIL
+	bool "firejail"
+	depends on BR2_USE_MMU # fork()
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_TOOLCHAIN_USES_GLIBC
+	help
+	  Firejail is a SUID program that reduces the risk of security
+	  breaches by restricting the running environment of untrusted
+	  applications using Linux namespaces and seccomp-bpf. It
+	  allows a process and all its descendants to have their own
+	  private view of the globally shared kernel resources, such
+	  as the network stack, process table, mount table.
+
+	  https://firejail.wordpress.com/
+
+comment "firejail needs a glibc toolchain"
+	depends on !BR2_TOOLCHAIN_USES_GLIBC
diff --git a/package/firejail/firejail.hash b/package/firejail/firejail.hash
new file mode 100644
index 0000000..dc2eb80
--- /dev/null
+++ b/package/firejail/firejail.hash
@@ -0,0 +1,2 @@
+# From http://download.sourceforge.net/firejail/firejail-0.9.42.asc
+sha256 4f3bceee973b84fdf13a5d5ab0060d140ecc8e42c19c945e7fb93f0fd8499b47  firejail-0.9.42.tar.xz
diff --git a/package/firejail/firejail.mk b/package/firejail/firejail.mk
new file mode 100644
index 0000000..3926e8a
--- /dev/null
+++ b/package/firejail/firejail.mk
@@ -0,0 +1,27 @@
+################################################################################
+#
+# firejail
+#
+################################################################################
+
+FIREJAIL_VERSION = 0.9.42
+FIREJAIL_SITE = http://download.sourceforge.net/firejail
+FIREJAIL_SOURCE = firejail-$(FIREJAIL_VERSION).tar.xz
+FIREJAIL_LICENSE = GPLv2+
+FIREJAIL_LICENSE_FILES = COPYING
+FIREJAIL_MAKE_OPTS = ARCH=$(BR2_ARCH) CC="$(TARGET_CC)" \
+	USERCOMPILE="$(TARGET_CFLAGS)" USERLINK="$(TARGET_LDFLAGS)"
+
+FIREJAIL_CONF_OPTS = \
+	--enable-bind \
+	--enable-busybox-workaround \
+	--enable-file-transfer \
+	--enable-network \
+	--enable-seccomp \
+	--enable-userns
+
+define FIREJAIL_PERMISSIONS
+	/usr/bin/firejail f 4755 0 0 - - - - -
+endef
+
+$(eval $(autotools-package))
-- 
2.7.3

[Buildroot] [PATCH 1/1] firejail: new package

[Romain Naour]

Hi Chris,

Le 26/10/2016 ? 19:22, Chris Frederick a ?crit :
> Firejail Security Sandbox
> https://firejail.wordpress.com/
> 
> Lightweight application sandboxing system using seccomp and kernel
> namespaces.
> 
> Signed-off-by: Chris Frederick <cdf123@cdf123.net>
> ---
>  DEVELOPERS                     |  3 +++
>  package/Config.in              |  1 +
>  package/firejail/Config.in     | 17 +++++++++++++++++
>  package/firejail/firejail.hash |  2 ++
>  package/firejail/firejail.mk   | 27 +++++++++++++++++++++++++++
>  5 files changed, 50 insertions(+)
>  create mode 100644 package/firejail/Config.in
>  create mode 100644 package/firejail/firejail.hash
>  create mode 100644 package/firejail/firejail.mk
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 16d9b55..3dcd0e2 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -291,6 +291,9 @@ F:	package/libdvbsi/
>  F:	package/libsvg/
>  F:	package/libsvg-cairo/
>  
> +N:	Chris Frederick (chrisf at cdf123.net)
> +F:	package/firejail/
> +

We usually prefer adding a new DEVELOPERS entry in a separate patch.

>  N:	Chris Packham <judge.packham@gmail.com>
>  F:	package/eventlog/
>  F:	package/micropython/
> diff --git a/package/Config.in b/package/Config.in
> index 9399f63..be20478 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1710,6 +1710,7 @@ menu "System tools"
>  	source "package/efibootmgr/Config.in"
>  	source "package/efivar/Config.in"
>  	source "package/emlog/Config.in"
> +	source "package/firejail/Config.in"
>  	source "package/ftop/Config.in"
>  	source "package/getent/Config.in"
>  	source "package/htop/Config.in"
> diff --git a/package/firejail/Config.in b/package/firejail/Config.in
> new file mode 100644
> index 0000000..45fc496
> --- /dev/null
> +++ b/package/firejail/Config.in
> @@ -0,0 +1,17 @@
> +config BR2_PACKAGE_FIREJAIL
> +	bool "firejail"
> +	depends on BR2_USE_MMU # fork()
> +	depends on BR2_TOOLCHAIN_HAS_THREADS
> +	depends on BR2_TOOLCHAIN_USES_GLIBC

Why it depends on glibc ?

> +	help
> +	  Firejail is a SUID program that reduces the risk of security
> +	  breaches by restricting the running environment of untrusted
> +	  applications using Linux namespaces and seccomp-bpf. It
> +	  allows a process and all its descendants to have their own
> +	  private view of the globally shared kernel resources, such
> +	  as the network stack, process table, mount table.
> +
> +	  https://firejail.wordpress.com/
> +
> +comment "firejail needs a glibc toolchain"
> +	depends on !BR2_TOOLCHAIN_USES_GLIBC

Package dependencies must be propagated to the comment dependencies:

comment "firejail needs a glibc toolchain w/ threads"
	depends on BR2_USE_MMU
	depends on !BR2_TOOLCHAIN_USES_GLIBC || !BR2_TOOLCHAIN_HAS_THREADS

> diff --git a/package/firejail/firejail.hash b/package/firejail/firejail.hash
> new file mode 100644
> index 0000000..dc2eb80
> --- /dev/null
> +++ b/package/firejail/firejail.hash
> @@ -0,0 +1,2 @@
> +# From 
> +sha256 4f3bceee973b84fdf13a5d5ab0060d140ecc8e42c19c945e7fb93f0fd8499b47  firejail-0.9.42.tar.xz
> diff --git a/package/firejail/firejail.mk b/package/firejail/firejail.mk
> new file mode 100644
> index 0000000..3926e8a
> --- /dev/null
> +++ b/package/firejail/firejail.mk
> @@ -0,0 +1,27 @@
> +################################################################################
> +#
> +# firejail
> +#
> +################################################################################
> +
> +FIREJAIL_VERSION = 0.9.42
> +FIREJAIL_SITE = http://download.sourceforge.net/firejail
> +FIREJAIL_SOURCE = firejail-$(FIREJAIL_VERSION).tar.xz
> +FIREJAIL_LICENSE = GPLv2+
> +FIREJAIL_LICENSE_FILES = COPYING
> +FIREJAIL_MAKE_OPTS = ARCH=$(BR2_ARCH) CC="$(TARGET_CC)" \

ARCH is not defined in the Makefile.

> +	USERCOMPILE="$(TARGET_CFLAGS)" USERLINK="$(TARGET_LDFLAGS)"

Same of USERCOMPILE and USERLINK which are not defined in the Makefile.

Actually, setting FIREJAIL_MAKE_OPTS seems not useful at all.

> +
> +FIREJAIL_CONF_OPTS = \
> +	--enable-bind \
> +	--enable-busybox-workaround \

This option should depends on BR2_PACKAGE_BUSYBOX.

Best regards,
Romain

> +	--enable-file-transfer \
> +	--enable-network \
> +	--enable-seccomp \
> +	--enable-userns
> +
> +define FIREJAIL_PERMISSIONS
> +	/usr/bin/firejail f 4755 0 0 - - - - -
> +endef
> +
> +$(eval $(autotools-package))
> 

[Buildroot] [PATCH 1/1] firejail: new package

[Thomas Petazzoni]

Hello,

On Wed, 26 Oct 2016 12:22:32 -0500, Chris Frederick wrote:
> Firejail Security Sandbox
> https://firejail.wordpress.com/
> 
> Lightweight application sandboxing system using seccomp and kernel
> namespaces.
> 
> Signed-off-by: Chris Frederick <cdf123@cdf123.net>
> ---
>  DEVELOPERS                     |  3 +++
>  package/Config.in              |  1 +
>  package/firejail/Config.in     | 17 +++++++++++++++++
>  package/firejail/firejail.hash |  2 ++
>  package/firejail/firejail.mk   | 27 +++++++++++++++++++++++++++
>  5 files changed, 50 insertions(+)
>  create mode 100644 package/firejail/Config.in
>  create mode 100644 package/firejail/firejail.hash
>  create mode 100644 package/firejail/firejail.mk

Thanks, I've applied to the master branch, with the following changes:

    [Thomas:
     - Fix DEVELOPERS entry: use <> around the e-mail address instead of ()
     - firejail builds fine with musl, so only exclude uclibc, which fails
       to build with EM_ARM undeclared
     - Update to upstream version 0.9.44.8.
     - Remove FIREJAIL_MAKE_OPTS, as suggested by Romain Naour.
     - Pass --enable-busybox-workaround only if Busybox is enabled, as
       suggested by Romain Naour.]

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com