From 3bb61c9bf69c14ad9608536cf290b5970610beada91291c432bb65e738160118 Mon Sep 17 00:00:00 2001
From: Sebastian Wagner
Date: Sun, 3 May 2020 13:21:47 +0000
Subject: [PATCH 1/2] Accepting request 798884 from home:jubalh:branches:Virtualization

- Add firejail-0.9.62-fix-usr-etc.patch: Check /usr/etc not just /etc
- Replace python interpreter line in sort.py

OBS-URL: https://build.opensuse.org/request/show/798884
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=23
---
 firejail-0.9.62-fix-usr-etc.patch | 78 +++++++++++++++++++++++++++++++
 firejail.changes | 7 +++
 firejail.spec | 5 +-
 3 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 firejail-0.9.62-fix-usr-etc.patch

diff --git a/firejail-0.9.62-fix-usr-etc.patch b/firejail-0.9.62-fix-usr-etc.patch
new file mode 100644
index 0000000..1cb771c
--- /dev/null
+++ b/firejail-0.9.62-fix-usr-etc.patch
@@ -0,0 +1,78 @@
+From 609be4fda2dda5557de864eba814c42fe2f40dca Mon Sep 17 00:00:00 2001
+From: smitsohu
+Date: Sun, 9 Feb 2020 11:30:31 +0100
+Subject: [PATCH] openSUSE fix: mount private-etc on /usr/etc as well
+
+see issue #3145
+---
+ src/firejail/fs_etc.c | 3 ++-
+ src/firejail/sandbox.c | 1 +
+ src/include/rundefs.h | 1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
+index 7b7813926..76bcb751e 100644
+--- a/src/firejail/fs_etc.c
++++ b/src/firejail/fs_etc.c
+@@ -145,7 +145,8 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
+ // nothing to do if directory does not exist
+ struct stat s;
+ if (stat(private_dir, &s) == -1) {
+- fmessage("Cannot find %s\n", private_dir);
++ if (arg_debug)
++ printf("Cannot find %s\n", private_dir);
+ return;
+ }
+ 
+diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
+index 96ad30bed..4f53cafcc 100644
+--- a/src/firejail/sandbox.c
++++ b/src/firejail/sandbox.c
+@@ -855,6 +855,7 @@ int sandbox(void* sandbox_arg) {
+ fwarning("private-etc feature is disabled in overlay\n");
+ else {
+ fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
++ fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
+ // create /etc/ld.so.preload file again
+ if (need_preload)
+ fs_trace_preload();
+diff --git a/src/include/rundefs.h b/src/include/rundefs.h
+index 7f9c68be2..1cfeee28d 100644
+--- a/src/include/rundefs.h
++++ b/src/include/rundefs.h
+@@ -42,6 +42,7 @@
+ #define RUN_NONEWPRIVS_CFG RUN_MNT_DIR "/nonewprivs"
+ #define RUN_HOME_DIR RUN_MNT_DIR "/home"
+ #define RUN_ETC_DIR RUN_MNT_DIR "/etc"
++#define RUN_USR_ETC_DIR RUN_MNT_DIR "/usretc"
+ #define RUN_OPT_DIR RUN_MNT_DIR "/opt"
+ #define RUN_SRV_DIR RUN_MNT_DIR "/srv"
+ #define RUN_BIN_DIR RUN_MNT_DIR "/bin"
+From cd184e9919bb67fb88ee6208c395682f5f0ba764 Mon Sep 17 00:00:00 2001
+From: smitsohu
+Date: Sun, 9 Feb 2020 11:33:57 +0100
+Subject: [PATCH] openSUSE fix: search login.defs in /usr/etc, too
+
+see issue #3145
+---
+ src/lib/firejail_user.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
+index dbf2ca94b..2e03ce0e0 100644
+--- a/src/lib/firejail_user.c
++++ b/src/lib/firejail_user.c
+@@ -43,8 +43,11 @@ static void init_uid_gid_min(void) {
+ 
+ // read the real values from login.def
+ FILE *fp = fopen("/etc/login.defs", "r");
+- if (!fp)
+- goto errexit;
++ if (!fp) {
++ fp = fopen("/usr/etc/login.defs", "r"); // openSUSE
++ if (!fp)
++ goto errexit;
++ }
+ 
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
diff --git a/firejail.changes b/firejail.changes
index cff506a..708a603 100644
--- a/firejail.changes
+++ b/firejail.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Apr 29 11:30:38 UTC 2020 - Michael Vetter
+
+- Add firejail-0.9.62-fix-usr-etc.patch:
+ Check /usr/etc not just /etc
+- Replace python interpreter line in sort.py
+
 -------------------------------------------------------------------
 Tue Feb 11 22:32:46 UTC 2020 - Marcus Rueckert
 
diff --git a/firejail.spec b/firejail.spec
index 6da8918..4685888 100644
--- a/firejail.spec
+++ b/firejail.spec
@@ -25,6 +25,8 @@ Group: Productivity/Security
 URL: https://firejail.wordpress.com/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz
 Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
+# https://github.com/netblue30/firejail/issues/3145
+Patch0: firejail-0.9.62-fix-usr-etc.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libapparmor-devel
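Review bot: In the fs_etc.c part of the added firejail-0.9.62-fix-usr-etc.patch, demoting `fmessage("Cannot find %s\n", private_dir)` to a `printf` behind `arg_debug` hides the notice for every directory passed to fs_private_dir_list(), not only the new /usr/etc call, so a private-etc request that is skipped because the directory is missing now passes silently unless debug output is on. Since the sandbox then presumably runs with that directory unrestricted, the skip is worth keeping visible; one option is to leave the `fmessage` in place and guard only the new call in sandbox.c, e.g. `if (access("/usr/etc", F_OK) == 0)` in front of `fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep);`. fs_private_dir_list() continues past the hunk, so how it treats entries of `cfg.etc_private_keep` that exist in /etc but not in /usr/etc is not visible here and should be checked. In the firejail_user.c part, the fallback to /usr/etc/login.defs is taken on any fopen() failure of /etc/login.defs, not only when the file is absent; testing `errno == ENOENT` before the second `fopen` would keep a permission or I/O error from being masked.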
@@ -42,7 +44,8 @@ Linux namespace support. It supports sandboxing specific users upon login.
 
 %prep
 %setup -q
-sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py
+%patch0 -p1
+sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py
 
 %build
 %configure --docdir=%{_docdir}/%{name} \
From b9023df37f3bee7027a2590ce5026b8be49c9c35d390ad0c45e217a182b8023d Mon Sep 17 00:00:00 2001
From: Sebastian Wagner
Date: Sun, 3 May 2020 13:23:47 +0000
Subject: [PATCH 2/2] add patch tag line in specfile

OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=24
---
 firejail.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/firejail.spec b/firejail.spec
index 4685888..46137ce 100644
--- a/firejail.spec
+++ b/firejail.spec
@@ -25,7 +25,7 @@ Group: Productivity/Security
 URL: https://firejail.wordpress.com/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz
 Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
-# https://github.com/netblue30/firejail/issues/3145
+# PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file
 Patch0: firejail-0.9.62-fix-usr-etc.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++