Release 0.9.74 discussion

[kmk3]

Release links:

• Project board: https://github.com/users/netblue30/projects/1
• GitHub Release: (Unreleased)

Discussion for the previous release:

• Release 0.9.72 discussion #5192

Discussion for the next release:

• (None)

Discussions for this release:

• private-etc rework #5610 / [meta] private-etc rework #6400
• Fixing the DNS resolv.conf issue #5607
• UTS namespaces support (e4f9f36) - discussion inline here
• landlock #6065 / feature: add Landlock support #6078
• Remove symlink restriction for ~/.asoundrc - see Why does firejail fail to execute if ~/.asoundrc is a symlink? #5709
• Reorganize github automatic testing - discussion inline here
• ci: whitelist paths, reorganize workflows & speed-up tests #5960
• Add a macro for the current working directory #5713

Note by netblue30: I'll document below some of the main features going into the next release. Any other ideas, add them below.

[netblue30]

private-etc rework

We'll include in private-etc by default some common files used by most programs. On private-etc line in our profiles we only need to add specific files required by the application. We are already doing something similar with private-tmp where we bring in by default /tmp/.X11-unix, and also when whitelisting the home directory. These are the common files I have for now:

dynamic linker: ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
system: passwd,nsswitch.conf

apps trying to load the local user configuration end up opening passwd and nsswitch in order to figure out the user home directory.

miscellaneous: alternatives,fonts,locale,locale.alias,locale.conf,locale.gen, localtime

alternatives directory is something specific to Debian/Ubuntu

sound: alsa,asound.conf,pulse,machine-id

We bring these files in only if --nosound is not on command line. machine-id is required by pulseaudio, and can be disabled by --machine-id

network: resolv.conf,hostname,hosts,protocols

All of them deal with DNS setting, we bring them in only if --net=none is not on command line.

Groups added on private-etc line in the profile:

TLS-CA: ca-certificates,ca-certificates.conf,crypto-policies,pki,ssl
GNOME: xdg,drirc,dconf,gtk-2.0,gtk-3.0
KDE: xdg,drirc,kde4rc,kde5rc

We'll add more to the list as we find them. At minimum, this should solve most console utilities, I'm not sure what's required for X11. I'll put the code in directly on the main branch in the next few weeks, it will work with the old profiles - we have about 550 private-etc profiles in this moment. Then, we modify all profiles automatically with a small script or program.

Discussion here: #5610

[netblue30]

resolv.conf fixes

private-etc rework modifies resolv.conf logic heavily, we'll wait until is done.

Discussion here: #5607

[netblue30]

UTS namespaces support

Adding support for host namespaces (man 7 uts_namespaces) by default for every sandbox. A random hostname is assigned, and reflected in /etc/hostname. Note: --hostname option is currently broken.

[glitsj16]

About the note that --hostname is currently broken. It works fine for me on latest git build:

$ pacman firejail
firejail-git 0.9.73.r9171.27aaa07ef-1

$ firejail --quiet --noblacklist=/usr/bin/hostname --hostname=foo hostname
foo

Perhaps the option is broken with code that implements this randomization (which didn't hit the repo yet)?

[netblue30]

That part is working. What's broken is /etc/hostname:

$  firejail --quiet --hostname=foo cat /etc/hostname
$ 

[glitsj16]

Oh I see. Thanks for clearing that up!

[rusty-snake]

FTR: As I remember hostname had trouble with x11 under some conditions. Do we introduce it as default w/o opt-out?

[netblue30]

Landlock support.

I'll start by re-merging #5315 from @ChrysoliteAzalea. Probably there will be some small changes. A Linux kernel 5.13 or newer will be detected at run time. Disable the feature and print a warning if the kernel is older.

Discussion here: #5354

[kmk3]

@netblue30 on Feb 16:

UTS namespaces support

Adding support for host namespaces (man 7 uts_namespaces) by default for
every sandbox. A random hostname is assigned, and reflected in /etc/hostname.
Note: --hostname option is currently broken.

I'm not sure what exactly this would entail code-wise, but could you use
separate branches for new features?

CI has been very unstable in this release (especially in the last two weeks)
and some of the CI checks that have been disabled in this release are still
disabled (like sort.py).

Using topic branches and pull requests makes it easier to discuss improvements
and catch issues before they land on master.

(Note that issues on master affect not only contributors, but also every user
of firejail-git)

Example of creating a new topic branch:

git stash # (just in case there are uncommitted changes)
git checkout master
git branch add-utsn

Example of using the created topic branch:

git checkout add-utsn
# (make commits)
git push origin

To create a pull request:

• Go to https://github.com/netblue30/firejail/compare
• Select "master" on the left dropdown ("base:")
• Select your branch on the right dropdown ("compare:")
• Click on "Create pull request"

Then you can keep making more commits and pushing them; the pull request will
automatically be updated with them.

If you have any questions/issues with git, please let me know.

[netblue30]

Yes, I'll keep this in mind.

The code is pretty well segregated into different features, with very few .c files sitting on the common path. Most of the time you end up adding or fixing functionality to one file (fs_hostname.c) or adding a new one (landlock.c). There could be some breakage on the common path but that's easy to test. As a rule, the browser should still be working before checkin.

After checkin the code goes to CI here on github. The most important test there is "run sysutils test" in "building_and_test" section. It runs firejail live on about 15 system utilities. It would be nice if we can add some more programs there, unfortunately we cannot test x11 apps.

[netblue30]

Reorganize testing (github workflows)

I'm trying to bring up under github workflows most of the tests we have today. The tests will break from time to time, but is should not affect the functionality. So far according to gcov instrumentation we are at about 60% test coverage.

firejail suid executable has about 13183 lines of code as counted by gcov.