Relocate firecfg.config to /etc/firejail/

[hlein]

This should make it easier for users, and distributions, to customize
which programs they want firejail to wrap.

Signed-off-by: Hank Leininger [email protected]
Closes: #408
Bug: #2097
Bug: #2829
Bug: #3665

[hlein]

N.B. my testing and initial patch was actually against release 0.9.66, but I think this does the right things.

[kmk3]

There are a few more places to change:

diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index b8fdbcda0..1a05efd29 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -181,7 +181,7 @@ static void set_links_firecfg(void) {
        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
                errExit("asprintf");

-       // parse /usr/lib/firejail/firecfg.cfg file
+       // parse /etc/firejail/firecfg.config file
        FILE *fp = fopen(cfgfile, "r");
        if (!fp) {
                perror("fopen");
@@ -440,7 +440,7 @@ int main(int argc, char **argv) {
        // clear all symlinks
        clean();

-       // set new symlinks based on /usr/lib/firejail/firecfg.cfg
+       // set new symlinks based on /etc/firejail/firecfg.config
        set_links_firecfg();

        if (getuid() == 0) {

Misc: The filename is misspelled in these comments as well.

[kmk3]

Suggested change

	// parse /etc/firejail/firecfg.cfg file
	// parse /etc/firejail/firecfg.config file

The filename is currently misspelled.

Misc: I noticed it by searching with git grep -F 'firecfg.'.

[hlein]

Aha, good catch, I will clean up these misspellings of firecfg.config and update their paths too.

[hlein]

Aha, good catch, I will clean up these misspellings of firecfg.config and update their paths too.

Done, I think.

[kmk3]

@hlein on Nov 6:

Aha, good catch, I will clean up these misspellings of firecfg.config and
update their paths too.

Thanks.

From the new commit message:

Also fixed some firecfg.cfg -> firecfg.config references.

One minor non-blocking nitpick: I'd s/fixed/fix/ to make it more similar to
this:

• https://chris.beams.io/posts/git-commit/

[topimiettinen]

This reminds me that Firejails should support this kind of administrative hierarchy:

• /usr/lib/firejail/profiles or /usr/share/firejail/profiles is for distros, based on our set of profiles
• /etc/firejail/profiles can be used by local system admin to override distro defaults, initially completely empty
• $XDG_CONFIG_HOME/firejail/profiles (or $HOME/.config/firejail/profiles) can be used by users to override system admin when allowed, initially doesn't exist

Finally, users can override their own config files and other configs with command line switches and environment variables, again when allowed.

In theory, there could be another element for dynamic config generation in /run/firejail/profiles, for example in case the version of the kernel or loading of kernel modules could influence the configs somehow (optimize allowed system calls in seccomp lists? only allow some apps when a USB key is plugged in, kill the app when unplugged?).

[kmk3]

LGTM.

[netblue30]

Thanks!

[kmk3]

Note: This could be considered a breaking change and is probably relevant to
packagers either way, so I added it to the RELNOTES on commit c374c0c
("RELNOTES: mention move of firecfg.config to /etc/firejail/").

By the way, on the note I included the PR number to make it easier to find.
Let me know if this is undesirable for some reason (and feel free to edit the
note). If not, maybe this could be done by default (where applicable) on the
notes of future releases, but that's probably worth its own discussion.