profiles: ephemeral: use new private-etc @groups syntax #5642

Merged
merged 1 commit into from
Feb 6, 2023


glitsj16
Collaborator

@glitsj16 glitsj16 commented Feb 6, 2023

Only changed the syntax to adhere to the @groups work and kept private-etc disabled.

Relates to #5610.
See the commit comment.

@netblue30 netblue30 merged commit 740f502 into netblue30:master Feb 6, 2023
@netblue30
Owner

all merged, thanks!

@glitsj16 glitsj16 deleted the private-etc-ephemeral branch February 6, 2023 14:03
kmk3 added a commit to kmk3/firejail that referenced this pull request Feb 7, 2023
This reverts commit 5d0822c and later
commits that touch the same files (which is necessary in order to revert
the commit in question).

There seems to be a non-trivial amount of changes done in error in the
big refactor from commit 5d0822c ("private-etc: big profile changes",
2023-02-05).  For example, there are profiles for CLI programs
(including man.profile) and servers that now contain the @X11 group:

    $ git grep -l '^private-etc .*@X11' -- etc
    # [...]
    etc/profile-a-l/email-common.profile:private-etc @tls-ca,@X11,gnupg,hosts.conf,mailname,timezone
    etc/profile-m-z/man.profile:private-etc @X11,groff,man_db.conf,manpath.config,sysless
    etc/profile-m-z/mutt.profile:private-etc @tls-ca,@X11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
    etc/profile-m-z/neomutt.profile:private-etc @tls-ca,@X11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
    etc/profile-m-z/nextcloud.profile:private-etc @tls-ca,@X11,Nextcloud,host.conf,os-release
    etc/profile-m-z/nodejs-common.profile:private-etc @tls-ca,@X11,host.conf,mime.types,rpc,services

Note: These are just the ones that I immediately noticed; it is possible
that there are many that I missed.

Part of the issue is that the groups appear to be inconsistent and
rather broad.  For example, paths related to 3D graphics (vulkan) and
audio (openal) are in the @games group, which are not used only by games
and not all games use those standards/libraries.  As another example,
the @X11 group contains paths related to GTK, KDE and GPU hardware
acceleration, even though those are not necessarily tied to X11 (and
even though hardware acceleration may be used by headless programs).
Replacing the known paths with groups that are not very granular results
in loss of information about what exactly a profile actually needs and
so makes the profiles less self-documenting.  Note also that a given
path could potentially belong to multiple groups, which would preclude
using the "etc-cleanup" tool (in its current form at least), as it would
not know which is the correct group to replace the path with.

Command used to revert the changes:

    $ git revert \
      1be9bb3 \
      e889db0 \
      e6f2374 \
      acb0154 \
      740f502 \
      5649bd4 \
      2e4e9d1 \
      0f996ea \
      5d0822c

Note: This reverts commits from PRs netblue30#5641 netblue30#5642 netblue30#5643, most of which are
later re-applied.

Relates to netblue30#5610.
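
An added example, not part of this PR or of firejail's own code: a Python audit over `git grep` output in the format quoted in the commit message above. It flags terminal-program profiles that pull in GUI-oriented groups and lists paths that belong to more than one group. The group table, the GUI group set and the CLI profile list are constructed assumptions, not firejail's real definitions.

```python
import re
from collections import defaultdict

# Constructed group table for illustration; NOT firejail's real group contents.
GROUPS = {
    "@X11": {"X11", "gtk-3.0", "kde4rc", "vulkan"},
    "@games": {"openal", "vulkan"},
    "@tls-ca": {"ca-certificates", "ssl"},
}
GUI_GROUPS = {"@X11", "@games"}  # assumption: not needed by terminal programs
CLI_PROFILES = {"man.profile", "mutt.profile", "neomutt.profile"}  # assumption

# Three lines copied from the `git grep` output in the commit message.
SAMPLE = """\
etc/profile-m-z/man.profile:private-etc @X11,groff,man_db.conf,manpath.config,sysless
etc/profile-m-z/mutt.profile:private-etc @tls-ca,@X11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
etc/profile-m-z/nextcloud.profile:private-etc @tls-ca,@X11,Nextcloud,host.conf,os-release
"""

LINE_RE = re.compile(r"^(?P<file>[^:]+):private-etc\s+(?P<items>\S+)$")

def parse(line):
    """Split one grep hit into (file, groups, plain paths); None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    items = [i for i in m["items"].split(",") if i]
    groups = [i for i in items if i.startswith("@")]
    paths = [i for i in items if not i.startswith("@")]
    return m["file"], groups, paths

def flag_cli_with_gui_groups(text):
    """Map each CLI profile name to the GUI groups its private-etc line uses."""
    hits = {}
    for line in text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        file, groups, _ = parsed
        name = file.rsplit("/", 1)[-1]
        bad = sorted(GUI_GROUPS.intersection(groups))
        if name in CLI_PROFILES and bad:
            hits[name] = bad
    return hits

def ambiguous_paths(groups):
    """Paths owned by more than one group: a path-to-group rewrite cannot pick one."""
    owners = defaultdict(list)
    for group, paths in groups.items():
        for path in paths:
            owners[path].append(group)
    return {p: sorted(gs) for p, gs in owners.items() if len(gs) > 1}
```
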
@kmk3 kmk3 changed the title ephemeral: use newly introduced private-etc @groups syntax profiles: ephemeral: use new private-etc @groups syntax Jul 9, 2024
kmk3 added a commit that referenced this pull request Oct 5, 2024
Projects
Status: Done (on RELNOTES)