[firejail] Updated upstream to 0.9.72 Fixes JB#59121

[dsuni]

No description provided.

[Thaodan]

dsuni ***@***.***> writes:

@dsuni commented on this pull request. > @@ -48,6 +50,7 @@ Requires: %{name} = %{version}-%{release} %make_install rm -rf %{buildroot}%{_datadir}/bash-completion rm -rf %{buildroot}%{_datadir}/zsh/site-functions/_firejail +install %{buildroot}/etc/firejail/firecfg.config %{buildroot}/usr/lib64/firejail/ Not sure how relevant the file is to our usecase, but at least src/firecfg/main.c still contains code for parsing this file...

Not exactly sure but it could be that only the file in /usr/lib is needed and the file in /etc is optional in case the settings needs to be adjusted by the user of the device (user as in the system administrator on a regular desktop system). In our case we skip the file in etc in this case.

[Tomin1]

Went through the privileged data patch and wrote some comments about the things I'd change. I think the simpler patches are good as they are. The remaining two big patches are such messy (as changes to patch files can be sometimes), that I'd need to have a separate look at them.

[Tomin1]

I think that INVALID_GID return value and adding that FIXME comment about those new groups would be something to do still. (The comment being something like // FIXME: Add missing debian specific groups, see JB#xxxxx.) I checked the rest of the patches and I think they are fine.

[Thaodan]

Tomi Leppänen ***@***.***> writes:

@Tomin1 commented on this pull request. I think that `INVALID_GID` return value and adding that FIXME comment about those new groups would be something to do still. (The comment being something like `// FIXME: Add missing debian specific groups, see JB#xxxxx`.) I checked the rest of the patches and I think they are fine.

We don't use the Debian Groups, the other groups used here should be replaced by systemd uaccess permissions.

[Tomin1]

We don't use the Debian Groups, the other groups used here should be
replaced by systemd uaccess permissions.

I don't really care if the comment says, that is it about debian or that we should use some other mechanism, as long as it makes clear that we dropped code that is not relevant for us and we have it documented somewhere. So in short, some comment, some bug reference and I'm happy.

Something else strange that I noticed: This is built on top of commit 48a57d6 and not master (5b4cdb3). There is not real difference between those as it's just a merge commit that it's missing, so it can be just rebased there without changes. Also those new commits should be squashed of course.

[Tomin1]

This is still on top of 48a57d6 and not master / 5b4cdb3 / 0.9.66+git3.

firejail (update_upstream_jb59121) [128]> git log --oneline
6704180 (HEAD -> update_upstream_jb59121, dsuni/update_upstream_jb59121) [firejail] Updated upstream to 0.9.72 Fixes JB#59121
48a57d6 (spiiroin/jb55650_libtrace_xstat, jb55650_libtrace_xstat) [libtrace] Add xstat() tracing and optionally log only failing calls. Fixes JB#55650
bedab8e (tag: 0.9.66+git2) Merge pull request #15 from spiiroin/jb55981_retain_symlink_chains

Otherwise I think it's good.

[dsuni]

This is still on top of 48a57d6 and not master / 5b4cdb3 / 0.9.66+git3.

Fixed.

[Tomin1]

LGTM.