[Buildroot] [PATCH 1/1] firejail: new package
Romain Naour
romain.naour at gmail.com
Sat Jan 28 14:35:43 UTC 2017
Hi Chris,
Le 26/10/2016 à 19:22, Chris Frederick a écrit :
> Firejail Security Sandbox
> https://firejail.wordpress.com/
>
> Lightweight application sandboxing system using seccomp and kernel
> namespaces.
>
> Signed-off-by: Chris Frederick <cdf123 at cdf123.net>
> ---
> DEVELOPERS | 3 +++
> package/Config.in | 1 +
> package/firejail/Config.in | 17 +++++++++++++++++
> package/firejail/firejail.hash | 2 ++
> package/firejail/firejail.mk | 27 +++++++++++++++++++++++++++
> 5 files changed, 50 insertions(+)
> create mode 100644 package/firejail/Config.in
> create mode 100644 package/firejail/firejail.hash
> create mode 100644 package/firejail/firejail.mk
>
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 16d9b55..3dcd0e2 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -291,6 +291,9 @@ F: package/libdvbsi/
> F: package/libsvg/
> F: package/libsvg-cairo/
>
> +N: Chris Frederick (chrisf at cdf123.net)
> +F: package/firejail/
> +
We usually prefer adding a new DEVELOPERS entry in a separate patch.
> N: Chris Packham <judge.packham at gmail.com>
> F: package/eventlog/
> F: package/micropython/
> diff --git a/package/Config.in b/package/Config.in
> index 9399f63..be20478 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1710,6 +1710,7 @@ menu "System tools"
> source "package/efibootmgr/Config.in"
> source "package/efivar/Config.in"
> source "package/emlog/Config.in"
> + source "package/firejail/Config.in"
> source "package/ftop/Config.in"
> source "package/getent/Config.in"
> source "package/htop/Config.in"
> diff --git a/package/firejail/Config.in b/package/firejail/Config.in
> new file mode 100644
> index 0000000..45fc496
> --- /dev/null
> +++ b/package/firejail/Config.in
> @@ -0,0 +1,17 @@
> +config BR2_PACKAGE_FIREJAIL
> + bool "firejail"
> + depends on BR2_USE_MMU # fork()
> + depends on BR2_TOOLCHAIN_HAS_THREADS
> + depends on BR2_TOOLCHAIN_USES_GLIBC
Why it depends on glibc ?
> + help
> + Firejail is a SUID program that reduces the risk of security
> + breaches by restricting the running environment of untrusted
> + applications using Linux namespaces and seccomp-bpf. It
> + allows a process and all its descendants to have their own
> + private view of the globally shared kernel resources, such
> + as the network stack, process table, mount table.
> +
> + https://firejail.wordpress.com/
> +
> +comment "firejail needs a glibc toolchain"
> + depends on !BR2_TOOLCHAIN_USES_GLIBC
Package dependencies must be propagated to the comment dependencies:
comment "firejail needs a glibc toolchain w/ threads"
depends on BR2_USE_MMU
depends on !BR2_TOOLCHAIN_USES_GLIBC || !BR2_TOOLCHAIN_HAS_THREADS
> diff --git a/package/firejail/firejail.hash b/package/firejail/firejail.hash
> new file mode 100644
> index 0000000..dc2eb80
> --- /dev/null
> +++ b/package/firejail/firejail.hash
> @@ -0,0 +1,2 @@
> +# From
> +sha256 4f3bceee973b84fdf13a5d5ab0060d140ecc8e42c19c945e7fb93f0fd8499b47 firejail-0.9.42.tar.xz
> diff --git a/package/firejail/firejail.mk b/package/firejail/firejail.mk
> new file mode 100644
> index 0000000..3926e8a
> --- /dev/null
> +++ b/package/firejail/firejail.mk
> @@ -0,0 +1,27 @@
> +################################################################################
> +#
> +# firejail
> +#
> +################################################################################
> +
> +FIREJAIL_VERSION = 0.9.42
> +FIREJAIL_SITE = http://download.sourceforge.net/firejail
> +FIREJAIL_SOURCE = firejail-$(FIREJAIL_VERSION).tar.xz
> +FIREJAIL_LICENSE = GPLv2+
> +FIREJAIL_LICENSE_FILES = COPYING
> +FIREJAIL_MAKE_OPTS = ARCH=$(BR2_ARCH) CC="$(TARGET_CC)" \
ARCH is not defined in the Makefile.
> + USERCOMPILE="$(TARGET_CFLAGS)" USERLINK="$(TARGET_LDFLAGS)"
Same of USERCOMPILE and USERLINK which are not defined in the Makefile.
Actually, setting FIREJAIL_MAKE_OPTS seems not useful at all.
> +
> +FIREJAIL_CONF_OPTS = \
> + --enable-bind \
> + --enable-busybox-workaround \
This option should depends on BR2_PACKAGE_BUSYBOX.
Best regards,
Romain
> + --enable-file-transfer \
> + --enable-network \
> + --enable-seccomp \
> + --enable-userns
> +
> +define FIREJAIL_PERMISSIONS
> + /usr/bin/firejail f 4755 0 0 - - - - -
> +endef
> +
> +$(eval $(autotools-package))
>
More information about the buildroot
mailing list