
firejail: 0.9.70 -> 0.9.72 #211245

Merged
merged 1 commit into from
Jan 20, 2023

Conversation

onny
Contributor

@onny onny commented Jan 17, 2023

Description of changes

Changelog https://github.com/netblue30/firejail/releases/tag/0.9.72

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@onny
Contributor Author

onny commented Jan 17, 2023

Result of nixpkgs-review pr 211245 run on x86_64-linux

2 packages built:
  • firejail
  • orjail

@dcarosone

Still investigating cause, but this seems to have broken my firejail of firefox somehow. Firejail emits a bunch of various warnings (most of which have been there forever, one of which might be new, or at least I don't recognise - something about stacking profiles) and then at the end gets a "no such file or directory" trying to start the child.

I rolled back for now and will look into it more later as well as read firejail changelogs (maybe I have to adapt something in my config?), just noting here in case others find something similar.

@onny
Contributor Author

onny commented Jan 27, 2023

Thanks for noticing. Got issues here too and going to investigate this, possibly git bisecting or something like this.

@revuwa

revuwa commented Jan 28, 2023

Same here, after upgrading to the new version (0.9.72) none of my firejailed apps will start anymore.
Three different errors appear (just four examples each):

  1. mpv | tenacity | mediainfo | zathura | ...
    Cannot start application: Permission denied
  2. chromium | imv | gimp | keepassxc | ...
    Cannot start application: No such file or directory
  3. nano | nvim | fzf | file | ...
    fish: Unknown command: --
    fish:
    --
    ^^

The last one could be related to:

- modif: set --shell=none as the default
- modif: removed --shell= command

Source (changelog): https://github.com/netblue30/firejail/releases/tag/0.9.72
Because I use the Fish shell, and there "was" some trouble with this point -> netblue30/firejail#5445

Interesting is that all of my wrapped apps:

programs.firejail = {
    enable = true;
    wrappedBinaries = { ...

won't work since firejail 0.9.72, but if I manually run them like:
firejail nvim
most of them work with the current version, too 🤷‍♂️

As a workaround I temporarily switched back to the previous version (via configuration.nix):

  nixpkgs.overlays = [
    (self: super: {
      firejail = super.firejail.overrideAttrs (old: {
        version = "0.9.70";
        src = super.fetchFromGitHub {
          owner = "netblue30";
          repo = "firejail";
          rev = "0.9.70";
          sha256  = "sha256-x1txt0uER66bZN6BD6c/31Zu6fPPwC9kl/3bxEE6Ce8=";
        };
      });
    })
  ];

which still works fine.

Hope this helps someone somehow...

@onny
Contributor Author

onny commented Feb 12, 2023

I'm going to revert this PR and try to find the culprit using git bisect

@rusty-snake

@onny The cause for this is very likely the fact that specifying the end-of-option indicator -- causes firejail to start the program via $SHELL -c <PROGRAM> rather than using execve(<PROGRAM>) as it does w/o end-of-option indicator.

See also:

@onny
Contributor Author

onny commented Feb 14, 2023

@rusty-snake Do you have a patch which we can apply? I tried the latest firejail master branch which is working for some wrappedBinaries but for example still fails for librewolf:

#! /nix/store/qqa28hmysc23yy081d178jfd9a1yk8aw-bash-5.2-p15/bin/bash -e
exec /run/wrappers/bin/firejail '--net=tornet' '--dns=46.182.19.48' '--ignore=private-dev' '--env=GTK_THEME=Adwaita:dark' '--env=MOZ_ENABLE_WAYLAND=1' '--dbus-user.talk=org.freedesktop.Notifications' '--profile=/nix/store/v0phcgd2bd8sjcnw5b0w2v3jl9w2p2gy-firejail-0.9.73/etc/firejail/librewolf.profile' -- /nix/store/sn35if55flrlx3rlp620r70pg9a0iq7n-librewolf-109.0.1-2/bin/librewolf "$@"

Results in

[...]
Cannot start application: No such file or directory

I also tried to revert a potential regression

substituteInPlace src/firejail/main.c \
  --replace 'int arg_shell_none = 1' 'int arg_shell_none = 0'

Still no luck :(

@onny
Contributor Author

onny commented Feb 14, 2023

Reverting this specific commit netblue30/firejail@7ad735d fixes the issue for me

Changing line https://github.com/netblue30/firejail/blob/7ad735deafa80114a17b20790de63f7e973b1bb4/src/firejail/sandbox.c#L531

	else if (!arg_appimage && !arg_doubledash) {

to

	else if (!arg_appimage) {

fixes it :)
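
The two launch paths rusty-snake describes (execve() of the program versus $SHELL -c on a flattened command string when -- is given), and the sandbox.c condition above that selects between them, modeled as an added example. This is not code from firejail or nixpkgs: `launch` is a hypothetical stand-in for the firejail front end, `mode` stands in for the `arg_doubledash` check, DEMO_SHELL stands in for $SHELL (defaulting to /bin/sh so it runs anywhere), and --net=none is only passed to show options being skipped. The point it shows is why the -c path fails for wrapped binaries: once argv is joined into one string and re-parsed, argument boundaries and shell metacharacters change meaning.

```shell
#!/bin/sh
# Added example, not firejail or nixpkgs code. Toy model of the launch decision:
#   mode=exec   : always run PROGRAM with argv intact (execve semantics, pre-0.9.72)
#   mode=shellc : if "--" was given, hand "$*" to $SHELL -c (the 0.9.72 path)
#
# usage: launch MODE [OPTIONS...] [--] PROGRAM [ARGS...]
launch() {
    mode=$1
    shift
    seen_doubledash=0
    while [ $# -gt 0 ]; do
        case $1 in
            --) seen_doubledash=1; shift; break ;;   # end-of-options indicator
            -*) shift ;;                             # a sandbox option; ignored in the model
            *)  break ;;                             # first non-option word is the program
        esac
    done
    if [ "$mode" = exec ] || [ "$seen_doubledash" -eq 0 ]; then
        # argv reaches the program word for word, as execve() would pass it
        "$@"
    else
        # argv is flattened into one string and parsed again by a shell;
        # DEMO_SHELL is a stand-in for $SHELL (fish in revuwa's report)
        "${DEMO_SHELL:-/bin/sh}" -c "$*"
    fi
}

# Constructed demo input: the same words through each path. printf's '%s,'
# marks where the program saw an argument boundary.
exec_result=$(launch exec --net=none -- printf '%s,' 'hello world')
shellc_result=$(launch shellc --net=none -- printf '%s,' 'hello world')
printf 'exec  : %s\nshellc: %s\n' "$exec_result" "$shellc_result"
# exec  : hello world,
# shellc: hello,world,

# An argument containing ';' is data on the exec path but a command
# separator on the shell -c path: the program only ever sees "a".
printf 'exec  : %s\nshellc: %s\n' \
    "$(launch exec -- printf '%s,' 'a;true')" \
    "$(launch shellc -- printf '%s,' 'a;true')"
# exec  : a;true,
# shellc: a,
```

Without `--` the shellc mode behaves exactly like exec mode, which matches the observation in the thread that running `firejail nvim` by hand works while the NixOS-generated wrappers, which always insert `--`, do not.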
