
#1 2017-10-14 06:55:01

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

[Solved] Firejail, makepkg & 'libfakeroot.so'

In the last few days, I have noticed that every time I use makepkg I get the following error when it tries to compress a package:

ERROR: ld.so: object 'libfakeroot.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

For example, in the following test I use "cower" because it is fairly simple, and, to eliminate any problems with firejail, I wrap the entire makepkg process with firejail --noprofile

[stupidme@mine cower]
$ firejail --noprofile makepkg 
Parent pid 14631, child pid 14632
Child process initialized in 27.91 ms
==> Making package: cower 17-2 (Sat 14 Oct 07:28:03 BST 2017)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found cower-17.tar.gz
  -> Found cower-17.tar.gz.sig
==> Validating source files with md5sums...
    cower-17.tar.gz ... Passed
    cower-17.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
    cower-17.tar.gz ... Passed
==> Extracting sources...
  -> Extracting cower-17.tar.gz with bsdtar
==> Starting build()...
cc -Wclobbered -Wempty-body -Wfloat-equal -Wignored-qualifiers -Wmissing-declarations -Wmissing-parameter-type -Wsign-compare -Wmissing-prototypes -Wold-style-declaration -Wtype-limits -Woverride-init -Wunused -Wstrict-prototypes -Wuninitialized -std=c99 -g -pthread -pedantic -Wall -Wextra -fstack-protector-strong -O2 -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_GNU_SOURCE -DCOWER_VERSION=\"17\" -D_FORTIFY_SOURCE=2  -c -o cower.o src/cower.c
src/cower.c: In function ‘parse_options’:
src/cower.c:1194:23: warning: this statement may fall through [-Wimplicit-fallthrough=]
         cfg.sortorder = SORT_REVERSE;
         ~~~~~~~~~~~~~~^~~~~~~~~~~~~~
src/cower.c:1195:7: note: here
       case OP_SORT:
       ^~~~
cc -Wclobbered -Wempty-body -Wfloat-equal -Wignored-qualifiers -Wmissing-declarations -Wmissing-parameter-type -Wsign-compare -Wmissing-prototypes -Wold-style-declaration -Wtype-limits -Woverride-init -Wunused -Wstrict-prototypes -Wuninitialized -std=c99 -g -pthread -pedantic -Wall -Wextra -fstack-protector-strong -O2 -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_GNU_SOURCE -DCOWER_VERSION=\"17\" -D_FORTIFY_SOURCE=2  -c -o aur.o src/aur.c
cc -Wclobbered -Wempty-body -Wfloat-equal -Wignored-qualifiers -Wmissing-declarations -Wmissing-parameter-type -Wsign-compare -Wmissing-prototypes -Wold-style-declaration -Wtype-limits -Woverride-init -Wunused -Wstrict-prototypes -Wuninitialized -std=c99 -g -pthread -pedantic -Wall -Wextra -fstack-protector-strong -O2 -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_GNU_SOURCE -DCOWER_VERSION=\"17\" -D_FORTIFY_SOURCE=2  -c -o package.o src/package.c
cc -pthread  -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now  cower.o aur.o package.o  -lcurl -lalpm -lyajl -larchive -o cower
pod2man --section=1 --center="Cower Manual" --name="COWER" --release="cower 17" README.pod cower.1
==> Entering fakeroot environment...
==> Starting package()...
install -D -m755 cower "/home/stupidme/Git/Cower/cower/pkg/cower/usr/bin/cower"
install -D -m644 cower.1 "/home/stupidme/Git/Cower/cower/pkg/cower/usr/share/man/man1/cower.1"
install -D -m644 extra/bash_completion "/home/stupidme/Git/Cower/cower/pkg/cower/usr/share/bash-completion/completions/cower"
install -D -m644 extra/zsh_completion "/home/stupidme/Git/Cower/cower/pkg/cower/usr/share/zsh/site-functions/_cower"
install -D -m644 config "/home/stupidme/Git/Cower/cower/pkg/cower/usr/share/doc/cower/config"
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
ERROR: ld.so: object 'libfakeroot.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
Warning: an existing sandbox was detected. /usr/bin/gzip will run without any additional sandboxing features
==> Checking for packaging issue...
==> Creating package "cower"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
ERROR: ld.so: object 'libfakeroot.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
Warning: an existing sandbox was detected. /usr/bin/xz will run without any additional sandboxing features
==> Leaving fakeroot environment.
==> Finished making: cower 17-2 (Sat 14 Oct 07:28:04 BST 2017)

Parent is shutting down, bye...
[stupidme@mine cower]$ 

As you can see, it enters and leaves the fakeroot environment without any problems, and, once installed, it doesn't appear to have any deleterious effects on the package. For example, yesterday I used the linux-hardened 4.13.6 PKGBUILD to build and install linux-hardened-apparmor 4.13.6, which, apart from the above error messages, installed fine and boots without any problems being reported.

Does anyone have any ideas about what the problem is? Further, how concerned should I be?

Edited to correct punctuation
Edited title to better reflect the nature of the problem. Fix to follow shortly after a final test

Last edited by IrvineHimself (2017-10-15 16:52:37)


And there, she arrives. The coin, the penny, maybe it arrives with you!

#2 2017-10-14 07:22:05

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

pacman -Qi fakeroot


#3 2017-10-14 07:30:40

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

[stupidme@mine ~]$ pacman -Qi fakeroot
Name            : fakeroot
Version         : 1.22-1
Description     : Tool for simulating superuser privileges
Architecture    : x86_64
URL             : http://packages.debian.org/fakeroot
Licenses        : GPL
Groups          : base-devel
Provides        : None
Depends On      : glibc  filesystem  sed  util-linux  sh
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 124.00 KiB
Packager        : Bartlomiej Piotrowski <bpiotrowski@archlinux.org>
Build Date      : Fri 18 Aug 2017 07:16:23 BST
Install Date    : Sat 14 Oct 2017 07:16:29 BST
Install Reason  : Explicitly installed
Install Script  : Yes
Validated By    : Signature

[stupidme@mine ~]$ 

It's "explicitly installed" because, before posting, I re-installed it.

Last edited by IrvineHimself (2017-10-14 07:36:24)



#4 2017-10-14 07:57:44

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Does it work w/o firejail?


#5 2017-10-14 10:36:18

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

No, my first thought was that it was related to a firejail profile, so I tried physically deleting the curl, gzip, tar and xz symlinks to firejail in /usr/local/bin, but it didn't make any difference.

Wrapping makepkg in firejail --noprofile should ensure that any symlinked profile is disabled.



#6 2017-10-14 10:55:03

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Sorry, I have that completely wrong. I just double checked by deleting the gzip and xz symlinks for a second time, and it works. I am not sure why it didn't seem to make any difference the first time I deleted them.

I apologise profusely for wasting your time. If I figure out what local exception is needed to make the profiles work, I will post the solution, but for the moment I will mark this as solved.



#7 2017-10-16 00:14:56

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Okay, I have gone fairly deeply into this, and, in a nutshell, makepkg is using some kind of symlink with the gzip and xz compression utilities. It’s difficult to say exactly, because it traps errors and only prints them out at the end of subroutines. I.e., where an error is reported may not be where an error occurred.

The nearest I can get to the actual error is:

  -> Compressing man and info pages...
gzip: run_symlink.c:104: run_symlink: Assertion `getenv("LD_PRELOAD") == NULL' failed.
/usr/share/makepkg/tidy/zipman.sh: line 33:   615 Aborted                 (core dumped) gzip -9 -n -f "$file"
==> ERROR: A failure occurred in ().
    Aborting...

What this boils down to is that even empty symlinked firejail gzip/xz profiles which do absolutely nothing will break makepkg.

Possible solutions:
1) As far as I can gather, you could just ignore the warning: running tests like namcap, pacman -Qip, pacman -Qlp, pacman -Qkk on the linux-hardened-apparmor package I built does not report any problems and everything seems to work as expected.

2) Alternatively, I have written and tested this makepkg profile for firejail:

# Firejail profile for makepkg
# This homegrown profile will be automatically replaced if an officially maintained profile becomes available.

# I disable internet connectivity and enable apparmor confinement globally
# So, I need to enable internet connectivity for makepkg either here or in makepkg.local
ignore net

# Additionally, official kernel builds break if firejail apparmor confinement is enabled, and, since
# I use these builds as the basis for my own kernels, I need to disable apparmor confinement
ignore apparmor
# Note, in general, most package builds probably won't have a problem with apparmor confinement

# Persistent local customizations
include /etc/firejail/makepkg.local
# Persistent global definitions
include /etc/firejail/globals.local

# Deny access to everything in ${HOME} except my build folder and ${HOME}/.gnupg
whitelist ~/Git
whitelist ~/.gnupg

# Severely restrict access to ${HOME}/.gnupg
noblacklist ~/.gnupg
read-only ~/.gnupg/gpg.conf
read-only ~/.gnupg/trustdb.gpg
read-only ~/.gnupg/pubring.kbx
blacklist ~/.gnupg/random_seed
blacklist ~/.gnupg/pubring.kbx~
blacklist ~/.gnupg/private-keys-v1.d
blacklist ~/.gnupg/crls.d
blacklist ~/.gnupg/openpgp-revocs.d


# Need to be able to read /var/lib/pacman, {Note no capabilities so automatically read-only}
noblacklist /var/lib/pacman

# From now on it’s just a basic common or garden firejail profile

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
nonewprivs
# noroot is only disabled to allow the creation of package headers from an official PKGBUILD. So, if you're not
# actively compiling kernels or don't need the headers package, it, like apparmor, could probably be enabled.
#noroot
nosound
notv
novideo
protocol unix,inet,inet6
seccomp
shell none

disable-mnt
private-tmp

memory-deny-write-execute
noexec ${HOME}
noexec /tmp

Note: The profile is intended to severely restrict the capabilities of makepkg. To put it succinctly, while most of the makepkg options will work, root privileges are disabled. This, along with seccomp being enabled, means that, once you are satisfied the built package is not malicious, the actual installation will need to be a separate process with pacman -U

Similarly, there are known issues with makepkg and gpg-signing. As a result, packages will most likely have to be signed outside the firejail with gpg --detach-sign name.pkg.tar.xz

Further, we still have the problem with the symlinking of gzip and xz partially breaking makepkg.

For the purposes of my current project, which is to “sandbox everything”, I wrote the following MakePckgFix shell as a wrapper to run makepkg with the above firejail profile:

#!/bin/bash

# Quick and dirty fix to the problem of firejailing gzip and xz breaking makepkg
#

echo "Need to remove firejail /usr/local/bin symlinks as root"
sudo rm /usr/local/bin/xz
sudo rm /usr/local/bin/gzip
echo
echo "Running firejail makepkg as $USER "
# Pass every argument through to makepkg with its quoting preserved
firejail makepkg "$@"
echo
echo "Reinstalling firejail /usr/local/bin symlinks as root"
sudo ln -s /usr/bin/firejail /usr/local/bin/xz
sudo ln -s /usr/bin/firejail /usr/local/bin/gzip
echo
echo "Bye :)"

So, putting all this together, and, as above, using the “cower package” as a test: Running MakePckgFix gives the following output:

[stupidme@mine cower]$ MakePckgFix
Need to remove firejail /usr/local/bin symlinks as root
[sudo] password for root: 

Running firejail makepkg as stupidme 
Reading profile /etc/firejail/makepkg.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 27663, child pid 27664
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 34.34 ms
==> Making package: cower 17-2 (Sun 15 Oct 16:46:25 BST 2017)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading cower-17.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 25661  100 25661    0     0  25661      0  0:00:01  0:00:01 --:--:-- 18716
  -> Downloading cower-17.tar.gz.sig...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   310  100   310    0     0    310      0  0:00:01 --:--:--  0:00:01   383
==> Validating source files with md5sums...
    cower-17.tar.gz ... Passed
    cower-17.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
    cower-17.tar.gz ... Passed
==> Extracting sources...
  -> Extracting cower-17.tar.gz with bsdtar
==> Starting build()...
cc -Wclobbered -Wempty-body -Wfloat-equal -Wignored-qualifiers -Wmissing-declarations -Wmissing-parameter-type -Wsign-compare -Wmissing-prototypes -Wold-style-declaration -Wtype-limits -Woverride-init -Wunused -Wstrict-prototypes -Wuninitialized -std=c99 -g -pthread -pedantic -Wall -Wextra -fstack-protector-strong -O2 -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_GNU_SOURCE -DCOWER_VERSION=\"17\" -D_FORTIFY_SOURCE=2  -c -o cower.o src/cower.c
src/cower.c: In function ‘parse_options’:
src/cower.c:1194:23: warning: this statement may fall through [-Wimplicit-fallthrough=]
         cfg.sortorder = SORT_REVERSE;
         ~~~~~~~~~~~~~~^~~~~~~~~~~~~~
src/cower.c:1195:7: note: here
       case OP_SORT:
       ^~~~
cc -Wclobbered -Wempty-body -Wfloat-equal -Wignored-qualifiers -Wmissing-declarations -Wmissing-parameter-type -Wsign-compare -Wmissing-prototypes -Wold-style-declaration -Wtype-limits -Woverride-init -Wunused -Wstrict-prototypes -Wuninitialized -std=c99 -g -pthread -pedantic -Wall -Wextra -fstack-protector-strong -O2 -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_GNU_SOURCE -DCOWER_VERSION=\"17\" -D_FORTIFY_SOURCE=2  -c -o aur.o src/aur.c
cc -Wclobbered -Wempty-body -Wfloat-equal -Wignored-qualifiers -Wmissing-declarations -Wmissing-parameter-type -Wsign-compare -Wmissing-prototypes -Wold-style-declaration -Wtype-limits -Woverride-init -Wunused -Wstrict-prototypes -Wuninitialized -std=c99 -g -pthread -pedantic -Wall -Wextra -fstack-protector-strong -O2 -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_GNU_SOURCE -DCOWER_VERSION=\"17\" -D_FORTIFY_SOURCE=2  -c -o package.o src/package.c
cc -pthread  -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now  cower.o aur.o package.o  -lcurl -lalpm -lyajl -larchive -o cower
pod2man --section=1 --center="Cower Manual" --name="COWER" --release="cower 17" README.pod cower.1
==> Entering fakeroot environment...
==> Starting package()...
install -D -m755 cower "/home/stupidme/Git/Cower/cower/pkg/cower/usr/bin/cower"
install -D -m644 cower.1 "/home/stupidme/Git/Cower/cower/pkg/cower/usr/share/man/man1/cower.1"
install -D -m644 extra/bash_completion "/home/stupidme/Git/Cower/cower/pkg/cower/usr/share/bash-completion/completions/cower"
install -D -m644 extra/zsh_completion "/home/stupidme/Git/Cower/cower/pkg/cower/usr/share/zsh/site-functions/_cower"
install -D -m644 config "/home/stupidme/Git/Cower/cower/pkg/cower/usr/share/doc/cower/config"
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issue...
==> Creating package "cower"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: cower 17-2 (Sun 15 Oct 16:46:29 BST 2017)

Parent is shutting down, bye...

Reinstalling firejail /usr/local/bin symlinks as root

Bye :)
[stupidme@mine cower]$ 

Note, the above shell is only needed if you wish to symlink the gzip and xz file compression utilities, otherwise the makepkg firejail profile can be used directly with makepkg. If so, you can even symlink makepkg directly to firejail in /usr/local/bin.

Anyway, as a final test of the above, I used the makepkg.profile along with the MakePckgFix shell to rebuild my linux-hardened-apparmor 4.13.6 package from the official linux-hardened 4.13.6 package build. As you may have guessed, it compiled without any warnings and installed without problems.

On a final note, I haven’t yet got around to firejailing bsdtar, but I have a suspicion that it may have similar problems and, as a result, will also need to be added to MakePckgFix.

All the best
Irvine

Last edited by IrvineHimself (2017-10-16 00:26:38)



#8 2017-10-16 06:52:17

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

You should probably add this to the firejail wiki (link this post) or suggest the profile to the firejail package maintainer (downstream patch since makepkg is Arch specific)


#9 2017-10-16 09:37:28

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Instead of removing the symlinks, you could try to modify $PATH, and remove any paths for /usr/local/...


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#10 2017-10-16 13:43:11

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

@progandy
You misunderstand, the symlinks are not only intentional, but deliberately created by the users of firejail. They are needed to launch the respective firejail sandbox without explicitly calling firejail. So, even without a firejail profile, when makepkg launches curl to connect to a website, the connection is automatically sandboxed to protect against malicious content and/or actors. (Needless to say, in the case of curl this does not cause any problems.)

The compression utilities gzip and xz can be invoked by many applications, or even explicitly, and are, "in fact", a potential point of entry for an attacker. The symlinks ensure that the decompression of any content is fully sandboxed, even if firejail is not invoked.

See https://wiki.archlinux.org/index.php/Fi … by_default

@Seth
As a result of my current project to "sandbox everything", I have already contributed a few profiles, (like conky,) which will be available in the next release of firejail. You can get them pre-release here.

I have only just woken up after 'la sieste', and will edit the wiki accordingly. As far as submitting the makepkg.profile to be included as a downstream patch, I don't have a problem with that. However, since I originally posted it as an example which fellow Archers could modify to their own needs, I will need to edit the profile slightly to make it more portable.

I will post the completely portable version, along with customisation notes, after I have finished waking up.

Irvine
Edited for more precise language

Last edited by IrvineHimself (2017-10-16 13:53:04)



#11 2017-10-16 14:48:49

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

IrvineHimself wrote:

@progandy
You misunderstand, the symlinks are not only intentional, but deliberately created by the users of firejail. They are needed to launch the respective firejail sandbox without explicitly calling firejail. So, even without a firejail profile, when makepkg launches curl to connect to a website, the connection is automatically sandboxed to protect against malicious content and/or actors. (Needless to say, in the case of curl this does not cause any problems.)

I understand that, but is it necessary to wrap commands in a firejail symlink when you already run the parent makepkg in a firejail profile?



#12 2017-10-16 15:18:47

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Well, yes if you want gzip and xz to be sandboxed when invoked by potentially un-sandboxed applications other than makepkg. The whole point is to try and lower the attack surface by identifying attack vectors and, subsequently, limit the potential for damage.

I accept that for me this is primarily an academic exercise, but, as the recent UK ransom-ware attack has shown, it can literally have life or death consequences.

Edit:
I should add, that in this regard, makepkg could be construed as behaving badly. Normally, when an application is running inside a firejail sandbox, calls to individually sandboxed subsystems are treated as being part of the original sandbox. For example, if you open a magnet link inside Firefox, then even though Transmission has its own firejail profile, it will run inside the Firefox sandbox. The problem with makepkg is not in the sandbox, but in how it handles the symlink.

Last edited by IrvineHimself (2017-10-16 15:35:14)



#13 2017-10-16 15:39:13

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

IrvineHimself wrote:

Well, yes if you want gzip and xz to be sandboxed when invoked by potentially un-sandboxed applications other than makepkg. The whole point is to try and lower the attack surface by identifying attack vectors and, subsequently, limit the potential for damage.

Maybe I wasn't clear. I did not mean to permanently alter the path, but do it only for the makepkg call.

env PATH=$PATH_WITHOUT_LOCAL firejail makepkg ... 

You could also set PATH in the firejail profile or makepkg.conf.

Edit:

I should add, that in this regard, makepkg could be construed as behaving badly

I don't know if that is the fault of makepkg. It may simply be that firejail symlinks and fakeroot are incompatible.

Last edited by progandy (2017-10-16 15:41:32)



#14 2017-10-16 16:01:53

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Sorry, I completely misunderstood you. That actually makes a lot of sense and is a better solution than my quick and dirty fix.

I will need to test this, but, noting that, in ARCH, /usr/local/sbin and /usr/local/bin are the same, my MakePckgFix would become something like:

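# Assumes /usr/local/sbin and /usr/local/bin are the first two entries of $PATH
TmpPath=$(echo "$PATH" | cut -d':' -f3-)
# The variable name is case-sensitive: it has to be PATH for the lookup to change
env PATH="$TmpPath" firejail makepkg "$@"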

Edit:   

.... It may simply be that firejail symlinks and fakeroot are incompatible

I completely agree, the 'off the cuff' remark was meant more to illustrate how  other sandboxed applications handle symlinked subsystems.

Last edited by IrvineHimself (2017-10-16 16:11:08)



#15 2017-10-16 17:55:45

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Okay, I've made the makepkg.profile portable, along with some in-line notation on strengthening the profile by whitelisting the user's $BuildFolder in makepkg.local. (Note, whitelisting your $BuildFolder also means you have to whitelist ~/.gnupg). In addition, I have rewritten and tested MakePckgFix in line with @progandy's suggestion concerning the $PATH variable. I also took the opportunity to make some other refinements so that it can now replicate more refined firejail commands such as firejail --seccomp --profile=PathToProfile --ignore=apparmor makepkg -s

makepkg.profile

# Firejail profile for makepkg
# This file is overwritten after every install/update

# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
# for a detailed accounting of potential pitfalls and their solutions when firejailing makepkg

# This profile could be significantly strengthened by adding the following to makepkg.local
# whitelist ~/<Your Build Folder>
# whitelist ~/.gnupg

# Edit: the profile needs to run with the "quiet" option, otherwise it screws up "makepkg --printsrcinfo > .SRCINFO" when pushing to the AUR
quiet

# Persistent local customizations
include /etc/firejail/makepkg.local
# Persistent global definitions
include /etc/firejail/globals.local

# Enable severely restricted access to ${HOME}/.gnupg
noblacklist ~/.gnupg
read-only ~/.gnupg/gpg.conf
read-only ~/.gnupg/trustdb.gpg
read-only ~/.gnupg/pubring.kbx
blacklist ~/.gnupg/random_seed
blacklist ~/.gnupg/pubring.kbx~
blacklist ~/.gnupg/private-keys-v1.d
blacklist ~/.gnupg/crls.d
blacklist ~/.gnupg/openpgp-revocs.d

# Need to be able to read /var/lib/pacman, {Note no capabilities so automatically read-only}
noblacklist /var/lib/pacman

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
nonewprivs
# noroot is only disabled to allow the creation of package headers from an official PKGBUILD.
#noroot
nosound
notv
novideo
protocol unix,inet,inet6
seccomp
shell none

disable-mnt
private-tmp

memory-deny-write-execute
noexec ${HOME}
noexec /tmp

My personal makepkg.local

# Firejail  makepkg.local

# enable internet connectivity
ignore net

# apparmor breaks official kernel PKGBUILDs
ignore apparmor

# Deny access to everything in ${HOME} except my build folder and ${HOME}/.gnupg
whitelist ~/Git
whitelist ~/.gnupg

And finally, the improved MakePckgFix

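#!/bin/bash

# More sophisticated fix to the problem of firejailing gzip and xz breaking makepkg

# Split the arguments: anything starting with "--" goes to firejail, the rest to makepkg.
# makepkg's own options therefore have to be given in their short form (e.g. -s).
declare -a Prefix
declare -a Arg
for Var in "$@" ; do
    if [[ "$Var" = "--"* ]] ; then
        Prefix+=("$Var")
    else
        Arg+=("$Var")
    fi
done

# Drop the first two $PATH entries, assumed to be /usr/local/sbin and /usr/local/bin
export PATH=$(echo "$PATH" | cut -d':' -f3-)
# Quote the array expansions so arguments containing spaces survive intact
firejail "${Prefix[@]}" makepkg "${Arg[@]}"

echo "Bye :)"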

Anyway, I'm off to submit the profile to the packager with a request that he/she include it as a downstream patch.

Irvine

Edited the profile to add the "quiet" option, otherwise it will screw up "makepkg --printsrcinfo > .SRCINFO" when pushing to the AUR

Last edited by IrvineHimself (2017-10-29 19:11:05)



#16 2017-10-16 19:46:53

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Nice. I think you can get rid of MakePckgFix if you append this to /etc/makepkg.conf

# append to makepkg.conf:
PATH=":$PATH"
PATH="${PATH/:\/usr\/local\/bin:/:}"
PATH="${PATH/:\/usr\/local\/sbin:/:}"
export PATH="${PATH#:}"

Last edited by progandy (2017-10-16 19:48:25)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline
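
The diagnosis in post #7 (a firejail symlink for gzip or xz refusing to run while fakeroot has LD_PRELOAD set) and the PATH-based fix from posts #13 to #16 can both be checked mechanically. The shell functions below are an added example, not code from the thread: the function names and the directory arguments are assumptions, and strip_path_dirs removes the named directories wherever they appear in PATH (first, last or repeated), which goes beyond the position-based cut and the substitution shown above.

```bash
#!/bin/bash
# Added example, not from the thread. All function names are hypothetical.

# firejail_shadowed PATHSTRING CMD...
# For each CMD, find the first executable match in PATHSTRING (as the shell
# would) and print it if it is a symlink that resolves to a file named firejail.
firejail_shadowed() {
    local search_path cmd dir candidate target old_ifs
    search_path="$1"; shift
    old_ifs=$IFS
    IFS=:; set -f               # split on ':' only, no globbing
    for cmd in "$@"; do
        for dir in $search_path; do
            candidate="${dir:-.}/$cmd"
            if [ -f "$candidate" ] && [ -x "$candidate" ]; then
                if [ -L "$candidate" ]; then
                    target=$(readlink -f -- "$candidate")
                    if [ "${target##*/}" = firejail ]; then
                        printf '%s -> %s\n' "$candidate" "$target"
                    fi
                fi
                break           # first hit wins, later directories are never used
            fi
        done
    done
    set +f; IFS=$old_ifs
    return 0
}

# strip_path_dirs PATHSTRING DIR...
# Print PATHSTRING without any entry equal to one of DIR, whatever its position.
# Empty entries (which mean "current directory") are dropped as well.
strip_path_dirs() {
    local path out entry drop skip old_ifs
    path="$1"; shift
    out=
    old_ifs=$IFS
    IFS=:; set -f
    for entry in $path; do
        [ -n "$entry" ] || continue
        skip=0
        for drop in "$@"; do
            if [ "${entry%/}" = "${drop%/}" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then out="${out:+$out:}$entry"; fi
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$out"
}

# build_path PATHSTRING DIR...
# Print a PATH for the fakeroot build with DIR... removed, and fail if gzip, xz
# or bsdtar (the tools named in the thread) would still go through firejail.
build_path() {
    local path cleaned hits
    path="$1"; shift
    cleaned=$(strip_path_dirs "$path" "$@")
    hits=$(firejail_shadowed "$cleaned" gzip xz bsdtar)
    if [ -n "$hits" ]; then
        printf 'still routed through firejail:\n%s\n' "$hits" >&2
        return 1
    fi
    printf '%s\n' "$cleaned"
}

# Typical use (assumed wrapper, mirroring MakePckgFix):
#   clean=$(build_path "$PATH" /usr/local/bin /usr/local/sbin) \
#       && PATH=$clean firejail makepkg -s
```

Running firejail_shadowed against the unmodified PATH before a build shows which tools would trigger the LD_PRELOAD assertion; the system-wide symlinks stay in place for every other caller.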

#17 2017-10-17 04:17:20

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

@progandy That is absolutely BRILLIANT!!!

It is just so elegant, and, as an added bonus, you can even symlink makepkg to automatically run inside a sandbox. :)

WARNING:  I don't actually use it myself, but even without testing, I can virtually guarantee that sandboxing makepkg will screw up Yaourt.

Last edited by IrvineHimself (2017-10-17 04:21:22)



#18 2017-10-18 06:04:46

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [Solved] Firejail, makepkg & 'libfakeroot.so'

Since it is relevant and closes the makepkg/AUR circle, I will post this newly completed, but fully tested,  cower profile here:

# Firejail profile for cower
# This file is overwritten after every install/update

# This profile could be significantly strengthened by adding the following to cower.local
# whitelist ~/<Your Build Folder>
# whitelist ~/.config/cower/config

# Persistent local customizations
include /etc/firejail/cower.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ~/.config/cower/config
read-only ~/.config/cower/config

noblacklist /var/lib/pacman

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix,inet,inet6
seccomp
shell none

disable-mnt
private-bin cower
private-dev
private-tmp

memory-deny-write-execute
noexec ${HOME}
noexec /tmp

My cower.local profile is:

# Firejail  cower.local

ignore net
whitelist ~/Git/Cower
whitelist ~/.config/cower/config

All the best
Irvine

Ps, I will probably be submitting most of the profiles I develop as part of my "sandbox everything" project to the Firejail development team for inclusion in the upstream package, but this one is really quite distro specific.

Last edited by IrvineHimself (2017-10-18 06:18:04)

