From: Chris Frederick Date: Wed, 26 Oct 2016 17:22:32 +0000 (-0500) Subject: firejail: new package X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=0524f90a2fbdd05ed5b633a30979773f9904b156;p=buildroot.git firejail: new package Firejail Security Sandbox https://firejail.wordpress.com/ Lightweight application sandboxing system using seccomp and kernel namespaces. Signed-off-by: Chris Frederick [Thomas: - Fix DEVELOPERS entry: use <> around the e-mail address instead of () - firejail builds fine with musl, so only exclude uclibc, which fails to build with EM_ARM undeclared - Update to upstream version 0.9.44.8. - Remove FIREJAIL_MAKE_OPTS, as suggested by Romain Naour. - Pass --enable-busybox-workaround only if Busybox is enabled, as suggested by Romain Naour.] Signed-off-by: Thomas Petazzoni
---
diff --git a/DEVELOPERS b/DEVELOPERS
index ff72ca12b4..6c74cac84d 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -299,6 +299,9 @@ F: package/libdvbsi/
 F: package/libsvg/ F: package/libsvg-cairo/ +N: Chris Frederick +F: package/firejail/ + N: Chris Packham F: package/eventlog/ F: package/micropython/
diff --git a/package/Config.in b/package/Config.in
index cfe7fc608f..9eb6a22f42 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1774,6 +1774,7 @@ menu "System tools"
 source "package/efibootmgr/Config.in"
 source "package/efivar/Config.in"
 source "package/emlog/Config.in"
+ source "package/firejail/Config.in"
 source "package/ftop/Config.in"
 source "package/getent/Config.in"
 source "package/htop/Config.in"
diff --git a/package/firejail/Config.in b/package/firejail/Config.in
new file mode 100644
index 0000000000..8c5338ea90
--- /dev/null
+++ b/package/firejail/Config.in
@@ -0,0 +1,19 @@
+config BR2_PACKAGE_FIREJAIL
+ bool "firejail"
+ depends on BR2_USE_MMU # fork()
+ depends on BR2_TOOLCHAIN_HAS_THREADS
+ # uClibc: error: ‘EM_ARM’ undeclared
+ depends on !BR2_TOOLCHAIN_USES_UCLIBC
+ help
+ Firejail is a SUID program that reduces the risk of security
+ breaches by restricting the running environment of untrusted
+ applications using Linux namespaces and seccomp-bpf. It
+ allows a process and all its descendants to have their own
+ private view of the globally shared kernel resources, such
+ as the network stack, process table, mount table.
+
+ https://firejail.wordpress.com/
+
+comment "firejail needs a glibc or musl toolchain w/ threads"
+ depends on BR2_USE_MMU
+ depends on !BR2_TOOLCHAIN_USES_UCLIBC || !BR2_TOOLCHAIN_HAS_THREADS
diff --git a/package/firejail/firejail.hash b/package/firejail/firejail.hash
new file mode 100644
index 0000000000..0cb86b45a4
--- /dev/null
+++ b/package/firejail/firejail.hash
@@ -0,0 +1,3 @@
+# From https://sourceforge.net/projects/firejail/files/firejail/
+md5 7e6dca7202b1d70105b39646755cc620 firejail-0.9.44.8.tar.xz
+sha1 019423df0aee84d474f9fcd1f6a871a2fe8aa9a5 firejail-0.9.44.8.tar.xz
diff --git a/package/firejail/firejail.mk b/package/firejail/firejail.mk
new file mode 100644
index 0000000000..c1fab29f28
--- /dev/null
+++ b/package/firejail/firejail.mk
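Review bot: The second `depends on` of the `comment` stanza is inverted: `!BR2_TOOLCHAIN_USES_UCLIBC || !BR2_TOOLCHAIN_HAS_THREADS` is true on precisely the glibc/musl-with-threads toolchains where `BR2_PACKAGE_FIREJAIL` is selectable, and false on a uClibc toolchain with threads, which is the case the hint exists for. The comment's visibility condition should be the negation of the config symbol's constraints, i.e. `depends on BR2_TOOLCHAIN_USES_UCLIBC || !BR2_TOOLCHAIN_HAS_THREADS`. As written, users of a supported toolchain always see a misleading "needs a glibc or musl toolchain" line and uClibc users see nothing.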
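Review bot: The new firejail.hash carries only the upstream `md5` and `sha1` digests, and firejail.mk in the next hunk fetches the tarball over plain `http://`, so these two digests are the only integrity check on a setuid-root binary's source. Both algorithms are collision-prone; Buildroot's `.hash` format also accepts `sha256`, so a locally computed line should be added alongside the upstream ones, e.g. `# Locally computed` followed by `sha256 <sha256-of-firejail-0.9.44.8.tar.xz> firejail-0.9.44.8.tar.xz` (placeholder: compute from a tarball whose md5/sha1 match the lines above). Keeping the upstream `md5`/`sha1` lines is fine; the point is that at least one digest should be one the download cannot be forged against.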
@@ -0,0 +1,28 @@
+################################################################################
+#
+# firejail
+#
+################################################################################
+
+FIREJAIL_VERSION = 0.9.44.8
+FIREJAIL_SITE = http://download.sourceforge.net/firejail
+FIREJAIL_SOURCE = firejail-$(FIREJAIL_VERSION).tar.xz
+FIREJAIL_LICENSE = GPLv2+
+FIREJAIL_LICENSE_FILES = COPYING
+
+FIREJAIL_CONF_OPTS = \
+ --enable-bind \
+ --enable-file-transfer \
+ --enable-network \
+ --enable-seccomp \
+ --enable-userns
+
+ifeq ($(BR2_PACKAGE_BUSYBOX),y)
+FIREJAIL_CONF_OPTS += --enable-busybox-workaround
+endif
+
+define FIREJAIL_PERMISSIONS
+ /usr/bin/firejail f 4755 0 0 - - - - -
+endef
+
+$(eval $(autotools-package))
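Review bot: The `FIREJAIL_PERMISSIONS` table installs `/usr/bin/firejail` setuid root (`f 4755 0 0`) with no comment saying why, and a setuid-root entry is the one line in a package .mk that every later reviewer will stop at. A one-line comment above the `define`, `# firejail is a SUID-root program by design (see the Config.in help text), hence mode 4755`, records that the mode is deliberate rather than an oversight. Separately, `FIREJAIL_SITE` uses plain `http://` while the .hash file in the previous hunk provides only md5 and sha1, so transport and digest are both weak at once; if the sourceforge mirror serves the same path over `https://` (it appears to, but confirm), switching the scheme costs nothing, and a `sha256` line in the .hash file would cover the rest.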