Firejail 0.9.68 has been released today (February 6):
https://github.com/netblue30/firejail/releases/tag/0.9.68

It fixes a security issue:
https://github.com/netblue30/firejail/issues/4780

We should backport the fix to Mageia 8:
https://github.com/netblue30/firejail/commit/d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f
Whiteboard: (none) => MGA8TOO
New version pushed in mga9. For Mageia, what about updating to the new version too?
CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
IIRC, there was a reason we didn't upgrade it before, some removed features or something.
Patch added in mga8:
src:
- firejail-0.9.64-1.2.mga8
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Mageia 8
Test copied from Dave H in https://bugs.mageia.org/show_bug.cgi?id=27059#c4 :

The main use of firejail is used to limit which files on the local system can be accessed.

$ echo test>test

$ firefox ~/test &
shows the contents of the file file:///home/dave/test
After closing the tab and firefox ...

$ firejail firefox ~/test &

shows ...
File not found

So far so good - BUT:
If I in firefox tell it to enter /// it lists my root!
And I can browse the file system
I can also tell it to list ///home/morgan
Neither is in a whitelist line in /etc/firejail/firefox.profile

It was also the same before update, so no regression from previous version on my system, but still something is wrong, IMO.

According to Herman V in https://bugs.mageia.org/show_bug.cgi?id=27059#c3 that version blocked /// if I understand him correctly, and I remember one test I did myself long ago with that result.
I am not sure about if home was blocked in earlier version.
CC: (none) => fri
(In reply to David Walser from comment #2)
> IIRC, there was a reason we didn't upgrade it before, some removed features
> or something.

I remember for mga7 we kept it at .56 due to dropped support of snap, possibly more, but we advanced firejail to .64 (64.4 overlayfs fix) in mga8 Bug 28322 and I can't see something that seems important that got dropped since then.
But more eyes should check.
https://github.com/netblue30/firejail/releases
Ahh, that's probably what I was remembering.
(In reply to Morgan Leijström from comment #4)
> Mageia 8
> Test copied from Dave H in https://bugs.mageia.org/show_bug.cgi?id=27059#c4 :
>
> The main use of firejail is used to limit which files on the local system can
> be accessed.
>
> $ echo test>test
>
> $ firefox ~/test &
> shows the contents of the file file:///home/dave/test
> After closing the tab and firefox ...
>
> $ firejail firefox ~/test &
>
> shows ...
> File not found
>
>
> So far so good - BUT:
> If I in firefox tell it to enter /// it lists my root!
> And I can browse the file system

The parent directories must be accessible or the lower level directories would not be able to be accessed.

> I can also tell it to list ///home/morgan

However the list of files/directories in /home/morgan is restricted.
See "grep HOME /etc/firejail/*|grep firefox"

> Neither is in a whitelist line in /etc/firejail/firefox.profile

The files in / are neither in a whitelist or blacklist, so apparently are allowed.
That's an oversight in the default profile for firefox, imho.
CC: (none) => davidwhodgins
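A scripted form of the grep check suggested in the comment above, added here as an example that is not part of the original thread or of firejail itself. It reports which directive kinds in a profile name a given directory; the sample profile lines are constructed and the helper names `sample_profile`, `coverage` and `report` are hypothetical.

```shell
#!/bin/sh
# Added example; sample lines are constructed, not the shipped firefox.profile.
sample_profile() {
    cat <<'EOF'
# constructed sample profile
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
blacklist /mnt
blacklist ${HOME}/.ssh
EOF
}

# coverage DIR HOME_DIR < profile-text   (hypothetical helper)
# Prints which directive kinds name DIR, a path below it, or a parent of it:
# "whitelist", "blacklist", "both" or "none". include lines are not followed,
# so feed it the included files as well when auditing a real profile.
coverage() {
    awk -v dir="$1" -v home="$2" '
        function related(p) {
            if (p == dir || p == "/" || dir == "/") return 1
            return index(p, dir "/") == 1 || index(dir, p "/") == 1
        }
        $1 == "whitelist" || $1 == "blacklist" {
            path = $0
            sub(/^[ \t]*[a-z]+[ \t]+/, "", path)   # drop the keyword
            sub(/[ \t]+$/, "", path)               # drop trailing blanks
            if (index(path, "${HOME}") == 1)       # expand the ${HOME} macro
                path = home substr(path, 8)
            if (related(path)) seen[$1] = 1
        }
        END {
            if (seen["whitelist"] && seen["blacklist"]) print "both"
            else if (seen["whitelist"]) print "whitelist"
            else if (seen["blacklist"]) print "blacklist"
            else print "none"
        }
    '
}

# report HOME_DIR DIR...: one "DIR STATUS" line per directory, from the sample.
report() {
    home=$1; shift
    for d in "$@"; do
        printf '%s %s\n' "$d" "$(sample_profile | coverage "$d" "$home")"
    done
}

report /home/dave /boot /srv /mnt /home/dave
```

A result of "none" only means that no whitelist or blacklist line in the text read names that path, which is the situation described above for the directories under /. For a real audit, redirect the profile in place of the sample, for example `coverage /boot "$HOME" < /etc/firejail/firefox.profile`.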
Validating the update.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0055.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED