
Using firejail from git

rusty-snake edited this page Jun 2, 2020 · 21 revisions

There are different reasons why you might want to install firejail from its git source: you want the latest profiles and features, or you want to contribute to firejail.

Makefile

The easiest way to install firejail from git is to clone it and use configure+make to build and install it:

git clone https://github.com/netblue30/firejail.git
cd firejail
./configure --prefix=/usr
make
sudo make install

See ./configure --help for additional flags like --enable-apparmor.

Pros

  • simple
  • works on any distro

Cons

  • it is generally advised against bypassing your package manager when installing software: nothing tracks the installed files, and dnf/apt will never update them
  • uninstalling can be complicated: make uninstall needs the checkout and the same ./configure flags, so it no longer works if you delete the repo or run ./configure with other flags
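One way around the uninstall problem is to keep a manifest of what the install wrote. The script below is an added example (not firejail's own tooling): it stages the build with DESTDIR as an unprivileged user, records every installed path, and only then runs the real sudo make install. Later the manifest alone is enough to remove the install, with or without the checkout. It assumes GNU find/sort/mktemp, that it is run from the root of the firejail checkout, and a manifest file name (firejail-installed-files.txt) chosen here for illustration.

```shell
#!/bin/sh
# Added example, not part of the firejail project: build from a git checkout,
# stage the install with DESTDIR, and keep a manifest of installed paths so the
# install can be removed later even if the checkout is gone or reconfigured.
set -eu

# Write one absolute path per line for every file and symlink under STAGE,
# e.g. STAGE/usr/bin/firejail is recorded as /usr/bin/firejail.
write_manifest() {
    stage=$1; manifest=$2
    ( cd "$stage" && find . \( -type f -o -type l \) -print | sed 's|^\.||' ) \
        | LC_ALL=C sort > "$manifest"
}

# Remove every path listed in MANIFEST below ROOT (default: the real /), then
# prune the directories that became empty (e.g. /etc/firejail, /usr/lib/firejail).
# Set DRY_RUN=1 to only print what would be removed.
remove_from_manifest() {
    manifest=$1; root=${2:-}
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would remove $root$path"
        else
            rm -f -- "$root$path"
        fi
    done < "$manifest"
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    # deepest directories first; non-empty ones (like /usr/bin) are simply kept
    sed 's|/[^/]*$||' "$manifest" | sort -ur | while IFS= read -r dir; do
        [ -n "$dir" ] && rmdir -- "$root$dir" 2>/dev/null || true
    done
}

# Build in the current checkout, stage once to record the manifest, then do the
# real privileged install with the same flags so the paths match the manifest.
build_and_install() {
    manifest=${1:-firejail-installed-files.txt}
    stage=$(mktemp -d)
    ./configure --prefix=/usr
    make
    make install DESTDIR="$stage"      # unprivileged staging run
    write_manifest "$stage" "$manifest"
    rm -rf "$stage"
    sudo make install                  # the real install, now fully recorded
    echo "recorded $(wc -l < "$manifest" | tr -d ' ') installed paths in $manifest"
}

case "${1:-}" in
    install)   build_and_install ;;
    uninstall) remove_from_manifest firejail-installed-files.txt ;;   # run with sudo
    *)         echo "usage: $0 install | uninstall   (DRY_RUN=1 previews the uninstall)" ;;
esac
```

Keep the manifest next to the checkout or somewhere safe; DRY_RUN=1 sudo sh build-firejail-manifest.sh uninstall shows exactly what would be deleted before you commit to it.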

Fedora

maintained by @rusty-snake

Fedora uses rpm packages to install software and enables SELinux by default. That's why we build an rpm and enable SELinux labeling support in firejail.

  • First you need the tools to build the rpm (rpm-build, plus a C toolchain) and the SELinux headers, then clone the firejail git repo:
$ sudo dnf install rpm-build gcc make libselinux-devel
$ git clone "https://github.com/netblue30/firejail.git" firejail
  • You also need a spec file for firejail.
firejail.spec example
Name:           firejail
Version:        0.9.63
Release:        1.gitbc3f74f2%{?dist}
Summary:        Linux namespaces sandbox program

License:        GPLv2+
URL:            https://github.com/netblue30/firejail
Source0:        %{name}.tar.gz

BuildRequires: libselinux-devel

%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.


%prep
%autosetup -c


%build
%configure --enable-selinux
%make_build


%install
make install-strip DESTDIR=%{buildroot}


%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
  • In order to build an rpm you need some directories. You can set them up under ~/rpmbuild with rpmdev-setuptree, but here we are going to create them in a custom place:
TOPDIR=$(mktemp -dt firejail-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)

mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"

This creates a directory named firejail-build.XXXXXX (where the Xs are random) under $TMPDIR, or /tmp as fallback, with the sub-directories defined by the corresponding rpm macros.

  • You can then create the spec file in $SPECDIR and create a tar.gz archive of the source code. Run this from the root of the firejail checkout; .git and the test suite are left out:
$ tar --exclude-vcs-ignores --exclude="./.git" --exclude="./test" --create --gzip --file "$SOURCEDIR/firejail.tar.gz" .
  • And then you can start building the rpm:
$ rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR"/firejail.spec
  • Once the build finishes, you can install it:
$ sudo dnf install "$RPMDIR"/x86_64/firejail-*.rpm

That's it!
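After installing, it is worth confirming that the binary you now run is the one you meant to build: setuid root (firejail cannot set up its namespaces otherwise), compiled with SELinux support, and owned by the package manager rather than a leftover make install. The script below is an added example, not part of firejail. It assumes GNU coreutils stat and that firejail --version prints the "Compile time support" list with a line "SELinux support is enabled", as the 0.9.6x series does; the sample output embedded in it is constructed so the parsing can be exercised on a machine without firejail.

```shell
#!/bin/sh
# Added example, not part of the firejail project: sanity-check a firejail
# built from git with --enable-selinux after it has been installed.
set -u

# Constructed sample of "firejail --version" output (0.9.6x format); only the
# SELinux line matters for the check below.
SAMPLE_VERSION_OUTPUT='firejail version 0.9.63

Compile time support:
	- AppArmor support is disabled
	- SELinux support is enabled
	- user namespace support is enabled'

# Exit 0 if the version text in $1 says SELinux support was compiled in.
selinux_enabled_in() {
    printf '%s\n' "$1" | grep -qiE '^[[:space:]-]*SELinux support is enabled'
}

# Print "<octal mode> <owner>" for $1, e.g. "4755 root" (GNU stat).
mode_and_owner() {
    stat -c '%a %U' -- "$1"
}

# firejail must be setuid root; any other mode or owner means the install
# (or a later chmod/chown) went wrong and sandboxing will fail at startup.
is_suid_root() {
    [ "$(mode_and_owner "$1" 2>/dev/null)" = "4755 root" ]
}

# Run every check against the installed binary; exit 0 only if all pass.
check_install() {
    bin=$1
    rc=0
    if is_suid_root "$bin"; then
        echo "ok:   $bin is setuid root"
    else
        echo "FAIL: $bin is not setuid root (got: $(mode_and_owner "$bin" 2>/dev/null || echo missing))"
        rc=1
    fi
    if selinux_enabled_in "$("$bin" --version 2>/dev/null || true)"; then
        echo "ok:   SELinux support compiled in"
    else
        echo "FAIL: $bin --version does not report SELinux support"
        rc=1
    fi
    # On the rpm route the binary must belong to a package; a stray
    # "make install" copy shows up as "not owned by any package" here.
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf -- "$bin" || rc=1
    fi
    return $rc
}

case $# in
    0) echo "usage: $0 /path/to/firejail   (e.g. /usr/bin/firejail)" ;;
    *) check_install "$1" ;;
esac
```

Run it as sh check-firejail.sh /usr/bin/firejail; a non-zero exit means at least one check failed, and the rpm -qf line tells you which package (if any) owns the binary.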

Automation

You don't want to do these steps every time, so let a shell script do the work for you. Run it from the root of the firejail checkout:

build-firejail-rpm.sh
#!/bin/bash

set -e

NAME=firejail
VERSION=$(grep "PACKAGE_VERSION=.*" configure | grep -oE "([[:digit:]]|\.)*")
COMMIT=$(git rev-parse --short HEAD)

# rpm -q prints a "not installed" message instead of failing silently, so test
# the exit status first; then bump the release so dnf treats the build as an upgrade
if rpm -q "$NAME" >/dev/null 2>&1; then
        installed_release=$(rpm -q --qf '%{RELEASE}' "$NAME")
        RELEASE=$(($(grep -oE "^[[:digit:]]+" <<<"$installed_release") + 1))
else
        RELEASE=1
fi

TOPDIR=$(mktemp -dt $NAME-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)

mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"

cleanup() {
        rm -rf "$TOPDIR"
}
trap cleanup EXIT

cat <<EOF > "$SPECDIR/$NAME.spec"
Name:           $NAME
Version:        $VERSION
Release:        $RELEASE.git$COMMIT%{?dist}
Summary:        Linux namespaces sandbox program

License:        GPLv2+
URL:            https://github.com/netblue30/firejail
Source0:        %{name}.tar.gz

BuildRequires: libselinux-devel

%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.


%prep
%autosetup -c


%build
%configure --enable-selinux
%make_build


%install
make install-strip DESTDIR=%{buildroot}


%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
EOF

tar --exclude-vcs-ignores --exclude="./.git" --exclude="./test" --create --gzip --file "$SOURCEDIR/$NAME.tar.gz" .

rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR"/$NAME.spec

RPM="$NAME-$VERSION-$RELEASE.git$COMMIT$(rpm -E %{?dist}).$(rpm -E %_arch).rpm"

mv "$RPMDIR/$(rpm -E %_arch)/$RPM" .

sudo dnf install "$RPM"

rm "$RPM"
