[GH-ISSUE #2739] Add automated CI checks and git hooks

gitea-mirror commented

2026-05-05 08:23:29 -06:00

Owner

Originally created by @jose1711 on GitHub (Jun 2, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2739

It would be nice to have automated checks for things that tend to repeat in new profile submissions:

header present (with description, persistent globals and local include)
items sorted inside profile sections
sections are divided using a single '\n' character
firecfg.section, disable-programs.inc and similar files being sorted

Originally created by @jose1711 on GitHub (Jun 2, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2739 It would be nice to have automated checks for things that tend to repeat in new profile submissions: - header present (with description, persistent globals and local include) - items sorted inside profile sections - sections are divided using a single '\n' character - `firecfg.section`, `disable-programs.inc` and similar files being sorted

gitea-mirror

2026-05-05 08:23:29 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 08:23:32 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 2, 2019):

I had a similar idea a few days ago and started to write it in rust, but I'm actually thinking if it's still necessary if you prominently recommend the profile.template for it (e.g. use GH pull request templates (and provieder there a checklist), CONTRIBUTIN.md, manpage (see my comment in the add template issue)), because it will never be possible to check it with human inteliegenz (e.g. include disable-xdg.inc in an image-viewer-profile but not noblacklist ${PICTURES})

EDIT: The most review comments are ordering (which can prevent with the profile.template and/or GH pull request templates with checklist) and the second most are special thing that can only found with human intelligence.

@rusty-snake commented on GitHub (Jun 2, 2019): I had a similar idea a few days ago and started to write it in rust, but I'm actually thinking if it's still necessary if you prominently recommend the profile.template for it (e.g. use GH pull request templates (and provieder there a checklist), CONTRIBUTIN.md, manpage (see my comment in the add template issue)), because it will never be possible to check it with human inteliegenz (e.g. `include disable-xdg.inc` in an image-viewer-profile but not `noblacklist ${PICTURES}`) EDIT: The most review comments are ordering (which can prevent with the profile.template and/or GH pull request templates with checklist) and the second most are special thing that can only found with human intelligence.

gitea-mirror commented

2026-05-05 08:23:33 -06:00

Author

Owner

@jose1711 commented on GitHub (Jun 2, 2019):

I agree for the most part - I wonder though how is this GH pull request template supposed to work. Is it difficult to implement?

@jose1711 commented on GitHub (Jun 2, 2019): I agree for the most part - I wonder though how is this GH pull request template supposed to work. Is it difficult to implement?

gitea-mirror commented

2026-05-05 08:23:34 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 3, 2019):

Its a issue template but for pull request, see https://help.github.com/en/articles/about-issue-and-pull-request-templates.

@rusty-snake commented on GitHub (Jun 3, 2019): Its a issue template but for pull request, see https://help.github.com/en/articles/about-issue-and-pull-request-templates.

gitea-mirror commented

2026-05-05 08:23:35 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 4, 2019):

With this script you get alphabetical sorted private-etc and private-bin lines. I will add support for automaticaly fixing profile.

#!/usr/bin/env python3
from sys import argv

with open(argv[1], "r") as profile:
    for line in profile:
        if line[:11] == "private-etc":
            print("private-etc", ",".join(sorted(line[12:-1].split(","),
                key=lambda s: s.casefold())))
        elif line[:11] == "private-bin":
            print("private-bin", ",".join(sorted(line[12:-1].split(","),
                key=lambda s: s.casefold())))

Or if you prever to use a shell:

echo "alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl" | sed "s/,/\n/g" | sort - | awk '{printf $1 ","}END{print ""}'

@rusty-snake commented on GitHub (Jun 4, 2019): With this script you get alphabetical sorted `private-etc` and `private-bin` lines. I will add support for automaticaly fixing profile. ```python3 #!/usr/bin/env python3 from sys import argv with open(argv[1], "r") as profile: for line in profile: if line[:11] == "private-etc": print("private-etc", ",".join(sorted(line[12:-1].split(","), key=lambda s: s.casefold()))) elif line[:11] == "private-bin": print("private-bin", ",".join(sorted(line[12:-1].split(","), key=lambda s: s.casefold()))) ``` Or if you prever to use a shell: ```bash echo "alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl" | sed "s/,/\n/g" | sort - | awk '{printf $1 ","}END{print ""}' ```

gitea-mirror commented

2026-05-05 08:23:36 -06:00

Author

Owner

@jose1711 commented on GitHub (Jun 4, 2019):

note that [12:-1] means excluding the last character. not sure if you want that.

@jose1711 commented on GitHub (Jun 4, 2019): note that `[12:-1] ` means *excluding* the last character. not sure if you want that.

gitea-mirror commented

2026-05-05 08:23:37 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 4, 2019):

@jose1711 thanks. The last character is \n. I test this code, it works.

@rusty-snake commented on GitHub (Jun 4, 2019): @jose1711 thanks. The last character is `\n`. I test this code, it works.

gitea-mirror commented

2026-05-05 08:23:38 -06:00

Author

Owner

@jose1711 commented on GitHub (Jun 4, 2019):

ok, but what if private-etc is the last line and is not terminated with \n? like so:
echo -n 'private-etc foo,bar' > profile
then I get this:

./fix_sorting profile                          
private-etc ba,foo

@jose1711 commented on GitHub (Jun 4, 2019): ok, but what if `private-etc` is the last line and is not terminated with `\n`? like so: `echo -n 'private-etc foo,bar' > profile` then I get this: ``` ./fix_sorting profile private-etc ba,foo ```

gitea-mirror commented

2026-05-05 08:23:38 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 7, 2019):

@jose1711 Most profiles end with a newline, but you're right that we have to consider the missing of it.

New version, with support for automatic fixing several profiles.
https://gist.github.com/rusty-snake/a1010a3daf3c54e93dfe03f2f5ce3d96

Issues:

~~"[ Fixed ] {filename}" is always printed, even if nothing was fixed.~~ Fixed, only if no private-etc or private-bin is present. Readly Fixed.
~~All files will be rewritten.~~ Fixed, only if no private-etc or private-bin is present. Readly Fixed.
Names starting with two uppercase letters are not handled correctly. Sure? No
Names containing an uppercase letter are not handled correctly (e.g. QOwnNotes). was never an issue
Handling of special characters (e.g. _ - . ). ignoring is fine

TODOs:

~~private-lib~~ Done, ~~#private-etc, # private-etc, #private-bin, # private-bin~~ Won't fix, ~~protocol~~ Done

@rusty-snake commented on GitHub (Jun 7, 2019): @jose1711 Most profiles end with a newline, but you're right that we have to consider the missing of it. *** New version, with support for automatic fixing several profiles. https://gist.github.com/rusty-snake/a1010a3daf3c54e93dfe03f2f5ce3d96 Issues: * ~"[ Fixed ] {filename}" is always printed, even if nothing was fixed.~ ~_Fixed, only if no `private-etc` or `private-bin` is present._ _Readly Fixed_.~ * ~All files will be rewritten.~ ~_Fixed, only if no `private-etc` or `private-bin` is present._ _Readly Fixed_.~ * ~Names starting with two uppercase letters are not handled correctly. _Sure? No_~ * ~Names containing an uppercase letter are not handled correctly (e.g. `QOwnNotes`). _was never an issue_~ * ~Handling of special characters (e.g. _ - . ). _ignoring is fine_~ TODOs: * ~`private-lib`~ _Done_, ~`#private-etc`, `# private-etc`, `#private-bin`, `# private-bin`~ _Won't fix_, ~`protocol`~ _Done_

gitea-mirror commented

2026-05-05 08:23:39 -06:00

Author

Owner

@ghost commented on GitHub (Jun 17, 2019):

@rusty-snake Can't track the item right now (you referred to my fork of your sort.py script), but if you like to integrate sorting caps.{drop,keep} and seccomp.{drop,keep}, go right ahead. You did a great job creating that tool. The better it can cover this wide array of firejail options, the more changes there are this gets into CI. My personal little profile regression tester caught the first one just a few minutes ago 😄. Cheers!

@ghost commented on GitHub (Jun 17, 2019): @rusty-snake Can't track the item right now (you referred to my fork of your sort.py script), but if you like to integrate sorting caps.{drop,keep} and seccomp.{drop,keep}, go right ahead. You did a great job creating that tool. The better it can cover this wide array of firejail options, the more changes there are this gets into CI. My personal little profile regression tester caught the first one just a few minutes ago :smile:. Cheers!

gitea-mirror commented

2026-05-05 08:23:40 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 17, 2019):

@glitsj16 I already add caps.{drop,keep} and seccomp.{drop,keep}. All supported options are: private-bin, private-etc, private-lib, seccomp.drop, seccomp.keep, caps.drop, caps.keep, protocol.

@rusty-snake commented on GitHub (Jun 17, 2019): @glitsj16 I already add caps.{drop,keep} and seccomp.{drop,keep}. All supported options are: private-bin, private-etc, private-lib, seccomp.drop, seccomp.keep, caps.drop, caps.keep, protocol.

gitea-mirror commented

2026-05-05 08:23:41 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 1, 2020):

Is there anything else we want to do here?

@rusty-snake commented on GitHub (Feb 1, 2020): Is there anything else we want to do here?

gitea-mirror commented

2026-05-05 08:23:41 -06:00

Author

Owner

@matu3ba commented on GitHub (Apr 9, 2020):

@rusty-snake Is fetching the program binary with checking, if the program runs and kill it afterwards possible?

@matu3ba commented on GitHub (Apr 9, 2020): @rusty-snake Is fetching the program binary with checking, if the program runs and kill it afterwards possible?

gitea-mirror commented

2026-05-05 08:23:42 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 9, 2020):

You mean checking if firejail runs? The are a lot of test under test.

@rusty-snake commented on GitHub (Apr 9, 2020): You mean checking if firejail runs? The are a lot of test under test.

gitea-mirror commented

2026-05-05 08:23:42 -06:00

Author

Owner

@matu3ba commented on GitHub (Apr 11, 2020):

@rusty-snake Does this include checking meaningful shell options as well? I dont see according shell commands for firejail execution in the .travis-ci and .gitlab-ci.
They should be able to simulate all .local and .global configurations.

@matu3ba commented on GitHub (Apr 11, 2020): @rusty-snake Does this include checking meaningful shell options as well? I dont see according shell commands for firejail execution in the `.travis-ci` and `.gitlab-ci`. They should be able to simulate all `.local` and `.global` configurations.

gitea-mirror commented

2026-05-05 08:23:42 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 11, 2020):

in the travis.yml is make test-travis which runs the test under test.

@rusty-snake commented on GitHub (Apr 11, 2020): in the travis.yml is `make test-travis` which runs the test under [test](https://github.com/netblue30/firejail/tree/master/test).

gitea-mirror referenced this issue

2026-05-05 09:44:02 -06:00

[GH-ISSUE #5803] ssh: Couldn't open /dev/null: Permission denied #3096

Rows
Columns

[GH-ISSUE #2739] Add automated CI checks and git hooks #1725