Firejail: Add automated CI checks and git hooks

Created on 2 Jun 2019 · 15 Comments · Source: netblue30/firejail

It would be nice to have automated checks for things that tend to repeat in new profile submissions:

  • header present (with description, persistent globals and local include)
  • items sorted inside profile sections
  • sections are divided using a single '\n' character
  • firecfg.section, disable-programs.inc and similar files being sorted
enhancement

All 15 comments

I had a similar idea a few days ago and started to write it in Rust, but I'm actually wondering if it's still necessary if you prominently recommend the profile.template for it (e.g. use GH pull request templates (and provide a checklist there), CONTRIBUTING.md, manpage (see my comment in the add template issue)), because it will never be possible to check things that require human intelligence (e.g. include disable-xdg.inc in an image-viewer profile but not noblacklist ${PICTURES})

EDIT: Most review comments are about ordering (which can be prevented with the profile.template and/or GH pull request templates with a checklist) and the second most are special things that can only be found with human intelligence.

I agree for the most part - I wonder though how this GH pull request template is supposed to work. Is it difficult to implement?

With this script you get alphabetically sorted private-etc and private-bin lines. I will add support for automatically fixing profiles.

#!/usr/bin/env python3
from sys import argv

# Read the profile named by the first argument and print its private-etc
# and private-bin lines with the comma-separated list sorted
# case-insensitively. The slice [12:-1] skips the option name plus the
# space and drops the last character, which is assumed to be the
# trailing newline.
with open(argv[1], "r") as profile:
    for line in profile:
        if line[:11] == "private-etc":
            print("private-etc", ",".join(sorted(line[12:-1].split(","),
                key=lambda s: s.casefold())))
        elif line[:11] == "private-bin":
            print("private-bin", ",".join(sorted(line[12:-1].split(","),
                key=lambda s: s.casefold())))

Or if you prefer to use a shell:

echo "alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl" | sed "s/,/\n/g" | sort - | awk '{printf "%s%s", (NR>1?",":""), $1}END{print ""}'

Note that [12:-1] means excluding the last character. Not sure if you want that.

@jose1711 thanks. The last character is \n. I tested this code, it works.

ok, but what if private-etc is the last line and is not terminated with \n? like so:
echo -n 'private-etc foo,bar' > profile
then I get this:

./fix_sorting profile
private-etc ba,foo

@jose1711 Most profiles end with a newline, but you're right that we have to consider it being missing.


New version, with support for automatically fixing several profiles.
https://gist.github.com/rusty-snake/a1010a3daf3c54e93dfe03f2f5ce3d96

Issues:

  • ~"[ Fixed ] (unknown)" is always printed, even if nothing was fixed.~ ~_Fixed, only if no private-etc or private-bin is present._ _Really Fixed_.~
  • ~All files will be rewritten.~ ~_Fixed, only if no private-etc or private-bin is present._ _Really Fixed_.~
  • ~Names starting with two uppercase letters are not handled correctly. _Sure? No_~
  • ~Names containing an uppercase letter are not handled correctly (e.g. QOwnNotes). _was never an issue_~
  • ~Handling of special characters (e.g. _ - . ). _ignoring is fine_~

TODOs:

  • ~private-lib~ _Done_, ~#private-etc, # private-etc, #private-bin, # private-bin~ _Won't fix_, ~protocol~ _Done_

@rusty-snake Can't track the item right now (you referred to my fork of your sort.py script), but if you like to integrate sorting caps.{drop,keep} and seccomp.{drop,keep}, go right ahead. You did a great job creating that tool. The better it can cover this wide array of firejail options, the more chances there are this gets into CI. My personal little profile regression tester caught the first one just a few minutes ago :smile:. Cheers!

@glitsj16 I already added caps.{drop,keep} and seccomp.{drop,keep}. All supported options are: private-bin, private-etc, private-lib, seccomp.drop, seccomp.keep, caps.drop, caps.keep, protocol.
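
An added example (not the script posted above or the gist) that covers the full option list just named and the two issues raised earlier in the thread: it strips only a line ending instead of slicing off the last character, so a final line without a trailing newline is sorted correctly, and it rewrites a file only when the sorted text differs from the original.

```python
#!/usr/bin/env python3
"""Sort the comma-separated argument lists of firejail profile options.

Added example, not the tool from the thread. rstrip("\\r\\n") replaces the
[12:-1] slice, so "private-etc foo,bar" with no trailing newline keeps its
last character, and fix_profile_text() reports whether anything changed.
"""
import sys

# Options whose argument lists are sorted (the set named in the thread).
SORTED_OPTIONS = ("private-bin", "private-etc", "private-lib",
                  "seccomp.drop", "seccomp.keep", "caps.drop", "caps.keep",
                  "protocol")

def sort_option_line(line):
    """Return the line with its argument list sorted case-insensitively.

    Other options, commented-out lines ("#private-etc ...") and option
    lines without an argument list are returned unchanged. Works with or
    without a trailing newline.
    """
    body = line.rstrip("\r\n")
    newline = line[len(body):]          # "" , "\n" or "\r\n"
    option, _sep, args = body.partition(" ")
    if option not in SORTED_OPTIONS or not args:
        return line
    items = sorted(args.split(","), key=str.casefold)
    return f"{option} {','.join(items)}{newline}"

def fix_profile_text(text):
    """Sort every option line of a profile; return (new_text, changed)."""
    fixed = "".join(sort_option_line(ln)
                    for ln in text.splitlines(keepends=True))
    return fixed, fixed != text

def fix_profile_file(path):
    """Rewrite path only if sorting changed it; return True when rewritten."""
    with open(path, "r") as fh:
        fixed, changed = fix_profile_text(fh.read())
    if changed:
        with open(path, "w") as fh:
            fh.write(fixed)
    return changed

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(f"[ {'Fixed' if fix_profile_file(p) else 'OK'} ] {p}")
```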

Is there anything else we want to do here?

@rusty-snake Is fetching the program binary, checking if the program runs, and killing it afterwards possible?

You mean checking if firejail runs? There are a lot of tests under test.

@rusty-snake Does this include checking meaningful shell options as well? I don't see corresponding shell commands for firejail execution in the .travis-ci and .gitlab-ci.
They should be able to simulate all .local and .global configurations.

In the travis.yml is make test-travis, which runs the tests under test.
