Improve profile PRs (Related to #2739) (#2784)

* add contrib/sort.py and .github/pull_request_temp… * Add usage to sort.py * Install sort.py if contrib-install is set * sort.py: 0644 -> 0755 * Update sort.py * Update pull_request_template.md * Remove checkboxes from PR-Template * Update sort.py * Add examples to sort.py * Update pull_request_template.md Fix path to sort.py, it depend on the distro. * Update pull_request_template.md * Update pull_request_template.md add hint about template
author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-06-24 17:13:29 +0000
committer: GitHub <noreply@github.com> 2019-06-24 17:13:29 +0000
commit: 85e664520271128110718cc741579587b3917048 (patch)
tree: d6f73acb1f61d93dc9a5ff6c7812010082201bb3
parent: disable firetunnel at config time (#2793) (diff)
download: firejail-85e664520271128110718cc741579587b3917048.tar.gz
firejail-85e664520271128110718cc741579587b3917048.tar.zst
firejail-85e664520271128110718cc741579587b3917048.zip
3 files changed, 133 insertions, 0 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 000000000..28ee1c436
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,17 @@
+If you make a PR for new profiles or changeing profiles please do the following:
+ - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
+   Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository.
+ - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
+ The path to it depends on your distro:
+ 
+   | Distro | Path |
+   | ------ | ---- |
+   | Arch/Fedora | `/lib64/firejail/sort.py` |
+   | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
+   | local git clone | `contrib/sort.py` |
+   Note also that the sort.py script exists only since firejail `0.9.61`.
+If you have no idea how to do one of these, you can open the PR anyway.
+See also [CONTRIBUTING.md](/CONTRIBUTING.md).
diff --git a/Makefile.in b/Makefile.in
index 9d0dd69b1..9d21419bc 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -115,6 +115,7 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
        install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/sort.py $(DESTDIR)/$(libdir)/firejail/.
 endif
        # documents
        install -m 0755 -d $(DESTDIR)/$(DOCDIR)
diff --git a/contrib/sort.py b/contrib/sort.py
new file mode 100755
index 000000000..d0fcabac2
--- /dev/null
+++ b/contrib/sort.py
@@ -0,0 +1,115 @@
+#!/usr/bin/env python3
+"""
+Sort the items of multi-item options in profiles, the following options are supported:
+  private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol
+Usage:
+    $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ]
+Keep in mind that this will overwrite your profile(s).
+Examples:
+    $ ./sort.py MyAwesomeProfile.profile
+    $ ./sort.py new_profile.profile second_new_profile.profile
+    $ ./sort.py ~/.config/firejail/*.{profile,inc,local}
+    $ sudo ./sort.py /etc/firejail/*.{profile,inc,local}
+Exit-Codes:
+  0: No Error; No Profile Fixed.
+  1: Error, one or more profiles were not processed correctly.
+  101: No Error; One or more profile were fixed.
+"""
+# Requirements:
+#  python >= 3.6
+from sys import argv
+def sort_alphabetical(raw_items):
+    items = raw_items.split(",")
+    items.sort(key=lambda s: s.casefold())
+    return ",".join(items)
+def sort_protocol(protocols):
+    """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet"""
+    # shortcut for common protocol lines
+    if protocols in ("unix", "unix,inet,inet6"):
+        return protocols
+    fixed_protocols = ""
+    present_protocols = {
+        "unix": False,
+        "inet": False,
+        "inet6": False,
+        "netlink": False,
+        "packet": False,
+    }
+    for protocol in protocols.split(","):
+        if protocol == "unix":
+            present_protocols["unix"] = True
+        elif protocol == "inet":
+            present_protocols["inet"] = True
+        elif protocol == "inet6":
+            present_protocols["inet6"] = True
+        elif protocol == "netlink":
+            present_protocols["netlink"] = True
+        elif protocol == "packet":
+            present_protocols["packet"] = True
+    if present_protocols["unix"]:
+        fixed_protocols += "unix,"
+    if present_protocols["inet"]:
+        fixed_protocols += "inet,"
+    if present_protocols["inet6"]:
+        fixed_protocols += "inet6,"
+    if present_protocols["netlink"]:
+        fixed_protocols += "netlink,"
+    if present_protocols["packet"]:
+        fixed_protocols += "packet,"
+    return fixed_protocols[:-1]
+def fix_profile(filename):
+    with open(filename, "r+") as profile:
+        lines = profile.read().split("\n")
+        was_fixed = False
+        fixed_profile = []
+        for line in lines:
+            if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
+                fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
+            elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
+                fixed_line = f"{line[:13]}{sort_alphabetical(line[13:])}"
+            elif line[:10] in ("caps.drop ", "caps.keep "):
+                fixed_line = f"{line[:10]}{sort_alphabetical(line[10:])}"
+            elif line[:8] == "protocol":
+                fixed_line = f"protocol {sort_protocol(line[9:])}"
+            else:
+                fixed_line = line
+            if fixed_line != line:
+                was_fixed = True
+            fixed_profile.append(fixed_line)
+        if was_fixed:
+            profile.seek(0)
+            profile.truncate()
+            profile.write("\n".join(fixed_profile))
+            profile.flush()
+            print(f"[ Fixed ] {filename}")
+            return 101
+        return 0
+def main(args):
+    exit_code = 0
+    for filename in args:
+        try:
+            if exit_code not in (1, 101):
+                exit_code = fix_profile(filename)
+            else:
+                fix_profile(filename)
+        except FileNotFoundError:
+            print(f"[ Error ] Can't find {filename}")
+            exit_code = 1
+        except PermissionError:
+            print(f"[ Error ] Can't read/write {filename}")
+            exit_code = 1
+        except:
+            print(f"[ Error ] An error occurred while processing {filename}")
+            exit_code = 1
+    return exit_code
+if __name__ == "__main__":
+    exit(main(argv[1:]))
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-06-24 17:13:29 +0000
committer	GitHub <noreply@github.com>	2019-06-24 17:13:29 +0000
commit	85e664520271128110718cc741579587b3917048 (patch)
tree	d6f73acb1f61d93dc9a5ff6c7812010082201bb3
parent	disable firetunnel at config time (#2793) (diff)
download	firejail-85e664520271128110718cc741579587b3917048.tar.gz firejail-85e664520271128110718cc741579587b3917048.tar.zst firejail-85e664520271128110718cc741579587b3917048.zip

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..28ee1c436 --- /dev/null +++ b/.github/pull_request_template.md
@@ -0,0 +1,17 @@
		1	If you make a PR for new profiles or changeing profiles please do the following:
		2	- The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
		3	Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository.
		4	- Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).
		5	The path to it depends on your distro:
		6
		7	\| Distro \| Path \|
		8	\| ------ \| ---- \|
		9	\| Arch/Fedora \| `/lib64/firejail/sort.py` \|
		10	\| Debian/Ubuntu/Mint \| `/usr/lib/x86_64-linux-gnu/firejail/sort.py` \|
		11	\| local git clone \| `contrib/sort.py` \|
		12
		13	Note also that the sort.py script exists only since firejail `0.9.61`.
		14
		15	If you have no idea how to do one of these, you can open the PR anyway.
		16
		17	See also [CONTRIBUTING.md](/CONTRIBUTING.md).


diff --git a/Makefile.in b/Makefile.in index 9d0dd69b1..9d21419bc 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -115,6 +115,7 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
115	install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.	115	install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
116	install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.	116	install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
117	install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.	117	install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
		118	install -c -m 0755 contrib/sort.py $(DESTDIR)/$(libdir)/firejail/.
118	endif	119	endif
119	# documents	120	# documents
120	install -m 0755 -d $(DESTDIR)/$(DOCDIR)	121	install -m 0755 -d $(DESTDIR)/$(DOCDIR)


diff --git a/contrib/sort.py b/contrib/sort.py new file mode 100755 index 000000000..d0fcabac2 --- /dev/null +++ b/contrib/sort.py
@@ -0,0 +1,115 @@
		1	#!/usr/bin/env python3
		2	"""
		3	Sort the items of multi-item options in profiles, the following options are supported:
		4	private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol
		5
		6	Usage:
		7	$ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ]
		8	Keep in mind that this will overwrite your profile(s).
		9
		10	Examples:
		11	$ ./sort.py MyAwesomeProfile.profile
		12	$ ./sort.py new_profile.profile second_new_profile.profile
		13	$ ./sort.py ~/.config/firejail/*.{profile,inc,local}
		14	$ sudo ./sort.py /etc/firejail/*.{profile,inc,local}
		15
		16	Exit-Codes:
		17	0: No Error; No Profile Fixed.
		18	1: Error, one or more profiles were not processed correctly.
		19	101: No Error; One or more profile were fixed.
		20	"""
		21
		22	# Requirements:
		23	# python >= 3.6
		24	from sys import argv
		25
		26	def sort_alphabetical(raw_items):
		27	items = raw_items.split(",")
		28	items.sort(key=lambda s: s.casefold())
		29	return ",".join(items)
		30
		31	def sort_protocol(protocols):
		32	"""sort the given protocole into this scheme: unix,inet,inet6,netlink,packet"""
		33	# shortcut for common protocol lines
		34	if protocols in ("unix", "unix,inet,inet6"):
		35	return protocols
		36	fixed_protocols = ""
		37	present_protocols = {
		38	"unix": False,
		39	"inet": False,
		40	"inet6": False,
		41	"netlink": False,
		42	"packet": False,
		43	}
		44	for protocol in protocols.split(","):
		45	if protocol == "unix":
		46	present_protocols["unix"] = True
		47	elif protocol == "inet":
		48	present_protocols["inet"] = True
		49	elif protocol == "inet6":
		50	present_protocols["inet6"] = True
		51	elif protocol == "netlink":
		52	present_protocols["netlink"] = True
		53	elif protocol == "packet":
		54	present_protocols["packet"] = True
		55	if present_protocols["unix"]:
		56	fixed_protocols += "unix,"
		57	if present_protocols["inet"]:
		58	fixed_protocols += "inet,"
		59	if present_protocols["inet6"]:
		60	fixed_protocols += "inet6,"
		61	if present_protocols["netlink"]:
		62	fixed_protocols += "netlink,"
		63	if present_protocols["packet"]:
		64	fixed_protocols += "packet,"
		65	return fixed_protocols[:-1]
		66
		67	def fix_profile(filename):
		68	with open(filename, "r+") as profile:
		69	lines = profile.read().split("\n")
		70	was_fixed = False
		71	fixed_profile = []
		72	for line in lines:
		73	if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
		74	fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
		75	elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
		76	fixed_line = f"{line[:13]}{sort_alphabetical(line[13:])}"
		77	elif line[:10] in ("caps.drop ", "caps.keep "):
		78	fixed_line = f"{line[:10]}{sort_alphabetical(line[10:])}"
		79	elif line[:8] == "protocol":
		80	fixed_line = f"protocol {sort_protocol(line[9:])}"
		81	else:
		82	fixed_line = line
		83	if fixed_line != line:
		84	was_fixed = True
		85	fixed_profile.append(fixed_line)
		86	if was_fixed:
		87	profile.seek(0)
		88	profile.truncate()
		89	profile.write("\n".join(fixed_profile))
		90	profile.flush()
		91	print(f"[ Fixed ] {filename}")
		92	return 101
		93	return 0
		94
		95	def main(args):
		96	exit_code = 0
		97	for filename in args:
		98	try:
		99	if exit_code not in (1, 101):
		100	exit_code = fix_profile(filename)
		101	else:
		102	fix_profile(filename)
		103	except FileNotFoundError:
		104	print(f"[ Error ] Can't find {filename}")
		105	exit_code = 1
		106	except PermissionError:
		107	print(f"[ Error ] Can't read/write {filename}")
		108	exit_code = 1
		109	except:
		110	print(f"[ Error ] An error occurred while processing {filename}")
		111	exit_code = 1
		112	return exit_code
		113
		114	if __name__ == "__main__":
		115	exit(main(argv[1:]))