@glitsj16
Last active June 10, 2017 01:21
#!/bin/sh
#
## build & install firejail from git via checkinstall
#+ assumptions:
#+ expects presence of $HOME/Downloads/deb.control.firejail
#+ which offers a template for creating a nice .deb
#+ (its Version field holds the placeholder <version>, filled in below)
#+ content is in comment attached to this gist
### vars
package="firejail"
repo_url="https://github.com/netblue30/firejail.git"
control_template="${HOME}/Downloads/deb.control.${package}"
### logic
cd "$HOME" || exit 1
# the control template is needed later; fail early instead of
# shipping a deb with an empty DEBIAN/control
if [ ! -f "$control_template" ]; then
    echo "O.o --> control template ${control_template} not found - aborting"
    exit 1
fi
# compile in tmpfs
bz_tmpfs="/tmp/bz-${package}"
[ ! -d "$bz_tmpfs" ] && mkdir -p "$bz_tmpfs"
cd "$bz_tmpfs" || exit 1
if ! git clone "$repo_url"; then
    echo "O.o --> repo cloning failed - aborting"
    exit 1
fi
cd "$package" || exit 1
# patches go here
# helpers
# release tag: r<commit count>.<short hash>, e.g. r1234.abcdef0
thisRelease="$(printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)")"
# upstream version: 2nd field of the first "firejail (x.y.z) ..." line in RELNOTES, parens stripped
thisVersion="$(grep -m 1 firejail ./RELNOTES | awk '{print $2}' | tr -d '()')"
thisDebVersion="$thisVersion-$thisRelease"
# configure & compile
./configure --prefix=/usr --enable-apparmor || exit 1
make || exit 1
# initial deb (built only, not installed yet)
sudo checkinstall -y --pkgname "$package" --pkgversion "$thisVersion" --pkgrelease "$thisRelease" --install=no || exit 1
### deb re-assembling magic
dpkg-deb --extract ./*.deb ./tbotnik
dpkg-deb --control ./*.deb ./tbotnik/DEBIAN
# move our template control file into place & fill in the version #
sed "s/<version>/${thisDebVersion}/g" "$control_template" > ./tbotnik/DEBIAN/control
# add firejail profiles to DEBIAN/conffiles so dpkg treats them as config files
ls -1 ./tbotnik/etc/firejail/ > ./tbotnik/DEBIAN/conffiles
sed -i -e 's/^/\/etc\/firejail\//' ./tbotnik/DEBIAN/conffiles
# correct the doc files
rm ./tbotnik/usr/share/doc/firejail/COPYING ./tbotnik/usr/share/doc/firejail/*.md
# gzip the changelog
gzip -c ./tbotnik/usr/share/doc/firejail/RELNOTES > ./tbotnik/usr/share/doc/firejail/changelog.Debian.gz
rm ./tbotnik/usr/share/doc/firejail/RELNOTES
# strip binaries & libs
strip ./tbotnik/usr/bin/firejail
strip ./tbotnik/usr/lib/firejail/libtrace.so
# set correct file ownership inside the deb
sudo chown -R root:root ./tbotnik
# the above drops the setuid root on firejail's binary!
#+ make sure to correct that
sudo chmod 4755 ./tbotnik/usr/bin/firejail
# re-assemble the deb in our Downloads folder
### install & notification
if dpkg-deb -b ./tbotnik "${HOME}/Downloads"; then
    echo "installing.."
    if sudo dpkg -i "${HOME}"/Downloads/"${package}"_*.deb; then
        echo ""
        echo "${package} upgraded"
        rm -f "${HOME}"/Downloads/"${package}"_*.deb > /dev/null 2>&1 &
    else
        echo ""
        echo "${package} ready for manual install via dpkg in ~/Downloads"
    fi
else
    echo ""
    echo "${package} build error"
    exit 1
fi
### post-install commands
cd "$HOME" || exit 1
# remove tmpfs buildzone
sudo rm -fr "$bz_tmpfs" &
exit 0
@glitsj16 (Author)

Package: firejail
Version: <version>
Architecture: amd64
Maintainer: netblue30 <netblue30@yahoo.com>
Installed-Size: 272
Depends: libc6
Section: admin
Priority: extra
Homepage: http://github.com/netblue30/firejail
Description: Linux namespaces sandbox program.
 Firejail is a SUID sandbox program that reduces the risk of security
 breaches by restricting the running environment of untrusted applications
 using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
 Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission
 and VLC.
 .
 Firejail also expands the restricted shell facility found in bash by
 adding Linux namespace support. It also supports sandboxing SSH users
 upon login.

@glitsj16 (Author)

@TBotNik You'll need to chmod +x the script (rename it to whatever you want) and put the content of the above comment into $HOME/Downloads/deb.control.firejail, or edit the path inside the script to wherever you put that file.

Regards
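Two things in the gist are easy to get silently wrong: the `chown -R root:root` step clears the setuid bit on the firejail binary (which the script restores with `chmod 4755`), and the `Version:` line of the control template only becomes valid once the `<version>` placeholder has been substituted. The shell functions below, added here as an example and not part of the gist or of the firejail project, check a rebuilt package for both problems before it is installed with `dpkg -i`. They read the archive listing that `dpkg-deb -c` prints and the control file that `dpkg-deb -f` prints; the function names, the constructed sample listings and the sample version string are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the gist): sanity checks for the rebuilt .deb.
# Real usage, after the gist's "dpkg-deb -b" step:
#   dpkg-deb -c "${HOME}/Downloads/firejail_"*.deb | check_deb_listing
#   dpkg-deb -f "${HOME}/Downloads/firejail_"*.deb | check_control_version
# "dpkg-deb -c" lines have the tar -tv shape:
#   <mode> <user>/<group> <size> <date> <time> <path>

# check_deb_listing: read a "dpkg-deb -c" listing on stdin; return 0 when all
# checks pass, 1 otherwise (each failure is printed on its own line)
check_deb_listing() {
    rc=0
    seen_binary=0
    while read -r mode owner _size _date _time path; do
        [ -n "$mode" ] || continue
        # every entry must be root:root, otherwise the build user's uid/gid
        # ends up inside the package
        if [ "$owner" != "root/root" ]; then
            echo "FAIL: $path is owned by $owner, expected root/root"
            rc=1
        fi
        # nothing may be world-writable (9th character of the mode string)
        case "$mode" in
            ????????w?) echo "FAIL: $path is world-writable ($mode)"; rc=1 ;;
        esac
        # the sandbox binary must be setuid root (the gist's chown clears it)
        if [ "$path" = "./usr/bin/firejail" ]; then
            seen_binary=1
            if [ "$mode" != "-rwsr-xr-x" ] || [ "$owner" != "root/root" ]; then
                echo "FAIL: $path is $mode $owner, expected -rwsr-xr-x root/root (chmod 4755)"
                rc=1
            fi
        fi
    done
    if [ "$seen_binary" -eq 0 ]; then
        echo "FAIL: ./usr/bin/firejail is missing from the package"
        rc=1
    fi
    return "$rc"
}

# check_control_version: read a DEBIAN/control file on stdin; fail when the
# Version field is empty or still carries the template placeholder <version>
check_control_version() {
    ver="$(sed -n 's/^Version:[[:space:]]*//p')"
    case "$ver" in
        ""|*"<version>"*)
            echo "FAIL: Version field not filled in (got '$ver')"
            return 1 ;;
    esac
    return 0
}

# sample_listing good|bad: constructed listings (not real dpkg-deb output) so
# the checks can be exercised without building a package
sample_listing() {
    case "$1" in
        good) cat <<'EOF'
drwxr-xr-x root/root         0 2017-06-10 01:21 ./
drwxr-xr-x root/root         0 2017-06-10 01:21 ./etc/firejail/
-rw-r--r-- root/root      1234 2017-06-10 01:21 ./etc/firejail/firefox.profile
-rwsr-xr-x root/root    250000 2017-06-10 01:21 ./usr/bin/firejail
-rwxr-xr-x root/root     20000 2017-06-10 01:21 ./usr/lib/firejail/libtrace.so
EOF
        ;;
        bad) cat <<'EOF'
drwxr-xr-x root/root         0 2017-06-10 01:21 ./
-rw-rw-rw- root/root      1234 2017-06-10 01:21 ./etc/firejail/firefox.profile
-rwxr-xr-x root/root    250000 2017-06-10 01:21 ./usr/bin/firejail
-rwxr-xr-x user/user     20000 2017-06-10 01:21 ./usr/lib/firejail/libtrace.so
EOF
        ;;
    esac
}

# stand-alone demo on the constructed listings
sample_listing good | check_deb_listing && echo "good listing: OK"
sample_listing bad | check_deb_listing || echo "bad listing: rejected"
```

Both functions return non-zero on failure, so they slot into the gist's flow as `dpkg-deb -c ... | check_deb_listing || exit 1` right before the `dpkg -i` line; the world-writable and non-root-owner checks are not specific to firejail and apply to any package assembled by hand with `dpkg-deb -b`.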
