Busybox

[reinerh]

I just saw and #3411 and remembered that BusyBox also has a built-in shell.
But in addition to that it also has a bunch of other programs (busybox --list).
So BusyBox might be used to run programs that would otherwise be blocked.
What about blocking it by default? In the case it is needed, one can unblock it again.

[glitsj16]

What about blocking it by default? In the case it is needed, one can unblock it again.

Nice catch. We could add it to disable-common.inc, which should provide broader blocking coverage than #3411 would IMO. Being a utility for rescue and embedded systems the impact of blocking busybox by default should be (very) minimal. Plus we can do that straight-away, no need to wait until @rusty-snake is ready to merge his disable-shell.inc work.

[reinerh]

Added in 5e2d5aa.

[xplshn]

Nice catch. We could add it to disable-common.inc, which should provide broader blocking coverage than #3411 would IMO. Being a utility for rescue and embedded systems the impact of blocking busybox by default should be (very) minimal. Plus we can do that straight-away, no need to wait until @rusty-snake is ready to merge his disable-shell.inc work.

... How can I build firejail in Alpine?

[kmk3]

... How can I build firejail in Alpine?

It's described in README.md:

• https://github.com/netblue30/firejail?tab=readme-ov-file#other

See also the alpine CI job:

• firejail/.gitlab-ci.yml

  Lines 95 to 110 in 2301ab2

  	build_src_package:
  	image: alpine:latest
  	timeout: 10 minutes
  	script:
  	- apk update
  	- apk upgrade
  	- apk add build-base linux-headers gawk
  	- ./ci/printenv.sh
  	# Note: Do not use ` --enable-fatal-warnings` because the build
  	# currently produces warnings on Alpine (see #6224).
  	- >
  	./configure --prefix=/usr
  	|| (cat config.log; exit 1)
  	- make
  	- make install-strip
  	- make print-version

[xplshn]

Sorry, didn't catch it. THanks!