community/firejail: concept is fundamentally flawed, inappropriate for inclusion in Alpine
In IRC, the firejail package recently came up, so I decided to take a look.
I found that firejail
is built with options=suid
, because it needs SUID to set up the sandbox.
At the same time, the security record of firejail
is quite poor, there have been numerous CVEs.
Additionally, the user who discussed firejail
noted that many default profiles are broken anyway.
Given the fact that it is built SUID and executes arbitrary programs, any violation of the sandbox is potentially a privilege escalation directly to root.
Accordingly, without a plan to mitigate this, and fix the broken profiles, I would prefer to see this package excluded from 3.14 release. Shipping "security" tools which are based on an insecure design is extremely flawed conceptually.
An alternative that would be acceptable is bubblejail, which is built on top of bubblewrap. Bubblewrap does not require SUID privilege to operate, as it uses unprivileged user namespaces to set up the sandbox.