patch: makepkg failures on Manjaro (pamac and cli)

[netcarver]

Finally tracked down an issue I've been having with updating or installing some (but not all) AUR packages on my home manjaro desktop. Looking back, the failures of the packages to update is correlated to when I installed firejail on the system - but I didn't make the connection at the time.

It seems that the AURs that fail to update all have calls to patch in the PKGBUILD script. On my home system I was getting errors like this when patch was invoked in the build script...

/usr/bin/patch: **** Can't change to directory /var/tmp/pamac-build-home/slack-desktop/pkg/slack-desktop : No such file or directory

...despite the directory being present and having the correct permissions for my home user to access it.

If I edit the script and replace the patch calls with explicit calls to /usr/bin/patch, then the pamac gui or a cli invocation of makepkg both work fine, and I can build and install the updated AURs.

I suspect that the issue lies in the need to whitelist the /var/tmp/pamac-build-home/* directory tree so I tried adding this to my /etc/firejail/patch.local file...

whitelist /var/tmp/pamac-build-home/*

... but this doesn't seem to work, I still need to edit my PKGBUILD files to call the non-jailed version of patch. At least I have a way to update these AURs - but I'd like to get to the point where I don't need to manually edit these files.

Could anyone suggest what else I might try - or what I might be doing wrong here? Thank you!

[rusty-snake]

Related: #5723

[glitsj16]

firejail/etc/inc/disable-exec.inc

Lines 11 to 13 in f1218ef

	# /var is noexec by default for unprivileged users
	# except there is a writable-var option, so just in case:
	noexec /var

Have you tried overriding the above yet by adding this to patch.local?

ignore noexec /var
writable-var

[netcarver]

I've tried the patch.local file in both /etc/firejail/patch.local and ~/.config/firejail/patch.local with the same result.

[glitsj16]

/var/tmp is already whitelisted in whitelist-var-common.inc so you shouldn't have to specify any additional sub-directories like whitelist /var/tmp/pamac-build-home/*.

Not sure how to handle this specific problem though, mostly due to not being familiar with Manjaro. Come to think of it, we have in fact several profiles that might affect this: one for makepkg, one for patch and a few for pamac. Firecfg only enables desktop integration for patch by default, so I'm assuming you don't use makepkg nor pamac via firejail.

What does your /etc/makepkg.conf look like, especially the BUILDDIR environment variable? I would try to set pamac's AUR preferences to the exact same path.

[netcarver]

@glitsj16 Thank you for the feedback.

I believe pamac just hands off AUR builds to makepkg - but don't know for sure. However, I ended up manually running makepkg from the command line within the /var/tmp/pamac-build-home/slack-desktop folder.

Neither makepkg or pamac have links in /usr/local/bin, though the link for patch is present there. For reference, here's the content of the /etc/firejail/makepkg.config file

# Firejail profile for makepkg
# Description: A utility to automate the building of Arch Linux packages
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include makepkg.local
# Persistent global definitions
include globals.local

blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*

# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
# for potential issues and their solutions when Firejailing makepkg

# This profile could be significantly strengthened by adding the following to makepkg.local
# whitelist ${HOME}/<Your Build Folder>
# whitelist ${HOME}/.gnupg

# Enable severely restricted access to ${HOME}/.gnupg
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/gpg.conf
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
# Firejail profile for makepkg
# Description: A utility to automate the building of Arch Linux packages
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include makepkg.local
# Persistent global definitions
include globals.local

blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*

# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
# for potential issues and their solutions when Firejailing makepkg

# This profile could be significantly strengthened by adding the following to makepkg.local
# whitelist ${HOME}/<Your Build Folder>
# whitelist ${HOME}/.gnupg

# Enable severely restricted access to ${HOME}/.gnupg
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/gpg.conf
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
# Firejail profile for makepkg
# Description: A utility to automate the building of Arch Linux packages
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include makepkg.local
# Persistent global definitions
include globals.local

blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*

# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
# for potential issues and their solutions when Firejailing makepkg

# This profile could be significantly strengthened by adding the following to makepkg.local
# whitelist ${HOME}/<Your Build Folder>
# whitelist ${HOME}/.gnupg

# Enable severely restricted access to ${HOME}/.gnupg
noblacklist ${HOME}/.gnupg
read-only ${HOME}/.gnupg/gpg.conf
read-only ${HOME}/.gnupg/trustdb.gpg
read-only ${HOME}/.gnupg/pubring.kbx
blacklist ${HOME}/.gnupg/random_seed
blacklist ${HOME}/.gnupg/pubring.kbx~
blacklist ${HOME}/.gnupg/private-keys-v1.d
blacklist ${HOME}/.gnupg/crls.d
blacklist ${HOME}/.gnupg/openpgp-revocs.d

# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
noblacklist /var/lib/pacman

include disable-common.inc
include disable-exec.inc
include disable-programs.inc

caps.drop all
machine-id
ipc-namespace
netfilter
no3d
nodvd
nogroups
nonewprivs
# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.
#noroot
nosound
nou2f
notv
novideo
protocol unix,inet,inet6
seccomp
tracelog

disable-mnt
private-cache
private-tmp

memory-deny-write-execute
restrict-namespaces

[netcarver]

For now, I'm just going to delete the link to patch from /usr/bin/local - which will allow me to stop editing AUR build scripts.

[glitsj16]

I believe pamac just hands off AUR builds to makepkg - but don't know for sure.

It does, but with a 'twist': pamac uses its own set of paths by default, like /var/tmp/pamac-build-home. I've played around with a Manjaro ISO yesterday to familiarize with its AUR package build routine in tandem with firejail. Like hinted to before, these (still unexplained) patch failures can quite easily be worked around. Setting BuildDir location to a dedicated path under your ${HOME} - either via GUI > Preferences or directly in /etc/pamac.conf - does work just fine with a firejailed patch according to my testing. Doing the same in /etc/makepkg.conf makes for a better AUR build experience with Firejail.

For now, I'm just going to delete the link to patch from /usr/bin/local - which will allow me to stop editing AUR build scripts.

I can definately understand that kind of decision. Perhaps we should consider dropping patch from firecfg.config, as more users (like @kmk3) experience problems with it apparently. Thanks for bringing this to our attention.

[kmk3]

Relates to:

• Patch fails to run in Artix Linux #4039

Note: I also disable firejail for patch on Artix to avoid failures when
building AUR packages.

[glitsj16]

If you find the time to elaborate on what goes wrong with AUR build routines with Firejail on Artix, please do (either here or in a dedicated thread). I wouldn't mind putting together a few pointers in a wiki page on this topic.