diff options
| author | Kr1ss | 2020-07-10 23:36:57 +0200 |
|---|---|---|
| committer | Kr1ss | 2020-07-10 23:36:57 +0200 |
| commit | 226625d2214eb5f8477abcdcd24dd5d9f0fbe6a8 (patch) | |
| tree | be5cdd197fb1dc2c3bf2bc8cd498224797225b9e | |
| download | aur-226625d2214eb5f8477abcdcd24dd5d9f0fbe6a8.tar.gz | |
initial upload: firejail-no-apparmor 0.9.62-1
| -rw-r--r-- | .SRCINFO | 20 | ||||
| -rw-r--r-- | PKGBUILD | 42 | ||||
| -rw-r--r-- | RELNOTES | 869 |
3 files changed, 931 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 000000000000..a0f5b0f95a03 --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,20 @@ +pkgbase = firejail-no-apparmor + pkgdesc = Linux namespaces sandbox program, compiled without dependency to apparmor + pkgver = 0.9.62 + pkgrel = 1 + url = https://github.com/netblue30/firejail + changelog = RELNOTES + arch = x86_64 + license = GPL2 + provides = firejail + conflicts = firejail + backup = etc/firejail/login.users + backup = etc/firejail/firejail.config + source = https://sourceforge.net/projects/firejail/files/firejail/firejail-0.9.62.tar.xz + source = https://sourceforge.net/projects/firejail/files/firejail/firejail-0.9.62.tar.xz.asc + validpgpkeys = F951164995F5C4006A73411E2CCB36ADFC5849A7 + sha256sums = 0568081ce950c5240e1b2fca7014b798f589657249e17283a14e20e41f8d5ae0 + sha256sums = SKIP + +pkgname = firejail-no-apparmor + diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 000000000000..13afc118227a --- /dev/null +++ b/PKGBUILD @@ -0,0 +1,42 @@ +# Maintainer : Kr1ss $(echo \<kr1ss+x-yandex+com\>|sed s/\+/./g\;s/\-/@/) +# Contributor : Sergej Pupykin <arch+pub@sergej.pp.ru> +# Contributor : ajs124 < aur AT ajs124 DOT de > + + +_pkgname=firejail +pkgname="$_pkgname-no-apparmor" + +pkgver=0.9.62 +pkgrel=1 + +pkgdesc='Linux namespaces sandbox program, compiled without dependency to apparmor' +arch=('x86_64') +license=('GPL2') +url="https://github.com/netblue30/$_pkgname" + +provides=("$_pkgname") +conflicts=("$_pkgname") + +changelog=RELNOTES +backup=("etc/$_pkgname/login.users" + "etc/$_pkgname/$_pkgname.config") +#source=($_pkgname-$pkgver.tar.gz::$url/archive/$pkgver.tar.gz) +source=("https://sourceforge.net/projects/$_pkgname/files/$_pkgname/$_pkgname-$pkgver.tar.xz"{,.asc}) +sha256sums=('0568081ce950c5240e1b2fca7014b798f589657249e17283a14e20e41f8d5ae0' + 'SKIP') +validpgpkeys=('F951164995F5C4006A73411E2CCB36ADFC5849A7') + + +build() { + cd "$_pkgname-$pkgver" + ./configure --prefix=/usr + make +} + +package() { + cd "$_pkgname-$pkgver" + make DESTDIR="$pkgdir" install +} + + +# vim: ts=4 sw=4 noet ft=PKGBUILD: diff --git a/RELNOTES b/RELNOTES new file mode 100644 index 000000000000..e19470475b05 --- /dev/null +++ b/RELNOTES @@ -0,0 +1,869 @@ +firejail (0.9.62) baseline; urgency=low + * added file-copy-limit in /etc/firejail/firejail.config + * profile templates (/usr/share/doc/firejail) + * allow-debuggers support in profiles + * several seccomp enhancements + * compiler flags autodetection + * move chroot entirely from path based to file descriptor based mounts + * whitelisting /usr/share in a large number of profiles + * new scripts in conrib: gdb-firejail.sh and sort.py + * enhancement: whitelist /usr/share in some profiles + * added signal mediation to apparmor profile + * new conditions: HAS_X11, HAS_NET + * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks + * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder + * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli + * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123 + * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123 + * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss + * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt + * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird, + * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, + * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless + * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra + * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity + * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc + * new profiles: electron-mail, gist, gist-paste + -- netblue30 <netblue30@yahoo.com> Sat, 28 Dec 2019 08:00:00 -0500 + +firejail (0.9.60) baseline; urgency=low + * security bug reported by Austin Morton: + Seccomp filters are copied into /run/firejail/mnt, and are writable + within the jail. A malicious process can modify files from inside the + jail. Processes that are later joined to the jail will not have seccomp + filters applied. + * memory-deny-write-execute now also blocks memfd_create + * add private-cwd option to control working directory within jail + * blocking system D-Bus socket with --nodbus + * bringing back Centos 6 support + * drop support for flatpak/snap packages + * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 + * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer + * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring + * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool + * new profiles: netactview, redshift, devhelp, assogiate, subdownloader + * new profiles: font-manager, exfalso, gconf-editor, dconf-editor + * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings + * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag + * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles + * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus + * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt + * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem + * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt + * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker + * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell + * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap + * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata + -- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500 + +firejail (0.9.58,2) baseline; urgency=low + * cgroup flag in /etc/firejail/firejail.config file + * name-change flag in /etc/firejail.config file + * --name rework + * new profiles: klavaro, vscodium + * browser profiles fixes + * various other bugfixes + -- netblue30 <netblue30@yahoo.com> Fri, 8 Feb 2019 08:00:00 -0500 + +firejail (0.9.58) baseline; urgency=low + * --disable-mnt rework + * --net.print command + * GitLab CI/CD integration: disto specific builds + * profile parser enhancements and conditional handling support + for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F + * profile name support + * added explicit nonewprivs support to join option + * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms + * new profiles: devilspie, devilspie2, easystroke, github-desktop, min + * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat + * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep + * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat + * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore + * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh + * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie + * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley + * new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland + * new profiles: supertuxkart, ghostwriter, gajim-history-manager + * bugfixes + -- netblue30 <netblue30@yahoo.com> Sat, 26 Jan 2019 08:00:00 -0500 + +firejail (0.9.56) baseline; urgency=low + * modif: removed CFG_CHROOT_DESKTOP configuration option + * modif: removed compile time --enable-network=restricted + * modif: removed compile time --disable-bind + * modif: --net=none allowed even if networking was disabled at compile + time or at run time + * modif: allow system users to run the sandbox + * support wireless devices in --net option + * support tap devices in --net option (tunneling support) + * allow IP address configuration if the parent interface specified + by --net is not configured (--netmask) + * support for firetunnel utility + * disable U2F devices (--nou2f) + * add --private-cache to support private ~/.cache + * support full paths in private-lib + * globbing support in private-lib + * support for local user directories in firecfg (--bindir) + * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint, + * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, + * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, + * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd, + * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois, + * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3 + * new profiles: start-tor-browser.desktop + -- netblue30 <netblue30@yahoo.com> Tue, 18 Sep 2018 08:00:00 -0500 + +firejail (0.9.54) baseline; urgency=low + * modif: --force removed + * modif: --csh, --zsh removed + * modif: --debug-check-filename removed + * modif: --git-install and --git-uninstall removed + * modif: support for private-bin, private-lib and shell none has been + disabled while running AppImage archives in order to be able to use + our regular profile files with AppImages. + * modif: restrictions for /proc, /sys and /run/user directories + are moved from AppArmor profile into firejail executable + * modif: unifying Chromium and Firefox browsers profiles. + All users of Firefox-based browsers who use addons and plugins + that read/write from ${HOME} will need to uncomment the includes for + firefox-common-addons.inc in firefox-common.profile. + * modif: split disable-devel.inc into disable-devel and + disable-interpreters.inc + * Firejail user access database (/etc/firejail/firejail.users, + man firejail-users) + * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) + * Spectre mitigation patch for gcc and clang compiler + * D-Bus handling (--nodbus) + * AppArmor support for overlayfs and chroot sandboxes + * AppArmor support for AppImages + * Enable AppArmor by default for a large number of programs + * firejail --apparmor.print option + * firemon --apparmor option + * apparmor yes/no flag in /etc/firejail/firejail.config + * seccomp syscall list update for glibc 2.26-10 + * seccomp disassembler for --seccomp.print option + * seccomp machine code optimizer for default seccomp filters + * IPv6 DNS support + * whitelist support for overlay and chroot sandboxes + * private-dev support for overlay and chroot sandboxes + * private-tmp support for overlay and chroot sandboxes + * added sandbox name support in firemon + * firemon/prctl enhancements + * noblacklist support for /sys/module directory + * whitelist support for /sys/module directory + * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, + * new profiles: discord-canary, pycharm-community, pycharm-professional, + * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, + * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes, + * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, + * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud, + * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2, + * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack, + * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion, + * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind, + * new profiles: qmmp, sayonara + -- netblue30 <netblue30@yahoo.com> Wed, 16 May 2018 08:00:00 -0500 + +firejail (0.9.52) baseline; urgency=low + * modif: --allow-private-blacklists was deprecated; blacklisting, + read-only, read-write, tmpfs and noexec are allowed in + private home directories + * modif: remount-proc-sys deprecated from firejail.config + * modif: follow-symlink-private-bin deprecated from firejail.config + * modif: --profile-path was deprecated + * enhancement: support Firejail user config directory in firecfg + * enhancement: disable DBus activation in firecfg + * enhancement; enumerate root directories in apparmor profile + * enhancement: /etc and /usr/share whitelisting support + * enhancement: globbing support for --private-bin + * feature: systemd-resolved integration + * feature: whitelisting /var directory in most profiles + * feature: GTK2, GTK3 and Qt4 private-lib support + * feature: --debug-private-lib + * feature: test deployment of private-lib for the following + applications: evince, galculator, gnome-calculator, + leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu, + atril, mate-color-select, tar, file, strings, gpicview, + eom, eog, gedit, pluma + * feature: --writable-run-user + * feature: --rlimit-as + * feature: --rlimit-cpu + * feature: --timeout + * feature: profile build tool (--build) + * feature: --netfilter.print + * feature: --netfilter6.print + * feature: netfilter template support + * new profiles: upstreamed many profiles from the following sources: + https://github.com/chiraag-nataraj/firejail-profiles, + https://github.com/nyancat18/fe, + https://aur.archlinux.org/packages/firejail-profiles. + * new profiles: terasology, surf, rocketchat, clamscan, clamdscan, + clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5, + brackets, calligra, calligraauthor, calligraconverter, calligraflow, + calligraplan, calligraplanwork, calligrasheets, calligrastage, + calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, + google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, + mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en, + Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish, + cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, + xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass, + kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report + cower (Arch), kdeinit4 + -- netblue30 <netblue30@yahoo.com> Thu, 7 Dec 2017 08:00:00 -0500 + +firejail (0.9.50) baseline; urgency=low + * modif: --output split in two commands, --output and --output-stderr + * feature: per-profile disable-mnt (--disable-mnt) + * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) + * feature: private /lib directory (--private-lib) + * feature: disable CDROM/DVD drive (--nodvd) + * feature: disable DVB devices (--notv) + * feature: --profile.print + * enhancement: print all seccomp filters under --debug + * enhancement: /proc/sys mounting + * enhancement: rework IP address assignment for --net options + * enhancement: support for newer Xpra versions (2.1+) - + set xpra-attach yes in /etc/firejail/firejail.config + * enhancement: all profiles use a standard layout style + * enhancement: create /usr/local for firecfg if the directory doesn't exist + * enhancement: allow full paths in --private-bin + * seccomp feature: --memory-deny-write-execute + * seccomp feature: seccomp post-exec + * seccomp feature: block secondary architecture (--seccomp.block_secondary) + * seccomp feature: seccomp syscall groups + * seccomp enhancement: print all seccomp filters under --debug + * seccomp enhancement: default seccomp list update + * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, + * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, + * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, + * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux + * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, + * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter + * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball + * new profiles: sqlitebrowse, Yandex Browser, minetest + * bugfixes + -- netblue30 <netblue30@yahoo.com> Sat, 30 Sep 2017 08:00:00 -0500 + +firejail (0.9.50~rc1) baseline; urgency=low + * release pending! + * modif: --output split in two commands, --output and --output-stderr + * feature: per-profile disable-mnt (--disable-mnt) + * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) + * feature: private /lib directory (--private-lib) + * feature: disable CDROM/DVD drive (--nodvd) + * feature: disable DVB devices (--notv) + * feature: --profile.print + * enhancement: print all seccomp filters under --debug + * enhancement: /proc/sys mounting + * enhancement: rework IP address assignment for --net options + * enhancement: support for newer Xpra versions (2.1+) - + set xpra-attach yes in /etc/firejail/firejail.config + * enhancement: all profiles use a standard layout style + * enhancement: create /usr/local for firecfg if the directory doesn't exist + * enhancement: allow full paths in --private-bin + * seccomp feature: --memory-deny-write-execute + * seccomp feature: seccomp post-exec + * seccomp feature: block secondary architecture (--seccomp.block_secondary) + * seccomp feature: seccomp syscall groups + * seccomp enhancement: print all seccomp filters under --debug + * seccomp enhancement: default seccomp list update + * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, + * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, + * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, + * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux + * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, + * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter + * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball + * new profiles: sqlitebrowse, Yandex Browser, minetest + * bugfixes + -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 + +firejail (0.9.48) baseline; urgency=low + * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent; + please use ~/Downloads directory for saving files + * modifs: AppArmor made optional; a warning is printed on the screen + if the sandbox fails to load the AppArmor profile + * feature: --novideo + * feature: drop discretionary access control capabilities for + root sandboxes + * feature: added /etc/firejail/globals.local for global customizations + * feature: profile support in overlayfs mode + * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake + * bugfixes + -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 08:00:00 -0500 + +firejail (0.9.46) baseline; urgency=low + * security: split most of networking code in a separate executable + * security: split seccomp filter code configuration in a separate executable + * security: split file copying in private option in a separate executable + * feature: disable gnupg and systemd directories under /run/user + * feature: test coverage (gcov) support + * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) + * feature: private /opt directory (--private-opt, profile support) + * feature: private /srv directory (--private-srv, profile support) + * feature: spoof machine-id (--machine-id, profile support) + * feature: allow blacklists under --private (--allow-private-blacklist, + profile support) + * feature: user-defined /etc/hosts file (--hosts-file, profile support) + * feature: support for the real /var/log directory (--writable-var-log, + profile support) + * feature: config support for firejail prompt in terminals + * feature: AppImage type 2 support + * feature: pass command line arguments to appimages + * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come + * feature: added a number of Python scripts for handling sandboxes + * feature: allow local customization using .local files under /etc/firejail + * feature: follow-symlink-as-user runtime config option in + /etc/firejail/firejail.config + * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config + * feature: xvfb X11 server support (--x11=xvfb) + * feature: allow /tmp directory in mkdir and mkfile profile commands + * feature: implemented --noblacklist command, profile support + * feature: config support to disable access to /mnt and /media (disable-mnt) + * feature: config support to disable join (join) + * feature: disabled Go, Rust, and OpenSSL in disable-devel.conf + * feature: support overlay, overlay-named and overlay-tmpfs in profile files + * feature: allow PulseAudio sockets in --private-tmp + * feature: --fix-sound support in firecfg + * feature: added support for sandboxing Xpra, Xvfb and Xephyr in + independent sandboxes when started with firejail --x11 + * feature: enable automatic X server sandboxing for --x11=xpra + and --x11=xephyr + * feature: support for Xpra extra params in firejail config file + * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire, + * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, + * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, + * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, + * new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail, + * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa, + * new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, + * new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking, + * new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, + * new profiles: Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, + * new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin, + * new profiles: mate-calc, mate-dictionary, mate-color-select, caja, + * new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes + * new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr + * new profiles: Blender, 2048-qt + * bugfixes + -- netblue30 <netblue30@yahoo.com> Sun, 14 May 2017 08:00:00 -0500 + +firejail (0.9.44.10) baseline; urgency=low + * security: when using --x11=xorg and --net, incorrect processing of + the return code of /usr/bin/xauth could end up in starting the + sandbox without X11 security extension installed. Problem found/fixed + by Zack Weinberg + * bugfix: ~/.pki directory whitelisted and later blacklisted. This affects + most browsers, and disables the custom certificates installed by the user + * bugfix: firecfg config fix + * bugfix: gajim security profile fix + * bugfix: man page fix + * bugfix: force-nonewprivs fix for /etc/firejail/firejail.config + * bugfix: xephyr-extra-params fix for /etc/firejail/firejail.config + * bugfix: memory corruption in noblacklist processing + * bugfix: --quiet fix for Arch and Fedora systems + * bugfix: updated Keepass(x) profiles + * bugfix: firemon --nowrap problem + * bugfix: document firemon --nowrap in man page and in --help option + * bugfix: bash completion for --noblacklist command + * bugfix: vlc profile fix + * bugfix: fixed handling of .local profile files when the software is + installed in ~/.local directory + * bugfix: temporarily remove private-tmp from all profiles, until a fix for + .Xauthority file handling in KDE becomes available + * maintenance: --output cleanup + * maintenance: updated copyright statement in all files + -- netblue30 <netblue30@yahoo.com> Sat, 18 Mar 2017 10:00:00 -0500 + +firejail (0.9.44.8) baseline; urgency=low + * bugfix: fix broken PulseAudio support + -- netblue30 <netblue30@yahoo.com> Wed, 18 Jan 2017 10:00:00 -0500 + +firejail (0.9.44.6) baseline; urgency=low + * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week, + new CVE code assigned after release: CVE-2017-5940 + * security: major cleanup of file copying code + * security: tightening the rules for --chroot and --overlay features + * bugfix: ported Gentoo compile patch + * bugfix: Nvidia drivers bug in --private-dev + * bugfix: fix ASSERT_PERMS_FD macro + * feature: allow local customization using .local files under /etc/firejail + backported from our development branch + * feature: spoof machine-id backported from our development branch + -- netblue30 <netblue30@yahoo.com> Sun, 15 Jan 2017 10:00:00 -0500 + +firejail (0.9.44.4) baseline; urgency=low + * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) + * security: disabled --allow-debuggers when running on kernel + versions prior to 4.8; a kernel bug in ptrace system call + allows a full bypass of seccomp filter; problem reported by Lizzie Dixon + (CVE-2017-5206) + * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) + -- netblue30 <netblue30@yahoo.com> Sat, 7 Jan 2017 10:00:00 -0500 + +firejail (0.9.44.2) baseline; urgency=low + * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) + * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson + * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) + * security: several security enhancements + * bugfix: crashing VLC by pressing Ctrl-O + * bugfix: use user configured icons in KDE + * bugfix: mkdir and mkfile are not applied to private directories + * bugfix: cannot open files on Deluge running under KDE + * bugfix: --private=dir where dir is the user home directory + * bugfix: cannot start Vivaldi browser + * bugfix: cannot start mupdf + * bugfix: ssh profile problems + * bugfix: --quiet + * bugfix: quiet in git profile + * bugfix: memory corruption + -- netblue30 <netblue30@yahoo.com> Fri, 2 Dec 2016 08:00:00 -0500 + +firejail (0.9.44) baseline; urgency=low + * CVE-2016-9016 submitted by Aleksey Manevich + * modifs: removed man firejail-config + * modifs: --private-tmp whitelists /tmp/.X11-unix directory + * modifs: Nvidia drivers added to --private-dev + * modifs: /srv supported by --whitelist + * feature: allow user access to /sys/fs (--noblacklist=/sys/fs) + * feature: support starting/joining sandbox is a single command + (--join-or-start) + * feature: X11 detection support for --audit + * feature: assign a name to the interface connected to the bridge + (--veth-name) + * feature: all user home directories are visible (--allusers) + * feature: add files to sandbox container (--put) + * feature: blocking x11 (--x11=block) + * feature: X11 security extension (--x11=xorg) + * feature: disable 3D hardware acceleration (--no3d) + * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands + * feature: move files in sandbox (--put) + * feature: accept wildcard patterns in user name field of restricted + shell login feature + * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape + * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, + * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot + * new profiles: Flowblade, Eye of GNOME (eog), Evolution + * bugfixes + -- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500 + +firejail (0.9.42) baseline; urgency=low + * security: --whitelist deleted files, submitted by Vasya Novikov + * security: disable x32 ABI in seccomp, submitted by Jann Horn + * security: tighten --chroot, submitted by Jann Horn + * security: terminal sandbox escape, submitted by Stephan Sokolow + * security: several TOCTOU fixes submitted by Aleksey Manevich + * modifs: bringing back --private-home option + * modifs: deprecated --user option, please use "sudo -u username firejail" + * modifs: allow symlinks in home directory for --whitelist option + * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" + * modifs: recursive mkdir + * modifs: include /dev/snd in --private-dev + * modifs: seccomp filter update + * modifs: release archives moved to .xz format + * feature: AppImage support (--appimage) + * feature: AppArmor support (--apparmor) + * feature: Ubuntu snap support (/etc/firejail/snap.profile) + * feature: Sandbox auditing support (--audit) + * feature: remove environment variable (--rmenv) + * feature: noexec support (--noexec) + * feature: clean local overlay storage directory (--overlay-clean) + * feature: store and reuse overlay (--overlay-named) + * feature: allow debugging inside the sandbox with gdb and strace + (--allow-debuggers) + * feature: mkfile profile command + * feature: quiet profile command + * feature: x11 profile command + * feature: option to fix desktop files (firecfg --fix) + * compile time: Busybox support (--enable-busybox-workaround) + * compile time: disable overlayfs (--disable-overlayfs) + * compile time: disable whitelisting (--disable-whitelist) + * compile time: disable global config (--disable-globalcfg) + * run time: enable/disable overlayfs (overlayfs yes/no) + * run time: enable/disable quiet as default (quiet-by-default yes/no) + * run time: user-defined network filter (netfilter-default) + * run time: enable/disable whitelisting (whitelist yes/no) + * run time: enable/disable remounting of /proc and /sys + (remount-proc-sys yes/no) + * run time: enable/disable chroot desktop features (chroot-desktop yes/no) + * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice + * profiles: pix, audacity, xz, xzdec, gzip, cpio, less + * profiles: Atom Beta, Atom, jitsi, eom, uudeview + * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, + * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox + * bugfixes + -- netblue30 <netblue30@yahoo.com> Thu, 8 Sept 2016 08:00:00 -0500 + +firejail (0.9.40) baseline; urgency=low + * added --nice option + * added --x11 option + * added --x11=xpra option + * added --x11=xephyr option + * added --cpu.print option + * added filetransfer options --ls and --get + * added --writable-etc and --writable-var options + * added --read-only option + * added mkdir, ipc-namespace, and nosound profile commands + * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands + * --version also prints compile options + * --output option also redirects stderr + * added compile-time option to restrict --net= to root only + * run time config support, man firejail-config + * added firecfg utility + * AppArmor fixes + * default seccomp filter update + * disable STUN/WebRTC in default netfilter configuration + * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril + * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars + * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq + * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 + * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player + * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox + * new profiles: generic Ubuntu snap application profile, xplayer + * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation + * new profiles: Brave, Gitter + * generic.profile renamed default.profile + * build rpm packages using "make rpms" + * bugfixes + -- netblue30 <netblue30@yahoo.com> Sun, 29 May 2016 08:00:00 -0500 + +firejail (0.9.38.10) baseline; urgency=low + * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week + new CVE code assigned after release: CVE-2017-5940 + * security: tightening the rules for --chroot + * bugfix: ported Gentoo compile patch + * bugfix: fix ASSERT_PERMS_FD macro + -- netblue30 <netblue30@yahoo.com> Sun, 15 Jan 2017 10:00:00 -0500 + +firejail (0.9.38.8) baseline; urgency=low + * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) + -- netblue30 <netblue30@yahoo.com> Sat, 7 Jan 2017 10:00:00 -0500 + +firejail (0.9.38.6) baseline; urgency=low + * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) + * bugfix: crashing VLC by pressing Ctrl-O + -- netblue30 <netblue30@yahoo.com> Fri, 16 Dec 2016 10:00:00 -0500 + +firejail (0.9.38.4) baseline; urgency=low + * CVE-2016-7545 submitted by Aleksey Manevich + * bugfixes + -- netblue30 <netblue30@yahoo.com> Mon, 10 Oct 2016 10:00:00 -0500 + +firejail (0.9.38.2) baseline; urgency=low + * security: --whitelist deleted files, submitted by Vasya Novikov + * security: disable x32 ABI, submitted by Jann Horn + * security: tighten --chroot, submitted by Jann Horn + * security: terminal sandbox escape, submitted by Stephan Sokolow + * feature: clean local overlay storage directory (--overlay-clean) + * bugfixes + -- netblue30 <netblue30@yahoo.com> Tue, 23 Aug 2016 10:00:00 -0500 + +firejail (0.9.38) baseline; urgency=low + * IPv6 support (--ip6 and --netfilter6) + * --join command enhancement (--join-network, --join-filesystem) + * added --user command + * added --disable-network and --disable-userns compile time flags + * Centos 6 support + * symlink invocation + * added KMail, Seamonkey, Telegram, Mathematica, uGet, + * and mupen64plus profiles + * --chroot in user mode allowed only if seccomp support is available + * in current Linux kernel (CVE-2016-10123) + * deprecated --private-home feature + * the first protocol list installed takes precedence + * --tmpfs option allowed only running as root (CVE-2016-10117) + * added --private-tmp option + * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121) + * bugfixes + -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 + +firejail (0.9.36) baseline; urgency=low + * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, + parole and rtorrent profiles + * Google Chrome profile rework + * added google-chrome-stable profile + * added google-chrome-beta profile + * added google-chrome-unstable profile + * Opera profile rework + * added opera-beta profile + * added --noblacklist option + * added --profile-path option + * added --force option + * whitelist command enhancements + * prevent user name enumeration + * added /etc/firejail/nolocal.net network filter + * added /etc/firejail/webserver.net network filter + * blacklisting firejail configuration by default + * allow default gateway configuration for --interface option + * --debug enhancements: --debug-check-filenames, --debug-blacklists, + --debug-whitelists + * filesystem log + * libtrace enhancements, tracing opendir call + * added --tracelog option + * added "name" command to profile files + * added "hostname" command to profile files + * added automated feature testing framework + * Debian reproducible build + * bugfixes + -- netblue30 <netblue30@yahoo.com> Sun, 27 Dec 2015 09:00:00 -0500 + +firejail (0.9.34) baseline; urgency=low + * added --ignore option + * added --protocol option + * support dual i386/amd64 seccomp filters + * added Google Chrome profile + * added Steam, Skype, Wine and Conkeror profiles + * bugfixes + -- netblue30 <netblue30@yahoo.com> Sat, 7 Nov 2015 08:00:00 -0500 + +firejail (0.9.32) baseline; urgency=low + * added --interface option + * added --mtu option + * added --private-bin option + * added --nosound option + * added --hostname option + * added --quiet option + * added seccomp errno support + * added FBReader default profile + * added Spotify default profile + * lots of default security profile changes + * fixed a security problem on multi-user systems + * bugfixes + -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2015 08:00:00 -0500 + + +firejail (0.9.30) baseline; urgency=low + * added a disable-history.inc profile as a result of Firefox PDF.js exploit; + disable-history.inc included in all default profiles + * Firefox PDF.js exploit (CVE-2015-4495) fixes + * added --private-etc option + * added --env option + * added --whitelist option + * support ${HOME} token in include directive in profile files + * --private.keep is transitioned to --private-home + * support ~ and blanks in blacklist option + * support "net none" command in profile files + * using /etc/firejail/generic.profile by default for user sessions + * using /etc/firejail/server.profile by default for root sessions + * added build --enable-fatal-warnings configure option + * added persistence to --overlay option + * added --overlay-tmpfs option + * make install-strip implemented, make install renamed + * bugfixes + -- netblue30 <netblue30@yahoo.com> Mon, 14 Sept 2015 08:00:00 -0500 + +firejail (0.9.28) baseline; urgency=low + * network scanning, --scan option + * interface MAC address support, --mac option + * IP address range, --iprange option + * traffic shaping, --bandwidth option + * reworked printing of network status at startup + * man pages rework + * added firejail-login man page + * added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default + profiles + * added an /etc/firejail/disable-common.inc file to hold common directory + blacklists + * blacklist Opera and Chrome/Chromium config directories in profile files + * support noroot option for profile files + * enabled noroot in default profile files + * bugfixes + -- netblue30 <netblue30@yahoo.com> Sat, 1 Aug 2015 08:00:00 -0500 + +firejail (0.9.26) baseline; urgency=low + * private dev directory + * private.keep option for whitelisting home files in a new private directory + * user namespaces support, noroot option + * added Deluge and qBittorent profiles + * bugfixes + -- netblue30 <netblue30@yahoo.com> Thu, 30 Apr 2015 08:00:00 -0500 + + +firejail (0.9.24) baseline; urgency=low + * whitelist and blacklist seccomp filters + * doubledash option + * --shell=none support + * netfilter file support in profile files + * dns server support in profile files + * added --dns.print option + * added default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem. + * added --caps.drop=all in default profiles + * new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp + * clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init + * Bugfix: using /proc/sys/kernel/pid_max for the max number of pids + * two build patches from Reiner Herman (tickets 11, 12) + * man page patch from Reiner Herman (ticket 13) + * output patch (ticket 15) from sshirokov + + -- netblue30 <netblue30@yahoo.com> Sun, 5 Apr 2015 08:00:00 -0500 + +firejail (0.9.22) baseline; urgency=low + * Replaced --noip option with --ip=none + * Container stdout logging and log rotation + * Added process_vm_readv, process_vm_writev and mknod to + * default seccomp blacklist + * Added CAP_MKNOD to default caps blacklist + * Blacklist and whitelist custom Linux capabilities filters + * macvlan device driver support for --net option + * DNS server support, --dns option + * Netfilter support + * Monitor network statistics, --netstats option + * Added profile for Mozilla Thunderbird/Icedove + * - --overlay support for Linux kernels 3.18+ + * Bugfix: preserve .Xauthority file in private mode (test with ssh -X) + * Bugfix: check uid/gid for cgroup + + -- netblue30 <netblue30@yahoo.com> Mon, 9 Mar 2015 09:00:00 -0500 + +firejail (0.9.20) baseline; urgency=low + * utmp, btmp and wtmp enhancements + * create empty /var/log/wtmp and /var/log/btmp files in sandbox + * generate a new /var/run/utmp file in sandbox + * CPU affinity, --cpu option + * Linux control groups support, --cgroup option + * Opera web browser support + * VLC support + * Added "empty" attribute to seccomp command to remove the default + * syscall list form seccomp blacklist + * Added --nogroups option to disable supplementary groups for regular + * users. root user always runs without supplementary groups. + * firemon enhancements + * display the command that started the sandbox + * added --caps option to display capabilities for all sandboxes + * added --cgroup option to display the control groups for all sandboxes + * added --cpu option to display CPU affinity for all sandboxes + * added --seccomp option to display seccomp setting for all sandboxes + * New compile time options: --disable-chroot, --disable-bind + * bugfixes + + -- netblue30 <netblue30@yahoo.com> Mon, 02 Feb 2015 08:00:00 -0500 + +firejail (0.9.18) baseline; urgency=low + * Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls + * Support for tracing setreuid, setregid, setresuid, setresguid syscalls + * Added profiles for transmission-gtk and transmission-qt + * bugfixes + + -- netblue30 <netblue30@yahoo.com> Fri, 25 Dec 2014 10:00:00 -0500 + +firejail (0.9.16) baseline; urgency=low + * Configurable private home directory + * Configurable default user shell + * Software configuration support for --docdir and DESTDIR + * Profile file support for include, caps, seccomp and private keywords + * Dropbox profile file + * Linux capabilities and seccomp filters enabled by default for Firefox, + Midori, Evince and Dropbox + * bugfixes + + -- netblue30 <netblue30@yahoo.com> Tue, 4 Nov 2014 10:00:00 -0500 + +firejail (0.9.14) baseline; urgency=low + * Linux capabilities and seccomp filters are automatically enabled in + chroot mode (--chroot option) if the sandbox is started as regular user + * Added support for user defined seccomp blacklists + * Added syscall trace support + * Added --tmpfs option + * Added --balcklist option + * Added --read-only option + * Added --bind option + * Logging enhancements + * --overlay option was reactivated + * Added firemon support to print the ARP table for each sandbox + * Added firemon support to print the route table for each sandbox + * Added firemon support to print interface information for each sandbox + * bugfixes + + -- netblue30 <netblue30@yahoo.com> Tue, 15 Oct 2014 10:00:00 -0500 + +firejail (0.9.12.2) baseline; urgency=low + * Fix for pulseaudio problems + * --overlay option was temporarily disabled in this build + + -- netblue30 <netblue30@yahoo.com> Mon, 29 Sept 2014 07:00:00 -0500 + +firejail (0.9.12.1) baseline; urgency=low + * Fix for pulseaudio problems + * --overlay option was temporarily disabled in this build + + -- netblue30 <netblue30@yahoo.com> Mon, 22 Sept 2014 09:00:00 -0500 + +firejail (0.9.12) baseline; urgency=low + * Added capabilities support + * Added support for CentOS 7 + * bugfixes + + -- netblue30 <netblue30@yahoo.com> Mon, 15 Sept 2014 10:00:00 -0500 + +firejail (0.9.10) baseline; urgency=low + * Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot + * Fixed --top option CPU utilization calculation + * Implemented --tree option in firejail and firemon + * Implemented --join=name option + * Implemented --shutdown option + * Preserve the current working directory if possible + * Cppcheck and clang errors cleanup + * Added a Chromium web browser profile + + -- netblue30 <netblue30@yahoo.com> Thu, 28 Aug 2014 07:00:00 -0500 + +firejail (0.9.8.1) baseline; urgency=low + * FIxed a number of bugs introduced in 0.9.8 + + -- netblue30 <netblue30@yahoo.com> Fri, 25 Jul 2014 07:25:00 -0500 + +firejail (0.9.8) baseline; urgency=low + * Implemented nowrap mode for firejail --list command option + * Added --top option in both firejail and firemon + * seccomp filter support + * Added pid support for firemon + * bugfixes + + -- netblue30 <netblue30@yahoo.com> Tue, 24 Jul 2014 08:51:00 -0500 + +firejail (0.9.6) baseline; urgency=low + + * Mounting tmpfs on top of /var/log, required by several server programs + * Server fixes for /var/lib and /var/cache + * Private mode fixes + * csh and zsh default shell support + * Chroot mode fixes + * Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd, + + -- netblue30 <netblue30@yahoo.com> Sat, 7 Jun 2014 09:00:00 -0500 + +firejail (0.9.4) baseline; urgency=low + + * Fixed resolv.conf on Ubuntu systems using DHCP + * Fixed resolv.conf on Debian systems using resolvconf package + * Fixed /var/lock directory + * Fixed /var/tmp directory + * Fixed symbolic links in profile files + * Added profiles for evince, midori + + -- netblue30 <netblue30@yahoo.com> Sun, 4 May 2014 08:00:00 -0500 + +firejail (0.9.2) baseline; urgency=low + + * Checking IP address passed with --ip option using ARP; exit if the address + is already present + * Using a lock file during ARP address assignment in order to removed a race + condition. + * Several fixes to --private option; it also mounts a tmpfs filesystem on top + of /tmp + * Added user access check for profile file + * Added --defaultgw option + * Added support of --noip option; it is necessary for DHCP setups + * Added syslog support + * Added support for "tmpfs" and "read-only" profile commands + * Added an expect-based testing framework for the project + * Added bash completion support + * Added support for multiple networks + + -- netblue30 <netblue30@yahoo.com> Fri, 25 Apr 2014 08:00:00 -0500 + +firejail (0.9) baseline; urgency=low + + * First beta version + + -- netblue30 <netblue30@yahoo.com> Sat, 12 Apr 2014 09:00:00 -0500 |