2016-05-24 07:12:25 +02:00
|
|
|
#
|
|
|
|
|
# spec file for package firejail
|
|
|
|
|
#
|
2022-02-06 22:09:45 +01:00
|
|
|
# Copyright (c) 2022 SUSE LLC
|
2016-05-24 07:12:25 +02:00
|
|
|
#
|
|
|
|
|
# All modifications and additions to the file contributed by third parties
|
|
|
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
|
|
|
# upon. The license for this file, and modifications and additions to the
|
|
|
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
|
|
|
# license for the pristine package is not an Open Source License, in which
|
|
|
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
|
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
|
|
|
# published by the Open Source Initiative.
|
|
|
|
|
|
- update to version 0.9.56:
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=14
2018-09-22 11:20:11 +02:00
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
2016-05-24 07:12:25 +02:00
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Name: firejail
|
2022-06-14 22:25:23 +02:00
|
|
|
Version: 0.9.70
|
2016-05-24 07:12:25 +02:00
|
|
|
Release: 0
|
|
|
|
|
Summary: Linux namepaces sandbox program
|
- update to version 0.9.56:
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=14
2018-09-22 11:20:11 +02:00
|
|
|
License: GPL-2.0-only
|
2016-05-24 07:12:25 +02:00
|
|
|
Group: Productivity/Security
|
2021-02-08 08:37:21 +01:00
|
|
|
URL: https://firejail.wordpress.com
|
Accepting request 867564 from home:13ilya:branches:Virtualization
- Update to 0.9.64.2:
* allow --tmpfs inside $HOME for unprivileged users
* --disable-usertmpfs compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
* added nolocal6.net IPv6 network filter
* new profiles: spectacle, chromium-browser-privacy,
gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer,
gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu,
authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg,
mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.
OBS-URL: https://build.opensuse.org/request/show/867564
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=36
2021-01-28 20:02:27 +01:00
|
|
|
Source0: https://github.com/netblue30/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
|
|
|
|
|
Source1: https://github.com/netblue30/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc
|
2021-07-18 14:48:18 +02:00
|
|
|
# https://firejail.wordpress.com/download-2/
|
|
|
|
|
Source2: %{name}.keyring
|
- update to version 0.9.56:
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=14
2018-09-22 11:20:11 +02:00
|
|
|
BuildRequires: fdupes
|
2016-05-24 07:12:25 +02:00
|
|
|
BuildRequires: gcc-c++
|
Accepting request 522777 from home:avindra
- Update to version 0.9.50:
* New features:
- per-profile disable-mnt (--disable-mnt)
- per-profile support to set X11 Xephyr screen size (--xephyr-screen)
- private /lib directory (--private-lib)
- disable CDROM/DVD drive (--nodvd)
- disable DVB devices (--notv)
- --profile.print
* modif: --output split in two commands, --output and --output-stderr
* set xpra-attach yes in /etc/firejail/firejail.config
* Enhancements:
- print all seccomp filters under --debug
- /proc/sys mounting
- rework IP address assingment for --net options
- support for newer Xpra versions (2.1+) -
- all profiles use a standard layout style
- create /usr/local for firecfg if the directory doesn't exist
- allow full paths in --private-bin
* New seccomp features:
- --memory-deny-write-execute
- seccomp post-exec
- block secondary architecture (--seccomp.block_secondary)
- seccomp syscall groups
- print all seccomp filters under --debug
- default seccomp list update
* new profiles:
curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
Android Studio, electron, riot-web, Extreme Tux Racer,
Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
hashcat, obs, picard, remmina, sdat2img, soundconverter
truecraft, gnome-twitch, tuxguitar, musescore, neverball
sqlitebrowse, Yandex Browser, minetest
OBS-URL: https://build.opensuse.org/request/show/522777
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=8
2017-09-13 11:08:57 +02:00
|
|
|
BuildRequires: libapparmor-devel
|
2021-07-18 14:48:18 +02:00
|
|
|
Requires(post): permissions
|
2018-08-26 12:45:50 +02:00
|
|
|
Requires(pre): shadow
|
2016-05-24 07:12:25 +02:00
|
|
|
|
|
|
|
|
%description
|
|
|
|
|
Firejail is a SUID sandbox program that reduces the risk of security
|
|
|
|
|
breaches by restricting the running environment of untrusted applications
|
|
|
|
|
using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
|
|
|
|
|
many existing applications like Iceweasel/Mozilla Firefox and Chromium.
|
|
|
|
|
|
Accepting request 522777 from home:avindra
- Update to version 0.9.50:
* New features:
- per-profile disable-mnt (--disable-mnt)
- per-profile support to set X11 Xephyr screen size (--xephyr-screen)
- private /lib directory (--private-lib)
- disable CDROM/DVD drive (--nodvd)
- disable DVB devices (--notv)
- --profile.print
* modif: --output split in two commands, --output and --output-stderr
* set xpra-attach yes in /etc/firejail/firejail.config
* Enhancements:
- print all seccomp filters under --debug
- /proc/sys mounting
- rework IP address assingment for --net options
- support for newer Xpra versions (2.1+) -
- all profiles use a standard layout style
- create /usr/local for firecfg if the directory doesn't exist
- allow full paths in --private-bin
* New seccomp features:
- --memory-deny-write-execute
- seccomp post-exec
- block secondary architecture (--seccomp.block_secondary)
- seccomp syscall groups
- print all seccomp filters under --debug
- default seccomp list update
* new profiles:
curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
Android Studio, electron, riot-web, Extreme Tux Racer,
Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
hashcat, obs, picard, remmina, sdat2img, soundconverter
truecraft, gnome-twitch, tuxguitar, musescore, neverball
sqlitebrowse, Yandex Browser, minetest
OBS-URL: https://build.opensuse.org/request/show/522777
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=8
2017-09-13 11:08:57 +02:00
|
|
|
Firejail also expands the restricted shell facility found in bash by adding
|
2016-05-24 07:12:25 +02:00
|
|
|
Linux namespace support. It supports sandboxing specific users upon login.
|
|
|
|
|
|
2021-07-18 20:36:27 +02:00
|
|
|
%package bash-completion
|
|
|
|
|
Summary: Firejail Bash completion
|
|
|
|
|
Group: System/Shells
|
|
|
|
|
Requires: %{name} = %{version}
|
|
|
|
|
Requires: bash-completion
|
|
|
|
|
Supplements: (%{name} and bash-completion)
|
|
|
|
|
|
|
|
|
|
%description bash-completion
|
|
|
|
|
Optional dependency offering bash completion for firejail
|
|
|
|
|
|
|
|
|
|
%package zsh-completion
|
|
|
|
|
Summary: Firejail zsh completion
|
|
|
|
|
Group: System/Shells
|
|
|
|
|
Requires: %{name} = %{version}
|
|
|
|
|
Requires: zsh
|
|
|
|
|
Supplements: (%{name} and zsh)
|
|
|
|
|
|
|
|
|
|
%description zsh-completion
|
|
|
|
|
Optional dependency offering zsh completion for firejail
|
|
|
|
|
|
2016-05-24 07:12:25 +02:00
|
|
|
%prep
|
|
|
|
|
%setup -q
|
2020-11-02 21:06:56 +01:00
|
|
|
sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py contrib/fix_private-bin.py contrib/jail_prober.py
|
2016-05-24 07:12:25 +02:00
|
|
|
|
|
|
|
|
%build
|
2016-10-13 10:58:49 +02:00
|
|
|
%configure --docdir=%{_docdir}/%{name} \
|
|
|
|
|
--enable-apparmor
|
2021-07-18 14:48:18 +02:00
|
|
|
%make_build
|
2016-05-24 07:12:25 +02:00
|
|
|
|
2018-08-26 12:45:50 +02:00
|
|
|
%pre
|
|
|
|
|
getent group firejail >/dev/null || groupadd -r firejail
|
|
|
|
|
exit 0
|
|
|
|
|
|
2016-05-24 07:12:25 +02:00
|
|
|
%install
|
Accepting request 522777 from home:avindra
- Update to version 0.9.50:
* New features:
- per-profile disable-mnt (--disable-mnt)
- per-profile support to set X11 Xephyr screen size (--xephyr-screen)
- private /lib directory (--private-lib)
- disable CDROM/DVD drive (--nodvd)
- disable DVB devices (--notv)
- --profile.print
* modif: --output split in two commands, --output and --output-stderr
* set xpra-attach yes in /etc/firejail/firejail.config
* Enhancements:
- print all seccomp filters under --debug
- /proc/sys mounting
- rework IP address assingment for --net options
- support for newer Xpra versions (2.1+) -
- all profiles use a standard layout style
- create /usr/local for firecfg if the directory doesn't exist
- allow full paths in --private-bin
* New seccomp features:
- --memory-deny-write-execute
- seccomp post-exec
- block secondary architecture (--seccomp.block_secondary)
- seccomp syscall groups
- print all seccomp filters under --debug
- default seccomp list update
* new profiles:
curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
Android Studio, electron, riot-web, Extreme Tux Racer,
Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
hashcat, obs, picard, remmina, sdat2img, soundconverter
truecraft, gnome-twitch, tuxguitar, musescore, neverball
sqlitebrowse, Yandex Browser, minetest
OBS-URL: https://build.opensuse.org/request/show/522777
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=8
2017-09-13 11:08:57 +02:00
|
|
|
%make_install
|
2021-07-18 20:36:27 +02:00
|
|
|
rm %{buildroot}%{_docdir}/firejail/COPYING
|
2018-08-26 12:45:50 +02:00
|
|
|
%fdupes -s %{buildroot}
|
2016-05-24 07:12:25 +02:00
|
|
|
|
|
|
|
|
%post
|
|
|
|
|
%set_permissions %{_bindir}/firejail
|
|
|
|
|
|
|
|
|
|
%verifyscript
|
|
|
|
|
%verify_permissions -e %{_bindir}/firejail
|
|
|
|
|
|
|
|
|
|
%files
|
- Update to version 0.9.64:
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=32
2020-11-01 18:53:52 +01:00
|
|
|
%license COPYING
|
2018-08-26 12:45:50 +02:00
|
|
|
%attr(4750,root,firejail) %verify(not user group mode) %{_bindir}/firejail
|
Accepting request 400690 from home:tiwai:branches:Virtualization
- Update to version 0.9.40:
* Added firecfg utility
* New options: -nice, -cpu.print, -writable-etc, -writable-var,
-read-only
* X11 support: -x11 option (-x11=xpra, -x11=xephr)
* Filetransfer options: –ls and –get
* Added mkdir, ipc-namespace, and nosound profile commands
* added net, ip, defaultgw, ip6, mac, mtu and iprange profile
commands
* Run time config support, man firejail-config
* AppArmor fixes
* Default seccomp filter update
* Disable STUN/WebRTC in default netfilter configuration
* Lots of new profiles
OBS-URL: https://build.opensuse.org/request/show/400690
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=2
2016-06-08 19:13:02 +02:00
|
|
|
%{_bindir}/firecfg
|
2016-05-24 07:12:25 +02:00
|
|
|
%{_bindir}/firemon
|
2021-07-18 14:48:18 +02:00
|
|
|
%{_bindir}/jailcheck
|
2016-05-24 07:12:25 +02:00
|
|
|
%{_libdir}/%{name}
|
|
|
|
|
%doc %{_docdir}/%{name}
|
|
|
|
|
%{_mandir}/man1/*
|
|
|
|
|
%{_mandir}/man5/*
|
|
|
|
|
%dir %{_sysconfdir}/%{name}
|
|
|
|
|
%config %{_sysconfdir}/%{name}/*
|
2018-08-26 12:45:50 +02:00
|
|
|
%config %{_sysconfdir}/apparmor.d/firejail-default
|
2020-08-19 08:28:03 +02:00
|
|
|
%config %{_sysconfdir}/apparmor.d/local/firejail-default
|
2018-08-26 12:45:50 +02:00
|
|
|
%dir %{_sysconfdir}/apparmor.d
|
|
|
|
|
%dir %{_sysconfdir}/apparmor.d/local
|
2022-02-14 12:13:24 +01:00
|
|
|
%dir %{_sysconfdir}/apparmor.d/abstractions
|
|
|
|
|
%dir %{_sysconfdir}/apparmor.d/abstractions/base.d
|
2020-11-02 23:09:54 +01:00
|
|
|
%dir %{_datadir}/vim
|
- Update to version 0.9.64:
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=32
2020-11-01 18:53:52 +01:00
|
|
|
%dir %{_datadir}/vim/vimfiles
|
|
|
|
|
%dir %{_datadir}/vim/vimfiles/ftdetect
|
|
|
|
|
%dir %{_datadir}/vim/vimfiles/syntax
|
|
|
|
|
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
|
|
|
|
|
%{_datadir}/vim/vimfiles/syntax/firejail.vim
|
2016-05-24 07:12:25 +02:00
|
|
|
|
2021-07-18 20:36:27 +02:00
|
|
|
%files bash-completion
|
|
|
|
|
%license COPYING
|
|
|
|
|
%dir %{_datadir}/bash-completion
|
|
|
|
|
%dir %{_datadir}/bash-completion/completions
|
|
|
|
|
%{_datadir}/bash-completion/completions/*
|
|
|
|
|
|
|
|
|
|
%files zsh-completion
|
|
|
|
|
%license COPYING
|
|
|
|
|
%dir %{_datarootdir}/zsh
|
|
|
|
|
%dir %{_datarootdir}/zsh/site-functions/
|
|
|
|
|
%{_datadir}/zsh/site-functions/_firejail
|
2022-02-06 22:09:45 +01:00
|
|
|
/etc/apparmor.d/abstractions/base.d/firejail-base
|
2021-07-18 20:36:27 +02:00
|
|
|
|
2016-05-24 07:12:25 +02:00
|
|
|
%changelog
|
