firejail/firejail.changes

-------------------------------------------------------------------
Sun Apr  9 14:43:39 UTC 2023 - Sebastian Wagner <sebix@sebix.at>

- update to version 0.9.72:
  * modif: move hardcoded apps recognized by default in uiapps file
  * modif: remove sandbox edit dialog and replace it with uiapps file
  * feature: added uiapps file for default and user apps configuration
  * feature: added a system network monitor in sandbox stats
  * feature: added apparmor support in firejail-ui
  * feature: added bluetooth support in firejail-ui
  * feature: print final sandbox configuration in firejail-ui
  * bugfixes

-------------------------------------------------------------------
Tue Jun 14 20:21:18 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>

- remove patches fix-internet-access.patch and fix-CVE-2022-31214.patch
  as they are integrated upstream
- update to version 0.9.70:
 - security: CVE-2022-31214 - root escalation in --join logic
 - Reported by Matthias Gerstner, working exploit code was provided to our
 - development team. In the same time frame, the problem was independently
 - reported by Birk Blechschmidt. Full working exploit code was also provided.
 - feature: enable shell tab completion with --tab (#4936)
 - feature: disable user profiles at compile time (#4990)
 - feature: Allow resolution of .local names with avahi-daemon in the apparmor
 - profile (#5088)
 - feature: always log seccomp errors (#5110)
 - feature: firecfg --guide, guided user configuration (#5111)
 - feature: --oom, kernel OutOfMemory-killer (#5122)
 - modif: --ids feature needs to be enabled at compile time (#5155)
 - modif: --nettrace only available to root user
 - rework: whitelist restructuring (#4985)
 - rework: firemon, speed up and lots of fixes
 - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
 - bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
 - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
 - bugfix: fix printing in evince (#5011)
 - bugfix: gcov: fix gcov functions always declared as dummy (#5028)
 - bugfix: Stop warning on safe supplementary group clean (#5114)
 - build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
 - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
 - ci: replace centos (EOL) with almalinux (#4912)
 - ci: fix --version not printing compile-time features (#5147)
 - ci: print version after install & fix apparmor support on build_apparmor
 - (#5148)
 - docs: Refer to firejail.config in configuration files (#4916)
 - docs: firejail.config: add warning about allow-tray (#4946)
 - docs: mention that the protocol command accumulates (#5043)
 - docs: mention inconsistent homedir bug involving --private=dir (#5052)
 - docs: mention capabilities(7) on --caps (#5078)
 - new profiles: onionshare, onionshare-cli, opera-developer, songrec
 - new profiles: node-gyp, npx, semver, ping-hardened
 - removed profiles: nvm

-------------------------------------------------------------------
Wed Jun  8 21:08:03 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>

- fix bsc#1199148 CVE-2022-31214 by adding patch fix-CVE-2022-31214.patch
  using commits from upstream.

-------------------------------------------------------------------
Mon Feb 28 19:38:38 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>

- add fix-internet-access.patch to fix boo#1196542

-------------------------------------------------------------------
Sun Feb  6 21:09:00 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>

- update to firejail 0.9.68:
 - security: on Ubuntu, the PPA is now recommended over the distro package
 - (see README.md) (#4748)
 - security: bugfix: private-cwd leaks access to the entire filesystem
 - (#4780); reported by Hugo Osvaldo Barrera
 - feature: remove (some) environment variables with auth-tokens (#4157)
 - feature: ALLOW_TRAY condition (#4510 #4599)
 - feature: add basic Firejail support to AppArmor base abstraction (#3226
 - #4628)
 - feature: intrusion detection system (--ids-init, --ids-check)
 - feature: deterministic shutdown command (--deterministic-exit-code,
 - --deterministic-shutdown) (#928 #3042 #4635)
 - feature: noprinters command (#4607 #4827)
 - feature: network monitor (--nettrace)
 - feature: network locker (--netlock) (#4848)
 - feature: whitelist-ro profile command (#4740)
 - feature: disable pipewire with --nosound (#4855)
 - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
 - feature: Allow apostrophe in whitelist and blacklist (#4614)
 - feature: AppImage support in --build command (#4878)
 - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
 - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
 - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
 - modifs: nogroups now stopped causing certain system groups to be dropped,
 - which are now controlled by the relevant "no" options instead (such as
 - nosound -> drop audio group), which fixes device access issues on systems
 - not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
 - removal: --disable-whitelist at compile time
 - removal: whitelist=yes/no in /etc/firejail/firejail.config
 - bugfix: Fix sndio support (#4362 #4365)
 - bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
 - bugfix: --build clears the environment (#4460 #4467)
 - bugfix: firejail hangs with net parameter (#3958 #4476)
 - bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
 - bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
 - bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
 - bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
 - bugfix: Firejail rejects empty arguments (#4395)
 - bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
 - bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
 - bugfix: private-etc does not work with symlinks (#4887)
 - bugfix: Hardware key not detected on keepassxc (#4883)
 - build: allow building with address sanitizer (#4594)
 - build: Stop linking pthread (#4695)
 - build: Configure cleanup and improvements (#4712)
 - ci: add profile checks for sorting disable-programs.inc and
 - firecfg.config and for the required arguments in private-etc (#2739 #4643)
 - ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
 - docs: Add new command checklist to CONTRIBUTING.md (#4413)
 - docs: Rework bug report issue template and add both a question and a
 - feature request template (#4479 #4515 #4561)
 - docs: fix contradictory descriptions of machine-id ("preserves" vs
 - "spoofs") (#4689)
 - docs: Document that private-bin and private-etc always accumulate (#4078)
 - new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
 - new includes: disable-proc.inc (#4521)
 - removed includes: disable-passwordmgr.inc (#4454 #4461)
 - new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
 - new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
 - new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
 - new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
 - new profiles: imv, retroarch, torbrowser, CachyBrowser,
 - new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
 - new profiles: Seafile, neovim, com.github.tchx84.Flatseal

-------------------------------------------------------------------
Sun Jul 18 16:45:49 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- firejail 0.9.66:
  * deprecated --audit options, relpaced by jailcheck utility
  * deprecated follow-symlink-as-user from firejail.config
  * new firejail.config settings: private-bin, private-etc
  * new firejail.config settings: private-opt, private-srv
  * new firejail.config settings: whitelist-disable-topdir
  * new firejail.config settings: seccomp-filter-add
  * removed kcmp syscall from seccomp default filter
  * rename --noautopulse to keep-config-pulse
  * filtering environment variables
  * zsh completion
  * command line: --mkdir, --mkfile
  * --protocol now accumulates
  * jailtest utility for testing running sandboxes
  * faccessat2 syscall support
  * --private-dev keeps /dev/input
  * added --noinput to disable /dev/input
  * add support for subdirs in --private-etc
  * subdirs support in private-etc
  * input devices support in private-dev, --no-input
  * support trailing comments on profile lines
  * many new profiles
- split shell completion into standard subpackages

-------------------------------------------------------------------
Sun Feb  7 23:09:58 UTC 2021 - Илья Индиго <ilya@ilya.pp.ua>

- Update to 0.9.64.4:
  * disabled overlayfs, pending multiple fixes
  * fixed launch firefox for open url in telegram-desktop.profile

-------------------------------------------------------------------
Thu Jan 28 18:35:06 UTC 2021 - Илья Индиго <ilya@ilya.pp.ua>

- Update to 0.9.64.2:
  * allow --tmpfs inside $HOME for unprivileged users
  * --disable-usertmpfs compile time option
  * allow AF_BLUETOOTH via --protocol=bluetooth
  * setup guide for new users: contrib/firejail-welcome.sh
  * implement netns in profiles
  * added nolocal6.net IPv6 network filter
  * new profiles: spectacle, chromium-browser-privacy,
    gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer,
    gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu,
    authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg,
    mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.

-------------------------------------------------------------------
Mon Nov  2 19:44:51 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>

- packaging fixes

-------------------------------------------------------------------
Sun Nov  1 16:58:56 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>

- Update to version 0.9.64:
  * replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from
    killing the process to returning EPERM to the caller. To get the
    previous behaviour, use --seccomp-error-action=kill or
    syscall:kill syntax when constructing filters, or override in
    /etc/firejail/firejail.config file.
  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
    xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
    With this version nodbus is deprecated, in favor of dbus-user none and
    dbus-system none and will be removed in a future version.
  * DHCP client support
  * firecfg only fix dektop-files if started with sudo
  * SELinux labeling support
  * custom 32-bit seccomp filter support
  * restrict ${RUNUSER} in several profiles
  * blacklist shells such as bash in several profiles
  * whitelist globbing
  * mkdir and mkfile support for /run/user directory
  * support ignore for include
  * --include on the command line
  * splitting up media players whitelists in whitelist-players.inc
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
  * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
  * new profiles: presentations18, presentations18free, textmaker18, teams
  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
  * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
  * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
  * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
  * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
  * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
  * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
  * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
  * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
  * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
  * new profiles: swell-foop, fdns, five-or-more, steam-runtime
  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
  * new profiles: gapplication, openarena_ded, element-desktop, cawbird
  * new profiles: freetube, strawberry, jitsi-meet-desktop
  * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
  * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
  * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
  * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
  * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
  * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
  * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
  * new profiles: qrencode, ytmdesktop, twitch
  * new profiles: xournalpp, chromium-freeworld, equalx
- remove firejail-0.9.62-fix-usr-etc.patch, included upstream
- remove firejail-apparmor-3.0.diff, included upstream

-------------------------------------------------------------------
Mon Oct 26 22:34:02 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>

- Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with
  AppArmor 3.0 (add missing include <tunables/global>)

-------------------------------------------------------------------
Wed Aug 19 06:15:16 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>

- Update to 0.9.62.4
  * fix AppArmor broken in the previous release
  * miscellaneous fixes

-------------------------------------------------------------------
Thu Aug 13 06:13:57 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>

- Update to 0.9.62.2
  * fix CVE-2020-17367
  * fix CVE-2020-17368
  * additional hardening and bug fixes
- Remove fix-CVE-2020-17368.patch
- Remove fix-CVE-2020-17367.patch

-------------------------------------------------------------------
Sat Aug  8 16:56:43 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>

- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986

-------------------------------------------------------------------
Wed Apr 29 11:30:38 UTC 2020 - Michael Vetter <mvetter@suse.com>

- Add firejail-0.9.62-fix-usr-etc.patch:
  Check /usr/etc not just /etc
- Replace python interpreter line in sort.py

-------------------------------------------------------------------
Tue Feb 11 22:32:46 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- update to version 0.9.62 
  * added file-copy-limit in /etc/firejail/firejail.config
  * profile templates (/usr/share/doc/firejail)
  * allow-debuggers support in profiles
  * several seccomp enhancements
  * compiler flags autodetection
  * move chroot entirely from path based to file descriptor based mounts
  * whitelisting /usr/share in a large number of profiles
  * new scripts in conrib: gdb-firejail.sh and sort.py
  * enhancement: whitelist /usr/share in some profiles
  * added signal mediation to apparmor profile
  * new conditions: HAS_X11, HAS_NET
  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
  * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
  * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
  * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
  * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
  * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
  * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
  * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
  * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
  * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
  * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
  * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
  * new profiles: electron-mail, gist, gist-paste

-------------------------------------------------------------------
Sun Jun  2 16:30:42 UTC 2019 - Sebastian Wagner <sebix+novell.com@sebix.at>

- update to version 0.9.60:
 * security bug reported by Austin Morton:
   Seccomp filters are copied into /run/firejail/mnt, and are writable
   within the jail. A malicious process can modify files from inside the
   jail. Processes that are later joined to the jail will not have seccomp
   filters applied.
   CVE-2019-12589
   boo#1137139
 * memory-deny-write-execute now also blocks memfd_create
 * add private-cwd option to control working directory within jail
 * blocking system D-Bus socket with --nodbus
 * bringing back Centos 6 support
 * drop support for flatpak/snap packages
 * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
 * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
 * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
 * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
 * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
 * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
 * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
 * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
 * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
 * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
 * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
 * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
 * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
 * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
 * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
 * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
 * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata

-------------------------------------------------------------------
Fri Feb  1 07:29:32 UTC 2019 - info@paolostivanin.com

-  update to version 0.9.58:
  * --disable-mnt rework
  * --net.print command
  * GitLab CI/CD integration: disto specific builds
  * profile parser enhancements and conditional handling support
     for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F
  * profile name support
  * added explicit nonewprivs support to join option
  * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
  * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
  * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
  * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
  * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
  * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
  * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
  * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
  * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
  * new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland
  * new profiles: supertuxkart, ghostwriter, gajim-history-manager
  * bugfixes

-------------------------------------------------------------------
Sat Sep 22 09:11:21 UTC 2018 - Sebastian Wagner <sebix+novell.com@sebix.at>

- update to version 0.9.56:
  * modif: removed CFG_CHROOT_DESKTOP configuration option
  * modif: removed compile time --enable-network=restricted
  * modif: removed compile time --disable-bind
  * modif: --net=none allowed even if networking was disabled at compile
     time or at run time
  * modif: allow system users to run the sandbox
  * support wireless devices in --net option
  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified
     by --net is not configured (--netmask)
  * support for firetunnel utility
  * disable U2F devices (--nou2f)
  * add --private-cache to support private ~/.cache
  * support full paths in private-lib
  * globbing support in private-lib
  * support for local user directories in firecfg (--bindir)
  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
  * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
  * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
  * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
  * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
  * new profiles: start-tor-browser.desktop

-------------------------------------------------------------------
Tue Sep 11 08:12:48 UTC 2018 - Markos Chandras <mchandras@suse.de>

- Drop ldconfig calls since firejail libraries are installed in their
  own subdirectory which is not scanned by ldconfig.

-------------------------------------------------------------------
Mon Sep 10 08:58:32 UTC 2018 - Markos Chandras <mchandras@suse.de>

- Remove the rpmlintrc file since the warnings are no longer relevant.

-------------------------------------------------------------------
Thu Aug 23 19:34:44 UTC 2018 - sebix+novell.com@sebix.at

- Changed the permissions of the firejail executable to 4750.
  Setuid mode is used, but only allowed for users in the newly
  created group 'firejail' (boo#1059013).
- Update to version 0.9.54:
  * modif: --force removed
  * modif: --csh, --zsh removed
  * modif: --debug-check-filename removed
  * modif: --git-install and --git-uninstall removed
  * modif: support for private-bin, private-lib and shell none has been
     disabled while running AppImage archives in order to be able to use
     our regular profile files with AppImages.
  * modif: restrictions for /proc, /sys and /run/user directories
     are moved from AppArmor profile into firejail executable
  * modif: unifying Chromium and Firefox browsers profiles.
     All users of Firefox-based browsers who use addons and plugins
     that read/write from ${HOME} will need to uncomment the includes for
     firefox-common-addons.inc in firefox-common.profile.
  * modif: split disable-devel.inc into disable-devel and
     disable-interpreters.inc
  * Firejail user access database (/etc/firejail/firejail.users,
     man firejail-users)
  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
  * Spectre mitigation patch for gcc and clang compiler
  * D-Bus handling (--nodbus)
  * AppArmor support for overlayfs and chroot sandboxes
  * AppArmor support for AppImages
  * Enable AppArmor by default for a large number of programs
  * firejail --apparmor.print option
  * firemon --apparmor option
  * apparmor yes/no flag in /etc/firejail/firejail.config
  * seccomp syscall list update for glibc 2.26-10
  * seccomp disassembler for --seccomp.print option
  * seccomp machine code optimizer for default seccomp filters
  * IPv6 DNS support
  * whitelist support for overlay and chroot sandboxes
  * private-dev support for overlay and chroot sandboxes
  * private-tmp support for overlay and chroot sandboxes
  * added sandbox name support in firemon
  * firemon/prctl enhancements
  * noblacklist support for /sys/module directory
  * whitelist support for /sys/module directory
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
  * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
  * new profiles: qmmp, sayonara

-------------------------------------------------------------------
Wed Dec 13 00:54:11 UTC 2017 - avindra@opensuse.org

- Update to version 0.9.52:
  * New features
    + systemd-resolved integration
    + whitelisted /var in most profiles
    + GTK2, GTK3 and Qt4 private-lib support
    + --debug-private-lib
    + test deployment of private-lib for the some apps: evince,
      galculator, gnome-calculator, leafpad, mousepad,
      transmission-gtk, xcalc, xmr-stak-cpu, atril,
      mate-color-select, tar, file, strings, gpicview, eom, eog,
      gedit, pluma
    + netfilter template support
    + various new arguments
      * --writable-run-user
      * --rlimit-as
      * --rlimit-cpu
      * --timeout
      * --build (profile build tool)
      * --netfilter.print
      * --netfilter6.print
  * deprecations in modif 
    + --allow-private-blacklists (blacklisting, read-only,
      read-write, tmpfs and noexec are allowed in private home
      directories
    + remount-proc-sys (firejail.config)
    + follow-symlink-private-bin (firejail.config)
    + --profile-path
  * enhancements
    + support Firejail user config directory in firecfg
    + disable DBus activation in firecfg
    + enumerate root directories in apparmor profile
    + /etc and /usr/share whitelisting support
    + globbing support for --private-bin
  * new profiles: upstreamed profiles from 3 sources:
    + https://github.com/chiraag-nataraj/firejail-profiles
    + https://github.com/nyancat18/fe
    + https://aur.archlinux.org/packages/firejail-profiles
  * new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
    clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
    brackets, calligra, calligraauthor, calligraconverter,
    calligraflow, calligraplan, calligraplanwork, calligrasheets,
    calligrastage, calligrawords, cin, dooble, dooble-qt4,
    fetchmail, freecad, freecadcmd, google-earth,imagej, karbon,
    1kdenlive, krita, linphone, lmms, macrofusion, mpd, natron,
    Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
    Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg,
    bluefish, cinelerra, openshot-qt, pinta, uefitool, aosp,
    pdfmod, gnome-ring, xcalc, zaproxy, kopete, cliqz,
    signal-desktop, kget, nheko, Enpass, kwin_x11, krunner, ping,
    bsdtar, makepkg (Arch), archaudit-report cower (Arch), kdeinit4
- Add full link to source tarball from sourceforge
- Add asc file

-------------------------------------------------------------------
Sat Sep  9 14:40:29 UTC 2017 - aavindraa@gmail.com

- Update to version 0.9.50:
  * New features:
    - per-profile disable-mnt (--disable-mnt)
    - per-profile support to set X11 Xephyr screen size (--xephyr-screen)
    - private /lib directory (--private-lib)
    - disable CDROM/DVD drive (--nodvd)
    - disable DVB devices (--notv)
    - --profile.print
  * modif: --output split in two commands, --output and --output-stderr
  * set xpra-attach yes in /etc/firejail/firejail.config
  * Enhancements:
    - print all seccomp filters under --debug
    - /proc/sys mounting
    - rework IP address assingment for --net options
    - support for newer Xpra versions (2.1+) -
    - all profiles use a standard layout style
    - create /usr/local for firecfg if the directory doesn't exist
    - allow full paths in --private-bin
   * New seccomp features:
    - --memory-deny-write-execute
    - seccomp post-exec
    - block secondary architecture (--seccomp.block_secondary)
    - seccomp syscall groups
    - print all seccomp filters under --debug
    - default seccomp list update
  * new profiles:
    curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
    Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
    Android Studio, electron, riot-web, Extreme Tux Racer,
    Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
    telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
    hashcat, obs, picard, remmina, sdat2img, soundconverter
    truecraft, gnome-twitch, tuxguitar, musescore, neverball
    sqlitebrowse, Yandex Browser, minetest

-------------------------------------------------------------------
Tue Aug 15 15:47:49 CEST 2017 - tiwai@suse.de

- Update to version 0.9.48:
  * modifs: whitelisted Transmission, Deluge, qBitTorrent,
    KTorrent;
    please use ~/Downloads directory for saving files
  * modifs: AppArmor made optional; a warning is printed on the
    screen if the sandbox fails to load the AppArmor profile
  * feature: --novideo
  * feature: drop discretionary access control capabilities for
    root sandboxes
  * feature: added /etc/firejail/globals.local for global
    customizations
  * feature: profile support in overlayfs mode
  * new profiles: vym, darktable, Waterfox, digiKam, Catfish,
    HandBrake
  * bugfixes

-------------------------------------------------------------------
Mon Jan 16 16:33:59 CET 2017 - tiwai@suse.de

- Update to version 0.9.44.4:
  * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * disabled --allow-debuggers when running on kernel versions prior
    to 4.8; a kernel bug in ptrace system call allows a full bypass
    of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  * root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
  * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * major cleanup of file copying code
  * tightening the rules for --chroot and --overlay features
  * ported Gentoo compile patch
  * Nvidia drivers bug in --private-dev
  * fix ASSERT_PERMS_FD macro
  * allow local customization using .local files under /etc/firejail
    backported from our development branch
  * spoof machine-id backported from our development branch
- Remove obsoleted patches:
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch

-------------------------------------------------------------------
Thu Jan  5 10:38:43 CET 2017 - tiwai@suse.de

- Update to version 0.9.44.2:
  Security fixes:
  * overwrite /etc/resolv.conf found by Martin Carpenter
  * TOCTOU exploit for –get and –put found by Daniel Hodson
  * invalid environment exploit found by Martin Carpenter
  * several security enhancements
  Bugfixes:
  * crashing VLC by pressing Ctrl-O
  * use user configured icons in KDE
  * mkdir and mkfile are not applied to private directories
  * cannot open files on Deluge running under KDE
  * –private=dir where dir is the user home directory
  * cannot start Vivaldi browser
  * cannot start mupdf
  * ssh profile problems
  * –quiet
  * quiet in git profile
  * memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch

-------------------------------------------------------------------
Thu Oct 27 17:49:48 CEST 2016 - tiwai@suse.de

- Update to version 0.9.44:
  * CVE-2016-7545 submitted by Aleksey Manevich
  Modifications:
  * removed man firejail-config
  * –private-tmp whitelists /tmp/.X11-unix directory
  * Nvidia drivers added to –private-dev
  * /srv supported by –whitelist
  New features:
  * allow user access to /sys/fs (–noblacklist=/sys/fs)
  * support starting/joining sandbox is a single command (–join-or-start)
  * X11 detection support for –audit
  * assign a name to the interface connected to the bridge (–veth-name)
  * all user home directories are visible (–allusers)
  * add files to sandbox container (–put)
  * blocking x11 (–x11=block)
  * X11 security extension (–x11=xorg)
  * disable 3D hardware acceleration (–no3d)
  * x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
  * move files in sandbox (–put)
  * accept wildcard patterns in user name field of restricted shell login feature
  New profiles:
  * qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
  * feh, ranger, zathura, 7z, keepass, keepassx,
  * claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
  * Flowblade, Eye of GNOME (eog), Evolution

-------------------------------------------------------------------
Fri Sep 30 10:56:58 CEST 2016 - tiwai@suse.de

- Update to version 0.9.42:
  Security fixes:
  * –whitelist deleted files
  * disable x32 ABI in seccomp
  * tighten –chroot
  * terminal sandbox escape
  * several TOCTOU fixes
  Behavior changes:
  * bringing back –private-home option
  * deprecated –user option, please use “sudo -u username firejail”
  * allow symlinks in home directory for –whitelist option
  * Firejail prompt is enabled by env variable FIREJAIL_PROMPT=”yes”
  * recursive mkdir
  * include /dev/snd in –private-dev
  * seccomp filter update
  * release archives moved to .xz format
  New features:
  * AppImage support (–appimage)
  * AppArmor support (–apparmor)
  * Ubuntu snap support (/etc/firejail/snap.profile)
  * Sandbox auditing support (–audit)
  * remove environment variable (–rmenv)
  * noexec support (–noexec)
  * clean local overlay storage directory (–overlay-clean)
  * store and reuse overlay (–overlay-named)
  * allow debugging inside the sandbox with gdb and strace (–allow-debuggers)
  * mkfile profile command
  * quiet profile command
  * x11 profile command
  * option to fix desktop files (firecfg –fix)
  Build options:
  * Busybox support (–enable-busybox-workaround)
  * disable overlayfs (–disable-overlayfs)
  * disable whitlisting (–disable-whitelist)
  * disable global config (–disable-globalcfg)
  Runtime options:
  * enable/disable overlayfs (overlayfs yes/no)
  * enable/disable quiet as default (quiet-by-default yes/no)
  * user-defined network filter (netfilter-default)
  * enable/disable whitelisting (whitelist yes/no)
  * enable/disable remounting of /proc and /sys (remount-proc-sys yes/no)
  * enable/disable chroot desktop features (chroot-desktop yes/no)
  New/updated profiels:
  * Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * pix, audacity, xz, xzdec, gzip, cpio, less
  * Atom Beta, Atom, jitsi, eom, uudeview
  * tar (gtar), unzip, unrar, file, skypeforlinux,
  * inox, Slack, gnome-chess. Gajim IM client, DOSBox
- Enable apparmor support

-------------------------------------------------------------------
Wed Jun  8 15:20:43 CEST 2016 - tiwai@suse.de

- Update to version 0.9.40:
  * Added firecfg utility
  * New options: -nice, -cpu.print, -writable-etc, -writable-var,
    -read-only
  * X11 support: -x11 option (-x11=xpra, -x11=xephr)
  * Filetransfer options: –ls and –get
  * Added mkdir, ipc-namespace, and nosound profile commands
  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile
    commands
  * Run time config support, man firejail-config
  * AppArmor fixes
  * Default seccomp filter update
  * Disable STUN/WebRTC in default netfilter configuration
  * Lots of new profiles

-------------------------------------------------------------------
Tue May 17 17:13:03 CEST 2016 - tiwai@suse.de

- initial package: 0.9.38