2016-05-24 07:12:25 +02:00
#
# spec file for package firejail
#
2022-02-06 22:09:45 +01:00
# Copyright (c) 2022 SUSE LLC
2016-05-24 07:12:25 +02:00
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
- update to version 0.9.56:
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=14
2018-09-22 11:20:11 +02:00
# Please submit bugfixes or comments via https://bugs.opensuse.org/
2016-05-24 07:12:25 +02:00
#
Name : firejail
2022-02-06 22:09:45 +01:00
Version : 0.9.68
2016-05-24 07:12:25 +02:00
Release : 0
Summary : Linux namepaces sandbox program
- update to version 0.9.56:
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=14
2018-09-22 11:20:11 +02:00
License : GPL-2.0-only
2016-05-24 07:12:25 +02:00
Group : Productivity/Security
2021-02-08 08:37:21 +01:00
URL : https://firejail.wordpress.com
Accepting request 867564 from home:13ilya:branches:Virtualization
- Update to 0.9.64.2:
* allow --tmpfs inside $HOME for unprivileged users
* --disable-usertmpfs compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
* added nolocal6.net IPv6 network filter
* new profiles: spectacle, chromium-browser-privacy,
gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer,
gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu,
authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg,
mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.
OBS-URL: https://build.opensuse.org/request/show/867564
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=36
2021-01-28 20:02:27 +01:00
Source0 : https://github.com/netblue30/%{name} /releases/download/%{version} /%{name} -%{version} .tar.xz
Source1 : https://github.com/netblue30/%{name} /releases/download/%{version} /%{name} -%{version} .tar.xz.asc
2021-07-18 14:48:18 +02:00
# https://firejail.wordpress.com/download-2/
Source2 : %{name} .keyring
2022-02-28 20:39:03 +01:00
# PATCH-FIX-UPSTREAM fix-internet-access.patch -- from https://github.com/netblue30/firejail/commit/bb334a8fd4f0911a8dfa1538d02fbd0574b81333.patch
Patch0 : fix-internet-access.patch
2022-06-08 23:08:53 +02:00
# PATCH-FIX-UPSTREAM fix-CVE-2022-31214.patch -- from https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50 and https://github.com/netblue30/firejail/commit/dab835e7a0eb287822016f5ae4e87f46e1d363e7.patch and https://github.com/netblue30/firejail/commit/1884ea22a90d225950d81c804f1771b42ae55f54
Patch1 : fix-CVE-2022-31214.patch
- update to version 0.9.56:
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=14
2018-09-22 11:20:11 +02:00
BuildRequires : fdupes
2016-05-24 07:12:25 +02:00
BuildRequires : gcc-c++
Accepting request 522777 from home:avindra
- Update to version 0.9.50:
* New features:
- per-profile disable-mnt (--disable-mnt)
- per-profile support to set X11 Xephyr screen size (--xephyr-screen)
- private /lib directory (--private-lib)
- disable CDROM/DVD drive (--nodvd)
- disable DVB devices (--notv)
- --profile.print
* modif: --output split in two commands, --output and --output-stderr
* set xpra-attach yes in /etc/firejail/firejail.config
* Enhancements:
- print all seccomp filters under --debug
- /proc/sys mounting
- rework IP address assingment for --net options
- support for newer Xpra versions (2.1+) -
- all profiles use a standard layout style
- create /usr/local for firecfg if the directory doesn't exist
- allow full paths in --private-bin
* New seccomp features:
- --memory-deny-write-execute
- seccomp post-exec
- block secondary architecture (--seccomp.block_secondary)
- seccomp syscall groups
- print all seccomp filters under --debug
- default seccomp list update
* new profiles:
curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
Android Studio, electron, riot-web, Extreme Tux Racer,
Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
hashcat, obs, picard, remmina, sdat2img, soundconverter
truecraft, gnome-twitch, tuxguitar, musescore, neverball
sqlitebrowse, Yandex Browser, minetest
OBS-URL: https://build.opensuse.org/request/show/522777
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=8
2017-09-13 11:08:57 +02:00
BuildRequires : libapparmor-devel
2021-07-18 14:48:18 +02:00
Requires(post) : permissions
2018-08-26 12:45:50 +02:00
Requires(pre) : shadow
2016-05-24 07:12:25 +02:00
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
many existing applications like Iceweasel/Mozilla Firefox and Chromium.
Accepting request 522777 from home:avindra
- Update to version 0.9.50:
* New features:
- per-profile disable-mnt (--disable-mnt)
- per-profile support to set X11 Xephyr screen size (--xephyr-screen)
- private /lib directory (--private-lib)
- disable CDROM/DVD drive (--nodvd)
- disable DVB devices (--notv)
- --profile.print
* modif: --output split in two commands, --output and --output-stderr
* set xpra-attach yes in /etc/firejail/firejail.config
* Enhancements:
- print all seccomp filters under --debug
- /proc/sys mounting
- rework IP address assingment for --net options
- support for newer Xpra versions (2.1+) -
- all profiles use a standard layout style
- create /usr/local for firecfg if the directory doesn't exist
- allow full paths in --private-bin
* New seccomp features:
- --memory-deny-write-execute
- seccomp post-exec
- block secondary architecture (--seccomp.block_secondary)
- seccomp syscall groups
- print all seccomp filters under --debug
- default seccomp list update
* new profiles:
curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
Android Studio, electron, riot-web, Extreme Tux Racer,
Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
hashcat, obs, picard, remmina, sdat2img, soundconverter
truecraft, gnome-twitch, tuxguitar, musescore, neverball
sqlitebrowse, Yandex Browser, minetest
OBS-URL: https://build.opensuse.org/request/show/522777
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=8
2017-09-13 11:08:57 +02:00
Firejail also expands the restricted shell facility found in bash by adding
2016-05-24 07:12:25 +02:00
Linux namespace support. It supports sandboxing specific users upon login.
2021-07-18 20:36:27 +02:00
%package bash-completion
Summary : Firejail Bash completion
Group : System/Shells
Requires : %{name} = %{version}
Requires : bash-completion
Supplements: (%{name} and bash-completion)
%description bash-completion
Optional dependency offering bash completion for firejail
%package zsh-completion
Summary : Firejail zsh completion
Group : System/Shells
Requires : %{name} = %{version}
Requires : zsh
Supplements: (%{name} and zsh)
%description zsh-completion
Optional dependency offering zsh completion for firejail
2016-05-24 07:12:25 +02:00
%prep
%setup -q
2020-11-02 21:06:56 +01:00
sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py contrib/fix_private-bin.py contrib/jail_prober.py
2022-02-28 20:39:03 +01:00
%patch0 -p1
2022-06-08 23:08:53 +02:00
%patch1 -p1
2016-05-24 07:12:25 +02:00
%build
2016-10-13 10:58:49 +02:00
%configure --docdir=%{_docdir} /%{name} \
--enable-apparmor
2021-07-18 14:48:18 +02:00
%make_build
2016-05-24 07:12:25 +02:00
2018-08-26 12:45:50 +02:00
%pre
getent group firejail >/dev/null || groupadd -r firejail
exit 0
2016-05-24 07:12:25 +02:00
%install
Accepting request 522777 from home:avindra
- Update to version 0.9.50:
* New features:
- per-profile disable-mnt (--disable-mnt)
- per-profile support to set X11 Xephyr screen size (--xephyr-screen)
- private /lib directory (--private-lib)
- disable CDROM/DVD drive (--nodvd)
- disable DVB devices (--notv)
- --profile.print
* modif: --output split in two commands, --output and --output-stderr
* set xpra-attach yes in /etc/firejail/firejail.config
* Enhancements:
- print all seccomp filters under --debug
- /proc/sys mounting
- rework IP address assingment for --net options
- support for newer Xpra versions (2.1+) -
- all profiles use a standard layout style
- create /usr/local for firecfg if the directory doesn't exist
- allow full paths in --private-bin
* New seccomp features:
- --memory-deny-write-execute
- seccomp post-exec
- block secondary architecture (--seccomp.block_secondary)
- seccomp syscall groups
- print all seccomp filters under --debug
- default seccomp list update
* new profiles:
curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
Android Studio, electron, riot-web, Extreme Tux Racer,
Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
hashcat, obs, picard, remmina, sdat2img, soundconverter
truecraft, gnome-twitch, tuxguitar, musescore, neverball
sqlitebrowse, Yandex Browser, minetest
OBS-URL: https://build.opensuse.org/request/show/522777
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=8
2017-09-13 11:08:57 +02:00
%make_install
2021-07-18 20:36:27 +02:00
rm %{buildroot} %{_docdir} /firejail/COPYING
2018-08-26 12:45:50 +02:00
%fdupes -s %{buildroot}
2016-05-24 07:12:25 +02:00
%post
%set_permissions %{_bindir} /firejail
%verify script
%verify _permissions -e %{_bindir} /firejail
%files
- Update to version 0.9.64:
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=32
2020-11-01 18:53:52 +01:00
%license COPYING
2018-08-26 12:45:50 +02:00
%attr (4750,root,firejail) %verify (not user group mode) %{_bindir} /firejail
Accepting request 400690 from home:tiwai:branches:Virtualization
- Update to version 0.9.40:
* Added firecfg utility
* New options: -nice, -cpu.print, -writable-etc, -writable-var,
-read-only
* X11 support: -x11 option (-x11=xpra, -x11=xephr)
* Filetransfer options: –ls and –get
* Added mkdir, ipc-namespace, and nosound profile commands
* added net, ip, defaultgw, ip6, mac, mtu and iprange profile
commands
* Run time config support, man firejail-config
* AppArmor fixes
* Default seccomp filter update
* Disable STUN/WebRTC in default netfilter configuration
* Lots of new profiles
OBS-URL: https://build.opensuse.org/request/show/400690
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=2
2016-06-08 19:13:02 +02:00
%{_bindir} /firecfg
2016-05-24 07:12:25 +02:00
%{_bindir} /firemon
2021-07-18 14:48:18 +02:00
%{_bindir} /jailcheck
2016-05-24 07:12:25 +02:00
%{_libdir} /%{name}
%doc %{_docdir} /%{name}
%{_mandir} /man1/*
%{_mandir} /man5/*
%dir %{_sysconfdir} /%{name}
%config %{_sysconfdir} /%{name} /*
2018-08-26 12:45:50 +02:00
%config %{_sysconfdir} /apparmor.d/firejail-default
2020-08-19 08:28:03 +02:00
%config %{_sysconfdir} /apparmor.d/local/firejail-default
2018-08-26 12:45:50 +02:00
%dir %{_sysconfdir} /apparmor.d
%dir %{_sysconfdir} /apparmor.d/local
2022-02-14 12:13:24 +01:00
%dir %{_sysconfdir} /apparmor.d/abstractions
%dir %{_sysconfdir} /apparmor.d/abstractions/base.d
2020-11-02 23:09:54 +01:00
%dir %{_datadir} /vim
- Update to version 0.9.64:
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=32
2020-11-01 18:53:52 +01:00
%dir %{_datadir} /vim/vimfiles
%dir %{_datadir} /vim/vimfiles/ftdetect
%dir %{_datadir} /vim/vimfiles/syntax
%{_datadir} /vim/vimfiles/ftdetect/firejail.vim
%{_datadir} /vim/vimfiles/syntax/firejail.vim
2016-05-24 07:12:25 +02:00
2021-07-18 20:36:27 +02:00
%files bash-completion
%license COPYING
%dir %{_datadir} /bash-completion
%dir %{_datadir} /bash-completion/completions
%{_datadir} /bash-completion/completions/*
%files zsh-completion
%license COPYING
%dir %{_datarootdir} /zsh
%dir %{_datarootdir} /zsh/site-functions/
%{_datadir} /zsh/site-functions/_firejail
2022-02-06 22:09:45 +01:00
/etc/apparmor.d/abstractions/base.d/firejail-base
2021-07-18 20:36:27 +02:00
2016-05-24 07:12:25 +02:00
%changelog
