- Update to version 0.9.64:

* replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from
    killing the process to returning EPERM to the caller. To get the
    previous behaviour, use --seccomp-error-action=kill or
    syscall:kill syntax when constructing filters, or override in
    /etc/firejail/firejail.config file.
  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
    xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
    With this version nodbus is deprecated, in favor of dbus-user none and
    dbus-system none and will be removed in a future version.
  * DHCP client support
  * firecfg only fix dektop-files if started with sudo
  * SELinux labeling support
  * custom 32-bit seccomp filter support
  * restrict ${RUNUSER} in several profiles
  * blacklist shells such as bash in several profiles
  * whitelist globbing
  * mkdir and mkfile support for /run/user directory
  * support ignore for include
  * --include on the command line
  * splitting up media players whitelists in whitelist-players.inc
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
  * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
  * new profiles: presentations18, presentations18free, textmaker18, teams
  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX

OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=32

firejail-0.9.62-fix-usr-etc.patch

@@ -1,78 +0,0 @@
-From 609be4fda2dda5557de864eba814c42fe2f40dca Mon Sep 17 00:00:00 2001
-From: smitsohu <smitsohu@gmail.com>
-Date: Sun, 9 Feb 2020 11:30:31 +0100
-Subject: [PATCH] openSUSE fix: mount private-etc on /usr/etc as well
-
-see issue #3145
----
- src/firejail/fs_etc.c  | 3 ++-
- src/firejail/sandbox.c | 1 +
- src/include/rundefs.h  | 1 +
- 3 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
-index 7b7813926..76bcb751e 100644
---- a/src/firejail/fs_etc.c
-+++ b/src/firejail/fs_etc.c
-@@ -145,7 +145,8 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
- 	// nothing to do if directory does not exist
- 	struct stat s;
- 	if (stat(private_dir, &s) == -1) {
--		fmessage("Cannot find %s\n", private_dir);
-+		if (arg_debug)
-+			printf("Cannot find %s\n", private_dir);
- 		return;
- 	}
- 
-diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
-index 96ad30bed..4f53cafcc 100644
---- a/src/firejail/sandbox.c
-+++ b/src/firejail/sandbox.c
-@@ -855,6 +855,7 @@ int sandbox(void* sandbox_arg) {
- 			fwarning("private-etc feature is disabled in overlay\n");
- 		else {
- 			fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
-+			fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
- 			// create /etc/ld.so.preload file again
- 			if (need_preload)
- 				fs_trace_preload();
-diff --git a/src/include/rundefs.h b/src/include/rundefs.h
-index 7f9c68be2..1cfeee28d 100644
---- a/src/include/rundefs.h
-+++ b/src/include/rundefs.h
-@@ -42,6 +42,7 @@
- #define RUN_NONEWPRIVS_CFG		RUN_MNT_DIR "/nonewprivs"
- #define RUN_HOME_DIR			RUN_MNT_DIR "/home"
- #define RUN_ETC_DIR			RUN_MNT_DIR "/etc"
-+#define RUN_USR_ETC_DIR		RUN_MNT_DIR "/usretc"
- #define RUN_OPT_DIR			RUN_MNT_DIR "/opt"
- #define RUN_SRV_DIR			RUN_MNT_DIR "/srv"
- #define RUN_BIN_DIR			RUN_MNT_DIR "/bin"
-From cd184e9919bb67fb88ee6208c395682f5f0ba764 Mon Sep 17 00:00:00 2001
-From: smitsohu <smitsohu@gmail.com>
-Date: Sun, 9 Feb 2020 11:33:57 +0100
-Subject: [PATCH] openSUSE fix: search login.defs in /usr/etc, too
-
-see issue #3145
----
- src/lib/firejail_user.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
-index dbf2ca94b..2e03ce0e0 100644
---- a/src/lib/firejail_user.c
-+++ b/src/lib/firejail_user.c
-@@ -43,8 +43,11 @@ static void init_uid_gid_min(void) {
- 
- 	// read the real values from login.def
- 	FILE *fp = fopen("/etc/login.defs", "r");
--	if (!fp)
--		goto errexit;
-+	if (!fp) {
-+		fp = fopen("/usr/etc/login.defs", "r"); // openSUSE
-+		if (!fp)
-+			goto errexit;
-+	}
- 
- 	char buf[MAXBUF];
- 	while (fgets(buf, MAXBUF, fp)) {

firejail-0.9.62.4.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2a2738bded0d4c96ea17094dacdba175516a193d50ce3e743fce7ac1ade7260c
-size 382780

firejail-0.9.62.4.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl86gd4ACgkQLMs2rfxY
-SadQgAf+PMlVCZ+CYNxPoKVV+iXntZTbYrHkfcofVqY4A6ADKUelDb/BEHuuoR5R
-92FMUnN3bh11sMG/NAwqOX5kCNtl33EMYf9xv5dVAf/H5GZjNjYak93Lpu9wJFOD
-NWSAqIqEEWzCov5mJ5+yLdtCJ+Cvx7cMrumod26MzFnGVxXXGvaq8mljGQt7Muxy
-pVEyDwcHIjKKYjSvzP3o1038NuI8My9Gl7Wz/ZCGhkUL1j9u0kYktk7gt3/fE/ju
-QM3f7ZmCsJIrCmHF++3Va1a/U3z6UQaxNTmJ0XyqqzdZ6xv1+WuGXPAfwgdLaxht
-RxipeRnr6o/MaeNGOGPNhiNF+4vY4A==
-=A5n+
------END PGP SIGNATURE-----

firejail-0.9.64.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e53bab074e6c97609a3486d2055e44094025e32b217f374c06dd9e3285e7f2fd
+size 419464

firejail-0.9.64.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl+RloMACgkQLMs2rfxY
+Sadk1wf+OLyTh2JJrZtUztKOxltQVbQ9srPFBxAn2Y/ax4ulv7E9gnEtayuRTNOn
+GFNoHf2db4M2i15JS9iLAyfjn0vjbp47O4Hk+5ir3DVsptWVm2anAtwH3Q0wXZaK
+Q43E9m++imClKs0WMLWfepVXs6QF3o8hfGKZmv/jjnepgDf/ceD7lN8EHpen2QuE
++dcQOpqCLPEGLOsLXugT4lH/9YoYvpHXPEzKvaYpv6BS2PPhwgM3RbLfeQiBlFn2
+DMkeNEp4YUvYnKP9zdGVRpXf2rRBK4izDf39IIb+WTZbUWSMDpZp+ppv5RJ37uah
+rgLsqFF+0wAwZqPOsakx4ikjKSWFVA==
+=jU+V
+-----END PGP SIGNATURE-----

firejail-apparmor-3.0.diff

@@ -1,37 +0,0 @@
-Note: this patch is backported/modified - upstream moved the AppArmor profile
-to etc/apparmor/firejail-default in the meantime
--- cboltz, 2020-10-26
-
-
-
-commit bba750c73469ea315d859464ddd19e495d830a72
-Author: Kristóf Marussy <kristof@marussy.com>
-Date:   Sat Oct 10 13:27:42 2020 +0200
-
-    Fix AppArmor 3.0 support (closes #3659)
-    
-    AppArmor introduces the @{run} variable, which is used in
-    <abstractions/dbus-strict> and <abstractions/dbus-session-strict> among
-    other places. Thus, we follow suit of the built-in profiles and #include
-    <tunables/global>, which includes <tunables/run> in AppArmor 3.0,
-    defining the variable.
-    
-    As <tunables/global> exists in previous versions of AppArmor, too, this
-    patch does not introduce a backward-compatibility issue with Apparmor
-    2.x.
-
-diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
-index 68e20d9b..e396ae7d 100644
---- a/etc/firejail-default
-+++ b/etc/firejail-default
-@@ -2,6 +2,10 @@
- # Generic Firejail AppArmor profile
- #########################################
- 
-+# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
-+# and <abstractions/dbus-session-strict>.
-+#include <tunables/global>
-+
- ##########
- # A simple PID declaration based on Ubuntu's @{pid}
- # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.

firejail.changes

@@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Sun Nov  1 16:58:56 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>
+
+- Update to version 0.9.64:
+  * replaced --nowrap option with --wrap in firemon
+  * The blocking action of seccomp filters has been changed from
+    killing the process to returning EPERM to the caller. To get the
+    previous behaviour, use --seccomp-error-action=kill or
+    syscall:kill syntax when constructing filters, or override in
+    /etc/firejail/firejail.config file.
+  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
+    xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
+    With this version nodbus is deprecated, in favor of dbus-user none and
+    dbus-system none and will be removed in a future version.
+  * DHCP client support
+  * firecfg only fix dektop-files if started with sudo
+  * SELinux labeling support
+  * custom 32-bit seccomp filter support
+  * restrict ${RUNUSER} in several profiles
+  * blacklist shells such as bash in several profiles
+  * whitelist globbing
+  * mkdir and mkfile support for /run/user directory
+  * support ignore for include
+  * --include on the command line
+  * splitting up media players whitelists in whitelist-players.inc
+  * new condition: HAS_NOSOUND
+  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
+  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
+  * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
+  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
+  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
+  * new profiles: presentations18, presentations18free, textmaker18, teams
+  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
+  * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
+  * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
+  * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
+  * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
+  * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
+  * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
+  * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
+  * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
+  * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
+  * new profiles: swell-foop, fdns, five-or-more, steam-runtime
+  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
+  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
+  * new profiles: gapplication, openarena_ded, element-desktop, cawbird
+  * new profiles: freetube, strawberry, jitsi-meet-desktop
+  * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
+  * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
+  * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
+  * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
+  * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
+  * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
+  * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
+  * new profiles: qrencode, ytmdesktop, twitch
+  * new profiles: xournalpp, chromium-freeworld, equalx
+- remove firejail-0.9.62-fix-usr-etc.patch, included upstream
+- remove firejail-apparmor-3.0.diff, included upstream
+
 -------------------------------------------------------------------
 Mon Oct 26 22:34:02 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 

firejail.spec

@@ -17,7 +17,7 @@
 
 
 Name:           firejail
-Version:        0.9.62.4
+Version:        0.9.64
 Release:        0
 Summary:        Linux namepaces sandbox program
 License:        GPL-2.0-only
@@ -25,10 +25,6 @@ Group:          Productivity/Security
 URL:            https://firejail.wordpress.com/
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz
 Source1:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
-# PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file
-Patch0:         firejail-0.9.62-fix-usr-etc.patch
-# PATCH-FIX-UPSTREAM firejail-apparmor-3.0.diff -- https://github.com/netblue30/firejail/issues/3659
-Patch1:         firejail-apparmor-3.0.diff
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libapparmor-devel
@@ -46,8 +42,6 @@ Linux namespace support. It supports sandboxing specific users upon login.
 
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
 sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py
 
 %build
@@ -70,6 +64,7 @@ exit 0
 %verify_permissions -e %{_bindir}/firejail
 
 %files
+%license COPYING
 %attr(4750,root,firejail) %verify(not user group mode) %{_bindir}/firejail
 %{_bindir}/firecfg
 %{_bindir}/firemon
@@ -84,5 +79,10 @@ exit 0
 %config %{_sysconfdir}/apparmor.d/local/firejail-default
 %dir %{_sysconfdir}/apparmor.d
 %dir %{_sysconfdir}/apparmor.d/local
+%dir %{_datadir}/vim/vimfiles
+%dir %{_datadir}/vim/vimfiles/ftdetect
+%dir %{_datadir}/vim/vimfiles/syntax
+%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
+%{_datadir}/vim/vimfiles/syntax/firejail.vim
 
 %changelog