From 7ad2a2419aeec6a37bfc5766aa90426140f454ccab8703a289804e34e07a6db9 Mon Sep 17 00:00:00 2001 
From: Sebastian Wagner Date: Sun, 1 Nov 2020 17:53:52 +0000 Subject: [PATCH] - Update to version 0.9.64: * replaced --nowrap option with --wrap in firemon * The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use --seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file. * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version. * DHCP client support * firecfg only fix dektop-files if started with sudo * SELinux labeling support * custom 32-bit seccomp filter support * restrict ${RUNUSER} in several profiles * blacklist shells such as bash in several profiles * whitelist globbing * mkdir and mkfile support for /run/user directory * support ignore for include * --include on the command line * splitting up media players whitelists in whitelist-players.inc * new condition: HAS_NOSOUND * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool * new profiles: desktopeditors, impressive, planmaker18, planmaker18free * new profiles: presentations18, presentations18free, textmaker18, teams * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=32 --- firejail-0.9.62-fix-usr-etc.patch | 78 ------------------------------- firejail-0.9.62.4.tar.xz | 3 -- firejail-0.9.62.4.tar.xz.asc | 11 ----- firejail-0.9.64.tar.xz | 3 ++ firejail-0.9.64.tar.xz.asc | 11 +++++ firejail-apparmor-3.0.diff | 37 
---------------
 firejail.changes | 59 +++++++++++++++++++++++
 firejail.spec | 14 +++---
 8 files changed, 80 insertions(+), 136 deletions(-)
 delete mode 100644 firejail-0.9.62-fix-usr-etc.patch
 delete mode 100644 firejail-0.9.62.4.tar.xz
 delete mode 100644 firejail-0.9.62.4.tar.xz.asc
 create mode 100644 firejail-0.9.64.tar.xz
 create mode 100644 firejail-0.9.64.tar.xz.asc
 delete mode 100644 firejail-apparmor-3.0.diff
diff --git a/firejail-0.9.62-fix-usr-etc.patch b/firejail-0.9.62-fix-usr-etc.patch
deleted file mode 100644
index 1cb771c..0000000
--- a/firejail-0.9.62-fix-usr-etc.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 609be4fda2dda5557de864eba814c42fe2f40dca Mon Sep 17 00:00:00 2001
-From: smitsohu
-Date: Sun, 9 Feb 2020 11:30:31 +0100
-Subject: [PATCH] openSUSE fix: mount private-etc on /usr/etc as well
-
-see issue #3145
----
- src/firejail/fs_etc.c | 3 ++-
- src/firejail/sandbox.c | 1 +
- src/include/rundefs.h | 1 +
- 3 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
-index 7b7813926..76bcb751e 100644
---- a/src/firejail/fs_etc.c
-+++ b/src/firejail/fs_etc.c
-@@ -145,7 +145,8 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
- // nothing to do if directory does not exist
- struct stat s;
- if (stat(private_dir, &s) == -1) {
-- fmessage("Cannot find %s\n", private_dir);
-+ if (arg_debug)
-+ printf("Cannot find %s\n", private_dir);
- return;
- }
- 
-diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
-index 96ad30bed..4f53cafcc 100644
---- a/src/firejail/sandbox.c
-+++ b/src/firejail/sandbox.c
-@@ -855,6 +855,7 @@ int sandbox(void* sandbox_arg) {
- fwarning("private-etc feature is disabled in overlay\n");
- else {
- fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
-+ fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
- // create /etc/ld.so.preload file again
- if (need_preload)
- fs_trace_preload();
-diff --git a/src/include/rundefs.h b/src/include/rundefs.h
-index 7f9c68be2..1cfeee28d 100644
---- a/src/include/rundefs.h
-+++ b/src/include/rundefs.h
-@@ -42,6 +42,7 @@
- #define RUN_NONEWPRIVS_CFG RUN_MNT_DIR "/nonewprivs"
- #define RUN_HOME_DIR RUN_MNT_DIR "/home"
- #define RUN_ETC_DIR RUN_MNT_DIR "/etc"
-+#define RUN_USR_ETC_DIR RUN_MNT_DIR "/usretc"
- #define RUN_OPT_DIR RUN_MNT_DIR "/opt"
- #define RUN_SRV_DIR RUN_MNT_DIR "/srv"
- #define RUN_BIN_DIR RUN_MNT_DIR "/bin"
-From cd184e9919bb67fb88ee6208c395682f5f0ba764 Mon Sep 17 00:00:00 2001
-From: smitsohu
-Date: Sun, 9 Feb 2020 11:33:57 +0100
-Subject: [PATCH] openSUSE fix: search login.defs in /usr/etc, too
-
-see issue #3145
----
- src/lib/firejail_user.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
-index dbf2ca94b..2e03ce0e0 100644
---- a/src/lib/firejail_user.c
-+++ b/src/lib/firejail_user.c
-@@ -43,8 +43,11 @@ static void init_uid_gid_min(void) {
- 
- // read the real values from login.def
- FILE *fp = fopen("/etc/login.defs", "r");
-- if (!fp)
-- goto errexit;
-+ if (!fp) {
-+ fp = fopen("/usr/etc/login.defs", "r"); // openSUSE
-+ if (!fp)
-+ goto errexit;
-+ }
- 
- char buf[MAXBUF];
- while (fgets(buf, MAXBUF, fp)) {
diff --git a/firejail-0.9.62.4.tar.xz b/firejail-0.9.62.4.tar.xz
deleted file mode 100644
index ac11ff8..0000000
--- a/firejail-0.9.62.4.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2a2738bded0d4c96ea17094dacdba175516a193d50ce3e743fce7ac1ade7260c
-size 382780
diff --git a/firejail-0.9.62.4.tar.xz.asc b/firejail-0.9.62.4.tar.xz.asc
deleted file mode 100644
index ef9f743..0000000
--- a/firejail-0.9.62.4.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl86gd4ACgkQLMs2rfxY
-SadQgAf+PMlVCZ+CYNxPoKVV+iXntZTbYrHkfcofVqY4A6ADKUelDb/BEHuuoR5R
-92FMUnN3bh11sMG/NAwqOX5kCNtl33EMYf9xv5dVAf/H5GZjNjYak93Lpu9wJFOD
-NWSAqIqEEWzCov5mJ5+yLdtCJ+Cvx7cMrumod26MzFnGVxXXGvaq8mljGQt7Muxy
-pVEyDwcHIjKKYjSvzP3o1038NuI8My9Gl7Wz/ZCGhkUL1j9u0kYktk7gt3/fE/ju
-QM3f7ZmCsJIrCmHF++3Va1a/U3z6UQaxNTmJ0XyqqzdZ6xv1+WuGXPAfwgdLaxht
-RxipeRnr6o/MaeNGOGPNhiNF+4vY4A==
-=A5n+
------END PGP SIGNATURE-----
diff --git a/firejail-0.9.64.tar.xz b/firejail-0.9.64.tar.xz
new file mode 100644
index 0000000..98e03fc
--- /dev/null
+++ b/firejail-0.9.64.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e53bab074e6c97609a3486d2055e44094025e32b217f374c06dd9e3285e7f2fd
+size 419464
diff --git a/firejail-0.9.64.tar.xz.asc b/firejail-0.9.64.tar.xz.asc
new file mode 100644
index 0000000..fe7aa3d
--- /dev/null
+++ b/firejail-0.9.64.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl+RloMACgkQLMs2rfxY
+Sadk1wf+OLyTh2JJrZtUztKOxltQVbQ9srPFBxAn2Y/ax4ulv7E9gnEtayuRTNOn
+GFNoHf2db4M2i15JS9iLAyfjn0vjbp47O4Hk+5ir3DVsptWVm2anAtwH3Q0wXZaK
+Q43E9m++imClKs0WMLWfepVXs6QF3o8hfGKZmv/jjnepgDf/ceD7lN8EHpen2QuE
++dcQOpqCLPEGLOsLXugT4lH/9YoYvpHXPEzKvaYpv6BS2PPhwgM3RbLfeQiBlFn2
+DMkeNEp4YUvYnKP9zdGVRpXf2rRBK4izDf39IIb+WTZbUWSMDpZp+ppv5RJ37uah
+rgLsqFF+0wAwZqPOsakx4ikjKSWFVA==
+=jU+V
+-----END PGP SIGNATURE-----
diff --git a/firejail-apparmor-3.0.diff b/firejail-apparmor-3.0.diff
deleted file mode 100644
index cf2833b..0000000
--- a/firejail-apparmor-3.0.diff
+++ /dev/null
@@ -1,37 +0,0 @@ -Note: this patch is backported/modified - upstream moved the AppArmor profile -to etc/apparmor/firejail-default in the meantime --- cboltz, 2020-10-26 - - - -commit bba750c73469ea315d859464ddd19e495d830a72 -Author: Kristóf Marussy -Date: Sat Oct 10 13:27:42 2020 +0200 - - Fix AppArmor 3.0 support (closes #3659) - - AppArmor introduces the @{run} variable, which is used in - and among - other places. Thus, we follow suit of the built-in profiles and #include - , which includes in AppArmor 3.0, - defining the variable. - - As exists in previous versions of AppArmor, too, this - patch does not introduce a backward-compatibility issue with Apparmor - 2.x. - -diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default -index 68e20d9b..e396ae7d 100644 ---- a/etc/firejail-default -+++ b/etc/firejail-default -@@ -2,6 +2,10 @@ - # Generic Firejail AppArmor profile - ######################################### - -+# AppArmor 3.0 uses the @{run} variable in -+# and . -+#include -+ - ########## - # A simple PID declaration based on Ubuntu's @{pid} - # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. diff --git a/firejail.changes b/firejail.changes index e6e915e..3b34970 100644 --- a/firejail.changes +++ b/firejail.changes 
@@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Sun Nov 1 16:58:56 UTC 2020 - Sebastian Wagner
+
+- Update to version 0.9.64:
+ * replaced --nowrap option with --wrap in firemon
+ * The blocking action of seccomp filters has been changed from
+ killing the process to returning EPERM to the caller. To get the
+ previous behaviour, use --seccomp-error-action=kill or
+ syscall:kill syntax when constructing filters, or override in
+ /etc/firejail/firejail.config file.
+ * Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
+ xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
+ With this version nodbus is deprecated, in favor of dbus-user none and
+ dbus-system none and will be removed in a future version.
+ * DHCP client support
+ * firecfg only fix dektop-files if started with sudo
+ * SELinux labeling support
+ * custom 32-bit seccomp filter support
+ * restrict ${RUNUSER} in several profiles
+ * blacklist shells such as bash in several profiles
+ * whitelist globbing
+ * mkdir and mkfile support for /run/user directory
+ * support ignore for include
+ * --include on the command line
+ * splitting up media players whitelists in whitelist-players.inc
+ * new condition: HAS_NOSOUND
+ * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
+ * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
+ * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
+ * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
+ * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
+ * new profiles: presentations18, presentations18free, textmaker18, teams
+ * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
+ * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
+ * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
+ * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
+ * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
+ * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
+ * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
+ * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
+ * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
+ * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
+ * new profiles: swell-foop, fdns, five-or-more, steam-runtime
+ * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
+ * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
+ * new profiles: gapplication, openarena_ded, element-desktop, cawbird
+ * new profiles: freetube, strawberry, jitsi-meet-desktop
+ * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
+ * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
+ * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
+ * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
+ * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
+ * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
+ * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
+ * new profiles: qrencode, ytmdesktop, twitch
+ * new profiles: xournalpp, chromium-freeworld, equalx
+- remove firejail-0.9.62-fix-usr-etc.patch, included upstream
+- remove firejail-apparmor-3.0.diff, included upstream
+
 -------------------------------------------------------------------
 Mon Oct 26 22:34:02 UTC 2020 - Christian Boltz
diff --git a/firejail.spec b/firejail.spec
index d2a30b0..65163c2 100644
--- a/firejail.spec
+++ b/firejail.spec
@@ -17,7 +17,7 @@ Name: firejail
-Version: 0.9.62.4
+Version: 0.9.64
 Release: 0
 Summary: Linux namepaces sandbox program
 License: GPL-2.0-only
@@ -25,10 +25,6 @@ Group: Productivity/Security
 URL: https://firejail.wordpress.com/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz
 Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
-# PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file
-Patch0: firejail-0.9.62-fix-usr-etc.patch
-# PATCH-FIX-UPSTREAM firejail-apparmor-3.0.diff -- https://github.com/netblue30/firejail/issues/3659
-Patch1: firejail-apparmor-3.0.diff
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libapparmor-devel
@@ -46,8 +42,6 @@ Linux namespace support. It supports sandboxing specific users upon login.
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
 sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py
 %build
@@ -70,6 +64,7 @@ exit 0
 %verify_permissions -e %{_bindir}/firejail
 %files
+%license COPYING
 %attr(4750,root,firejail) %verify(not user group mode) %{_bindir}/firejail
 %{_bindir}/firecfg
 %{_bindir}/firemon
@@ -84,5 +79,10 @@ exit 0
 %config %{_sysconfdir}/apparmor.d/local/firejail-default
 %dir %{_sysconfdir}/apparmor.d
 %dir %{_sysconfdir}/apparmor.d/local
+%dir %{_datadir}/vim/vimfiles
+%dir %{_datadir}/vim/vimfiles/ftdetect
+%dir %{_datadir}/vim/vimfiles/syntax
+%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
+%{_datadir}/vim/vimfiles/syntax/firejail.vim
 %changelog
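Review bot: Source1 in the hunk at @@ -25,10 +25,6 @@ fetches the detached signature firejail-0.9.64.tar.xz.asc that this commit adds, but no hunk declares a keyring source, and as far as I know OBS's source_validator only verifies a `.asc` against a `%{name}.keyring` file shipped with the package; if the spec has no such line outside these hunks, the signature is downloaded but never checked and the tarball refresh is effectively unverified. Adding `Source2:        %{name}.keyring` next to Source1, with the upstream signing public key committed as the keyring file, would make the signature gate future source updates. Removing Patch0/Patch1 here matches the dropped `%patch0`/`%patch1` lines in the %prep hunk, so nothing further is needed on that part.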