pool/firejail
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Load/reload AppArmor profiles when installing the package (boo#1235142#c1)

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=53
This commit is contained in:
Sebastian Wagner 2025-01-10 06:33:14 +00:00 committed by Git OBS Bridge
commit 90c0107930
8 changed files with 949 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

3
firejail-0.9.72.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:82e177c48cfc87f62b088b55efc53ff4612b9740aab5ea35cbf2395e83efe7f4
size 503192

11
firejail-0.9.72.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAmPFc+MACgkQLMs2rfxY
SacfywgAnwZQTaBTK/bwUgcu3vBeptFtmiAgCRYSbabCXoX2HvssAO3h5Jk8Vxt7
nsauL0Opxw01yocAXD03aS9ShMSB5zzhbk+Svlu6yieIvw4mYCyZbho4baAZA83H
Q7V+HH3CEN1fyRwyA8gcYqEjdrf9fd6EbzoOkokTfg98b+hx5ad08o652G8X3GHI
aYV+Gdc5NJ2ChRo07XeeIfIHHfIBWWrcxhXGhvWHovNaqA0+h+vAZ4RvLvY2pd3J
yq0r+68NciUsoOyJBQvopmFG/xH+fRBDgbui8JP3tyoUr/82BEgPpA89rUiGrft3
lvssRZ9TsjS7lbpd/YdEXqqE/aQcQg==
=skSG
-----END PGP SIGNATURE-----

2
firejail-group.conf Normal file
View File

@ -0,0 +1,2 @@
#Type Name ID
g firejail -

741
firejail.changes Normal file
View File

@ -0,0 +1,741 @@
-------------------------------------------------------------------
Thu Jan 9 21:42:45 UTC 2025 - Christian Boltz <suse-beta@cboltz.de>
- Load/reload AppArmor profiles when installing the package (boo#1235142#c1)
-------------------------------------------------------------------
Sun Feb 4 19:16:55 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
- Use sysuser-tools to generate firejail group
-------------------------------------------------------------------
Sun Apr 9 14:43:39 UTC 2023 - Sebastian Wagner <sebix@sebix.at>
- update to version 0.9.72:
* modif: move hardcoded apps recognized by default in uiapps file
* modif: remove sandbox edit dialog and replace it with uiapps file
* feature: added uiapps file for default and user apps configuration
* feature: added a system network monitor in sandbox stats
* feature: added apparmor support in firejail-ui
* feature: added bluetooth support in firejail-ui
* feature: print final sandbox configuration in firejail-ui
* bugfixes
-------------------------------------------------------------------
Tue Jun 14 20:21:18 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>
- remove patches fix-internet-access.patch and fix-CVE-2022-31214.patch
as they are integrated upstream
- update to version 0.9.70:
- security: CVE-2022-31214 - root escalation in --join logic
- Reported by Matthias Gerstner, working exploit code was provided to our
- development team. In the same time frame, the problem was independently
- reported by Birk Blechschmidt. Full working exploit code was also provided.
- feature: enable shell tab completion with --tab (#4936)
- feature: disable user profiles at compile time (#4990)
- feature: Allow resolution of .local names with avahi-daemon in the apparmor
- profile (#5088)
- feature: always log seccomp errors (#5110)
- feature: firecfg --guide, guided user configuration (#5111)
- feature: --oom, kernel OutOfMemory-killer (#5122)
- modif: --ids feature needs to be enabled at compile time (#5155)
- modif: --nettrace only available to root user
- rework: whitelist restructuring (#4985)
- rework: firemon, speed up and lots of fixes
- bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
- bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
- bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
- bugfix: fix printing in evince (#5011)
- bugfix: gcov: fix gcov functions always declared as dummy (#5028)
- bugfix: Stop warning on safe supplementary group clean (#5114)
- build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
- build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
- ci: replace centos (EOL) with almalinux (#4912)
- ci: fix --version not printing compile-time features (#5147)
- ci: print version after install & fix apparmor support on build_apparmor
- (#5148)
- docs: Refer to firejail.config in configuration files (#4916)
- docs: firejail.config: add warning about allow-tray (#4946)
- docs: mention that the protocol command accumulates (#5043)
- docs: mention inconsistent homedir bug involving --private=dir (#5052)
- docs: mention capabilities(7) on --caps (#5078)
- new profiles: onionshare, onionshare-cli, opera-developer, songrec
- new profiles: node-gyp, npx, semver, ping-hardened
- removed profiles: nvm
-------------------------------------------------------------------
Wed Jun 8 21:08:03 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>
- fix bsc#1199148 CVE-2022-31214 by adding patch fix-CVE-2022-31214.patch
using commits from upstream.
-------------------------------------------------------------------
Mon Feb 28 19:38:38 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>
- add fix-internet-access.patch to fix boo#1196542
-------------------------------------------------------------------
Sun Feb 6 21:09:00 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>
- update to firejail 0.9.68:
- security: on Ubuntu, the PPA is now recommended over the distro package
- (see README.md) (#4748)
- security: bugfix: private-cwd leaks access to the entire filesystem
- (#4780); reported by Hugo Osvaldo Barrera
- feature: remove (some) environment variables with auth-tokens (#4157)
- feature: ALLOW_TRAY condition (#4510 #4599)
- feature: add basic Firejail support to AppArmor base abstraction (#3226
- #4628)
- feature: intrusion detection system (--ids-init, --ids-check)
- feature: deterministic shutdown command (--deterministic-exit-code,
- --deterministic-shutdown) (#928 #3042 #4635)
- feature: noprinters command (#4607 #4827)
- feature: network monitor (--nettrace)
- feature: network locker (--netlock) (#4848)
- feature: whitelist-ro profile command (#4740)
- feature: disable pipewire with --nosound (#4855)
- feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
- feature: Allow apostrophe in whitelist and blacklist (#4614)
- feature: AppImage support in --build command (#4878)
- modifs: exit code: distinguish fatal signals by adding 128 (#4533)
- modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
- modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
- modifs: nogroups now stopped causing certain system groups to be dropped,
- which are now controlled by the relevant "no" options instead (such as
- nosound -> drop audio group), which fixes device access issues on systems
- not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
- removal: --disable-whitelist at compile time
- removal: whitelist=yes/no in /etc/firejail/firejail.config
- bugfix: Fix sndio support (#4362 #4365)
- bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
- bugfix: --build clears the environment (#4460 #4467)
- bugfix: firejail hangs with net parameter (#3958 #4476)
- bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
- bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
- bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
- bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
- bugfix: Firejail rejects empty arguments (#4395)
- bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
- bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
- bugfix: private-etc does not work with symlinks (#4887)
- bugfix: Hardware key not detected on keepassxc (#4883)
- build: allow building with address sanitizer (#4594)
- build: Stop linking pthread (#4695)
- build: Configure cleanup and improvements (#4712)
- ci: add profile checks for sorting disable-programs.inc and
- firecfg.config and for the required arguments in private-etc (#2739 #4643)
- ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
- docs: Add new command checklist to CONTRIBUTING.md (#4413)
- docs: Rework bug report issue template and add both a question and a
- feature request template (#4479 #4515 #4561)
- docs: fix contradictory descriptions of machine-id ("preserves" vs
- "spoofs") (#4689)
- docs: Document that private-bin and private-etc always accumulate (#4078)
- new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
- new includes: disable-proc.inc (#4521)
- removed includes: disable-passwordmgr.inc (#4454 #4461)
- new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
- new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
- new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
- new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
- new profiles: imv, retroarch, torbrowser, CachyBrowser,
- new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
- new profiles: Seafile, neovim, com.github.tchx84.Flatseal
-------------------------------------------------------------------
Sun Jul 18 16:45:49 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
- firejail 0.9.66:
* deprecated --audit options, relpaced by jailcheck utility
* deprecated follow-symlink-as-user from firejail.config
* new firejail.config settings: private-bin, private-etc
* new firejail.config settings: private-opt, private-srv
* new firejail.config settings: whitelist-disable-topdir
* new firejail.config settings: seccomp-filter-add
* removed kcmp syscall from seccomp default filter
* rename --noautopulse to keep-config-pulse
* filtering environment variables
* zsh completion
* command line: --mkdir, --mkfile
* --protocol now accumulates
* jailtest utility for testing running sandboxes
* faccessat2 syscall support
* --private-dev keeps /dev/input
* added --noinput to disable /dev/input
* add support for subdirs in --private-etc
* subdirs support in private-etc
* input devices support in private-dev, --no-input
* support trailing comments on profile lines
* many new profiles
- split shell completion into standard subpackages
-------------------------------------------------------------------
Sun Feb 7 23:09:58 UTC 2021 - Илья Индиго <ilya@ilya.pp.ua>
- Update to 0.9.64.4:
* disabled overlayfs, pending multiple fixes
* fixed launch firefox for open url in telegram-desktop.profile
-------------------------------------------------------------------
Thu Jan 28 18:35:06 UTC 2021 - Илья Индиго <ilya@ilya.pp.ua>
- Update to 0.9.64.2:
* allow --tmpfs inside $HOME for unprivileged users
* --disable-usertmpfs compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
* added nolocal6.net IPv6 network filter
* new profiles: spectacle, chromium-browser-privacy,
gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer,
gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu,
authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg,
mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.
-------------------------------------------------------------------
Mon Nov 2 19:44:51 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>
- packaging fixes
-------------------------------------------------------------------
Sun Nov 1 16:58:56 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>
- Update to version 0.9.64:
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
* new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
* new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
* new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
* new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
* new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
* new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
* new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
* new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
* new profiles: swell-foop, fdns, five-or-more, steam-runtime
* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
* new profiles: gapplication, openarena_ded, element-desktop, cawbird
* new profiles: freetube, strawberry, jitsi-meet-desktop
* new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
* new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
* new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
* new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
* new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
* new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
* new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
* new profiles: qrencode, ytmdesktop, twitch
* new profiles: xournalpp, chromium-freeworld, equalx
- remove firejail-0.9.62-fix-usr-etc.patch, included upstream
- remove firejail-apparmor-3.0.diff, included upstream
-------------------------------------------------------------------
Mon Oct 26 22:34:02 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
- Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with
AppArmor 3.0 (add missing include <tunables/global>)
-------------------------------------------------------------------
Wed Aug 19 06:15:16 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
- Update to 0.9.62.4
* fix AppArmor broken in the previous release
* miscellaneous fixes
-------------------------------------------------------------------
Thu Aug 13 06:13:57 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
- Update to 0.9.62.2
* fix CVE-2020-17367
* fix CVE-2020-17368
* additional hardening and bug fixes
- Remove fix-CVE-2020-17368.patch
- Remove fix-CVE-2020-17367.patch
-------------------------------------------------------------------
Sat Aug 8 16:56:43 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>
- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986
-------------------------------------------------------------------
Wed Apr 29 11:30:38 UTC 2020 - Michael Vetter <mvetter@suse.com>
- Add firejail-0.9.62-fix-usr-etc.patch:
Check /usr/etc not just /etc
- Replace python interpreter line in sort.py
-------------------------------------------------------------------
Tue Feb 11 22:32:46 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- update to version 0.9.62
* added file-copy-limit in /etc/firejail/firejail.config
* profile templates (/usr/share/doc/firejail)
* allow-debuggers support in profiles
* several seccomp enhancements
* compiler flags autodetection
* move chroot entirely from path based to file descriptor based mounts
* whitelisting /usr/share in a large number of profiles
* new scripts in conrib: gdb-firejail.sh and sort.py
* enhancement: whitelist /usr/share in some profiles
* added signal mediation to apparmor profile
* new conditions: HAS_X11, HAS_NET
* new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
* new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
* new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
* new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
* new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
* new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
* new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
* new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
* new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
* new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
* new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
* new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
* new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
* new profiles: electron-mail, gist, gist-paste
-------------------------------------------------------------------
Sun Jun 2 16:30:42 UTC 2019 - Sebastian Wagner <sebix+novell.com@sebix.at>
- update to version 0.9.60:
* security bug reported by Austin Morton:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
CVE-2019-12589
boo#1137139
* memory-deny-write-execute now also blocks memfd_create
* add private-cwd option to control working directory within jail
* blocking system D-Bus socket with --nodbus
* bringing back Centos 6 support
* drop support for flatpak/snap packages
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
-------------------------------------------------------------------
Fri Feb 1 07:29:32 UTC 2019 - info@paolostivanin.com
- update to version 0.9.58:
* --disable-mnt rework
* --net.print command
* GitLab CI/CD integration: disto specific builds
* profile parser enhancements and conditional handling support
for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F
* profile name support
* added explicit nonewprivs support to join option
* new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
* new profiles: devilspie, devilspie2, easystroke, github-desktop, min
* new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
* new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
* new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
* new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
* new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
* new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
* new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
* new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland
* new profiles: supertuxkart, ghostwriter, gajim-history-manager
* bugfixes
-------------------------------------------------------------------
Sat Sep 22 09:11:21 UTC 2018 - Sebastian Wagner <sebix+novell.com@sebix.at>
- update to version 0.9.56:
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
-------------------------------------------------------------------
Tue Sep 11 08:12:48 UTC 2018 - Markos Chandras <mchandras@suse.de>
- Drop ldconfig calls since firejail libraries are installed in their
own subdirectory which is not scanned by ldconfig.
-------------------------------------------------------------------
Mon Sep 10 08:58:32 UTC 2018 - Markos Chandras <mchandras@suse.de>
- Remove the rpmlintrc file since the warnings are no longer relevant.
-------------------------------------------------------------------
Thu Aug 23 19:34:44 UTC 2018 - sebix+novell.com@sebix.at
- Changed the permissions of the firejail executable to 4750.
Setuid mode is used, but only allowed for users in the newly
created group 'firejail' (boo#1059013).
- Update to version 0.9.54:
* modif: --force removed
* modif: --csh, --zsh removed
* modif: --debug-check-filename removed
* modif: --git-install and --git-uninstall removed
* modif: support for private-bin, private-lib and shell none has been
disabled while running AppImage archives in order to be able to use
our regular profile files with AppImages.
* modif: restrictions for /proc, /sys and /run/user directories
are moved from AppArmor profile into firejail executable
* modif: unifying Chromium and Firefox browsers profiles.
All users of Firefox-based browsers who use addons and plugins
that read/write from ${HOME} will need to uncomment the includes for
firefox-common-addons.inc in firefox-common.profile.
* modif: split disable-devel.inc into disable-devel and
disable-interpreters.inc
* Firejail user access database (/etc/firejail/firejail.users,
man firejail-users)
* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
* Spectre mitigation patch for gcc and clang compiler
* D-Bus handling (--nodbus)
* AppArmor support for overlayfs and chroot sandboxes
* AppArmor support for AppImages
* Enable AppArmor by default for a large number of programs
* firejail --apparmor.print option
* firemon --apparmor option
* apparmor yes/no flag in /etc/firejail/firejail.config
* seccomp syscall list update for glibc 2.26-10
* seccomp disassembler for --seccomp.print option
* seccomp machine code optimizer for default seccomp filters
* IPv6 DNS support
* whitelist support for overlay and chroot sandboxes
* private-dev support for overlay and chroot sandboxes
* private-tmp support for overlay and chroot sandboxes
* added sandbox name support in firemon
* firemon/prctl enhancements
* noblacklist support for /sys/module directory
* whitelist support for /sys/module directory
* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
* new profiles: discord-canary, pycharm-community, pycharm-professional,
* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
* new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
* new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
* new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
* new profiles: qmmp, sayonara
-------------------------------------------------------------------
Wed Dec 13 00:54:11 UTC 2017 - avindra@opensuse.org
- Update to version 0.9.52:
* New features
+ systemd-resolved integration
+ whitelisted /var in most profiles
+ GTK2, GTK3 and Qt4 private-lib support
+ --debug-private-lib
+ test deployment of private-lib for the some apps: evince,
galculator, gnome-calculator, leafpad, mousepad,
transmission-gtk, xcalc, xmr-stak-cpu, atril,
mate-color-select, tar, file, strings, gpicview, eom, eog,
gedit, pluma
+ netfilter template support
+ various new arguments
* --writable-run-user
* --rlimit-as
* --rlimit-cpu
* --timeout
* --build (profile build tool)
* --netfilter.print
* --netfilter6.print
* deprecations in modif
+ --allow-private-blacklists (blacklisting, read-only,
read-write, tmpfs and noexec are allowed in private home
directories
+ remount-proc-sys (firejail.config)
+ follow-symlink-private-bin (firejail.config)
+ --profile-path
* enhancements
+ support Firejail user config directory in firecfg
+ disable DBus activation in firecfg
+ enumerate root directories in apparmor profile
+ /etc and /usr/share whitelisting support
+ globbing support for --private-bin
* new profiles: upstreamed profiles from 3 sources:
+ https://github.com/chiraag-nataraj/firejail-profiles
+ https://github.com/nyancat18/fe
+ https://aur.archlinux.org/packages/firejail-profiles
* new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
brackets, calligra, calligraauthor, calligraconverter,
calligraflow, calligraplan, calligraplanwork, calligrasheets,
calligrastage, calligrawords, cin, dooble, dooble-qt4,
fetchmail, freecad, freecadcmd, google-earth,imagej, karbon,
1kdenlive, krita, linphone, lmms, macrofusion, mpd, natron,
Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg,
bluefish, cinelerra, openshot-qt, pinta, uefitool, aosp,
pdfmod, gnome-ring, xcalc, zaproxy, kopete, cliqz,
signal-desktop, kget, nheko, Enpass, kwin_x11, krunner, ping,
bsdtar, makepkg (Arch), archaudit-report cower (Arch), kdeinit4
- Add full link to source tarball from sourceforge
- Add asc file
-------------------------------------------------------------------
Sat Sep 9 14:40:29 UTC 2017 - aavindraa@gmail.com
- Update to version 0.9.50:
* New features:
- per-profile disable-mnt (--disable-mnt)
- per-profile support to set X11 Xephyr screen size (--xephyr-screen)
- private /lib directory (--private-lib)
- disable CDROM/DVD drive (--nodvd)
- disable DVB devices (--notv)
- --profile.print
* modif: --output split in two commands, --output and --output-stderr
* set xpra-attach yes in /etc/firejail/firejail.config
* Enhancements:
- print all seccomp filters under --debug
- /proc/sys mounting
- rework IP address assingment for --net options
- support for newer Xpra versions (2.1+) -
- all profiles use a standard layout style
- create /usr/local for firecfg if the directory doesn't exist
- allow full paths in --private-bin
* New seccomp features:
- --memory-deny-write-execute
- seccomp post-exec
- block secondary architecture (--seccomp.block_secondary)
- seccomp syscall groups
- print all seccomp filters under --debug
- default seccomp list update
* new profiles:
curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
Android Studio, electron, riot-web, Extreme Tux Racer,
Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
hashcat, obs, picard, remmina, sdat2img, soundconverter
truecraft, gnome-twitch, tuxguitar, musescore, neverball
sqlitebrowse, Yandex Browser, minetest
-------------------------------------------------------------------
Tue Aug 15 15:47:49 CEST 2017 - tiwai@suse.de
- Update to version 0.9.48:
* modifs: whitelisted Transmission, Deluge, qBitTorrent,
KTorrent;
please use ~/Downloads directory for saving files
* modifs: AppArmor made optional; a warning is printed on the
screen if the sandbox fails to load the AppArmor profile
* feature: --novideo
* feature: drop discretionary access control capabilities for
root sandboxes
* feature: added /etc/firejail/globals.local for global
customizations
* feature: profile support in overlayfs mode
* new profiles: vym, darktable, Waterfox, digiKam, Catfish,
HandBrake
* bugfixes
-------------------------------------------------------------------
Mon Jan 16 16:33:59 CET 2017 - tiwai@suse.de
- Update to version 0.9.44.4:
* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* disabled --allow-debuggers when running on kernel versions prior
to 4.8; a kernel bug in ptrace system call allows a full bypass
of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
* root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
* new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
* major cleanup of file copying code
* tightening the rules for --chroot and --overlay features
* ported Gentoo compile patch
* Nvidia drivers bug in --private-dev
* fix ASSERT_PERMS_FD macro
* allow local customization using .local files under /etc/firejail
backported from our development branch
* spoof machine-id backported from our development branch
- Remove obsoleted patches:
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
-------------------------------------------------------------------
Thu Jan 5 10:38:43 CET 2017 - tiwai@suse.de
- Update to version 0.9.44.2:
Security fixes:
* overwrite /etc/resolv.conf found by Martin Carpenter
* TOCTOU exploit for get and put found by Daniel Hodson
* invalid environment exploit found by Martin Carpenter
* several security enhancements
Bugfixes:
* crashing VLC by pressing Ctrl-O
* use user configured icons in KDE
* mkdir and mkfile are not applied to private directories
* cannot open files on Deluge running under KDE
* private=dir where dir is the user home directory
* cannot start Vivaldi browser
* cannot start mupdf
* ssh profile problems
* quiet
* quiet in git profile
* memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
-------------------------------------------------------------------
Thu Oct 27 17:49:48 CEST 2016 - tiwai@suse.de
- Update to version 0.9.44:
* CVE-2016-7545 submitted by Aleksey Manevich
Modifications:
* removed man firejail-config
* private-tmp whitelists /tmp/.X11-unix directory
* Nvidia drivers added to private-dev
* /srv supported by whitelist
New features:
* allow user access to /sys/fs (noblacklist=/sys/fs)
* support starting/joining sandbox is a single command (join-or-start)
* X11 detection support for audit
* assign a name to the interface connected to the bridge (veth-name)
* all user home directories are visible (allusers)
* add files to sandbox container (put)
* blocking x11 (x11=block)
* X11 security extension (x11=xorg)
* disable 3D hardware acceleration (no3d)
* x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* move files in sandbox (put)
* accept wildcard patterns in user name field of restricted shell login feature
New profiles:
* qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* feh, ranger, zathura, 7z, keepass, keepassx,
* claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* Flowblade, Eye of GNOME (eog), Evolution
-------------------------------------------------------------------
Fri Sep 30 10:56:58 CEST 2016 - tiwai@suse.de
- Update to version 0.9.42:
Security fixes:
* whitelist deleted files
* disable x32 ABI in seccomp
* tighten chroot
* terminal sandbox escape
* several TOCTOU fixes
Behavior changes:
* bringing back private-home option
* deprecated user option, please use “sudo -u username firejail”
* allow symlinks in home directory for whitelist option
* Firejail prompt is enabled by env variable FIREJAIL_PROMPT=”yes”
* recursive mkdir
* include /dev/snd in private-dev
* seccomp filter update
* release archives moved to .xz format
New features:
* AppImage support (appimage)
* AppArmor support (apparmor)
* Ubuntu snap support (/etc/firejail/snap.profile)
* Sandbox auditing support (audit)
* remove environment variable (rmenv)
* noexec support (noexec)
* clean local overlay storage directory (overlay-clean)
* store and reuse overlay (overlay-named)
* allow debugging inside the sandbox with gdb and strace (allow-debuggers)
* mkfile profile command
* quiet profile command
* x11 profile command
* option to fix desktop files (firecfg fix)
Build options:
* Busybox support (enable-busybox-workaround)
* disable overlayfs (disable-overlayfs)
* disable whitlisting (disable-whitelist)
* disable global config (disable-globalcfg)
Runtime options:
* enable/disable overlayfs (overlayfs yes/no)
* enable/disable quiet as default (quiet-by-default yes/no)
* user-defined network filter (netfilter-default)
* enable/disable whitelisting (whitelist yes/no)
* enable/disable remounting of /proc and /sys (remount-proc-sys yes/no)
* enable/disable chroot desktop features (chroot-desktop yes/no)
New/updated profiels:
* Gitter, gThumb, mpv, Franz messenger, LibreOffice
* pix, audacity, xz, xzdec, gzip, cpio, less
* Atom Beta, Atom, jitsi, eom, uudeview
* tar (gtar), unzip, unrar, file, skypeforlinux,
* inox, Slack, gnome-chess. Gajim IM client, DOSBox
- Enable apparmor support
-------------------------------------------------------------------
Wed Jun 8 15:20:43 CEST 2016 - tiwai@suse.de
- Update to version 0.9.40:
* Added firecfg utility
* New options: -nice, -cpu.print, -writable-etc, -writable-var,
-read-only
* X11 support: -x11 option (-x11=xpra, -x11=xephr)
* Filetransfer options: ls and get
* Added mkdir, ipc-namespace, and nosound profile commands
* added net, ip, defaultgw, ip6, mac, mtu and iprange profile
commands
* Run time config support, man firejail-config
* AppArmor fixes
* Default seccomp filter update
* Disable STUN/WebRTC in default netfilter configuration
* Lots of new profiles
-------------------------------------------------------------------
Tue May 17 17:13:03 CEST 2016 - tiwai@suse.de
- initial package: 0.9.38

30
firejail.keyring Normal file
View File

@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
mQENBFRaIzYBCACvfLk+0CpSK+03h0svI3XfbSuGppB1jSd70QoX6jgjcJ6ble+G
V8gQEd8hU6Rhw4oa6klY+sVY2Si+7ZLaGQAiucERNG0aJA23gYVw91OyaARNZ1SZ
8Ju7GowCxLOT6Ie8RyWCCv1yXGxQT36j2I1Z9/UvYHvIJISZ48K4Dk8OuF5lcCH7
jN5X/7pqhmBKKx3Ve4UWmiKjisZcEdhJ9U5nyrHNSngPYSia+YIK/wG4nqY3ooZi
HvLA21HeaVBaILmRuRCO7akqxFB9SfJTHDqC0czZ0/3NJ3AyQv/qEkIkxGOHogKx
hNqGUBxYhba9Hl9Sl3IX72aQ28CxUngpXLNJABEBAAG0LG5ldGJsdWUgKGZpcmVq
YWlsIGtleSkgPG5ldGJsdWUzMEB5YWhvby5jb20+iQE4BBMBAgAiBQJUWiM2AhsD
BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAsyzat/FhJp7daB/0UlljRMtJ7
/Ht9gDcQm1pqsShGw29QtLSxDWV7A250GdveGNs2yZTCJQIyoK1Pa+Q5GOUwv0I2
VOxqTgnG3j1pCtcCbb7rkRQa6dix71IgKG+F4wUlWLdgaVsH7h1MtVobZ+nNSQAY
Bl+9vd9cKuyIYI+e6pdlLP/yCT78ehI/wVDD2V/w3ixnvnSLIgoRQRX9gAbRIf3i
/cXpyVn7wLYNMUwBrH3hPDTJPTdNih75ZcMMBWDnkt+IMijtxM++4J+45odoPKb6
bCvq0e0WtWmscOx/jN5cgOyC/87lcQuHSyjiSJowJzJUnO0sL9r1X1RFsU+XhGfN
8Ml/9flP/ojYuQENBFRaIzYBCADCE9S6rB7FI4z07H0PZ97XKh5U7r5hIxWrt1nC
yzD/Hprfy9ZZRJklAa+XlMMIPHHv3h8JEL2B5TWKxCa7KbNYfoLoLGywp6aIw6+X
kDhKXesEDN5WFUCW186hlmEExgNpOGZlbBLqJnaFfxhunSGgdHd5YHiASkts5Uwd
zzo2uFMcn0q0HlLLGAVwI787P6xAsAvgf4BCFuc4XGCWl8XDQbChZ8LC/ovHPq4Q
H8g6cIzya6f5E/VT2+dYGpME0bPmjTm0ZzvTHWfjw+B2d5AO5mNQiewHejnPxrcq
qJkO+Y6S80R/JPfmOI3RCHcoyB+QJ1I2I4yQ6G5dFwKl/IknABEBAAGJAR8EGAEC
AAkFAlRaIzYCGwwACgkQLMs2rfxYSad2pAf8CaKsDD1yj1mvYcUX1chrUlYmZVuR
PSFKf90OETlGSCYqdi4yyeJJnis4HBDcGPa+hFpLVksJlRCKqKQiqjndaNHhRgyM
ZouoeJvBiwCdwpQmZHgpgTv1V8n4PJ4anqISC5/ZGN9HDJ68gDx2hzeuilc+6umK
E99f7Qo8rdaeu5IGhujQhxnemAyTBNGZh3tABZcni5m7uVJKihdDUogghXSnIBxh
ilSqRQrPqyCjic8MUB9S+eBQC4Z67i9YqJaBfb80x9HqINLncGFDHKIajwy8f7Sh
k67z733GYXrAnyHsia4IF4UGRLW4+1xtKE9xmUThmwMdkgqtJ9eqBpAF9A==
=/BT3
-----END PGP PUBLIC KEY BLOCK-----

138
firejail.spec Normal file
View File

@ -0,0 +1,138 @@
#
# spec file for package firejail
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: firejail
Version: 0.9.72
Release: 0
Summary: Linux namepaces sandbox program
License: GPL-2.0-only
Group: Productivity/Security
URL: https://firejail.wordpress.com
Source0: https://github.com/netblue30/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
Source1: https://github.com/netblue30/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc
# https://firejail.wordpress.com/download-2/
Source2: %{name}.keyring
Source3: %{name}-group.conf
BuildRequires: apparmor-rpm-macros
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: libapparmor-devel
BuildRequires: sysuser-tools
BuildRequires: xz
Requires(post): permissions
%sysusers_requires
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
many existing applications like Iceweasel/Mozilla Firefox and Chromium.
Firejail also expands the restricted shell facility found in bash by adding
Linux namespace support. It supports sandboxing specific users upon login.
%package bash-completion
Summary: Firejail Bash completion
Group: System/Shells
Requires: %{name} = %{version}
Requires: bash-completion
Supplements: (%{name} and bash-completion)
BuildArch: noarch
%description bash-completion
Optional dependency offering bash completion for firejail
%package zsh-completion
Summary: Firejail zsh completion
Group: System/Shells
Requires: %{name} = %{version}
Requires: zsh
Supplements: (%{name} and zsh)
BuildArch: noarch
%description zsh-completion
Optional dependency offering zsh completion for firejail
%prep
%autosetup
sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py contrib/fix_private-bin.py contrib/jail_prober.py
%build
%sysusers_generate_pre %{SOURCE3} %{name} %{name}-group.conf
%configure --docdir=%{_docdir}/%{name} \
--enable-apparmor
%make_build
%install
%make_install
install -D -m 644 %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}-group.conf
rm %{buildroot}%{_docdir}/firejail/COPYING
%fdupes -s %{buildroot}
%pre -f %{name}.pre
%post
%set_permissions %{_bindir}/firejail
%apparmor_reload %{_sysconfdir}/apparmor.d/firejail-default
%verifyscript
%verify_permissions -e %{_bindir}/firejail
%files
%license COPYING
%attr(4750,root,firejail) %verify(not user group mode) %{_bindir}/firejail
%{_bindir}/firecfg
%{_bindir}/firemon
%{_bindir}/jailcheck
%{_libdir}/%{name}
%doc %{_docdir}/%{name}
%{_mandir}/man1/*
%{_mandir}/man5/*
%dir %{_sysconfdir}/%{name}
%config %{_sysconfdir}/%{name}/*
%config %{_sysconfdir}/apparmor.d/firejail-default
%config %{_sysconfdir}/apparmor.d/local/firejail-default
%dir %{_sysconfdir}/apparmor.d
%dir %{_sysconfdir}/apparmor.d/local
%dir %{_sysconfdir}/apparmor.d/abstractions
%dir %{_sysconfdir}/apparmor.d/abstractions/base.d
%dir %{_datadir}/vim
%dir %{_datadir}/vim/vimfiles
%dir %{_datadir}/vim/vimfiles/ftdetect
%dir %{_datadir}/vim/vimfiles/syntax
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%dir %{_datadir}/gtksourceview-5
%dir %{_datadir}/gtksourceview-5/language-specs
%{_datadir}/gtksourceview-5/language-specs/firejail-profile.lang
%config /etc/apparmor.d/abstractions/base.d/firejail-base
%{_sysusersdir}/%{name}-group.conf
%files bash-completion
%license COPYING
%dir %{_datadir}/bash-completion
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/*
%files zsh-completion
%license COPYING
%dir %{_datarootdir}/zsh
%dir %{_datarootdir}/zsh/site-functions/
%{_datadir}/zsh/site-functions/_firejail
%changelog