- Changed the permissions of the firejail executable to 4750.

Setuid mode is used, but only allowed for users in the newly
  created group 'firejail' (boo#1059013).
- Update to version 0.9.54:
  * modif: --force removed
  * modif: --csh, --zsh removed
  * modif: --debug-check-filename removed
  * modif: --git-install and --git-uninstall removed
  * modif: support for private-bin, private-lib and shell none has been
     disabled while running AppImage archives in order to be able to use
     our regular profile files with AppImages.
  * modif: restrictions for /proc, /sys and /run/user directories
     are moved from AppArmor profile into firejail executable
  * modif: unifying Chromium and Firefox browsers profiles.
     All users of Firefox-based browsers who use addons and plugins
     that read/write from ${HOME} will need to uncomment the includes for
     firefox-common-addons.inc in firefox-common.profile.
  * modif: split disable-devel.inc into disable-devel and
     disable-interpreters.inc
  * Firejail user access database (/etc/firejail/firejail.users,
     man firejail-users)
  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
  * Spectre mitigation patch for gcc and clang compiler
  * D-Bus handling (--nodbus)
  * AppArmor support for overlayfs and chroot sandboxes
  * AppArmor support for AppImages
  * Enable AppArmor by default for a large number of programs
  * firejail --apparmor.print option
  * firemon --apparmor option
  * apparmor yes/no flag in /etc/firejail/firejail.config

OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=10

firejail-0.9.52.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:da14c93ebc0e8deb420ab9979d1c006ecc98b5b310b27cae43f0c623c9471471
-size 299396

firejail-0.9.52.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAlov3ecACgkQLMs2rfxY
-Sacd1wgAj56JTfDnNkG5LcUfeONcRqd430QzV8QH1eK8mQrAHwkQYhikxvG0J4/R
-LndJ1OsrDy+QokXWlWGpp+zSj/FMnCYZs28DKm7jMyKHagdcB96QYaz+jVDQERtx
-e6rxTWiz6J/kVXx+7yG8UxSXMzP1ScmsmpleaIKPQWQbhrUw0rSp8lNIEuvegCdB
-uXThrWvL/9raonWfaES4fJw7LO90BfA3CGJsmUGaibXi2K4Fjorugbn0bikiQQMI
-0Y2/7a9cSa4qtRmvOL3b5hScr2Vc1vLEwsssrjQMhLSwf2wcBGqcgLVoP5sc5ZWQ
-js8LbOhwgosJouLCQswqGnZbsdMo8Q==
-=3zHj
------END PGP SIGNATURE-----

firejail-0.9.54.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce996854278863f3e91ff185198c7cc1377fb70053d37a43e3b1ef1021c57756
+size 315884

firejail-0.9.54.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAlr8NyMACgkQLMs2rfxY
+Sadqpgf/fUTS0ITcZaMzBFQgWd2dvFBusAGD8HDkxgp7ITy8/t9i49Ix/0KJAzdE
+vrQmJ2+5emBVjG9R50t/1G+JxNMMg5e8mK2/XA4kHFVqtmws/E3islC169fOVObV
+EE4Gi6N6pTKoLholrLdZuvS7GyPCp3pf6WWLZkpCOAx73j3RCdIiXdP1iSf2uZLQ
+/5+QBIQO8g+E1RpLls18QyNuQz4kw988w9/6dzvha5lFB5DMdPgjEzAL50B6Etiq
+pLtziooy58kWiFpTfDRi3//xfpTSIYa0QIwFyy4sUUbiifv+Lvqe42cqD+AK9/6H
+1rLWthvezOS4aSizp+ApGlQaFrOI8w==
+=fc0E
+-----END PGP SIGNATURE-----

firejail.changes

@@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Thu Aug 23 19:34:44 UTC 2018 - sebix+novell.com@sebix.at
+
+- Changed the permissions of the firejail executable to 4750.
+  Setuid mode is used, but only allowed for users in the newly
+  created group 'firejail' (boo#1059013).
+- Update to version 0.9.54:
+  * modif: --force removed
+  * modif: --csh, --zsh removed
+  * modif: --debug-check-filename removed
+  * modif: --git-install and --git-uninstall removed
+  * modif: support for private-bin, private-lib and shell none has been
+     disabled while running AppImage archives in order to be able to use
+     our regular profile files with AppImages.
+  * modif: restrictions for /proc, /sys and /run/user directories
+     are moved from AppArmor profile into firejail executable
+  * modif: unifying Chromium and Firefox browsers profiles.
+     All users of Firefox-based browsers who use addons and plugins
+     that read/write from ${HOME} will need to uncomment the includes for
+     firefox-common-addons.inc in firefox-common.profile.
+  * modif: split disable-devel.inc into disable-devel and
+     disable-interpreters.inc
+  * Firejail user access database (/etc/firejail/firejail.users,
+     man firejail-users)
+  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
+  * Spectre mitigation patch for gcc and clang compiler
+  * D-Bus handling (--nodbus)
+  * AppArmor support for overlayfs and chroot sandboxes
+  * AppArmor support for AppImages
+  * Enable AppArmor by default for a large number of programs
+  * firejail --apparmor.print option
+  * firemon --apparmor option
+  * apparmor yes/no flag in /etc/firejail/firejail.config
+  * seccomp syscall list update for glibc 2.26-10
+  * seccomp disassembler for --seccomp.print option
+  * seccomp machine code optimizer for default seccomp filters
+  * IPv6 DNS support
+  * whitelist support for overlay and chroot sandboxes
+  * private-dev support for overlay and chroot sandboxes
+  * private-tmp support for overlay and chroot sandboxes
+  * added sandbox name support in firemon
+  * firemon/prctl enhancements
+  * noblacklist support for /sys/module directory
+  * whitelist support for /sys/module directory
+  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
+  * new profiles: discord-canary, pycharm-community, pycharm-professional,
+  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
+  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
+  * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
+  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
+  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
+  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
+  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
+  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
+  * new profiles: qmmp, sayonara
+
 -------------------------------------------------------------------
 Wed Dec 13 00:54:11 UTC 2017 - avindra@opensuse.org
 

firejail.spec

@@ -17,7 +17,7 @@
 
 
 Name:           firejail
-Version:        0.9.52
+Version:        0.9.54
 Release:        0
 Summary:        Linux namepaces sandbox program
 License:        GPL-2.0
@@ -28,7 +28,9 @@ Source1:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.
 Source2:        %{name}.rpmlintrc
 BuildRequires:  gcc-c++
 BuildRequires:  libapparmor-devel
-Requires(pre):  permissions
+BuildRequires:  fdupes
+Requires(pre):  shadow
+PreReq:         permissions
 
 %description
 Firejail is a SUID sandbox program that reduces the risk of security
@@ -41,14 +43,20 @@ Linux namespace support. It supports sandboxing specific users upon login.
 
 %prep
 %setup -q
+sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py
 
 %build
 %configure --docdir=%{_docdir}/%{name} \
 	   --enable-apparmor
 make %{?_smp_mflags} VERBOSE=1
 
+%pre
+getent group firejail >/dev/null || groupadd -r firejail
+exit 0
+
 %install
 %make_install
+%fdupes -s %{buildroot}
 
 %post
 /sbin/ldconfig
@@ -60,7 +68,7 @@ make %{?_smp_mflags} VERBOSE=1
 %postun -p /sbin/ldconfig
 
 %files
-%verify(not user group mode) %{_bindir}/firejail
+%attr(4750,root,firejail) %verify(not user group mode) %{_bindir}/firejail
 %{_bindir}/firecfg
 %{_bindir}/firemon
 %{_datadir}/bash-completion
@@ -70,6 +78,9 @@ make %{?_smp_mflags} VERBOSE=1
 %{_mandir}/man5/*
 %dir %{_sysconfdir}/%{name}
 %config %{_sysconfdir}/%{name}/*
-%{_sysconfdir}/apparmor.d
+%config %{_sysconfdir}/apparmor.d/firejail-default
+%config %{_sysconfdir}/apparmor.d/local/firejail-local
+%dir %{_sysconfdir}/apparmor.d
+%dir %{_sysconfdir}/apparmor.d/local
 
 %changelog