- update to firejail 0.9.68:

- security: on Ubuntu, the PPA is now recommended over the distro package
 - (see README.md) (#4748)
 - security: bugfix: private-cwd leaks access to the entire filesystem
 - (#4780); reported by Hugo Osvaldo Barrera
 - feature: remove (some) environment variables with auth-tokens (#4157)
 - feature: ALLOW_TRAY condition (#4510 #4599)
 - feature: add basic Firejail support to AppArmor base abstraction (#3226
 - #4628)
 - feature: intrusion detection system (--ids-init, --ids-check)
 - feature: deterministic shutdown command (--deterministic-exit-code,
 - --deterministic-shutdown) (#928 #3042 #4635)
 - feature: noprinters command (#4607 #4827)
 - feature: network monitor (--nettrace)
 - feature: network locker (--netlock) (#4848)
 - feature: whitelist-ro profile command (#4740)
 - feature: disable pipewire with --nosound (#4855)
 - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
 - feature: Allow apostrophe in whitelist and blacklist (#4614)
 - feature: AppImage support in --build command (#4878)
 - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
 - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
 - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
 - modifs: nogroups now stopped causing certain system groups to be dropped,
 - which are now controlled by the relevant "no" options instead (such as
 - nosound -> drop audio group), which fixes device access issues on systems
 - not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
 - removal: --disable-whitelist at compile time
 - removal: whitelist=yes/no in /etc/firejail/firejail.config
 - bugfix: Fix sndio support (#4362 #4365)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=42

firejail-0.9.66.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8a849ea2f3922901033a407b9498d48915260e7c3381f6cf151c51a73c952d0f
-size 449992

firejail-0.9.66.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAmDbUqwACgkQLMs2rfxY
-SaeDMQf/W9LgIG/QsVz3Xl442zT4gijZGK6llnT5Ca5eDkqLCizCPbRdDJ54eldF
-kfLQiy21K7KTnrr9S5Y5UFy4452q4ewKIVe/PCfN++f38cN40tWefyBsO5hgJq6Z
-t61bx54+5RxJl9qz5cm8eJFvXi1G9rkZPcVn4KBjUoY5vbyirElfHdgH6KcCPN3J
-benndbPlXfzw4673P7LqNRsbri8wLsM20KoeBahIMj0SUQ6hOOTItKYxUtx19N93
-gXB/Sa9JTVGVK9PYhRZiuLeCXBe76PkNV6WJngFDQ8GyYG+AnRETBXiTzkR7Jxcn
-hhoGnbOKRdIvXKcDXHdeAd2nxOJm5g==
-=pisc
------END PGP SIGNATURE-----

firejail-0.9.68.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a322395597d89d2e5ea21fb11cb3f2afc44b00fca5439bf44c7636c5cffa652f
+size 477332

firejail-0.9.68.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAmH/zu0ACgkQLMs2rfxY
+Saf2WAf/UI98s9MugTAq45CIuxaqzhbbGc435Lwo2NgS2LCYKoJOmes6UdyLPUa1
+aawBImtfqTyOXWrWnKjYBl7fIVATKpP7Ddm2+y6RJ+px/4dRUWNLVqEvka5BLYNS
+HrYP84a1vxqeg0LVOMcmD701mTmbT68jwpjD2Ai2ZkiRGXS5KfBWIRL+WR7PAorj
+jDxqUSorEF8x316d+0doy9NyeCXS5A1aqTmjnTxZ3RBfkg+Zq33S+x+2ktepdnDH
+q/Fv9W4C/GVoXBj6PKtk4JXFUJIeYUYCXE9sq2bpCEAdom5J+EpUMo+42G1/xLYL
+mFP0G113+ciMoLWkjJMNQH6KbFjCsQ==
+=6MJb
+-----END PGP SIGNATURE-----

firejail.changes

@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Sun Feb  6 21:09:00 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>
+
+- update to firejail 0.9.68:
+ - security: on Ubuntu, the PPA is now recommended over the distro package
+ - (see README.md) (#4748)
+ - security: bugfix: private-cwd leaks access to the entire filesystem
+ - (#4780); reported by Hugo Osvaldo Barrera
+ - feature: remove (some) environment variables with auth-tokens (#4157)
+ - feature: ALLOW_TRAY condition (#4510 #4599)
+ - feature: add basic Firejail support to AppArmor base abstraction (#3226
+ - #4628)
+ - feature: intrusion detection system (--ids-init, --ids-check)
+ - feature: deterministic shutdown command (--deterministic-exit-code,
+ - --deterministic-shutdown) (#928 #3042 #4635)
+ - feature: noprinters command (#4607 #4827)
+ - feature: network monitor (--nettrace)
+ - feature: network locker (--netlock) (#4848)
+ - feature: whitelist-ro profile command (#4740)
+ - feature: disable pipewire with --nosound (#4855)
+ - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
+ - feature: Allow apostrophe in whitelist and blacklist (#4614)
+ - feature: AppImage support in --build command (#4878)
+ - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
+ - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
+ - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
+ - modifs: nogroups now stopped causing certain system groups to be dropped,
+ - which are now controlled by the relevant "no" options instead (such as
+ - nosound -> drop audio group), which fixes device access issues on systems
+ - not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
+ - removal: --disable-whitelist at compile time
+ - removal: whitelist=yes/no in /etc/firejail/firejail.config
+ - bugfix: Fix sndio support (#4362 #4365)
+ - bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
+ - bugfix: --build clears the environment (#4460 #4467)
+ - bugfix: firejail hangs with net parameter (#3958 #4476)
+ - bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
+ - bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
+ - bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
+ - bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
+ - bugfix: Firejail rejects empty arguments (#4395)
+ - bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
+ - bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
+ - bugfix: private-etc does not work with symlinks (#4887)
+ - bugfix: Hardware key not detected on keepassxc (#4883)
+ - build: allow building with address sanitizer (#4594)
+ - build: Stop linking pthread (#4695)
+ - build: Configure cleanup and improvements (#4712)
+ - ci: add profile checks for sorting disable-programs.inc and
+ - firecfg.config and for the required arguments in private-etc (#2739 #4643)
+ - ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
+ - docs: Add new command checklist to CONTRIBUTING.md (#4413)
+ - docs: Rework bug report issue template and add both a question and a
+ - feature request template (#4479 #4515 #4561)
+ - docs: fix contradictory descriptions of machine-id ("preserves" vs
+ - "spoofs") (#4689)
+ - docs: Document that private-bin and private-etc always accumulate (#4078)
+ - new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
+ - new includes: disable-proc.inc (#4521)
+ - removed includes: disable-passwordmgr.inc (#4454 #4461)
+ - new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
+ - new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
+ - new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
+ - new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
+ - new profiles: imv, retroarch, torbrowser, CachyBrowser,
+ - new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
+ - new profiles: Seafile, neovim, com.github.tchx84.Flatseal
+
 -------------------------------------------------------------------
 Sun Jul 18 16:45:49 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
 

firejail.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package firejail
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           firejail
-Version:        0.9.66
+Version:        0.9.68
 Release:        0
 Summary:        Linux namepaces sandbox program
 License:        GPL-2.0-only
@@ -120,5 +120,6 @@ rm %{buildroot}%{_docdir}/firejail/COPYING
 %dir %{_datarootdir}/zsh
 %dir %{_datarootdir}/zsh/site-functions/
 %{_datadir}/zsh/site-functions/_firejail
+/etc/apparmor.d/abstractions/base.d/firejail-base
 
 %changelog