- update to version 0.9.60:
* security bug reported by Austin Morton:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
CVE-2019-12589
boo#1137139
* memory-deny-write-execute now also blocks memfd_create
* add private-cwd option to control working directory within jail
* blocking system D-Bus socket with --nodbus
* bringing back Centos 6 support
* drop support for flatpak/snap packages
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
OBS-URL: https://build.opensuse.org/request/show/707400
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firejail?expand=0&rev=4
* security bug reported by Austin Morton:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
* memory-deny-write-execute now also blocks memfd_create
* add private-cwd option to control working directory within jail
* blocking system D-Bus socket with --nodbus
* bringing back Centos 6 support
* drop support for flatpak/snap packages
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=18
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=14
Setuid mode is used, but only allowed for users in the newly
created group 'firejail' (boo#1059013).
- Update to version 0.9.54:
* modif: --force removed
* modif: --csh, --zsh removed
* modif: --debug-check-filename removed
* modif: --git-install and --git-uninstall removed
* modif: support for private-bin, private-lib and shell none has been
disabled while running AppImage archives in order to be able to use
our regular profile files with AppImages.
* modif: restrictions for /proc, /sys and /run/user directories
are moved from AppArmor profile into firejail executable
* modif: unifying Chromium and Firefox browsers profiles.
All users of Firefox-based browsers who use addons and plugins
that read/write from ${HOME} will need to uncomment the includes for
firefox-common-addons.inc in firefox-common.profile.
* modif: split disable-devel.inc into disable-devel and
disable-interpreters.inc
* Firejail user access database (/etc/firejail/firejail.users,
man firejail-users)
* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
* Spectre mitigation patch for gcc and clang compiler
* D-Bus handling (--nodbus)
* AppArmor support for overlayfs and chroot sandboxes
* AppArmor support for AppImages
* Enable AppArmor by default for a large number of programs
* firejail --apparmor.print option
* firemon --apparmor option
* apparmor yes/no flag in /etc/firejail/firejail.config
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=10
- Update to version 0.9.48:
* modifs: whitelisted Transmission, Deluge, qBitTorrent,
KTorrent;
please use ~/Downloads directory for saving files
* modifs: AppArmor made optional; a warning is printed on the
screen if the sandbox fails to load the AppArmor profile
* feature: --novideo
* feature: drop discretionary access control capabilities for
root sandboxes
* feature: added /etc/firejail/globals.local for global
customizations
* feature: profile support in overlayfs mode
* new profiles: vym, darktable, Waterfox, digiKam, Catfish,
HandBrake
* bugfixes
OBS-URL: https://build.opensuse.org/request/show/517016
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=7
* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* disabled --allow-debuggers when running on kernel versions prior
to 4.8; a kernel bug in ptrace system call allows a full bypass
of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
* root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
* new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
* major cleanup of file copying code
* tightening the rules for --chroot and --overlay features
* ported Gentoo compile patch
* Nvidia drivers bug in --private-dev
* fix ASSERT_PERMS_FD macro
* allow local customization using .local files under /etc/firejail
backported from our development branch
* spoof machine-id backported from our development branch
- Remove obsoleted patches:
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=6
- Update to version 0.9.44.2:
Security fixes:
* overwrite /etc/resolv.conf found by Martin Carpenter
* TOCTOU exploit for –get and –put found by Daniel Hodson
* invalid environment exploit found by Martin Carpenter
* several security enhancements
Bugfixes:
* crashing VLC by pressing Ctrl-O
* use user configured icons in KDE
* mkdir and mkfile are not applied to private directories
* cannot open files on Deluge running under KDE
* –private=dir where dir is the user home directory
* cannot start Vivaldi browser
* cannot start mupdf
* ssh profile problems
* –quiet
* quiet in git profile
* memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
OBS-URL: https://build.opensuse.org/request/show/448835
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=5
- Update to version 0.9.44:
* CVE-2016-7545 submitted by Aleksey Manevich
Modifications:
* removed man firejail-config
* –private-tmp whitelists /tmp/.X11-unix directory
* Nvidia drivers added to –private-dev
* /srv supported by –whitelist
New features:
* allow user access to /sys/fs (–noblacklist=/sys/fs)
* support starting/joining sandbox is a single command (–join-or-start)
* X11 detection support for –audit
* assign a name to the interface connected to the bridge (–veth-name)
* all user home directories are visible (–allusers)
* add files to sandbox container (–put)
* blocking x11 (–x11=block)
* X11 security extension (–x11=xorg)
* disable 3D hardware acceleration (–no3d)
* x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* move files in sandbox (–put)
* accept wildcard patterns in user name field of restricted shell login feature
New profiles:
* qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* feh, ranger, zathura, 7z, keepass, keepassx,
* claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* Flowblade, Eye of GNOME (eog), Evolution
OBS-URL: https://build.opensuse.org/request/show/437560
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=4
