* security: fix sscanf rv checks (CodeQL) (#6184)
* feature: private-etc rework: improve handling of /etc/resolv.conf and add
* private-etc groups (#6400#5518#5608#5609#5629#5638#5641#5642#5643
* #5650#5681#5737#5844#5989#6016#6104#5655#6435#6514#6515)
* feature: Add "keep-shell-rc" command and option (#1127#5634)
* feature: Print the argument when failing with "too long arguments" (#5677)
* feature: a random hostname is assigned to each sandbox unless
* overwritten using --hostname command
* feature: add IPv6 support for --net.print option
* feature: QUIC (HTTP/3) support in --nettrace
* feature: add seccomp filters for --restrict-namespaces
* feature: stats support for --nettrace
* feature: add doas support in firecfg and jailcheck (#5899#5900)
* feature: firecfg: add firecfg.d & add ignore command (#2097#5245#5876
* #6153#6268)
* feature: expand simple macros in more commands (--chroot= --netfilter=
* --netfilter6= --trace=) (#6032#6109)
* feature: add Landlock support (#5269#6078#6115#6125#6187#6195#6200
* #6228#6260#6302#6305)
* feature: add support for comm, coredump, and prctl procevents in firemon
* (#6414#6415)
* feature: add notpm command & keep tpm devices in private-dev (#6379#6390)
* feature: fshaper.sh: support tc on NixOS (#6426#6431)
* feature: add aarch64 syscalls (#5821#6574)
* feature: add --disable-sandbox-check configure flag (#6592)
* feature: block /dev/ntsync & add keep-dev-ntsync command (#6655#6660)
* modif: Stop forwarding own double-dash to the shell (#5599#5600)
* modif: Prevent sandbox name (--name=) and host name (--hostname=)
* from containing only digits (#5578#5741)
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=55
* modif: move hardcoded apps recognized by default in uiapps file
* modif: remove sandbox edit dialog and replace it with uiapps file
* feature: added uiapps file for default and user apps configuration
* feature: added a system network monitor in sandbox stats
* feature: added apparmor support in firejail-ui
* feature: added bluetooth support in firejail-ui
* feature: print final sandbox configuration in firejail-ui
* bugfixes
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=49
as they are integrated upstream
- update to version 0.9.70:
- security: CVE-2022-31214 - root escalation in --join logic
- Reported by Matthias Gerstner, working exploit code was provided to our
- development team. In the same time frame, the problem was independently
- reported by Birk Blechschmidt. Full working exploit code was also provided.
- feature: enable shell tab completion with --tab (#4936)
- feature: disable user profiles at compile time (#4990)
- feature: Allow resolution of .local names with avahi-daemon in the apparmor
- profile (#5088)
- feature: always log seccomp errors (#5110)
- feature: firecfg --guide, guided user configuration (#5111)
- feature: --oom, kernel OutOfMemory-killer (#5122)
- modif: --ids feature needs to be enabled at compile time (#5155)
- modif: --nettrace only available to root user
- rework: whitelist restructuring (#4985)
- rework: firemon, speed up and lots of fixes
- bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
- bugfix: nogroups + wrc prints confusing messages (#4930#4933)
- bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
- bugfix: fix printing in evince (#5011)
- bugfix: gcov: fix gcov functions always declared as dummy (#5028)
- bugfix: Stop warning on safe supplementary group clean (#5114)
- build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
- build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
- ci: replace centos (EOL) with almalinux (#4912)
- ci: fix --version not printing compile-time features (#5147)
- ci: print version after install & fix apparmor support on build_apparmor
- (#5148)
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=47
- security: on Ubuntu, the PPA is now recommended over the distro package
- (see README.md) (#4748)
- security: bugfix: private-cwd leaks access to the entire filesystem
- (#4780); reported by Hugo Osvaldo Barrera
- feature: remove (some) environment variables with auth-tokens (#4157)
- feature: ALLOW_TRAY condition (#4510#4599)
- feature: add basic Firejail support to AppArmor base abstraction (#3226
- #4628)
- feature: intrusion detection system (--ids-init, --ids-check)
- feature: deterministic shutdown command (--deterministic-exit-code,
- --deterministic-shutdown) (#928#3042#4635)
- feature: noprinters command (#4607#4827)
- feature: network monitor (--nettrace)
- feature: network locker (--netlock) (#4848)
- feature: whitelist-ro profile command (#4740)
- feature: disable pipewire with --nosound (#4855)
- feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
- feature: Allow apostrophe in whitelist and blacklist (#4614)
- feature: AppImage support in --build command (#4878)
- modifs: exit code: distinguish fatal signals by adding 128 (#4533)
- modifs: firecfg.config is now installed to /etc/firejail/ (#408#4669)
- modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
- modifs: nogroups now stopped causing certain system groups to be dropped,
- which are now controlled by the relevant "no" options instead (such as
- nosound -> drop audio group), which fixes device access issues on systems
- not using (e)logind (such as with seatd) (#4632#4725#4732#4851)
- removal: --disable-whitelist at compile time
- removal: whitelist=yes/no in /etc/firejail/firejail.config
- bugfix: Fix sndio support (#4362#4365)
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=42
- packaging fixes
- Update to version 0.9.64:
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
* new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
* new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
* new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
* new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
* new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
* new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
* new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
* new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
* new profiles: swell-foop, fdns, five-or-more, steam-runtime
* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
* new profiles: gapplication, openarena_ded, element-desktop, cawbird
* new profiles: freetube, strawberry, jitsi-meet-desktop
* new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
* new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
* new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
* new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
* new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
* new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
* new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
* new profiles: qrencode, ytmdesktop, twitch
* new profiles: xournalpp, chromium-freeworld, equalx
- remove firejail-0.9.62-fix-usr-etc.patch, included upstream
- remove firejail-apparmor-3.0.diff, included upstream
OBS-URL: https://build.opensuse.org/request/show/846925
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firejail?expand=0&rev=10
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=32
- update to version 0.9.60:
* security bug reported by Austin Morton:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
CVE-2019-12589
boo#1137139
* memory-deny-write-execute now also blocks memfd_create
* add private-cwd option to control working directory within jail
* blocking system D-Bus socket with --nodbus
* bringing back Centos 6 support
* drop support for flatpak/snap packages
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
OBS-URL: https://build.opensuse.org/request/show/707400
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firejail?expand=0&rev=4
* security bug reported by Austin Morton:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
* memory-deny-write-execute now also blocks memfd_create
* add private-cwd option to control working directory within jail
* blocking system D-Bus socket with --nodbus
* bringing back Centos 6 support
* drop support for flatpak/snap packages
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=18
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=14
Setuid mode is used, but only allowed for users in the newly
created group 'firejail' (boo#1059013).
- Update to version 0.9.54:
* modif: --force removed
* modif: --csh, --zsh removed
* modif: --debug-check-filename removed
* modif: --git-install and --git-uninstall removed
* modif: support for private-bin, private-lib and shell none has been
disabled while running AppImage archives in order to be able to use
our regular profile files with AppImages.
* modif: restrictions for /proc, /sys and /run/user directories
are moved from AppArmor profile into firejail executable
* modif: unifying Chromium and Firefox browsers profiles.
All users of Firefox-based browsers who use addons and plugins
that read/write from ${HOME} will need to uncomment the includes for
firefox-common-addons.inc in firefox-common.profile.
* modif: split disable-devel.inc into disable-devel and
disable-interpreters.inc
* Firejail user access database (/etc/firejail/firejail.users,
man firejail-users)
* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
* Spectre mitigation patch for gcc and clang compiler
* D-Bus handling (--nodbus)
* AppArmor support for overlayfs and chroot sandboxes
* AppArmor support for AppImages
* Enable AppArmor by default for a large number of programs
* firejail --apparmor.print option
* firemon --apparmor option
* apparmor yes/no flag in /etc/firejail/firejail.config
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=10
- Update to version 0.9.48:
* modifs: whitelisted Transmission, Deluge, qBitTorrent,
KTorrent;
please use ~/Downloads directory for saving files
* modifs: AppArmor made optional; a warning is printed on the
screen if the sandbox fails to load the AppArmor profile
* feature: --novideo
* feature: drop discretionary access control capabilities for
root sandboxes
* feature: added /etc/firejail/globals.local for global
customizations
* feature: profile support in overlayfs mode
* new profiles: vym, darktable, Waterfox, digiKam, Catfish,
HandBrake
* bugfixes
OBS-URL: https://build.opensuse.org/request/show/517016
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=7
* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* disabled --allow-debuggers when running on kernel versions prior
to 4.8; a kernel bug in ptrace system call allows a full bypass
of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
* root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
* new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
* major cleanup of file copying code
* tightening the rules for --chroot and --overlay features
* ported Gentoo compile patch
* Nvidia drivers bug in --private-dev
* fix ASSERT_PERMS_FD macro
* allow local customization using .local files under /etc/firejail
backported from our development branch
* spoof machine-id backported from our development branch
- Remove obsoleted patches:
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=6
- Update to version 0.9.44.2:
Security fixes:
* overwrite /etc/resolv.conf found by Martin Carpenter
* TOCTOU exploit for –get and –put found by Daniel Hodson
* invalid environment exploit found by Martin Carpenter
* several security enhancements
Bugfixes:
* crashing VLC by pressing Ctrl-O
* use user configured icons in KDE
* mkdir and mkfile are not applied to private directories
* cannot open files on Deluge running under KDE
* –private=dir where dir is the user home directory
* cannot start Vivaldi browser
* cannot start mupdf
* ssh profile problems
* –quiet
* quiet in git profile
* memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
OBS-URL: https://build.opensuse.org/request/show/448835
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=5
- Update to version 0.9.44:
* CVE-2016-7545 submitted by Aleksey Manevich
Modifications:
* removed man firejail-config
* –private-tmp whitelists /tmp/.X11-unix directory
* Nvidia drivers added to –private-dev
* /srv supported by –whitelist
New features:
* allow user access to /sys/fs (–noblacklist=/sys/fs)
* support starting/joining sandbox is a single command (–join-or-start)
* X11 detection support for –audit
* assign a name to the interface connected to the bridge (–veth-name)
* all user home directories are visible (–allusers)
* add files to sandbox container (–put)
* blocking x11 (–x11=block)
* X11 security extension (–x11=xorg)
* disable 3D hardware acceleration (–no3d)
* x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* move files in sandbox (–put)
* accept wildcard patterns in user name field of restricted shell login feature
New profiles:
* qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* feh, ranger, zathura, 7z, keepass, keepassx,
* claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* Flowblade, Eye of GNOME (eog), Evolution
OBS-URL: https://build.opensuse.org/request/show/437560
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=4
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
