81306e609a Accepting request 1236792 from Virtualization
factory
Ana Guerrero
2025-01-12 10:20:18 +0000
90c0107930 - Load/reload AppArmor profiles when installing the package (boo#1235142#c1)
devel
Sebastian Wagner
2025-01-10 06:33:14 +0000
e1238352af Accepting request 1144048 from Virtualization
Ana Guerrero
2024-02-05 21:01:03 +0000
e4644503bf Accepting request 1144042 from home:adkorte:branches:Virtualization
Sebastian Wagner
2024-02-04 20:59:51 +0000
3f121b056c Accepting request 1079767 from Virtualization
Dominique Leuenberger
2023-04-16 18:13:35 +0000
4bea3e4122 - update to version 0.9.72:
  * modif: move hardcoded apps recognized by default in uiapps file
  * modif: remove sandbox edit dialog and replace it with uiapps file
  * feature: added uiapps file for default and user apps configuration
  * feature: added a system network monitor in sandbox stats
  * feature: added apparmor support in firejail-ui
  * feature: added bluetooth support in firejail-ui
  * feature: print final sandbox configuration in firejail-ui
  * bugfixes
Sebastian Wagner
2023-04-09 15:22:50 +0000
4e0f543415 Accepting request 984254 from Virtualization
Dominique Leuenberger
2022-06-23 08:23:38 +0000
02185620d8 - remove patches fix-internet-access.patch and fix-CVE-2022-31214.patch as they are integrated upstream
- update to version 0.9.70:
  - security: CVE-2022-31214 - root escalation in --join logic
    Reported by Matthias Gerstner, working exploit code was provided to our development team. In the same time frame, the problem was independently reported by Birk Blechschmidt. Full working exploit code was also provided.
  - feature: enable shell tab completion with --tab (#4936)
  - feature: disable user profiles at compile time (#4990)
  - feature: Allow resolution of .local names with avahi-daemon in the apparmor profile (#5088)
  - feature: always log seccomp errors (#5110)
  - feature: firecfg --guide, guided user configuration (#5111)
  - feature: --oom, kernel OutOfMemory-killer (#5122)
  - modif: --ids feature needs to be enabled at compile time (#5155)
  - modif: --nettrace only available to root user
  - rework: whitelist restructuring (#4985)
  - rework: firemon, speed up and lots of fixes
  - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
  - bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
  - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
  - bugfix: fix printing in evince (#5011)
  - bugfix: gcov: fix gcov functions always declared as dummy (#5028)
  - bugfix: Stop warning on safe supplementary group clean (#5114)
  - build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
  - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
  - ci: replace centos (EOL) with almalinux (#4912)
  - ci: fix --version not printing compile-time features (#5147)
  - ci: print version after install & fix apparmor support on build_apparmor (#5148)
Sebastian Wagner
2022-06-14 20:25:23 +0000
c4df071dcc Accepting request 981393 from Virtualization
Dominique Leuenberger
2022-06-09 12:11:55 +0000
b09fab085f - fix bsc#1199148 CVE-2022-31214 by adding patch fix-CVE-2022-31214.patch using commits from upstream.
Sebastian Wagner
2022-06-08 21:08:53 +0000
90201d7f9f Accepting request 958270 from Virtualization
Dominique Leuenberger
2022-03-01 16:03:56 +0000
566ad0a710 - add fix-internet-access.patch to fix boo#1196542
Sebastian Wagner
2022-02-28 19:39:03 +0000
f715d4c5b7 Accepting request 956436 from Virtualization
Dominique Leuenberger
2022-02-21 16:46:50 +0000
48b9cccdb4 add apparmor directories to file list Failed in the Request to Factory
Sebastian Wagner
2022-02-14 11:13:24 +0000
a9233baa33 - update to firejail 0.9.68:
  - security: on Ubuntu, the PPA is now recommended over the distro package (see README.md) (#4748)
  - security: bugfix: private-cwd leaks access to the entire filesystem (#4780); reported by Hugo Osvaldo Barrera
  - feature: remove (some) environment variables with auth-tokens (#4157)
  - feature: ALLOW_TRAY condition (#4510 #4599)
  - feature: add basic Firejail support to AppArmor base abstraction (#3226 #4628)
  - feature: intrusion detection system (--ids-init, --ids-check)
  - feature: deterministic shutdown command (--deterministic-exit-code, --deterministic-shutdown) (#928 #3042 #4635)
  - feature: noprinters command (#4607 #4827)
  - feature: network monitor (--nettrace)
  - feature: network locker (--netlock) (#4848)
  - feature: whitelist-ro profile command (#4740)
  - feature: disable pipewire with --nosound (#4855)
  - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
  - feature: Allow apostrophe in whitelist and blacklist (#4614)
  - feature: AppImage support in --build command (#4878)
  - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
  - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
  - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
  - modifs: nogroups now stopped causing certain system groups to be dropped, which are now controlled by the relevant "no" options instead (such as nosound -> drop audio group), which fixes device access issues on systems not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
  - removal: --disable-whitelist at compile time
  - removal: whitelist=yes/no in /etc/firejail/firejail.config
  - bugfix: Fix sndio support (#4362 #4365)
Sebastian Wagner
2022-02-06 21:09:45 +0000
4804987735 Accepting request 906960 from Virtualization
Dominique Leuenberger
2021-07-18 21:45:05 +0000
b1111dceda Accepting request 906957 from home:AndreasStieger:branches:Virtualization
Sebastian Wagner
2021-07-18 18:36:27 +0000
e59cb944f7 Accepting request 906934 from home:AndreasStieger:branches:Virtualization
Sebastian Wagner
2021-07-18 12:48:18 +0000
5370568b3a Accepting request 870339 from Virtualization
Dominique Leuenberger
2021-02-09 20:16:48 +0000
d7c0b56c56 Accepting request 870157 from home:13ilya:branches:Virtualization
Sebastian Wagner
2021-02-08 07:37:21 +0000
eedaf3953b Accepting request 867566 from Virtualization
Dominique Leuenberger
2021-01-28 20:29:33 +0000
2b52fe676f Accepting request 867564 from home:13ilya:branches:Virtualization
Sebastian Wagner
2021-01-28 19:02:27 +0000
85d92c65e6 Accepting request 846925 from Virtualization
Dominique Leuenberger
2020-11-08 19:59:06 +0000
8cefb6d42d fix file
Sebastian Wagner
2020-11-02 22:09:54 +0000
478a8d32dc - packaging fixes
Sebastian Wagner
2020-11-02 20:06:56 +0000
7ad2a2419a - Update to version 0.9.64:
  * replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use --seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file.
  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version.
  * DHCP client support
  * firecfg only fix desktop-files if started with sudo
  * SELinux labeling support
  * custom 32-bit seccomp filter support
  * restrict ${RUNUSER} in several profiles
  * blacklist shells such as bash in several profiles
  * whitelist globbing
  * mkdir and mkfile support for /run/user directory
  * support ignore for include
  * --include on the command line
  * splitting up media players whitelists in whitelist-players.inc
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
  * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
  * new profiles: presentations18, presentations18free, textmaker18, teams
  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
Sebastian Wagner
2020-11-01 17:53:52 +0000
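The seccomp change in the 0.9.64 entry above (a blocked syscall now returns EPERM to the caller instead of killing the process, with --seccomp-error-action=kill or the syscall:kill syntax restoring the old behaviour) comes down to which SECCOMP_RET_* value the BPF filter returns for the matching syscall. The following is an added example and not firejail's own code: it builds the minimal filter for one syscall with either return action, evaluates it with a small cBPF interpreter so the verdict can be inspected without installing anything, and in main installs the filter in a forked child to show the observable difference (errno versus SIGSYS). The names build_filter, eval_filter, decide and probe_action are this example's own; the architecture check a production filter also carries is left out, and the code assumes Linux with the uapi seccomp headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS   /* older uapi headers only define SECCOMP_RET_KILL */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define FILTER_LEN 4

/* Four-instruction filter: load the syscall number, compare with `nr`,
 * return `action` on a match and SECCOMP_RET_ALLOW otherwise. `action` is
 * SECCOMP_RET_ERRNO | EPERM (the 0.9.64 default) or SECCOMP_RET_KILL_PROCESS
 * (what --seccomp-error-action=kill asks for). Example code, not firejail's. */
static void build_filter(struct sock_filter *f, uint32_t nr, uint32_t action)
{
    const struct sock_filter prog[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    for (int i = 0; i < FILTER_LEN; i++)
        f[i] = prog[i];
}

/* Interpreter for the cBPF subset used above (absolute load of the nr field,
 * JEQ on an immediate, RET immediate) against a synthetic seccomp_data, so a
 * filter's verdict can be checked offline. Unknown opcodes fail closed. */
static uint32_t eval_filter(const struct sock_filter *f, size_t len, int nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (ins->k == offsetof(struct seccomp_data, nr)) ? (uint32_t)nr : 0;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict that a filter built with `action` for `blocked_nr` gives `called_nr`. */
static uint32_t decide(uint32_t action, int blocked_nr, int called_nr)
{
    struct sock_filter f[FILTER_LEN];
    build_filter(f, (uint32_t)blocked_nr, action);
    return eval_filter(f, FILTER_LEN, called_nr);
}

/* Install the filter for getppid() in a forked child and call it. Returns the
 * child's errno (EPERM under SECCOMP_RET_ERRNO), minus the signal number if
 * the child was killed (SIGSYS under SECCOMP_RET_KILL_PROCESS), or 200/201
 * if installing the filter or forking failed. */
static int probe_action(uint32_t action)
{
    pid_t pid = fork();
    if (pid < 0)
        return 201;
    if (pid == 0) {
        struct sock_filter f[FILTER_LEN];
        struct sock_fprog prog = { .len = FILTER_LEN, .filter = f };
        build_filter(f, __NR_getppid, action);
        /* no_new_privs is required for an unprivileged process to install a filter */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(200);
        errno = 0;
        long r = syscall(__NR_getppid);
        _exit(r < 0 ? errno : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 201;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void)
{
    printf("errno action: child result %d (EPERM is %d)\n",
           probe_action(SECCOMP_RET_ERRNO | EPERM), EPERM);
    printf("kill action:  child result %d (-SIGSYS is %d)\n",
           probe_action(SECCOMP_RET_KILL_PROCESS), -SIGSYS);
    return 0;
}
```

The low 16 bits of the ERRNO verdict (SECCOMP_RET_DATA) carry the errno value the caller sees, which is why a filter can hand back EPERM without terminating anything; a KILL verdict never returns to the caller at all, which is the difference an application sees between the two settings.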
22bea5c481 Accepting request 844222 from Virtualization
Dominique Leuenberger
2020-10-27 18:00:22 +0000
0d233a7a59 Accepting request 844172 from home:cboltz:branches:Virtualization
Sebastian Wagner
2020-10-27 07:43:21 +0000
845ba07aea Accepting request 827727 from Virtualization
Dominique Leuenberger
2020-08-19 16:54:50 +0000
30f9931e5a Accepting request 827725 from home:polslinux:branches:Virtualization
Sebastian Wagner
2020-08-19 06:28:03 +0000
a2f2028508 Accepting request 825005 from Virtualization
Dominique Leuenberger
2020-08-10 12:57:56 +0000
20cd8acbae - Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986
Sebastian Wagner
2020-08-08 17:37:44 +0000
a0a118038b Accepting request 799832 from Virtualization
Dominique Leuenberger
2020-05-03 20:47:44 +0000
b9023df37f add patch tag line in specfile
Sebastian Wagner
2020-05-03 13:23:47 +0000
3bb61c9bf6 Accepting request 798884 from home:jubalh:branches:Virtualization
Sebastian Wagner
2020-05-03 13:21:47 +0000
f53b9e77cd Accepting request 774571 from Virtualization
Dominique Leuenberger
2020-02-15 21:25:12 +0000
84b9c6c073 Accepting request 773543 from home:darix:playground
Sebastian Wagner
2020-02-15 15:30:46 +0000
8ee173b52b Accepting request 707400 from Virtualization
Dominique Leuenberger
2019-06-04 10:14:58 +0000
ec099811d6 CVE-2019-12589 boo#1137139
Sebastian Wagner
2019-06-04 07:32:22 +0000
b32a343fff - update to version 0.9.60:
  * security bug reported by Austin Morton: Seccomp filters are copied into /run/firejail/mnt, and are writable within the jail. A malicious process can modify files from inside the jail. Processes that are later joined to the jail will not have seccomp filters applied.
  * memory-deny-write-execute now also blocks memfd_create
  * add private-cwd option to control working directory within jail
  * blocking system D-Bus socket with --nodbus
  * bringing back Centos 6 support
  * drop support for flatpak/snap packages
  * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
  * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
  * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
  * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
  * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
  * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
  * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
  * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
  * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
  * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
  * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
  * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
Sebastian Wagner
2019-06-02 16:36:27 +0000
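The 0.9.60 security note above (CVE-2019-12589) describes seccomp filter files under /run/firejail/mnt that a sandboxed process could overwrite, with the effect that a process joined to the jail afterwards ran with no filter at all. Whether the kernel is actually enforcing a filter on a given process is independent of any file: it is reported in the Seccomp field of /proc/<pid>/status (0 disabled, 1 strict, 2 filter). The following is an added example and not firejail's code: a small parser for that status text, a check that combines it with the NoNewPrivs field, and a main that applies the check to the calling process, which is what one would run inside a sandbox, including after a --join, to confirm mode 2. The sample status text is constructed for the example, and names such as parse_status_int and sandbox_seccomp_ok are its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/status (not a real capture), with the
 * fields a sandbox check cares about in the kernel's "Key:\tvalue" layout. */
static const char sample_status[] =
    "Name:\tbash\n"
    "Pid:\t4242\n"
    "NoNewPrivs:\t1\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t1\n";

/* Integer value of the "<key>:" line in status text, or -1 if absent.
 * Requiring the ':' right after the key keeps "Seccomp" from matching the
 * newer "Seccomp_filters" line. */
static int parse_status_int(const char *status_text, const char *key)
{
    size_t klen = strlen(key);
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')
            return atoi(line + klen + 1);   /* atoi skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Seccomp mode as the kernel reports it: 0 disabled, 1 strict, 2 filter. */
static int seccomp_mode(const char *status_text)
{
    return parse_status_int(status_text, "Seccomp");
}

/* A process is only sandboxed by seccomp if it is in filter mode; the
 * no_new_privs flag is what keeps a setuid exec from shedding the filter. */
static int sandbox_seccomp_ok(const char *status_text)
{
    return seccomp_mode(status_text) == 2 &&
           parse_status_int(status_text, "NoNewPrivs") == 1;
}

/* Read /proc/self/status into buf; returns bytes read or -1 on error. */
static long read_self_status(char *buf, size_t len)
{
    FILE *fp = fopen("/proc/self/status", "r");
    if (!fp)
        return -1;
    size_t n = fread(buf, 1, len - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    char buf[8192];
    if (read_self_status(buf, sizeof buf) < 0) {
        perror("/proc/self/status");
        return 1;
    }
    int ok = sandbox_seccomp_ok(buf);
    printf("Seccomp mode: %d, NoNewPrivs: %d -> %s\n",
           seccomp_mode(buf), parse_status_int(buf, "NoNewPrivs"),
           ok ? "filter enforced" : "NOT filtered");
    return ok ? 0 : 2;
}
```

Run the compiled binary once outside the sandbox (expect mode 0 and exit status 2) and once through firejail with a seccomp profile, then again via --join into the running sandbox; any joined process that reports a mode other than 2 has not received the filter.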
8f910e1f82 Accepting request 670891 from Virtualization
Stephan Kulow
2019-02-04 13:25:03 +0000
8b442f3a70 Accepting request 670512 from home:polslinux:branches:Virtualization
Dirk Mueller
2019-02-03 18:00:19 +0000
12593f1e6a Accepting request 639122 from Virtualization
Dominique Leuenberger
2018-10-11 09:47:59 +0000
2892572be0 - update to version 0.9.56:
  * modif: removed CFG_CHROOT_DESKTOP configuration option
  * modif: removed compile time --enable-network=restricted
  * modif: removed compile time --disable-bind
  * modif: --net=none allowed even if networking was disabled at compile time or at run time
  * modif: allow system users to run the sandbox
  * support wireless devices in --net option
  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified by --net is not configured (--netmask)
  * support for firetunnel utility
  * disable U2F devices (--nou2f)
  * add --private-cache to support private ~/.cache
  * support full paths in private-lib
  * globbing support in private-lib
  * support for local user directories in firecfg (--bindir)
  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
  * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
  * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
  * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
  * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
  * new profiles: start-tor-browser.desktop
Sebastian Wagner
2018-09-22 09:20:11 +0000
6a7a47dd31 Accepting request 634916 from Virtualization
Yuchen Lin
2018-09-18 09:43:16 +0000
726c0a1ca4 Accepting request 634910 from home:markoschandras:branches:Virtualization
Sebastian Wagner
2018-09-11 08:20:15 +0000
cd8d8218e4 Accepting request 634702 from home:markoschandras:branches:Virtualization
Sebastian Wagner
2018-09-10 10:12:02 +0000
925e8bdf31 - Changed the permissions of the firejail executable to 4750. Setuid mode is used, but only allowed for users in the newly created group 'firejail' (boo#1059013).
- Update to version 0.9.54:
  * modif: --force removed
  * modif: --csh, --zsh removed
  * modif: --debug-check-filename removed
  * modif: --git-install and --git-uninstall removed
  * modif: support for private-bin, private-lib and shell none has been disabled while running AppImage archives in order to be able to use our regular profile files with AppImages.
  * modif: restrictions for /proc, /sys and /run/user directories are moved from AppArmor profile into firejail executable
  * modif: unifying Chromium and Firefox browsers profiles. All users of Firefox-based browsers who use addons and plugins that read/write from ${HOME} will need to uncomment the includes for firefox-common-addons.inc in firefox-common.profile.
  * modif: split disable-devel.inc into disable-devel and disable-interpreters.inc
  * Firejail user access database (/etc/firejail/firejail.users, man firejail-users)
  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
  * Spectre mitigation patch for gcc and clang compiler
  * D-Bus handling (--nodbus)
  * AppArmor support for overlayfs and chroot sandboxes
  * AppArmor support for AppImages
  * Enable AppArmor by default for a large number of programs
  * firejail --apparmor.print option
  * firemon --apparmor option
  * apparmor yes/no flag in /etc/firejail/firejail.config
Sebastian Wagner
2018-08-26 10:45:50 +0000
68d6fd1be5 Accepting request 556579 from home:avindra
Takashi Iwai
2017-12-14 10:26:35 +0000
c320ca99e4 Accepting request 522777 from home:avindra
Takashi Iwai
2017-09-13 09:08:57 +0000
a872b3d7c4 Accepting request 517016 from home:tiwai:branches:Virtualization
Takashi Iwai
2017-08-15 14:51:08 +0000
f1a8cd5699 - Update to version 0.9.44.4:
  * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  * root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
  * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * major cleanup of file copying code
  * tightening the rules for --chroot and --overlay features
  * ported Gentoo compile patch
  * Nvidia drivers bug in --private-dev
  * fix ASSERT_PERMS_FD macro
  * allow local customization using .local files under /etc/firejail backported from our development branch
  * spoof machine-id backported from our development branch
- Remove obsoleted patches: firejail-CVE-2017-5180-fix1.patch firejail-CVE-2017-5180-fix2.patch
Takashi Iwai
2017-01-16 15:36:03 +0000
7a7ff5e7fe Accepting request 448835 from home:tiwai:branches:Virtualization
Ismail Dönmez
2017-01-07 09:27:56 +0000
c5bd94cd19 Accepting request 437560 from home:tiwai:branches:Virtualization
Ismail Dönmez
2016-11-03 08:20:46 +0000
555d6e90b4 Accepting request 431498 from home:tiwai:branches:Virtualization
Olaf Hering
2016-10-13 08:58:49 +0000
c0b4cdac0f Accepting request 400690 from home:tiwai:branches:Virtualization
Ismail Dönmez
2016-06-08 17:13:02 +0000
755e067884 Accepting request 397032 from home:tiwai:firejail
Dirk Mueller
2016-05-24 05:12:25 +0000