7ff88bbd86
- add new additional signing key support+releasesigning@divested.dev 6395FC9911EDCD6158712DF7BADFCABDDBF5B694 - Update to version 0.9.76: * feature: use globbing in hardcoded numbered /dev paths (#2723#6704) * feature: add warn command (#6710) * feature: use non-blocking flock calls (#6761) * modif: block TPM devices & turn notpm command into keep-dev-tpm (#6698) * modif: improve error messages in mountinfo.c (#6711) * modif: use "Error:" in errExit message (#6716) * modif: keep tss group if keep-dev-tpm is used (#6718) * modif: keep /dev/tpmrm devices if keep-dev-tpm is used (#6719) * modif: keep tcm/tcmrm devices if keep-dev-tpm is used (#6724) * modif: improve "Failed mount" error messages in util.c (#6747) * modif: improve fcopy error messages in check() (#6801) * modif: fcopy: try normal case first instead of last in check() (#6804) * modif: improve new network namespace error message (#6824) * modif: improve error messages in sandbox.c/sbox.c (#6825) * bugfix: fix flock debug messages going to stderr (#6712) * bugfix: add missing selinux relabeling for /dev paths (#6734) * bugfix: fix potential deadlock with flock + SIGTSTP (#6729#6750) * bugfix: fcopy: add /usr/share + "runner:root" exception to fix CI (#6797#6803) * bugfix: fcopy: allow /etc/resolv.conf owned by systemd-resolve (#4545#6808) * bugfix: fix "Not enforcing Landlock" message always being printed (#6806) * bugfix: add NULL check for cmdline in find_child() (#6840) * build: use TARNAME in SYSCONFDIR/VARDIR (#6713) * build: add localstatedir and use in VARDIR (#6715) * build: replace SYSCONFDIR with @sysconfdir@ (#6737) * ci: upgrade debian:buster to debian:bullseye (#6832) * docs: improve URL formatting in man pages (#6706) * docs: clarify --private bug in man pages (#6805) * docs: fix man formatting of landlock.enforce (#6807)
Sebastian Wagner2025-07-31 10:55:18 +00:00
585944077b
Accepting request 1294517 from Virtualization
Ana Guerrero2025-07-21 17:59:50 +00:00
0314ee92a2
- update to version 0.9.74: * security: fix sscanf rv checks (CodeQL) (#6184) * feature: private-etc rework: improve handling of /etc/resolv.conf and add * private-etc groups (#6400#5518#5608#5609#5629#5638#5641#5642#5643 * #5650#5681#5737#5844#5989#6016#6104#5655#6435#6514#6515) * feature: Add "keep-shell-rc" command and option (#1127#5634) * feature: Print the argument when failing with "too long arguments" (#5677) * feature: a random hostname is assigned to each sandbox unless * overwritten using --hostname command * feature: add IPv6 support for --net.print option * feature: QUIC (HTTP/3) support in --nettrace * feature: add seccomp filters for --restrict-namespaces * feature: stats support for --nettrace * feature: add doas support in firecfg and jailcheck (#5899#5900) * feature: firecfg: add firecfg.d & add ignore command (#2097#5245#5876 * #6153#6268) * feature: expand simple macros in more commands (--chroot= --netfilter= * --netfilter6= --trace=) (#6032#6109) * feature: add Landlock support (#5269#6078#6115#6125#6187#6195#6200 * #6228#6260#6302#6305) * feature: add support for comm, coredump, and prctl procevents in firemon * (#6414#6415) * feature: add notpm command & keep tpm devices in private-dev (#6379#6390) * feature: fshaper.sh: support tc on NixOS (#6426#6431) * feature: add aarch64 syscalls (#5821#6574) * feature: add --disable-sandbox-check configure flag (#6592) * feature: block /dev/ntsync & add keep-dev-ntsync command (#6655#6660) * modif: Stop forwarding own double-dash to the shell (#5599#5600) * modif: Prevent sandbox name (--name=) and host name (--hostname=) * from containing only digits (#5578#5741)
Sebastian Wagner2025-07-19 11:13:47 +00:00
4263f525df
Accepting request 1236792 from Virtualization
Ana Guerrero2025-01-12 10:20:18 +00:00
9b5f3c31b2
Accepting request 1236742 from home:cboltz:branches:Virtualization
Sebastian Wagner2025-01-10 06:33:14 +00:00
4bea3e4122
- update to version 0.9.72: * modif: move hardcoded apps recognized by default in uiapps file * modif: remove sandbox edit dialog and replace it with uiapps file * feature: added uiapps file for default and user apps configuration * feature: added a system network monitor in sandbox stats * feature: added apparmor support in firejail-ui * feature: added bluetooth support in firejail-ui * feature: print final sandbox configuration in firejail-ui * bugfixes
Sebastian Wagner2023-04-09 15:22:50 +00:00
9b287dc9ad
- update to version 0.9.72: * modif: move hardcoded apps recognized by default in uiapps file * modif: remove sandbox edit dialog and replace it with uiapps file * feature: added uiapps file for default and user apps configuration * feature: added a system network monitor in sandbox stats * feature: added apparmor support in firejail-ui * feature: added bluetooth support in firejail-ui * feature: print final sandbox configuration in firejail-ui * bugfixes
Sebastian Wagner2023-04-09 15:22:50 +00:00
02185620d8
- remove patches fix-internet-access.patch and fix-CVE-2022-31214.patch as they are integrated upstream - update to version 0.9.70: - security: CVE-2022-31214 - root escalation in --join logic - Reported by Matthias Gerstner, working exploit code was provided to our - development team. In the same time frame, the problem was independently - reported by Birk Blechschmidt. Full working exploit code was also provided. - feature: enable shell tab completion with --tab (#4936) - feature: disable user profiles at compile time (#4990) - feature: Allow resolution of .local names with avahi-daemon in the apparmor - profile (#5088) - feature: always log seccomp errors (#5110) - feature: firecfg --guide, guided user configuration (#5111) - feature: --oom, kernel OutOfMemory-killer (#5122) - modif: --ids feature needs to be enabled at compile time (#5155) - modif: --nettrace only available to root user - rework: whitelist restructuring (#4985) - rework: firemon, speed up and lots of fixes - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) - bugfix: nogroups + wrc prints confusing messages (#4930#4933) - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954) - bugfix: fix printing in evince (#5011) - bugfix: gcov: fix gcov functions always declared as dummy (#5028) - bugfix: Stop warning on safe supplementary group clean (#5114) - build: remove ultimately unused INSTALL and RANLIB check macros (#5133) - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154) - ci: replace centos (EOL) with almalinux (#4912) - ci: fix --version not printing compile-time features (#5147) - ci: print version after install & fix apparmor support on build_apparmor - (#5148)
Sebastian Wagner2022-06-14 20:25:23 +00:00
6cb3f5c608
- remove patches fix-internet-access.patch and fix-CVE-2022-31214.patch as they are integrated upstream - update to version 0.9.70: - security: CVE-2022-31214 - root escalation in --join logic - Reported by Matthias Gerstner, working exploit code was provided to our - development team. In the same time frame, the problem was independently - reported by Birk Blechschmidt. Full working exploit code was also provided. - feature: enable shell tab completion with --tab (#4936) - feature: disable user profiles at compile time (#4990) - feature: Allow resolution of .local names with avahi-daemon in the apparmor - profile (#5088) - feature: always log seccomp errors (#5110) - feature: firecfg --guide, guided user configuration (#5111) - feature: --oom, kernel OutOfMemory-killer (#5122) - modif: --ids feature needs to be enabled at compile time (#5155) - modif: --nettrace only available to root user - rework: whitelist restructuring (#4985) - rework: firemon, speed up and lots of fixes - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) - bugfix: nogroups + wrc prints confusing messages (#4930#4933) - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954) - bugfix: fix printing in evince (#5011) - bugfix: gcov: fix gcov functions always declared as dummy (#5028) - bugfix: Stop warning on safe supplementary group clean (#5114) - build: remove ultimately unused INSTALL and RANLIB check macros (#5133) - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154) - ci: replace centos (EOL) with almalinux (#4912) - ci: fix --version not printing compile-time features (#5147) - ci: print version after install & fix apparmor support on build_apparmor - (#5148)
Sebastian Wagner2022-06-14 20:25:23 +00:00
b09fab085f
- fix bsc#1199148 CVE-2022-31214 by adding patch fix-CVE-2022-31214.patch using commits from upstream.
Sebastian Wagner2022-06-08 21:08:53 +00:00
dbb80f236a
- fix bsc#1199148 CVE-2022-31214 by adding patch fix-CVE-2022-31214.patch using commits from upstream.
Sebastian Wagner2022-06-08 21:08:53 +00:00
48b9cccdb4
add apparmor directories to file list Failed in the Request to Factory
Sebastian Wagner2022-02-14 11:13:24 +00:00
226e9ab47f
add apparmor directories to file list Failed in the Request to Factory
Sebastian Wagner2022-02-14 11:13:24 +00:00
a9233baa33
- update to firejail 0.9.68: - security: on Ubuntu, the PPA is now recommended over the distro package - (see README.md) (#4748) - security: bugfix: private-cwd leaks access to the entire filesystem - (#4780); reported by Hugo Osvaldo Barrera - feature: remove (some) environment variables with auth-tokens (#4157) - feature: ALLOW_TRAY condition (#4510#4599) - feature: add basic Firejail support to AppArmor base abstraction (#3226 - #4628) - feature: intrusion detection system (--ids-init, --ids-check) - feature: deterministic shutdown command (--deterministic-exit-code, - --deterministic-shutdown) (#928#3042#4635) - feature: noprinters command (#4607#4827) - feature: network monitor (--nettrace) - feature: network locker (--netlock) (#4848) - feature: whitelist-ro profile command (#4740) - feature: disable pipewire with --nosound (#4855) - feature: Unset TMP if it doesn't exist inside of sandbox (#4151) - feature: Allow apostrophe in whitelist and blacklist (#4614) - feature: AppImage support in --build command (#4878) - modifs: exit code: distinguish fatal signals by adding 128 (#4533) - modifs: firecfg.config is now installed to /etc/firejail/ (#408#4669) - modifs: close file descriptors greater than 2 (--keep-fd) (#4845) - modifs: nogroups now stopped causing certain system groups to be dropped, - which are now controlled by the relevant "no" options instead (such as - nosound -> drop audio group), which fixes device access issues on systems - not using (e)logind (such as with seatd) (#4632#4725#4732#4851) - removal: --disable-whitelist at compile time - removal: whitelist=yes/no in /etc/firejail/firejail.config - bugfix: Fix sndio support (#4362#4365)
Sebastian Wagner2022-02-06 21:09:45 +00:00
58476282b9
- update to firejail 0.9.68: - security: on Ubuntu, the PPA is now recommended over the distro package - (see README.md) (#4748) - security: bugfix: private-cwd leaks access to the entire filesystem - (#4780); reported by Hugo Osvaldo Barrera - feature: remove (some) environment variables with auth-tokens (#4157) - feature: ALLOW_TRAY condition (#4510#4599) - feature: add basic Firejail support to AppArmor base abstraction (#3226 - #4628) - feature: intrusion detection system (--ids-init, --ids-check) - feature: deterministic shutdown command (--deterministic-exit-code, - --deterministic-shutdown) (#928#3042#4635) - feature: noprinters command (#4607#4827) - feature: network monitor (--nettrace) - feature: network locker (--netlock) (#4848) - feature: whitelist-ro profile command (#4740) - feature: disable pipewire with --nosound (#4855) - feature: Unset TMP if it doesn't exist inside of sandbox (#4151) - feature: Allow apostrophe in whitelist and blacklist (#4614) - feature: AppImage support in --build command (#4878) - modifs: exit code: distinguish fatal signals by adding 128 (#4533) - modifs: firecfg.config is now installed to /etc/firejail/ (#408#4669) - modifs: close file descriptors greater than 2 (--keep-fd) (#4845) - modifs: nogroups now stopped causing certain system groups to be dropped, - which are now controlled by the relevant "no" options instead (such as - nosound -> drop audio group), which fixes device access issues on systems - not using (e)logind (such as with seatd) (#4632#4725#4732#4851) - removal: --disable-whitelist at compile time - removal: whitelist=yes/no in /etc/firejail/firejail.config - bugfix: Fix sndio support (#4362#4365)
Sebastian Wagner2022-02-06 21:09:45 +00:00
7ad2a2419a
- Update to version 0.9.64: * replaced --nowrap option with --wrap in firemon * The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use --seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file. * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version. * DHCP client support * firecfg only fix dektop-files if started with sudo * SELinux labeling support * custom 32-bit seccomp filter support * restrict ${RUNUSER} in several profiles * blacklist shells such as bash in several profiles * whitelist globbing * mkdir and mkfile support for /run/user directory * support ignore for include * --include on the command line * splitting up media players whitelists in whitelist-players.inc * new condition: HAS_NOSOUND * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool * new profiles: desktopeditors, impressive, planmaker18, planmaker18free * new profiles: presentations18, presentations18free, textmaker18, teams * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
Sebastian Wagner2020-11-01 17:53:52 +00:00
7de3dc79dc
- Update to version 0.9.64: * replaced --nowrap option with --wrap in firemon * The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use --seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file. * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version. * DHCP client support * firecfg only fix dektop-files if started with sudo * SELinux labeling support * custom 32-bit seccomp filter support * restrict ${RUNUSER} in several profiles * blacklist shells such as bash in several profiles * whitelist globbing * mkdir and mkfile support for /run/user directory * support ignore for include * --include on the command line * splitting up media players whitelists in whitelist-players.inc * new condition: HAS_NOSOUND * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool * new profiles: desktopeditors, impressive, planmaker18, planmaker18free * new profiles: presentations18, presentations18free, textmaker18, teams * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
Sebastian Wagner2020-11-01 17:53:52 +00:00
20cd8acbae
- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986
Sebastian Wagner2020-08-08 17:37:44 +00:00
3ad5b05034
- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986
Sebastian Wagner2020-08-08 17:37:44 +00:00
b32a343fff
- update to version 0.9.60: * security bug reported by Austin Morton: Seccomp filters are copied into /run/firejail/mnt, and are writable within the jail. A malicious process can modify files from inside the jail. Processes that are later joined to the jail will not have seccomp filters applied. * memory-deny-write-execute now also blocks memfd_create * add private-cwd option to control working directory within jail * blocking system D-Bus socket with --nodbus * bringing back Centos 6 support * drop support for flatpak/snap packages * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool * new profiles: netactview, redshift, devhelp, assogiate, subdownloader * new profiles: font-manager, exfalso, gconf-editor, dconf-editor * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
Sebastian Wagner2019-06-02 16:36:27 +00:00
d0d6eba4d5
- update to version 0.9.60: * security bug reported by Austin Morton: Seccomp filters are copied into /run/firejail/mnt, and are writable within the jail. A malicious process can modify files from inside the jail. Processes that are later joined to the jail will not have seccomp filters applied. * memory-deny-write-execute now also blocks memfd_create * add private-cwd option to control working directory within jail * blocking system D-Bus socket with --nodbus * bringing back Centos 6 support * drop support for flatpak/snap packages * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool * new profiles: netactview, redshift, devhelp, assogiate, subdownloader * new profiles: font-manager, exfalso, gconf-editor, dconf-editor * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
Sebastian Wagner2019-06-02 16:36:27 +00:00
8f910e1f82
Accepting request 670891 from Virtualization
Stephan Kulow
2019-02-04 13:25:03 +00:00
820f4356de
Accepting request 670891 from Virtualization
Stephan Kulow
2019-02-04 13:25:03 +00:00
8b442f3a70
Accepting request 670512 from home:polslinux:branches:Virtualization
Dirk Mueller2019-02-03 18:00:19 +00:00
2eb4256fe1
Accepting request 670512 from home:polslinux:branches:Virtualization
Dirk Mueller2019-02-03 18:00:19 +00:00
2892572be0
- update to version 0.9.56: * modif: removed CFG_CHROOT_DESKTOP configuration option * modif: removed compile time --enable-network=restricted * modif: removed compile time --disable-bind * modif: --net=none allowed even if networking was disabled at compile time or at run time * modif: allow system users to run the sandbox * support wireless devices in --net option * support tap devices in --net option (tunneling support) * allow IP address configuration if the parent interface specified by --net is not configured (--netmask) * support for firetunnel utility * disable U2F devices (--nou2f) * add --private-cache to support private ~/.cache * support full paths in private-lib * globbing support in private-lib * support for local user directories in firecfg (--bindir) * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint, * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd, * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois, * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3 * new profiles: start-tor-browser.desktop
Sebastian Wagner2018-09-22 09:20:11 +00:00
2a32cf322e
- update to version 0.9.56: * modif: removed CFG_CHROOT_DESKTOP configuration option * modif: removed compile time --enable-network=restricted * modif: removed compile time --disable-bind * modif: --net=none allowed even if networking was disabled at compile time or at run time * modif: allow system users to run the sandbox * support wireless devices in --net option * support tap devices in --net option (tunneling support) * allow IP address configuration if the parent interface specified by --net is not configured (--netmask) * support for firetunnel utility * disable U2F devices (--nou2f) * add --private-cache to support private ~/.cache * support full paths in private-lib * globbing support in private-lib * support for local user directories in firecfg (--bindir) * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint, * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd, * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois, * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3 * new profiles: start-tor-browser.desktop
Sebastian Wagner2018-09-22 09:20:11 +00:00
6a7a47dd31
Accepting request 634916 from Virtualization
Yuchen Lin2018-09-18 09:43:16 +00:00
60e12c3eae
Accepting request 634916 from Virtualization
Yuchen Lin2018-09-18 09:43:16 +00:00
726c0a1ca4
Accepting request 634910 from home:markoschandras:branches:Virtualization
Sebastian Wagner2018-09-11 08:20:15 +00:00
73de95461d
Accepting request 634910 from home:markoschandras:branches:Virtualization
Sebastian Wagner2018-09-11 08:20:15 +00:00
cd8d8218e4
Accepting request 634702 from home:markoschandras:branches:Virtualization
Sebastian Wagner2018-09-10 10:12:02 +00:00
a6e934237e
Accepting request 634702 from home:markoschandras:branches:Virtualization
Sebastian Wagner2018-09-10 10:12:02 +00:00
925e8bdf31
- Changed the permissions of the firejail executable to 4750. Setuid mode is used, but only allowed for users in the newly created group 'firejail' (boo#1059013). - Update to version 0.9.54: * modif: --force removed * modif: --csh, --zsh removed * modif: --debug-check-filename removed * modif: --git-install and --git-uninstall removed * modif: support for private-bin, private-lib and shell none has been disabled while running AppImage archives in order to be able to use our regular profile files with AppImages. * modif: restrictions for /proc, /sys and /run/user directories are moved from AppArmor profile into firejail executable * modif: unifying Chromium and Firefox browsers profiles. All users of Firefox-based browsers who use addons and plugins that read/write from ${HOME} will need to uncomment the includes for firefox-common-addons.inc in firefox-common.profile. * modif: split disable-devel.inc into disable-devel and disable-interpreters.inc * Firejail user access database (/etc/firejail/firejail.users, man firejail-users) * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) * Spectre mitigation patch for gcc and clang compiler * D-Bus handling (--nodbus) * AppArmor support for overlayfs and chroot sandboxes * AppArmor support for AppImages * Enable AppArmor by default for a large number of programs * firejail --apparmor.print option * firemon --apparmor option * apparmor yes/no flag in /etc/firejail/firejail.config
Sebastian Wagner2018-08-26 10:45:50 +00:00
209b4e66ce
- Changed the permissions of the firejail executable to 4750. Setuid mode is used, but only allowed for users in the newly created group 'firejail' (boo#1059013). - Update to version 0.9.54: * modif: --force removed * modif: --csh, --zsh removed * modif: --debug-check-filename removed * modif: --git-install and --git-uninstall removed * modif: support for private-bin, private-lib and shell none has been disabled while running AppImage archives in order to be able to use our regular profile files with AppImages. * modif: restrictions for /proc, /sys and /run/user directories are moved from AppArmor profile into firejail executable * modif: unifying Chromium and Firefox browsers profiles. All users of Firefox-based browsers who use addons and plugins that read/write from ${HOME} will need to uncomment the includes for firefox-common-addons.inc in firefox-common.profile. * modif: split disable-devel.inc into disable-devel and disable-interpreters.inc * Firejail user access database (/etc/firejail/firejail.users, man firejail-users) * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) * Spectre mitigation patch for gcc and clang compiler * D-Bus handling (--nodbus) * AppArmor support for overlayfs and chroot sandboxes * AppArmor support for AppImages * Enable AppArmor by default for a large number of programs * firejail --apparmor.print option * firemon --apparmor option * apparmor yes/no flag in /etc/firejail/firejail.config
Sebastian Wagner2018-08-26 10:45:50 +00:00
Ana Guerrero
Sebastian Wagner
Dominique Leuenberger
Stephan Kulow
Dirk Mueller
Yuchen Lin