firejail/firejail.changes
Takashi Iwai c320ca99e4 Accepting request 522777 from home:avindra
- Update to version 0.9.50:
  * New features:
    - per-profile disable-mnt (--disable-mnt)
    - per-profile support to set X11 Xephyr screen size (--xephyr-screen)
    - private /lib directory (--private-lib)
    - disable CDROM/DVD drive (--nodvd)
    - disable DVB devices (--notv)
    - --profile.print
  * modif: --output split in two commands, --output and --output-stderr
  * set xpra-attach yes in /etc/firejail/firejail.config
  * Enhancements:
    - print all seccomp filters under --debug
    - /proc/sys mounting
    - rework IP address assignment for --net options
    - support for newer Xpra versions (2.1+)
    - all profiles use a standard layout style
    - create /usr/local for firecfg if the directory doesn't exist
    - allow full paths in --private-bin
  * New seccomp features:
    - --memory-deny-write-execute
    - seccomp post-exec
    - block secondary architecture (--seccomp.block_secondary)
    - seccomp syscall groups
    - print all seccomp filters under --debug
    - default seccomp list update
  * new profiles:
    curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
    Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
    Android Studio, electron, riot-web, Extreme Tux Racer,
    Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
    telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
    hashcat, obs, picard, remmina, sdat2img, soundconverter
    truecraft, gnome-twitch, tuxguitar, musescore, neverball
    sqlitebrowser, Yandex Browser, minetest

OBS-URL: https://build.opensuse.org/request/show/522777
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=8
2017-09-13 09:08:57 +00:00

-------------------------------------------------------------------
Sat Sep 9 14:40:29 UTC 2017 - aavindraa@gmail.com
- Update to version 0.9.50:
* New features:
- per-profile disable-mnt (--disable-mnt)
- per-profile support to set X11 Xephyr screen size (--xephyr-screen)
- private /lib directory (--private-lib)
- disable CDROM/DVD drive (--nodvd)
- disable DVB devices (--notv)
- --profile.print
* modif: --output split in two commands, --output and --output-stderr
* set xpra-attach yes in /etc/firejail/firejail.config
* Enhancements:
- print all seccomp filters under --debug
- /proc/sys mounting
- rework IP address assignment for --net options
- support for newer Xpra versions (2.1+)
- all profiles use a standard layout style
- create /usr/local for firecfg if the directory doesn't exist
- allow full paths in --private-bin
* New seccomp features:
- --memory-deny-write-execute
- seccomp post-exec
- block secondary architecture (--seccomp.block_secondary)
- seccomp syscall groups
- print all seccomp filters under --debug
- default seccomp list update
* new profiles:
curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
Android Studio, electron, riot-web, Extreme Tux Racer,
Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
hashcat, obs, picard, remmina, sdat2img, soundconverter
truecraft, gnome-twitch, tuxguitar, musescore, neverball
sqlitebrowser, Yandex Browser, minetest
-------------------------------------------------------------------
Tue Aug 15 15:47:49 CEST 2017 - tiwai@suse.de
- Update to version 0.9.48:
* modifs: whitelisted Transmission, Deluge, qBitTorrent,
KTorrent;
please use ~/Downloads directory for saving files
* modifs: AppArmor made optional; a warning is printed on the
screen if the sandbox fails to load the AppArmor profile
* feature: --novideo
* feature: drop discretionary access control capabilities for
root sandboxes
* feature: added /etc/firejail/globals.local for global
customizations
* feature: profile support in overlayfs mode
* new profiles: vym, darktable, Waterfox, digiKam, Catfish,
HandBrake
* bugfixes
-------------------------------------------------------------------
Mon Jan 16 16:33:59 CET 2017 - tiwai@suse.de
- Update to version 0.9.44.4:
* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* disabled --allow-debuggers when running on kernel versions prior
to 4.8; a kernel bug in ptrace system call allows a full bypass
of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
* root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
* new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
* major cleanup of file copying code
* tightening the rules for --chroot and --overlay features
* ported Gentoo compile patch
* Nvidia drivers bug in --private-dev
* fix ASSERT_PERMS_FD macro
* allow local customization using .local files under /etc/firejail
backported from our development branch
* spoof machine-id backported from our development branch
- Remove obsoleted patches:
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
-------------------------------------------------------------------
Thu Jan 5 10:38:43 CET 2017 - tiwai@suse.de
- Update to version 0.9.44.2:
Security fixes:
* overwrite /etc/resolv.conf found by Martin Carpenter
* TOCTOU exploit for get and put found by Daniel Hodson
* invalid environment exploit found by Martin Carpenter
* several security enhancements
Bugfixes:
* crashing VLC by pressing Ctrl-O
* use user configured icons in KDE
* mkdir and mkfile are not applied to private directories
* cannot open files on Deluge running under KDE
* private=dir where dir is the user home directory
* cannot start Vivaldi browser
* cannot start mupdf
* ssh profile problems
* quiet
* quiet in git profile
* memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
-------------------------------------------------------------------
Thu Oct 27 17:49:48 CEST 2016 - tiwai@suse.de
- Update to version 0.9.44:
* CVE-2016-7545 submitted by Aleksey Manevich
Modifications:
* removed man firejail-config
* private-tmp whitelists /tmp/.X11-unix directory
* Nvidia drivers added to private-dev
* /srv supported by whitelist
New features:
* allow user access to /sys/fs (noblacklist=/sys/fs)
* support starting/joining sandbox in a single command (join-or-start)
* X11 detection support for audit
* assign a name to the interface connected to the bridge (veth-name)
* all user home directories are visible (allusers)
* add files to sandbox container (put)
* blocking x11 (x11=block)
* X11 security extension (x11=xorg)
* disable 3D hardware acceleration (no3d)
* x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* move files in sandbox (put)
* accept wildcard patterns in user name field of restricted shell login feature
New profiles:
* qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* feh, ranger, zathura, 7z, keepass, keepassx,
* claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* Flowblade, Eye of GNOME (eog), Evolution
-------------------------------------------------------------------
Fri Sep 30 10:56:58 CEST 2016 - tiwai@suse.de
- Update to version 0.9.42:
Security fixes:
* whitelist deleted files
* disable x32 ABI in seccomp
* tighten chroot
* terminal sandbox escape
* several TOCTOU fixes
Behavior changes:
* bringing back private-home option
* deprecated user option, please use "sudo -u username firejail"
* allow symlinks in home directory for whitelist option
* Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
* recursive mkdir
* include /dev/snd in private-dev
* seccomp filter update
* release archives moved to .xz format
New features:
* AppImage support (appimage)
* AppArmor support (apparmor)
* Ubuntu snap support (/etc/firejail/snap.profile)
* Sandbox auditing support (audit)
* remove environment variable (rmenv)
* noexec support (noexec)
* clean local overlay storage directory (overlay-clean)
* store and reuse overlay (overlay-named)
* allow debugging inside the sandbox with gdb and strace (allow-debuggers)
* mkfile profile command
* quiet profile command
* x11 profile command
* option to fix desktop files (firecfg fix)
Build options:
* Busybox support (enable-busybox-workaround)
* disable overlayfs (disable-overlayfs)
* disable whitelisting (disable-whitelist)
* disable global config (disable-globalcfg)
Runtime options:
* enable/disable overlayfs (overlayfs yes/no)
* enable/disable quiet as default (quiet-by-default yes/no)
* user-defined network filter (netfilter-default)
* enable/disable whitelisting (whitelist yes/no)
* enable/disable remounting of /proc and /sys (remount-proc-sys yes/no)
* enable/disable chroot desktop features (chroot-desktop yes/no)
New/updated profiles:
* Gitter, gThumb, mpv, Franz messenger, LibreOffice
* pix, audacity, xz, xzdec, gzip, cpio, less
* Atom Beta, Atom, jitsi, eom, uudeview
* tar (gtar), unzip, unrar, file, skypeforlinux,
* inox, Slack, gnome-chess, Gajim IM client, DOSBox
- Enable apparmor support
-------------------------------------------------------------------
Wed Jun 8 15:20:43 CEST 2016 - tiwai@suse.de
- Update to version 0.9.40:
* Added firecfg utility
* New options: -nice, -cpu.print, -writable-etc, -writable-var,
-read-only
* X11 support: -x11 option (-x11=xpra, -x11=xephyr)
* Filetransfer options: ls and get
* Added mkdir, ipc-namespace, and nosound profile commands
* added net, ip, defaultgw, ip6, mac, mtu and iprange profile
commands
* Run time config support, man firejail-config
* AppArmor fixes
* Default seccomp filter update
* Disable STUN/WebRTC in default netfilter configuration
* Lots of new profiles
-------------------------------------------------------------------
Tue May 17 17:13:03 CEST 2016 - tiwai@suse.de
- initial package: 0.9.38