rpm/firejail
SHA256
1
0
Fork 0
forked from pool/firejail
Code Pull Requests Activity

- remove patches fix-internet-access.patch and fix-CVE-2022-31214.patch

Browse Source 
as they are integrated upstream
- update to version 0.9.70:
 - security: CVE-2022-31214 - root escalation in --join logic
 - Reported by Matthias Gerstner, working exploit code was provided to our
 - development team. In the same time frame, the problem was independently
 - reported by Birk Blechschmidt. Full working exploit code was also provided.
 - feature: enable shell tab completion with --tab (#4936)
 - feature: disable user profiles at compile time (#4990)
 - feature: Allow resolution of .local names with avahi-daemon in the apparmor
 - profile (#5088)
 - feature: always log seccomp errors (#5110)
 - feature: firecfg --guide, guided user configuration (#5111)
 - feature: --oom, kernel OutOfMemory-killer (#5122)
 - modif: --ids feature needs to be enabled at compile time (#5155)
 - modif: --nettrace only available to root user
 - rework: whitelist restructuring (#4985)
 - rework: firemon, speed up and lots of fixes
 - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
 - bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
 - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
 - bugfix: fix printing in evince (#5011)
 - bugfix: gcov: fix gcov functions always declared as dummy (#5028)
 - bugfix: Stop warning on safe supplementary group clean (#5114)
 - build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
 - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
 - ci: replace centos (EOL) with almalinux (#4912)
 - ci: fix --version not printing compile-time features (#5147)
 - ci: print version after install & fix apparmor support on build_apparmor
 - (#5148)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=47
This commit is contained in:
Sebastian Wagner 2022-06-14 20:25:23 +00:00 committed by Git OBS Bridge
parent b09fab085f
commit 02185620d8
8 changed files with 57 additions and 2287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
firejail-0.9.68.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a322395597d89d2e5ea21fb11cb3f2afc44b00fca5439bf44c7636c5cffa652f
size 477332

11
firejail-0.9.68.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAmH/zu0ACgkQLMs2rfxY
Saf2WAf/UI98s9MugTAq45CIuxaqzhbbGc435Lwo2NgS2LCYKoJOmes6UdyLPUa1
aawBImtfqTyOXWrWnKjYBl7fIVATKpP7Ddm2+y6RJ+px/4dRUWNLVqEvka5BLYNS
HrYP84a1vxqeg0LVOMcmD701mTmbT68jwpjD2Ai2ZkiRGXS5KfBWIRL+WR7PAorj
jDxqUSorEF8x316d+0doy9NyeCXS5A1aqTmjnTxZ3RBfkg+Zq33S+x+2ktepdnDH
q/Fv9W4C/GVoXBj6PKtk4JXFUJIeYUYCXE9sq2bpCEAdom5J+EpUMo+42G1/xLYL
mFP0G113+ciMoLWkjJMNQH6KbFjCsQ==
=6MJb
-----END PGP SIGNATURE-----

3
firejail-0.9.70.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b77b67a4db7c01d69cb033a50aa7b1132dfaeb2cd97ce6412285235265b71b17
size 485096

11
firejail-0.9.70.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAmKiC7EACgkQLMs2rfxY
SacmLAf+MhUh5ylaEjCSUKCYJKC7E/OoSYWm2/bRWl3KIeREeL59wxgb3n9ulqGD
MWKHuwetVtRMg5rO7D9LUHUEY80nZw/8iDC8QLzfOsZpS3dQF26Ab4bqaIo/HEQr
9eDk3SIHGqhP62qsAjaGACOOlVDeJXWx5h4M9cTe7VN+IFT7XtN7ytDc23/UZF9o
PmViKz9dyiXX6omt7mVddJx+OBeRUmSsTknmbNafz38aIikoJwivgn3Fc8PxGNzI
lwgHU1Kz4fenTZp2500Cof7rFqQwTdqcZbNIrt1xwQgBF/tdc2Bb4+MkfgiRYhGa
BV/EsPB7vysgGFluZsIY17Ptjc91lw==
=pzNZ
-----END PGP SIGNATURE-----

42
firejail.changes
View File

@ -1,3 +1,45 @@
-------------------------------------------------------------------
Tue Jun 14 20:21:18 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>
- remove patches fix-internet-access.patch and fix-CVE-2022-31214.patch
as they are integrated upstream
- update to version 0.9.70:
- security: CVE-2022-31214 - root escalation in --join logic
- Reported by Matthias Gerstner, working exploit code was provided to our
- development team. In the same time frame, the problem was independently
- reported by Birk Blechschmidt. Full working exploit code was also provided.
- feature: enable shell tab completion with --tab (#4936)
- feature: disable user profiles at compile time (#4990)
- feature: Allow resolution of .local names with avahi-daemon in the apparmor
- profile (#5088)
- feature: always log seccomp errors (#5110)
- feature: firecfg --guide, guided user configuration (#5111)
- feature: --oom, kernel OutOfMemory-killer (#5122)
- modif: --ids feature needs to be enabled at compile time (#5155)
- modif: --nettrace only available to root user
- rework: whitelist restructuring (#4985)
- rework: firemon, speed up and lots of fixes
- bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
- bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
- bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
- bugfix: fix printing in evince (#5011)
- bugfix: gcov: fix gcov functions always declared as dummy (#5028)
- bugfix: Stop warning on safe supplementary group clean (#5114)
- build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
- build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
- ci: replace centos (EOL) with almalinux (#4912)
- ci: fix --version not printing compile-time features (#5147)
- ci: print version after install & fix apparmor support on build_apparmor
- (#5148)
- docs: Refer to firejail.config in configuration files (#4916)
- docs: firejail.config: add warning about allow-tray (#4946)
- docs: mention that the protocol command accumulates (#5043)
- docs: mention inconsistent homedir bug involving --private=dir (#5052)
- docs: mention capabilities(7) on --caps (#5078)
- new profiles: onionshare, onionshare-cli, opera-developer, songrec
- new profiles: node-gyp, npx, semver, ping-hardened
- removed profiles: nvm
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jun 8 21:08:03 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at> Wed Jun 8 21:08:03 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>

8
firejail.spec
View File

@ -17,7 +17,7 @@
Name: firejail Name: firejail
Version: 0.9.68 Version: 0.9.70
Release: 0 Release: 0
Summary: Linux namepaces sandbox program Summary: Linux namepaces sandbox program
License: GPL-2.0-only License: GPL-2.0-only
@ -27,10 +27,6 @@ Source0: https://github.com/netblue30/%{name}/releases/download/%{version
Source1: https://github.com/netblue30/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc Source1: https://github.com/netblue30/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc
# https://firejail.wordpress.com/download-2/ # https://firejail.wordpress.com/download-2/
Source2: %{name}.keyring Source2: %{name}.keyring
# PATCH-FIX-UPSTREAM fix-internet-access.patch -- from https://github.com/netblue30/firejail/commit/bb334a8fd4f0911a8dfa1538d02fbd0574b81333.patch
Patch0: fix-internet-access.patch
# PATCH-FIX-UPSTREAM fix-CVE-2022-31214.patch -- from https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50 and https://github.com/netblue30/firejail/commit/dab835e7a0eb287822016f5ae4e87f46e1d363e7.patch and https://github.com/netblue30/firejail/commit/1884ea22a90d225950d81c804f1771b42ae55f54
Patch1: fix-CVE-2022-31214.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libapparmor-devel BuildRequires: libapparmor-devel
@ -69,8 +65,6 @@ Optional dependency offering zsh completion for firejail
%prep %prep
%setup -q %setup -q
sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py contrib/fix_private-bin.py contrib/jail_prober.py sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py contrib/fix_private-bin.py contrib/jail_prober.py
%patch0 -p1
%patch1 -p1
%build %build
%configure --docdir=%{_docdir}/%{name} \ %configure --docdir=%{_docdir}/%{name} \

2244
fix-CVE-2022-31214.patch
View File

File diff suppressed because it is too large Load Diff

22
fix-internet-access.patch
View File

@ -1,22 +0,0 @@
From bb334a8fd4f0911a8dfa1538d02fbd0574b81333 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@protonmail.com>
Date: Tue, 22 Feb 2022 09:32:46 -0500
Subject: [PATCH] openSUSE Leap - whitelist-run-common.inc (#4954)
---
RELNOTES | 1 +
etc/inc/whitelist-run-common.inc | 1 +
2 files changed, 2 insertions(+)
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
index d74655a087..26160a10b9 100644
--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -7,6 +7,7 @@ whitelist /run/cups/cups.sock
whitelist /run/dbus/system_bus_socket
whitelist /run/media
whitelist /run/resolvconf/resolv.conf
+whitelist /run/netconfig/resolv.conf # openSUSE Leap
whitelist /run/shm
whitelist /run/systemd/journal/dev-log
whitelist /run/systemd/journal/socket