RELNOTES 27.9 KB
firejail (0.9.50) baseline; urgency=low
  * modif: --output split in two commands, --output and --output-stderr
  * feature: per-profile disable-mnt (--disable-mnt)
  * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
  * feature: private /lib directory (--private-lib)
  * feature: disable CDROM/DVD drive (--nodvd)
  * feature: disable DVB devices (--notv)
  * feature: --profile.print
  * enhancement: print all seccomp filters under --debug
  * enhancement: /proc/sys mounting
  * enhancement: rework IP address assignment for --net options
  * enhancement: support for newer Xpra versions (2.1+) -
     set xpra-attach yes in /etc/firejail/firejail.config
  * enhancement: all profiles use a standard layout style
  * enhancement: create /usr/local for firecfg if the directory doesn't exist
  * enhancement: allow full paths in --private-bin
  * seccomp feature: --memory-deny-write-execute
  * seccomp feature: seccomp post-exec
  * seccomp feature: block secondary architecture (--seccomp.block_secondary)
  * seccomp feature: seccomp syscall groups
  * seccomp enhancement: print all seccomp filters under --debug
  * seccomp enhancement: default seccomp list update
  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
  * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
  * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
  * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
  * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
  * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
  * new profiles: sqlitebrowse, Yandex Browser, minetest
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Thu, 7 Sep 2017 08:00:00 -0500

firejail (0.9.48) baseline; urgency=low
  * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
    please use ~/Downloads directory for saving files
  * modifs: AppArmor made optional; a warning is printed on the screen
    if the sandbox fails to load the AppArmor profile
  * feature: --novideo
  * feature: drop discretionary access control capabilities for
    root sandboxes
  * feature: added /etc/firejail/globals.local for global customizations
  * feature: profile support in overlayfs mode
  * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 08:00:00 -0500

firejail (0.9.46) baseline; urgency=low
  * security: split most of networking code in a separate executable
  * security: split seccomp filter code configuration in a separate executable
  * security: split file copying in private option in a separate executable
  * feature: disable gnupg and systemd directories under /run/user
  * feature: test coverage (gcov) support
  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
  * feature: spoof machine-id (--machine-id, profile support)
  * feature: allow blacklists under --private (--allow-private-blacklist,
    profile support)
  * feature: user-defined /etc/hosts file (--hosts-file, profile support)
  * feature: support for the real /var/log directory (--writable-var-log,
    profile support)
  * feature: config support for firejail prompt in terminals
  * feature: AppImage type 2 support
  * feature: pass command line arguments to appimages
  * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
  * feature: added a number of Python scripts for handling sandboxes
  * feature: allow local customization using .local files under /etc/firejail
  * feature: follow-symlink-as-user runtime config option in
    /etc/firejail/firejail.config
  * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config
  * feature: xvfb X11 server support (--x11=xvfb)
  * feature: allow /tmp directory in mkdir and mkfile profile commands
  * feature: implemented --noblacklist command, profile support
  * feature: config support to disable access to /mnt and /media (disable-mnt)
  * feature: config support to disable join (join)
  * feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
  * feature: support overlay, overlay-named and overlay-tmpfs in profile files
  * feature: allow PulseAudio sockets in --private-tmp
  * feature: --fix-sound support in firecfg
  * feature: added support for sandboxing Xpra, Xvfb and Xephyr in
    independent sandboxes when started with firejail --x11
  * feature: enable automatic X server sandboxing for --x11=xpra
    and --x11=xephyr
  * feature: support for Xpra extra params in firejail config file
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
  * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
  * new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
  * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,
  * new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,
  * new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,
  * new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
  * new profiles: Orage Globaltime, Orage Calendar, xfce4-notes, xfce4-dict,
  * new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin,
  * new profiles: mate-calc, mate-dictionary, mate-color-select, caja,
  * new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes
  * new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr
  * new profiles: Blender, 2048-qt
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Sun, 14 May 2017 08:00:00 -0500

firejail (0.9.44.10) baseline; urgency=low
  * security: when using --x11=xorg and --net, incorrect processing of
    the return code of /usr/bin/xauth could end up in starting the
    sandbox without X11 security extension installed. Problem found/fixed
    by Zack Weinberg
  * bugfix: ~/.pki directory whitelisted and later blacklisted. This affects
    most browsers, and disables the custom certificates installed by the user
  * bugfix: firecfg config fix
  * bugfix: gajim security profile fix
  * bugfix: man page fix
  * bugfix: force-nonewprivs fix for /etc/firejail/firejail.config
  * bugfix: xephyr-extra-params fix for /etc/firejail/firejail.config
  * bugfix: memory corruption in noblacklist processing
  * bugfix: --quiet fix for Arch and Fedora systems
  * bugfix: updated Keepass(x) profiles
  * bugfix: firemon --nowrap problem
  * bugfix: document firemon --nowrap in man page and in --help option
  * bugfix: bash completion for --noblacklist command
  * bugfix: vlc profile fix
  * bugfix: fixed handling of .local profile files when the software is
    installed in ~/.local directory
  * bugfix: temporarily remove private-tmp from all profiles, until a fix for
    .Xauthority file handling in KDE becomes available
  * maintenance: --output cleanup
  * maintenance: updated copyright statement in all files
 -- netblue30 <netblue30@yahoo.com>  Sat, 18 Mar 2017 10:00:00 -0500

firejail (0.9.44.8) baseline; urgency=low
  * bugfix: fix broken PulseAudio support
 -- netblue30 <netblue30@yahoo.com>  Wed, 18 Jan 2017 10:00:00 -0500

firejail (0.9.44.6) baseline; urgency=low
  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week,
     new CVE code assigned after release: CVE-2017-5940
  * security: major cleanup of file copying code
  * security: tightening the rules for --chroot and --overlay features
  * bugfix: ported Gentoo compile patch
  * bugfix: Nvidia drivers bug in --private-dev
  * bugfix: fix ASSERT_PERMS_FD macro
  * feature: allow local customization using .local files under /etc/firejail
    backported from our development branch
  * feature: spoof machine-id backported from our development branch
 -- netblue30 <netblue30@yahoo.com>  Sun, 15 Jan 2017 10:00:00 -0500

firejail (0.9.44.4) baseline; urgency=low
  * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * security: disabled --allow-debuggers when running on kernel
    versions prior to 4.8; a kernel bug in ptrace system call
    allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
    (CVE-2017-5206)
  * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
 -- netblue30 <netblue30@yahoo.com>  Sat, 7 Jan 2017 10:00:00 -0500

firejail (0.9.44.2) baseline; urgency=low
  * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
  * security: TOCTOU exploit for --get and --put found by Daniel Hodson
  * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
  * security: several security enhancements
  * bugfix: crashing VLC by pressing Ctrl-O
  * bugfix: use user configured icons in KDE
  * bugfix: mkdir and mkfile are not applied to private directories
  * bugfix: cannot open files on Deluge running under KDE
  * bugfix: --private=dir where dir is the user home directory
  * bugfix: cannot start Vivaldi browser
  * bugfix: cannot start mupdf
  * bugfix: ssh profile problems
  * bugfix: --quiet
  * bugfix: quiet in git profile
  * bugfix: memory corruption
 -- netblue30 <netblue30@yahoo.com>  Fri, 2 Dec 2016 08:00:00 -0500

firejail (0.9.44) baseline; urgency=low
  * CVE-2016-9016 submitted by Aleksey Manevich
  * modifs: removed man firejail-config
  * modifs: --private-tmp whitelists /tmp/.X11-unix directory
  * modifs: Nvidia drivers added to --private-dev
  * modifs: /srv supported by --whitelist
  * feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
  * feature: support starting/joining sandbox in a single command
    (--join-or-start)
  * feature: X11 detection support for --audit
  * feature: assign a name to the interface connected to the bridge
    (--veth-name)
  * feature: all user home directories are visible (--allusers)
  * feature: add files to sandbox container (--put)
  * feature: blocking x11 (--x11=block)
  * feature: X11 security extension (--x11=xorg)
  * feature: disable 3D hardware acceleration (--no3d)
  * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
  * feature: move files in sandbox (--put)
  * feature: accept wildcard patterns in user  name field of restricted
    shell login feature
  * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
  * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
  * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
  * new profiles: Flowblade, Eye of GNOME (eog), Evolution
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Fri, 21 Oct 2016 08:00:00 -0500

firejail (0.9.42) baseline; urgency=low
  * security: --whitelist deleted files, submitted by Vasya Novikov
  * security: disable x32 ABI in seccomp, submitted by Jann Horn
  * security: tighten --chroot, submitted by Jann Horn
  * security: terminal sandbox escape, submitted by Stephan Sokolow
  * security: several TOCTOU fixes submitted by Aleksey Manevich
  * modifs: bringing back --private-home option
  * modifs: deprecated --user option, please use "sudo -u username firejail"
  * modifs: allow symlinks in home directory for --whitelist option
  * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
  * modifs: recursive mkdir
  * modifs: include /dev/snd in --private-dev
  * modifs: seccomp filter update
  * modifs: release archives moved to .xz format
  * feature: AppImage support (--appimage)
  * feature: AppArmor support (--apparmor)
  * feature: Ubuntu snap support (/etc/firejail/snap.profile)
  * feature: Sandbox auditing support (--audit)
  * feature: remove environment variable (--rmenv)
  * feature: noexec support (--noexec)
  * feature: clean local overlay storage directory (--overlay-clean)
  * feature: store and reuse overlay (--overlay-named)
  * feature: allow debugging inside the sandbox with gdb and strace
         (--allow-debuggers)
  * feature: mkfile profile command
  * feature: quiet profile command
  * feature: x11 profile command
  * feature: option to fix desktop files (firecfg --fix)
  * compile time: Busybox support (--enable-busybox-workaround)
  * compile time: disable overlayfs (--disable-overlayfs)
  * compile time: disable whitelisting (--disable-whitelist)
  * compile time: disable global config (--disable-globalcfg)
  * run time: enable/disable overlayfs (overlayfs yes/no)
  * run time: enable/disable  quiet as default (quiet-by-default yes/no)
  * run time: user-defined network filter (netfilter-default)
  * run time: enable/disable whitelisting (whitelist yes/no)
  * run time: enable/disable remounting of /proc and /sys
          (remount-proc-sys yes/no)
  * run time: enable/disable chroot desktop features (chroot-desktop yes/no)
  * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * profiles: pix, audacity, xz, xzdec, gzip, cpio, less
  * profiles: Atom Beta, Atom, jitsi, eom, uudeview
  * profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
  * profiles: inox, Slack, gnome-chess, Gajim IM client, DOSBox
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Thu, 8 Sept 2016 08:00:00 -0500

firejail (0.9.40) baseline; urgency=low
  * added --nice option
  * added --x11 option
  * added --x11=xpra option
  * added --x11=xephyr option
  * added --cpu.print option
  * added filetransfer options --ls and --get
  * added --writable-etc and --writable-var options
  * added --read-only option
  * added mkdir, ipc-namespace, and nosound profile commands
  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
  * --version also prints compile options
  * --output option also redirects stderr
  * added compile-time option to restrict --net= to root only
  * run time config support, man firejail-config
  * added firecfg utility
  * AppArmor fixes
  * default seccomp filter update
  * disable STUN/WebRTC in default netfilter configuration
  * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
  * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
  * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
  * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
  * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
  * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
  * new profiles: generic Ubuntu snap application profile, xplayer
  * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
  * new profiles: Brave, Gitter
  * generic.profile renamed default.profile
  * build rpm packages using "make rpms"
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Sun, 29 May 2016 08:00:00 -0500

firejail (0.9.38.10) baseline; urgency=low
  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
     new CVE code assigned after release: CVE-2017-5940
  * security: tightening the rules for --chroot
  * bugfix: ported Gentoo compile patch
  * bugfix: fix ASSERT_PERMS_FD macro
 -- netblue30 <netblue30@yahoo.com>  Sun, 15 Jan 2017 10:00:00 -0500

firejail (0.9.38.8) baseline; urgency=low
  * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
 -- netblue30 <netblue30@yahoo.com>  Sat, 7 Jan 2017 10:00:00 -0500

firejail (0.9.38.6) baseline; urgency=low
  * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
  * bugfix: crashing VLC by pressing Ctrl-O
 -- netblue30 <netblue30@yahoo.com>  Fri, 16 Dec 2016 10:00:00 -0500

firejail (0.9.38.4) baseline; urgency=low
  * CVE-2016-7545 submitted by Aleksey Manevich
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Mon, 10 Oct 2016 10:00:00 -0500

firejail (0.9.38.2) baseline; urgency=low
  * security: --whitelist deleted files, submitted by Vasya Novikov
  * security: disable x32 ABI, submitted by Jann Horn
  * security: tighten --chroot, submitted by Jann Horn
  * security: terminal sandbox escape, submitted by Stephan Sokolow
  * feature: clean local overlay storage directory (--overlay-clean)
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Tue, 23 Aug 2016 10:00:00 -0500

firejail (0.9.38) baseline; urgency=low
  * IPv6 support (--ip6 and --netfilter6)
  * --join command enhancement (--join-network, --join-filesystem)
  * added --user command
  * added --disable-network and --disable-userns compile time flags
  * Centos 6 support
  * symlink invocation
  * added KMail, Seamonkey, Telegram, Mathematica, uGet,
  *   and mupen64plus profiles
  * --chroot in user mode allowed only if seccomp support is available
  *   in current Linux kernel (CVE-2016-10123)
  * deprecated --private-home feature
  * the first protocol list installed takes precedence
  * --tmpfs option allowed only running as root (CVE-2016-10117)
  * added --private-tmp option
  * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Tue, 2 Feb 2016 10:00:00 -0500

firejail (0.9.36) baseline; urgency=low
  * added  unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
     parole and rtorrent profiles
  * Google Chrome profile rework
  * added google-chrome-stable profile
  * added google-chrome-beta profile
  * added google-chrome-unstable profile
  * Opera profile rework
  * added opera-beta profile
  * added --noblacklist option
  * added --profile-path option
  * added --force option
  * whitelist command enhancements
  * prevent user name enumeration
  * added /etc/firejail/nolocal.net network filter
  * added /etc/firejail/webserver.net network filter
  * blacklisting firejail configuration by default
  * allow default gateway configuration for --interface option
  * --debug enhancements: --debug-check-filenames, --debug-blacklists,
    --debug-whitelists
  * filesystem log
  * libtrace enhancements, tracing opendir call
  * added --tracelog option
  * added "name" command to profile files
  * added "hostname" command to profile files
  * added automated feature testing framework
  * Debian reproducible build
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Sun, 27 Dec 2015 09:00:00 -0500

firejail (0.9.34) baseline; urgency=low
  * added --ignore option
  * added --protocol option
  * support dual i386/amd64 seccomp filters
  * added Google Chrome profile
  * added Steam, Skype, Wine and Conkeror profiles
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Sat, 7 Nov 2015 08:00:00 -0500

firejail (0.9.32) baseline; urgency=low
  * added --interface option
  * added --mtu option
  * added --private-bin option
  * added --nosound option
  * added --hostname option
  * added --quiet option
  * added seccomp errno support
  * added FBReader default profile
  * added Spotify default profile
  * lots of default security profile changes
  * fixed a security problem on multi-user systems
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2015 08:00:00 -0500


firejail (0.9.30) baseline; urgency=low
  * added a disable-history.inc profile as a result of Firefox PDF.js exploit;
    disable-history.inc included in all default profiles
  * Firefox PDF.js exploit (CVE-2015-4495) fixes
  * added --private-etc option
  * added --env option
  * added --whitelist option
  * support ${HOME} token in include directive in profile files
  * --private.keep is transitioned to --private-home
  * support ~ and blanks in blacklist option
  * support "net none" command in profile files
  * using /etc/firejail/generic.profile by default for user sessions
  * using /etc/firejail/server.profile by default for root sessions
  * added build --enable-fatal-warnings configure option
  * added persistence to --overlay option
  * added --overlay-tmpfs option
  * make install-strip implemented, make install renamed
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Mon, 14 Sept 2015 08:00:00 -0500

firejail (0.9.28) baseline; urgency=low
  * network scanning, --scan option
  * interface MAC address support, --mac option
  * IP address range, --iprange option
  * traffic shaping, --bandwidth option
  * reworked printing of network status at startup
  * man pages rework
  * added firejail-login man page
  * added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
    profiles
  * added an /etc/firejail/disable-common.inc file to hold common directory
    blacklists
  * blacklist Opera and Chrome/Chromium config directories in profile files
  * support noroot option for profile files
  * enabled noroot in default profile files
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Sat, 1 Aug 2015 08:00:00 -0500

firejail (0.9.26) baseline; urgency=low
  * private dev directory
  * private.keep option for whitelisting home files in a new private directory
  * user namespaces support, noroot option
  * added Deluge and qBittorrent profiles
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Thu, 30 Apr 2015 08:00:00 -0500


firejail (0.9.24) baseline; urgency=low
  * whitelist and blacklist seccomp filters
  * doubledash option
  * --shell=none support
  * netfilter file support in profile files
  * dns server support in profile files
  * added --dns.print option
  * added default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem.
  * added --caps.drop=all in default profiles
  * new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
  *         clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
  * Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
  * two build patches from Reiner Herrmann (tickets 11, 12)
  * man page patch from Reiner Herrmann (ticket 13)
  * output patch (ticket 15) from sshirokov

 -- netblue30 <netblue30@yahoo.com>  Sun, 5 Apr 2015 08:00:00 -0500

firejail (0.9.22) baseline; urgency=low
  * Replaced --noip option with --ip=none
  * Container stdout logging and log rotation
  * Added process_vm_readv, process_vm_writev and mknod to
  *    default seccomp blacklist
  * Added CAP_MKNOD to default caps blacklist
  * Blacklist and whitelist custom Linux capabilities filters
  * macvlan device driver support for --net option
  * DNS server support, --dns option
  * Netfilter support
  * Monitor network statistics, --netstats option
  * Added profile for Mozilla Thunderbird/Icedove
  * - --overlay support for Linux kernels 3.18+
  * Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
  * Bugfix: check uid/gid for cgroup

 -- netblue30 <netblue30@yahoo.com>  Mon, 9 Mar 2015 09:00:00 -0500

firejail (0.9.20) baseline; urgency=low
  * utmp, btmp and wtmp enhancements
  *    create empty /var/log/wtmp and /var/log/btmp files in sandbox
  *    generate a new /var/run/utmp file in sandbox
  * CPU affinity, --cpu option
  * Linux control groups support, --cgroup option
  * Opera web browser support
  * VLC support
  * Added "empty" attribute to seccomp command to remove the default
  *    syscall list from seccomp blacklist
  * Added --nogroups option to disable supplementary groups for regular
  *   users. root user always runs without supplementary groups.
  * firemon enhancements
  *   display the command that started the sandbox
  *   added --caps option to display capabilities for all sandboxes
  *   added --cgroup option to display the control groups for all sandboxes
  *   added --cpu option to display CPU affinity for all sandboxes
  *   added --seccomp option to display seccomp setting for all sandboxes
  * New compile time options: --disable-chroot, --disable-bind
  * bugfixes

 -- netblue30 <netblue30@yahoo.com>  Mon, 02 Feb 2015 08:00:00 -0500

firejail (0.9.18) baseline; urgency=low
  * Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
  * Support for tracing setreuid, setregid, setresuid, setresgid syscalls
  * Added profiles for transmission-gtk and transmission-qt
  * bugfixes

 -- netblue30 <netblue30@yahoo.com>  Fri, 25 Dec 2014 10:00:00 -0500

firejail (0.9.16) baseline; urgency=low
  * Configurable private home directory
  * Configurable default user shell
  * Software configuration support for --docdir and DESTDIR
  * Profile file support for include, caps, seccomp and private keywords
  * Dropbox profile file
  * Linux capabilities and seccomp filters enabled by default for Firefox,
  Midori, Evince and Dropbox
  * bugfixes

 -- netblue30 <netblue30@yahoo.com>  Tue, 4 Nov 2014 10:00:00 -0500

firejail (0.9.14) baseline; urgency=low
  * Linux capabilities and seccomp filters are automatically enabled in
    chroot mode (--chroot option) if the sandbox is started as regular user
  * Added support for user defined seccomp blacklists
  * Added syscall trace support
  * Added --tmpfs option
  * Added --blacklist option
  * Added --read-only option
  * Added --bind option
  * Logging enhancements
  * --overlay option was reactivated
  * Added firemon support to print the ARP table for each sandbox
  * Added firemon support to print the route table for each sandbox
  * Added firemon support to print interface information for each sandbox
  * bugfixes

 -- netblue30 <netblue30@yahoo.com>  Tue, 15 Oct 2014 10:00:00 -0500

firejail (0.9.12.2) baseline; urgency=low
  * Fix for pulseaudio problems
  * --overlay option was temporarily disabled in this build

 -- netblue30 <netblue30@yahoo.com>  Mon, 29 Sept 2014 07:00:00 -0500

firejail (0.9.12.1) baseline; urgency=low
  * Fix for pulseaudio problems
  * --overlay option was temporarily disabled in this build

 -- netblue30 <netblue30@yahoo.com>  Mon, 22 Sept 2014 09:00:00 -0500

firejail (0.9.12) baseline; urgency=low
  * Added capabilities support
  * Added support for CentOS 7
  * bugfixes

 -- netblue30 <netblue30@yahoo.com>  Mon, 15 Sept 2014 10:00:00 -0500

firejail (0.9.10) baseline; urgency=low
  * Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot
  * Fixed --top option CPU utilization calculation
  * Implemented --tree option in firejail and firemon
  * Implemented --join=name option
  * Implemented --shutdown option
  * Preserve the current working directory if possible
  * Cppcheck and clang errors cleanup
  * Added a Chromium web browser profile

 -- netblue30 <netblue30@yahoo.com>  Thu, 28 Aug 2014 07:00:00 -0500

firejail (0.9.8.1) baseline; urgency=low
  * Fixed a number of bugs introduced in 0.9.8

 -- netblue30 <netblue30@yahoo.com>  Fri, 25 Jul 2014 07:25:00 -0500

firejail (0.9.8) baseline; urgency=low
  * Implemented nowrap mode for firejail --list command option
  * Added --top option in both firejail and firemon
  * seccomp filter support
  * Added pid support for firemon
  * bugfixes

 -- netblue30 <netblue30@yahoo.com>  Tue, 24 Jul 2014 08:51:00 -0500

firejail (0.9.6) baseline; urgency=low

  * Mounting tmpfs on top of /var/log, required by several server programs
  * Server fixes for /var/lib and /var/cache
  * Private mode fixes
  * csh and zsh default shell support
  * Chroot mode fixes
  * Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd,

 -- netblue30 <netblue30@yahoo.com>  Sat, 7 Jun 2014 09:00:00 -0500

firejail (0.9.4) baseline; urgency=low

  * Fixed resolv.conf on Ubuntu systems using DHCP
  * Fixed resolv.conf on Debian systems using resolvconf package
  * Fixed /var/lock directory
  * Fixed /var/tmp directory
  * Fixed symbolic links in profile files
  * Added profiles for evince, midori

 -- netblue30 <netblue30@yahoo.com>  Sun, 4 May 2014 08:00:00 -0500

firejail (0.9.2) baseline; urgency=low

  * Checking IP address passed with --ip option using ARP; exit if the address
   is already present
  * Using a lock file during ARP address assignment in order to remove a race
   condition.
  * Several fixes to --private option; it also mounts a tmpfs filesystem on top
   of /tmp
  * Added user access check for profile file
  * Added --defaultgw option
  * Added support of --noip option; it is necessary for DHCP setups
  * Added syslog support
  * Added support for "tmpfs" and "read-only" profile commands
  * Added an expect-based testing framework for the project
  * Added bash completion support
  * Added support for multiple networks

 -- netblue30 <netblue30@yahoo.com>  Fri, 25 Apr 2014 08:00:00 -0500

firejail (0.9) baseline; urgency=low

  * First beta version

 -- netblue30 <netblue30@yahoo.com>  Sat, 12 Apr 2014 09:00:00 -0500