Commit 31f7c85c authored by Lorenzo Faletra's avatar Lorenzo Faletra

Import Upstream version 0.9.54

parent 578fd856
all: apps man filters
MYLIBS = src/lib
APPS = src/firejail src/firemon src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
prefix=@prefix@
exec_prefix=@exec_prefix@
......@@ -19,14 +19,14 @@ DOCDIR=@docdir@
HAVE_SECCOMP=@HAVE_SECCOMP@
HAVE_APPARMOR=@HAVE_APPARMOR@
HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
HAVE_SUID=@HAVE_SUID@
uids.h:; ./mkuid.sh
.PHONY: mylibs $(MYLIBS)
mylibs: $(MYLIBS) uids.h
$(MYLIBS):
mylibs: $(MYLIBS)
$(MYLIBS): uids.h
$(MAKE) -C $@
.PHONY: apps $(APPS)
......@@ -42,9 +42,11 @@ man: $(MANPAGES)
filters: src/fseccomp
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
src/fseccomp/fseccomp default seccomp
src/fsec-optimize/fsec-optimize seccomp
src/fseccomp/fseccomp default seccomp.debug allow-debuggers
src/fsec-optimize/fsec-optimize seccomp.debug
src/fseccomp/fseccomp secondary 32 seccomp.32
src/fseccomp/fseccomp secondary 64 seccomp.64
src/fsec-optimize/fsec-optimize seccomp.32
src/fseccomp/fseccomp secondary block seccomp.block_secondary
src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
endif
......@@ -71,13 +73,15 @@ distclean: clean
for dir in $(APPS) $(MYLIBS); do \
$(MAKE) -C $$dir distclean; \
done
rm -fr Makefile autom4te.cache config.log config.status config.h uids.h
rm -fr Makefile autom4te.cache config.log config.status config.h uids.h dummy.o src/common.mk
realinstall:
# firejail executable
install -m 0755 -d $(DESTDIR)/$(bindir)
install -c -m 0755 src/firejail/firejail $(DESTDIR)/$(bindir)/.
ifeq ($(HAVE_SUID),yes)
chmod u+s $(DESTDIR)/$(bindir)/firejail
endif
# firemon executable
install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/.
# firecfg executable
......@@ -89,10 +93,6 @@ realinstall:
install -c -m 0644 src/libpostexecseccomp/libpostexecseccomp.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
ifeq ($(HAVE_GIT_INSTALL),-DHAVE_GIT_INSTALL)
install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/.
endif
install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
......@@ -102,11 +102,12 @@ endif
install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fsec-optimize/fsec-optimize $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
endif
......@@ -170,6 +171,8 @@ install-strip: all
strip src/fnet/fnet
strip src/fnetfilter/fnetfilter
strip src/fseccomp/fseccomp
strip src/fsec-print/fsec-print
strip src/fsec-optimize/fsec-optimize
strip src/fcopy/fcopy
strip src/fldd/fldd
strip src/fbuilder/fbuilder
......@@ -189,7 +192,7 @@ uninstall:
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
dist:
......@@ -291,6 +294,10 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy
# with them you will need to restart your computer.
##########################################
# a firejail-test account is required, public/private key setup
test-ssh:
cd test/ssh; ./ssh.sh | grep TESTING
# requires root access
test-chroot:
cd test/chroot; ./chroot.sh | grep testing
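Review bot: In the `filters` hunk (`@@ -42,9 +42,11 @@`) the new recipe lines invoke `src/fsec-optimize/fsec-optimize` on `seccomp`, `seccomp.debug` and `seccomp.32`, but the rule header is still `filters: src/fseccomp`, so `src/fsec-optimize` is not a prerequisite of `filters`; under `make -j` nothing orders the build of fsec-optimize (listed in `APPS`, a sibling of `filters` in `all`) before the recipe that executes it, and the run can fail with a missing binary or, worse, pick up a stale one from a previous build. The one-line fix is to declare the dependency in the header, `filters: src/fseccomp src/fsec-optimize`, keeping the `ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)` guard as is. fsec-optimize appears to rewrite in place the filter file that the preceding fseccomp line produced, and these files are then installed under `$(libdir)/firejail` as the default sandbox policy; since `filters` is a phony-style target with no `.DELETE_ON_ERROR:`, a failure midway leaves a partially written filter on disk that a later `make install` would copy, so a comment such as `# fsec-optimize rewrites $(SECCOMP_FILTERS) in place; a failed run must not be installed` next to the rule would help the next maintainer. The Makefile.in file header of this section lies outside the visible diff.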
......
......@@ -34,11 +34,13 @@ Maintainer:
Committers
- Fred-Barclay (https://github.com/Fred-Barclay)
- Reiner Herrmann (https://github.com/reinerh)
- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
- smithsohu (https://github.com/smitsohu)
- SpotComms (https://github.com/SpotComms)
- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer
- SkewedZeppelin (https://github.com/SkewedZeppelin)
- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer)
- Topi Miettinen (https://github.com/topimiettinen)
- Vincent43 (https://github.com/Vincent43)
- chiraag-nataraj (https://github.com/chiraag-nataraj)
- netblue30 (netblue30@yahoo.com)
......@@ -69,6 +71,9 @@ Aleksey Manevich (https://github.com/manevich)
- x11 xpra, xphyr, none profile commands
- added --join-or-start command
- CVE-2016-7545
Alexander Gerasiov (https://github.com/gerasiov)
- read-only ~/.ssh/authorized_keys
- profile updates
Alexander Stein (https://github.com/ajstein)
- added profile for qutebrowser
Andrey Alekseenko (https://github.com/al42and)
......@@ -80,6 +85,7 @@ announ (https://github.com/announ)
- mpv and youtube-dl profile fixes
Antonio Russo (https://github.com/aerusso)
- enumerate root directories in apparmor profile
- fix join-or-start
Austin S. Hemmelgarn (https://github.com/Ferroin)
- unbound profile update
avoidr (https://github.com/avoidr)
......@@ -101,6 +107,16 @@ Bader Zaidan (https://github.com/BaderSZ)
- Telegram profile
Benjamin Kampmann (https://github.com/ligthyear)
- Forward exit code from child process
bitfreak25 (https://github.com/bitfreak25)
- added PlayOnLinux profile
- minetest profile fix
- added sylpheed profile
bn0785ac (https://github.com/bn0785ac)
- fixed bnox, dnox profiles
- support all tor-browser langpacks
- chromium canary (inox-family) fixes
- allow multithreading for cin and natron
- fix dbus access for libreoffice on KDE
BogDan Vatra (https://github.com/bog-dan-ro)
- zoom profile
Bruno Nova (https://github.com/brunonova)
......@@ -143,6 +159,8 @@ Daan Bakker (https://github.com/dbakker)
Danil Semelenov (https://github.com/sgtpep)
- blacklist the Electron Cash Wallet
- blacklist s3cmd and s3fs configs
- blacklist Ethereum, Monero wallets
- blacklist Dash Core wallet
Dara Adib (https://github.com/daradib)
- ssh profile fix
- evince profile fix
......@@ -152,6 +170,8 @@ dewbasaur (https://github.com/dewbasaur)
- block access to history files
- Firefox PDF.js exploit (CVE-2015-4495) fixes
- Steam profile
DiGitHubCap (https://github.com/DiGitHubCap)
- deluge profile fix
dshmgh (https://github.com/dshmgh)
- overlayfs fix for systems with /home mounted on a separate partition
Duncan Overbruck (https://github.com/Duncaen)
......@@ -167,6 +187,8 @@ Fabian Würfl (https://github.com/BafDyce)
- Liferea profile
Felipe Barriga Richards (https://github.com/fbarriga)
- --private-etc fix
floxo (https://github.com/floxo)
- fixed qml disk cache issue
Franco (nextime) Lanza (https://github.com/nextime)
- added --private-template/--private-home
fuelflo (https://github.com/fuelflo)
......@@ -217,6 +239,8 @@ Fred-Barclay (https://github.com/Fred-Barclay)
- added BibleTime profile
- added caja and galculator profiles
- added Catfish profile
g3ngr33n (https://github.com/g3ngr33n)
- fix musl compilation
G4JC (http://sourceforge.net/u/gaming4jc/profile/)
- ARM support
- profile fixes
......@@ -224,6 +248,18 @@ Gaman Gabriel (https://github.com/stelariusinfinitek)
- inox profile
geg2048 (https://github.com/geg2048)
- kwallet profile fixes
glitsj16 (https://github.com/glitsj16)
- evince-previewer, evince-thumbnailer profiles
- gnome-recipes, gnome-logs profiles
- fixed private-lib for gnome-calculator
- gunzip, bunzip2 profiles
- enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles
- atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes
- acat, adiff, als, apack, arepack, aunpack profiles,
- fix sqlitebrowser blacklist
- spelling fixes
- bitblbee profile fixes
- fix firefox common addons
graywolf (https://github.com/graywolf)
- spelling fix
greigdp (https://github.com/greigdp)
......@@ -252,6 +288,8 @@ iiotx (https://github.com/iiotx)
- use generic.profile by default
Impyy (https://github.com/Impyy)
- added mumble profile
intika (https://github.com/intika)
- added musixmatch profile
irregulator (https://github.com/irregulator)
- thunderbird profile fixes for debian stretch
Irvine (https://github.com/Irvinehimself)
......@@ -264,6 +302,14 @@ Jaykishan Mutkawoa (https://github.com/jmutkawoa)
James Elford (https://github.com/jelford)
- pass password manager support
- removed shell none from ssh-agent configuration, fixing the infinit loop
- added gcloud profile
- blacklist sensitive cloud provider files in disable-common
Jean Lucas (https://github.com/flacks)
- fix Discord profile
- add AnyDesk profile
- add WebStorm profile
- add XMind profile
- add nvm to list of disabled interpreters
Jericho (https://github.com/attritionorg)
- spelling
Jesse Smith (https://github.com/slicer69)
......@@ -299,6 +345,8 @@ KellerFuchs (https://github.com/KellerFuchs)
- added support for .local profile files in /etc/firejail
- fixed Cryptocat profile
- make ~/.local read-only
Kishore96in (https://github.com/Kishore96in)
- added falkon profile
KOLANICH (https://github.com/KOLANICH)
- added symlink fixer fix_private-bin.py in contrib section
Kunal Mehta (https://github.com/legoktm)
......@@ -332,8 +380,11 @@ Mattias Wadman (https://github.com/wader)
- seccomp errno filter support
Matthew Gyurgyik (https://github.com/pyther)
- rpm spec and several fixes
melvinvermeeren (https://github.com/melvinvermeeren)
maxice8 (https://github.com/maxice8)
- fixed missing header
Melvin Vermeeren (https://github.com/melvinvermeeren)
- added teamspeak3 profile
- added --noautopulse command line option
Michael Haas (https://github.com/mhaas)
- bugfixes
Mike Frysinger (vapier@gentoo.org)
......@@ -355,6 +406,8 @@ Panzerfather (https://github.com/Panzerfather)
- allow eog to access user's trash
Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
- user namespace implementation
Paul Moore <pmoore@redhat.com>
-src/fsec-print/print.c extracted from libseccomp software package
Paupiah Yash (https://github.com/CaffeinatedStud)
- gzip profile
Peter Millerchip (https://github.com/pmillerchip)
......@@ -382,6 +435,8 @@ Pixel Fairy (https://github.com/xahare)
PizzaDude (https://github.com/pizzadude)
- add mpv support to smplayer
- added profile for torbrowser-launcher
- added profile for sayonara and qmmp
- remove tracelog from Firefox profile
probonopd (https://github.com/probonopd)
- automatic build on Travis CI
pshpsh (https://github.com/pshpsh)
......@@ -416,6 +471,10 @@ Reiner Herrmann (https://github.com/reinerh)
Remco Verhoef (https://github.com/nl5887)
- add overlay configuration to profiles
- prevent running shells recursively
RD PROJEKT (https://github.com/RDProjekt)
- noblacklist support for /sys/module directory
- whitelist support for /sys/module directory
- support AMD GPU by OpenCL in Blender
rogshdo (https://github.com/rogshdo)
- BitlBee profile
Ruan (https://github.com/ruany)
......@@ -452,7 +511,9 @@ soredake (https://github.com/soredake)
- fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
- fix keepassxc.profile
- fix qtox.profile
SpotComms (https://github.com/SpotComms)
- add ocaltime to private-etc to make qtox show correct time
- fixes for the keepassxc 2.2.5 version
SkewedZeppelin (https://github.com/SkewedZeppelin)
- added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
- added PDFSam, Pithos, and Xonotic profiles
- disabled Go, Rust, and OpenSSL in disable-devel.conf
......@@ -574,13 +635,18 @@ Vasya Novikov (https://github.com/vn971)
- fixed firecfg clean/clear issue
- found the ugliest bug so far
- seccomp debug description in man page
- seccomp syscall list update for glibc 2.26-10
Veeti Paananen (https://github.com/veeti)
- fixed Spotify profile
Vincent43 (https://github.com/Vincent43)
- apparmor enhancements
vismir2 (https://github.com/vismir2)
- feh, ranger, 7z, keepass, keepassx and zathura profiles
- claws-mail, mutt, git, emacs, vim profiles
- lots of profile fixes
- support for truecrypt and zuluCrypt
viq (https://github.com/viq)
- discord-canary profile
Vladimir Gorelov (https://github.com/larkvirtual)
- added Yandex browser profile
Vladimir Schowalter (https://github.com/VladimirSchowalter20)
......
firejail (0.9.54) baseline; urgency=low
* modif: --force removed
* modif: --csh, --zsh removed
* modif: --debug-check-filename removed
* modif: --git-install and --git-uninstall removed
* modif: support for private-bin, private-lib and shell none has been
disabled while running AppImage archives in order to be able to use
our regular profile files with AppImages.
* modif: restrictions for /proc, /sys and /run/user directories
are moved from AppArmor profile into firejail executable
* modif: unifying Chromium and Firefox browsers profiles.
All users of Firefox-based browsers who use addons and plugins
that read/write from ${HOME} will need to uncomment the includes for
firefox-common-addons.inc in firefox-common.profile.
* modif: split disable-devel.inc into disable-devel and
disable-interpreters.inc
* Firejail user access database (/etc/firejail/firejail.users,
man firejail-users)
* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
* Spectre mitigation patch for gcc and clang compiler
* D-Bus handling (--nodbus)
* AppArmor support for overlayfs and chroot sandboxes
* AppArmor support for AppImages
* Enable AppArmor by default for a large number of programs
* firejail --apparmor.print option
* firemon --apparmor option
* apparmor yes/no flag in /etc/firejail/firejail.config
* seccomp syscall list update for glibc 2.26-10
* seccomp disassembler for --seccomp.print option
* seccomp machine code optimizer for default seccomp filters
* IPv6 DNS support
* whitelist support for overlay and chroot sandboxes
* private-dev support for overlay and chroot sandboxes
* private-tmp support for overlay and chroot sandboxes
* added sandbox name support in firemon
* firemon/prctl enhancements
* noblacklist support for /sys/module directory
* whitelist support for /sys/module directory
* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
* new profiles: discord-canary, pycharm-community, pycharm-professional,
* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
* new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
* new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
* new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
* new profiles: qmmp, sayonara
-- netblue30 <netblue30@yahoo.com> Wed, 16 May 2018 08:00:00 -0500
firejail (0.9.52) baseline; urgency=low
* modif: --allow-private-blacklists was deprecated; blacklisting,
read-only, read-write, tmpfs and noexec are allowed in
......@@ -43,9 +94,41 @@ firejail (0.9.52) baseline; urgency=low
xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report
cower (Arch), kdeinit4
-- netblue30 <netblue30@yahoo.com> Thu, 7 Dec 2017 08:00:00 -0500
firejail (0.9.50) baseline; urgency=low
* modif: --output split in two commands, --output and --output-stderr
* feature: per-profile disable-mnt (--disable-mnt)
* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
* feature: private /lib directory (--private-lib)
* feature: disable CDROM/DVD drive (--nodvd)
* feature: disable DVB devices (--notv)
* feature: --profile.print
* enhancement: print all seccomp filters under --debug
* enhancement: /proc/sys mounting
* enhancement: rework IP address assingment for --net options
* enhancement: support for newer Xpra versions (2.1+) -
set xpra-attach yes in /etc/firejail/firejail.config
* enhancement: all profiles use a standard layout style
* enhancement: create /usr/local for firecfg if the directory doesn't exist
* enhancement: allow full paths in --private-bin
* seccomp feature: --memory-deny-write-execute
* seccomp feature: seccomp post-exec
* seccomp feature: block secondary architecture (--seccomp.block_secondary)
* seccomp feature: seccomp syscall groups
* seccomp enhancement: print all seccomp filters under --debug
* seccomp enhancement: default seccomp list update
* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
* new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
* new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
* new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
* new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
* new profiles: sqlitebrows