Commit 3806df96 authored by Lorenzo Faletra's avatar Lorenzo Faletra

Import Upstream version 0.9.58.2

parent 74d92f26
......@@ -134,7 +134,8 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.
# install apparmor profile customization file
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"
endif
# man pages
install -m 0755 -d $(DESTDIR)/$(mandir)/man1
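Review bot: The `sh -c "if [ ! -d ... ]; then install -d ...; fi;"` wrappers on the two directory lines are redundant and fragile: `install -d` already succeeds when the directory exists, and the unquoted `$(DESTDIR)/$(sysconfdir)` inside the `sh -c` string word-splits if either value contains a space. The new guard on `firejail-local` is the right change (the old unconditional copy clobbered site overrides on every upgrade), but `[ ! -f ]` is also true for a dangling symlink, so an admin who pointed the override elsewhere gets it recreated — acceptable, but worth a comment. I would reduce the directory handling to `install -d -m 755 "$(DESTDIR)/$(sysconfdir)/apparmor.d/local"` and quote the path in the remaining `-f` test. The enclosing `ifeq` starts before this hunk.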
......@@ -534,6 +534,7 @@ rusty-snake (https://github.com/rusty-snake)
- added ghostwriter profle
- fix gajim profile, added gajim-history-manager profile
- updates for ~/.cargo
- added klavaro profile
Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
- fixed ktorrent profile
sarneaud (https://github.com/sarneaud)
......@@ -743,4 +744,4 @@ Zack Weinberg (https://github.com/zackw)
with firejail --x11
- support for xpra-extra-params in firejail.config
Copyright (C) 2014-2017 Firejail Authors
Copyright (C) 2014-2019 Firejail Authors
firejail (0.9.58,2) baseline; urgency=low
* cgroup flag in /etc/firejail/firejail.config file
* name-change flag in /etc/firejail.config file
* --name rework
* new profiles: klavaro, vscodium
* browser profiles fixes
* various other bugfixes
-- netblue30 <netblue30@yahoo.com> Fri, 8 Feb 2019 08:00:00 -0500
firejail (0.9.58) baseline; urgency=low
* --disable-mnt rework
* --net.print command
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for firejail 0.9.58.
# Generated by GNU Autoconf 2.69 for firejail 0.9.58.2.
#
# Report bugs to <netblue30@yahoo.com>.
#
......@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='firejail'
PACKAGE_TARNAME='firejail'
PACKAGE_VERSION='0.9.58'
PACKAGE_STRING='firejail 0.9.58'
PACKAGE_VERSION='0.9.58.2'
PACKAGE_STRING='firejail 0.9.58.2'
PACKAGE_BUGREPORT='netblue30@yahoo.com'
PACKAGE_URL='https://firejail.wordpress.com'
......@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures firejail 0.9.58 to adapt to many kinds of systems.
\`configure' configures firejail 0.9.58.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1337,7 +1337,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of firejail 0.9.58:";;
short | recursive ) echo "Configuration of firejail 0.9.58.2:";;
esac
cat <<\_ACEOF
......@@ -1442,7 +1442,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
firejail configure 0.9.58
firejail configure 0.9.58.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by firejail $as_me 0.9.58, which was
It was created by firejail $as_me 0.9.58.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by firejail $as_me 0.9.58, which was
This file was extended by firejail $as_me 0.9.58.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -4433,7 +4433,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
firejail config.status 0.9.58
firejail config.status 0.9.58.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
AC_PREREQ([2.68])
AC_INIT(firejail, 0.9.58, netblue30@yahoo.com, , https://firejail.wordpress.com)
AC_INIT(firejail, 0.9.58.2, netblue30@yahoo.com, , https://firejail.wordpress.com)
AC_CONFIG_SRCDIR([src/firejail/main.c])
#AC_CONFIG_HEADERS([config.h])
......@@ -17,12 +17,14 @@ noblacklist ${HOME}/.config/xplayer
noblacklist ${HOME}/.local/share/totem
noblacklist ${HOME}/.local/share/xplayer
noblacklist ${HOME}/.mplayer
noblacklist ${VIDEOS}
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
include whitelist-var-common.inc
......@@ -36,7 +38,7 @@ nonewprivs
noroot
notv
nou2f
protocol unix,inet,inet6
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog
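Review bot: Adding `netlink` to the `protocol` line widens the seccomp socket-family filter for every user of this profile, and neither the hunk nor the commit message says which feature needs it. Netlink lets the sandboxed process enumerate interfaces, routes and uevents (and would allow reconfiguration if `caps.drop all`/`nonewprivs` were ever relaxed), so a rationale line above it is warranted: `# netlink: needed by <library/feature> - confirm`. The profile name is not visible in this section, so I cannot check whether the player in question actually uses rtnetlink or whether this is a workaround for a seccomp kill seen in `tracelog`.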
......@@ -22,7 +22,7 @@ include whitelist-var-common.inc
apparmor
caps.drop all
netfilter
nodbus
#nodbus - dbus needed for MPRIS
nogroups
nonewprivs
noroot
......@@ -35,6 +35,7 @@ shell none
tracelog
# private-bin audacious
private-cache
private-dev
private-tmp
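Review bot: Commenting out `nodbus` re-exposes the entire session bus to the sandbox, not just the MPRIS interface — at this version `nodbus` is all-or-nothing, there is no per-name filtering — so the comment `#nodbus - dbus needed for MPRIS` should state the trade-off and the opt-out. Assuming the usual `include audacious.local` sits at the top of the profile (outside this hunk), I would write `# nodbus disabled: MPRIS needs the session bus; add 'nodbus' to audacious.local if you do not use MPRIS controls`. The added `private-cache` is fine.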
......@@ -26,6 +26,7 @@ include disable-programs.inc
include whitelist-var-common.inc
caps.drop all
netfilter
no3d
nodvd
nogroups
......@@ -42,6 +43,7 @@ shell none
# x11 xorg
private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
private-cache
private-dev
private-tmp
......@@ -15,6 +15,7 @@ include disable-programs.inc
caps.drop all
ipc-namespace
# net none
netfilter
# nodbus
nodvd
nogroups
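Review bot: `netfilter` is, as far as I know, only applied inside a new network namespace (one created by `net <interface>`); with `# net none` commented out and no `net` line visible here, the added directive is likely a no-op unless the user's .local file or command line adds a namespace — please confirm against the netfilter handling in src/firejail. If it is meant as a hardening that only activates when a user opts into `net`, a comment saying so, e.g. `# netfilter takes effect only with 'net <iface>'`, would avoid the false sense of a firewall being active. The hunk shows neither the profile name nor its top, so I cannot tell which case applies.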
......@@ -7,6 +7,7 @@ include chromium-common.local
#include globals.local
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
include disable-common.inc
include disable-devel.inc
......@@ -14,8 +15,10 @@ include disable-interpreters.inc
include disable-programs.inc
mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
include whitelist-common.inc
include whitelist-var-common.inc
......@@ -34,7 +37,8 @@ disable-mnt
private-dev
# private-tmp - problems with multiple browser sessions
noexec ${HOME}
# breaks DRM binaries
#noexec ${HOME}
noexec /tmp
# the file dialog needs to work without d-bus
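Review bot: Commenting out `noexec ${HOME}` drops the no-exec mount on the whole home directory for every Chromium-based browser, not only for users of DRM content; since `chromium-common.local` is included at the top of this profile (visible in the first hunk of this section), users who do not need DRM can restore the hardening there, and the comment should say so. I would replace `# breaks DRM binaries` with `# breaks DRM binaries (the CDM is presumably loaded from under ${HOME} - confirm); add 'noexec ${HOME}' to chromium-common.local if you do not need DRM`. The `.local/share/pki` additions mirror the `.pki` handling and look consistent with the disable-common.inc change.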
......@@ -6,11 +6,14 @@ include cliqz.local
include globals.local
noblacklist ${HOME}/.cache/cliqz
noblacklist ${HOME}/.cliqz
noblacklist ${HOME}/.config/cliqz
mkdir ${HOME}/.cache/cliqz
mkdir ${HOME}/.cliqz
mkdir ${HOME}/.config/cliqz
whitelist ${HOME}/.cache/cliqz
whitelist ${HOME}/.cliqz
whitelist ${HOME}/.config/cliqz
# private-etc must first be enabled in firefox-common.profile
......@@ -6,6 +6,7 @@ include code.local
include globals.local
noblacklist ${HOME}/.vscode
noblacklist ${HOME}/.vscode-oss
noblacklist ${HOME}/.config/Code
include disable-common.inc
......@@ -11,12 +11,15 @@ blacklist ${HOME}/.local/share/Trash
blacklist-nolog ${HOME}/.*_history
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.cache/greenclip*
blacklist-nolog ${HOME}/.histfile
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.kde/share/apps/klipper
blacklist-nolog ${HOME}/.kde4/share/apps/klipper
blacklist-nolog ${HOME}/.local/share/fish/fish_history
blacklist-nolog ${HOME}/.local/share/klipper
blacklist-nolog ${HOME}/.macromedia
blacklist-nolog ${HOME}/.python-history
blacklist-nolog ${HOME}/.pythonhist
blacklist-nolog /tmp/clipmenu*
# X11 session autostart
......@@ -303,6 +306,7 @@ blacklist ${HOME}/.mutt
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.netrc
blacklist ${HOME}/.pki
blacklist ${HOME}/.local/share/pki
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/.ssh
blacklist ${HOME}/.vaults
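Review bot: Python's interactive interpreter writes `~/.python_history` (underscore), which the existing `blacklist-nolog ${HOME}/.*_history` glob at the top of the first hunk already covers, so the new `.python-history` and `.pythonhist` entries only catch tools that use those non-default names — and the editor profiles in this commit that `noblacklist ${HOME}/.python-history` will not re-enable the underscore file if that is what their embedded consoles actually write. Worth confirming which tool produces the hyphenated name and noting it above these lines, e.g. `# python REPL itself uses .python_history (caught by the .*_history glob)`. The `blacklist ${HOME}/.local/share/pki` addition is correctly placed in the credentials block with `.pki` and `.ssh`.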
......@@ -28,6 +28,7 @@ blacklist ${HOME}/.Steampid
blacklist ${HOME}/.TelegramDesktop
blacklist ${HOME}/.ViberPC
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/.VSCodium
blacklist ${HOME}/.WebStorm*
blacklist ${HOME}/.Wolfram Research
blacklist ${HOME}/.ZAP
......@@ -46,6 +47,7 @@ blacklist ${HOME}/.audacity-data
blacklist ${HOME}/.bcast5
blacklist ${HOME}/.bibletime
blacklist ${HOME}/.claws-mail
blacklist ${HOME}/.cliqz
blacklist ${HOME}/.config/0ad
blacklist ${HOME}/.config/2048-qt
blacklist ${HOME}/.config/Atom
......@@ -175,6 +177,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc
blacklist ${HOME}/.config/katevirc
blacklist ${HOME}/.config/kdenliverc
blacklist ${HOME}/.config/kgetrc
blacklist ${HOME}/.config/klavaro
blacklist ${HOME}/.config/klipperrc
blacklist ${HOME}/.config/kmail2rc
blacklist ${HOME}/.config/kmailsearchindexingrc
......@@ -376,6 +379,7 @@ blacklist ${HOME}/.kodi
blacklist ${HOME}/.linphone-history.db
blacklist ${HOME}/.linphonerc
blacklist ${HOME}/.lmmsrc.xml
blacklist ${HOME}/.local/lib/vivaldi
blacklist ${HOME}/.local/share/0ad
blacklist ${HOME}/.local/share/3909/PapersPlease
blacklist ${HOME}/.local/share/Empathy
......@@ -430,6 +434,7 @@ blacklist ${HOME}/.local/share/kaffeine
blacklist ${HOME}/.local/share/kate
blacklist ${HOME}/.local/share/kdenlive
blacklist ${HOME}/.local/share/kget
blacklist ${HOME}/.local/share/klavaro
blacklist ${HOME}/.local/share/kmail2
blacklist ${HOME}/.local/share/knotes
blacklist ${HOME}/.local/share/krita
......@@ -538,6 +543,7 @@ blacklist ${HOME}/.w3m
blacklist ${HOME}/.warzone2100-3.*
blacklist ${HOME}/.waterfox
blacklist ${HOME}/.weechat
blacklist ${HOME}/.wget-hsts
blacklist ${HOME}/.wgetrc
blacklist ${HOME}/.wine
blacklist ${HOME}/.wireshark
......@@ -10,6 +10,7 @@ noblacklist ${HOME}/.emacs
noblacklist ${HOME}/.emacs.d
# uncomment the following line if you need gpg
#noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.python-history
include disable-common.inc
include disable-passwdmgr.inc
......@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/evolution
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.local/share/evolution
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
include disable-common.inc
include disable-devel.inc
......@@ -10,6 +10,7 @@ include firefox-common.local
#include firefox-common-addons.inc
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
include disable-common.inc
include disable-devel.inc
......@@ -17,8 +18,10 @@ include disable-interpreters.inc
include disable-programs.inc
mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
include whitelist-common.inc
include whitelist-var-common.inc
......@@ -51,5 +54,6 @@ private-dev
#private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
private-tmp
noexec ${HOME}
# breaks DRM binaries
#noexec ${HOME}
noexec /tmp
......@@ -21,10 +21,13 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
dbus,
##########
# With ptrace it is possible to inspect and hijack running programs. Usually this
# is needed only for debugging. To allow ptrace, uncomment the following line.
# With ptrace it is possible to inspect and hijack running programs.
# Some browsers are also using ptrace for their sandboxing.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=firejail-default,
##########
# Allow read access to whole filesystem and control it from firejail.
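Review bot: The new `ptrace (read,readby) peer=firejail-default,` rule is scoped to the profile label, so it applies between every process confined by firejail-default — i.e. across all sandboxes on the host, not just within the one that needs it — and `read` is the permission the kernel consults for PTRACE_MODE_READ checks such as opening another task's /proc/<pid>/maps, environ or fd links. In practice pid namespaces hide other sandboxes' pids and DAC/Yama still apply, so the exposure is bounded, but the comment should state that rather than only "not ptrace(2)": `# read/readby cover PTRACE_MODE_READ checks (/proc/<pid>/maps, environ, ...) between any processes under this profile, i.e. any firejail sandbox; trace/tracedby remain denied`. If only specific browsers need it, a narrower peer label would be preferable, though that would require per-application profiles.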
# Site-specific additions and overrides for 'firejail-default'
# Site-specific additions and overrides for 'firejail-default'.
# For more details, please see /etc/apparmor.d/local/README.
......@@ -18,6 +18,9 @@
# Enable or disable bind support, default enabled.
# bind yes
# Enable or disable cgroup support, default enabled.
# cgroup yes
# Enable or disable chroot support, default enabled.
# chroot yes
......@@ -51,6 +54,9 @@
# root user can always join sandboxes.
# join yes
# Enable or disable sandbox name change, default enabled.
# name-change yes
# Enable or disable networking features, default enabled.
# network yes
......@@ -8,6 +8,7 @@ include globals.local
noblacklist ${HOME}/.cache/Franz
noblacklist ${HOME}/.config/Franz
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki
include disable-common.inc
include disable-devel.inc
......@@ -17,10 +18,12 @@ include disable-programs.inc
mkdir ${HOME}/.cache/Franz
mkdir ${HOME}/.config/Franz
mkdir ${HOME}/.pki
mkdir ${HOME}/.local/share/pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/Franz
whitelist ${HOME}/.config/Franz
whitelist ${HOME}/.pki
whitelist ${HOME}/.local/share/pki
include whitelist-common.inc
caps.drop all
......@@ -7,6 +7,7 @@ include geany.local
include globals.local
noblacklist ${HOME}/.config/geany
noblacklist ${HOME}/.python-history
include disable-common.inc
include disable-passwdmgr.inc
......@@ -9,6 +9,7 @@ include globals.local
noblacklist ${HOME}/.config/enchant
noblacklist ${HOME}/.config/gedit
noblacklist ${HOME}/.gitconfig
noblacklist ${HOME}/.python-history
include disable-common.inc
# include disable-devel.inc
......@@ -8,6 +8,7 @@ include globals.local
noblacklist ${HOME}/.cargo/config
noblacklist ${HOME}/.cargo/registry
noblacklist ${HOME}/.python-history
include disable-common.inc
include disable-passwdmgr.inc
......@@ -9,6 +9,7 @@ include globals.local
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
noblacklist ${HOME}/.cache/champlain
noblacklist ${HOME}/.local/share/flatpak
include disable-common.inc
include disable-devel.inc
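Review bot: `noblacklist ${HOME}/.local/share/flatpak` re-exposes the user's whole flatpak installation (app binaries, runtimes and per-app data) to every gjs-launched application, and nothing in the hunk says which gjs app needs it or for what. A rationale comment is warranted, e.g. `# <app> reads ${HOME}/.local/share/flatpak for <purpose> - confirm`, and if only a subdirectory is required the path should be narrowed to it. The existing note about systemd starting gjs apps outside firejail suggests this profile is rarely applied anyway, which is worth restating next to a relaxation of this size.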
......@@ -28,6 +28,7 @@ include whitelist-var-common.inc
apparmor
caps.drop all
# net none
netfilter
# nodbus
nodvd
nogroups
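Review bot: As in the other profiles in this commit that gain `netfilter` under a commented-out `# net none`, the filter is, to my knowledge, only installed in a new network namespace, so without a `net <iface>` line (none is visible here) it probably does nothing — confirm against the netfilter code before relying on it. A short comment such as `# netfilter is only active together with 'net <iface>'` would make the intent clear to users reading the profile.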
......@@ -21,6 +21,7 @@ include disable-xdg.inc
include whitelist-var-common.inc
caps.drop all
netfilter
no3d
nonewprivs
noroot
# Firejail profile for klavaro
# Description: Yet another touch typing tutor
# This file is overwritten after every install/update
# Persistent local customizations
include klavaro.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/klavaro
noblacklist ${HOME}/.local/share/klavaro
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.local/share/klavaro
mkdir ${HOME}/.config/klavaro
whitelist ${HOME}/.local/share/klavaro
whitelist ${HOME}/.config/klavaro
include whitelist-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
machine-id
net none
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
novideo
protocol unix
seccomp
shell none
tracelog
disable-mnt
private-bin klavaro,tclsh,tclsh*,bash
private-cache
private-dev
private-etc fonts
private-tmp
private-opt none
private-srv none
memory-deny-write-execute
noexec ${HOME}
noexec /tmp
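Review bot: `private-bin klavaro,tclsh,tclsh*,bash` lists `tclsh` redundantly (the `tclsh*` glob already matches it) and brings `bash` into a sandbox that otherwise sets `shell none`, `net none` and `memory-deny-write-execute`; because `shell none` means firejail itself needs no shell, bash is present purely for the application, and a one-line comment above saying which klavaro component execs it (presumably the Tcl tutor scripts — confirm) would stop the next maintainer from dropping it or widening it further. I would write `private-bin klavaro,tclsh*,bash` with that comment. The rest of the new profile is tight (no network, no dbus, `private-etc fonts` only), which is a good baseline for a typing tutor.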
......@@ -41,5 +41,6 @@ tracelog
private-dev
private-tmp
noexec ${HOME}
# breaks plugins
#noexec ${HOME}
noexec /tmp
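Review bot: `#noexec ${HOME}` removes the no-exec mount on the whole home directory, and the comment `# breaks plugins` names the symptom but not the plugin location, so users cannot judge whether they are affected. The comment should name the directory the plugins load from and point non-plugin users at the profile's .local file for restoring `noexec ${HOME}` (the include is at the top of the file, outside this hunk, so confirm it exists): `# breaks plugins loaded from ${HOME}/<dir>; add 'noexec ${HOME}' to <profile>.local if you do not use them`. The profile name is not visible in this section.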
......@@ -15,6 +15,7 @@ include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
include whitelist-var-common.inc
......@@ -33,6 +34,7 @@ shell none
tracelog
private-bin konversation,kbuildsycoca4
private-cache
private-dev
private-tmp
......@@ -28,6 +28,7 @@ apparmor
caps.drop all
ipc-namespace
# net none
netfilter
# nodbus
nodvd
nogroups
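Review bot: Same remark as for the other `netfilter` additions in this commit: with `# net none` commented out and no `net <iface>` line in view, the filter likely never gets installed, since firejail (as far as I recall) applies it only inside a new network namespace — verify against the netfilter code. If the intent is "active once a user opts into `net`", say so in a comment next to the directive.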
......@@ -15,6 +15,7 @@ include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
include whitelist-var-common.inc
......@@ -16,6 +16,7 @@ noblacklist ${HOME}/.local/share/totem
noblacklist ${HOME}/.local/share/xplayer
noblacklist ${HOME}/.mediathek3
noblacklist ${HOME}/.mplayer
noblacklist ${VIDEOS}
# Allow access to java
noblacklist ${PATH}/java
......@@ -28,6 +29,7 @@ include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
include whitelist-var-common.inc
......@@ -44,6 +46,7 @@ protocol unix,inet,inet6
seccomp
tracelog
private-cache
private-dev
private-tmp
......@@ -12,7 +12,8 @@ noblacklist ${HOME}/.cache/Mendeley Ltd.