Commit a6e24a3f authored by Lorenzo Faletra's avatar Lorenzo Faletra

Import Debian changes 0.9.50-3parrot0

firejail (0.9.50-3parrot0) testing; urgency=medium

  * Non-maintainer upload.
  * Fix thunderbird rules.
  * Fix display rules.
  * Fix libreoffice rules.

firejail (0.9.50-3) unstable; urgency=medium

  * Upload to unstable.

firejail (0.9.50-2) experimental; urgency=low

  * Cherry-pick another seccomp-related build fix.

firejail (0.9.50-1) experimental; urgency=medium

  * New upstream release.
  * Drop build patch applied upstream.

firejail (0.9.50~rc1-2) experimental; urgency=low

  * Cherry-pick fix for build failure on some architectures.

firejail (0.9.50~rc1-1) experimental; urgency=low

  * New upstream release candidate.
    - Several profile fixes (Closes: #866014, #872287, #872720)
      Thanks to Martin Dosch for the reports and a patch.
    - Improve cross build support (Closes: #869707)
      Thanks to Helmut Grohne for providing the patch.
  * debian/copyright: Switch URLs to https.
  * Bump Standards-Version to 4.1.0.

firejail (0.9.48-2) unstable; urgency=medium

  * Upload to unstable.

firejail (0.9.48-1) experimental; urgency=low

  * New upstream release.
    - Allow jailed thunderbird to read mime data (Closes: #864510)
  * Run arguments and fcopy tests during autopkgtest.

firejail (0.9.46-2) experimental; urgency=low

  * Fix arch:all build by overriding dh_fixperms only for arch:any

firejail (0.9.46-1) experimental; urgency=low

  * New upstream release.
  * Replace patch which prevented installation of contrib scripts to
    /usr/lib with newly added configure option.
  * Add Xvfb as alternative recommendation for X isolation.

firejail (0.9.46~rc1-1) experimental; urgency=low

  * New upstream release candidate.
  * Split profiles into separate package (Closes: #850273).
    - New binary package firejail-profiles
    - Remove old profile conffiles from firejail binary package
    - Add NEWS to inform about the package split
  * debian/copyright:
    - Document copyright of contributed script
    - Update path of moved file
    - Bump copyright years to 2017
  * Install contrib scripts in doc directory.
  * Replace icedove with thunderbird in test dependencies.

firejail (0.9.44.10-1) experimental; urgency=medium

  * New upstream release.

firejail (0.9.44.8-1) unstable; urgency=medium

  * New upstream release.

firejail (0.9.44.6-1) unstable; urgency=medium

  * New upstream release.

firejail (0.9.44.4-1) unstable; urgency=high

  * New upstream release.
    - Security fixes for: CVE-2017-5180, CVE-2017-5206, CVE-2017-5207
      (Closes: #850528, #850558)
  * Drop patches applied upstream.

firejail (0.9.44.2-3) unstable; urgency=high

  * Add followup fix for CVE-2017-5180 (Closes: #850160).

firejail (0.9.44.2-2) unstable; urgency=high

  * Add upstream fix for CVE-2017-5180 (Closes: #850160).

firejail (0.9.44.2-1) unstable; urgency=medium

  * New upstream release.

firejail (0.9.44-1) unstable; urgency=medium

  * New upstream release.
    - Fix sandbox escape via terminal input buffer similar to
      SELinux's CVE-2016-7545.
  * Run apps-x11-xorg tests during autopkgtest.
  * Add xauth to Recommends for x11=xorg sandbox feature.

firejail (0.9.44~rc1-1) experimental; urgency=low

  * New upstream release candidate.
    - Fix program crashes with nvidia driver (Closes: #839868)
  * Add iptables to Recommends for netfilter feature.
  * Bump debhelper compat level to 10.
    - Drop --parallel, which is now default behavior

firejail (0.9.42-1) unstable; urgency=medium

  * New upstream release.

firejail (0.9.42~rc2-1) experimental; urgency=low

  * New upstream release candidate.
    - shell prompt no longer overwritten by default (Closes: #834256)
  * Drop patch for build failure, applied upstream.
  * Add upstream signing key.
  * Check upstream signature with uscan.
  * Install upstream README.
  * Enable AppArmor support.
  * Include upstream sysutils tests in autopkgtest run.

firejail (0.9.42~rc1-2) experimental; urgency=low

  * Cherry-pick upstream fix for build failure on non-x86 platforms.

firejail (0.9.42~rc1-1) experimental; urgency=low

  * New upstream release candidate.
  * Drop LXC patch applied upstream.
  * Add ping and wget to test dependencies.
  * Run autopkgtests in isolation-machine.

firejail (0.9.40-3) unstable; urgency=low

  * Replace patch for LXC support with improved version by upstream.
    Previous fix only worked for firejail as init process, not in
    user sessions inside containers (like with autopkgtest).

firejail (0.9.40-2) unstable; urgency=low

  * Remove obsolete conffiles (Closes: #825877).
  * Add iptables to test dependencies.
  * Cherry-pick upstream patch for LXC detection.
    autopkgtests were failing in LXC because firejail wrongly
    detected an already existing sandbox.
  * Add gbp.conf to enable pristine-tar by default.
  * Add Vcs-* fields; git repository is now in collab-maint.

firejail (0.9.40-1) unstable; urgency=low

  * New upstream release.
    - Fix legacy Opera profile (Closes: #819950)
  * Add autopkgtests to run upstream's test suite.
    - skip test target in debian/rules, which is run in autopkgtest

firejail (0.9.40~rc1-1) experimental; urgency=low

  * New upstream release candidate. (Closes: #823191)
  * Recommend xpra or xserver-xephyr for X11 isolation.
  * Drop autotools-dev; debhelper is now doing the same.
  * Bump copyright years to 2016.
  * Bump Standards-Version to 3.9.8.

firejail (0.9.38-1) unstable; urgency=low

  * New upstream release.
  * Bump standards version to 3.9.7.

firejail (0.9.36-1) unstable; urgency=low

  * New upstream release.
    - Support for logging of blacklist violations (Closes: #794837)
  * Updated Homepage field.
  * Dropped reproducibility patch, which has been applied upstream.
  * Dropped debian/missing-sources. Upstream removed binaries
    from release tarball.

firejail (0.9.34-1) unstable; urgency=low

  * New upstream release.
  * Drop libdir patch applied upstream.
  * Symlink source which lintian thinks is missing.

firejail (0.9.32-1) unstable; urgency=low

  * New upstream release.
  * Added README.Debian.
  * Added patch to fix the location of the lib dir.

firejail (0.9.28-1) unstable; urgency=low

  * New upstream release.
    - Common include for blacklisted directories (Closes: #789164)
    - Improved support for other architectures (Closes: #789317)
  * Enabled all Linux architectures again.
  * Removed unneeded debian/firejail.bash-completion file.

firejail (0.9.26-1) unstable; urgency=low

  * New upstream release.
  * Enabled all hardening options.
  * Amended reproducibility patch to use normalized locale.
  * Dropped usage of outdated bash-completion debhelper.
  * Limited architectures to supported ones (Closes: #789163).

firejail (0.9.24-1) unstable; urgency=low

  * New upstream release.
  * Dropped patches applied upstream.

firejail (0.9.22-1) unstable; urgency=low

  * Initial release (Closes: #777671)
parents e7a5918b 59e8b04a
*.o
*.so
*~
*.swp
*.rpm
*.gcda
*.gcno
Makefile
autom4te.cache/
config.log
config.status
firejail-login.5
firejail-profile.5
firejail-config.5
firejail.1
firemon.1
firecfg.1
src/firejail/firejail
src/firemon/firemon
src/firecfg/firecfg
src/ftee/ftee
src/tags
src/faudit/faudit
src/fnet/fnet
src/fseccomp/fseccomp
src/fcopy/fcopy
src/fldd/fldd
src/fbuilder/fbuilder
uids.h
seccomp
seccomp.debug
seccomp.32
seccomp.64
seccomp.block_secondary
seccomp.mdwx
language: c
dist: trusty
sudo: true
script:
- sudo apt-get -y install expect csh xzdec lintian fakeroot
# Build Debian package
- ( cd firejail; ./configure --prefix=/usr --enable-git-install && make deb && sudo dpkg -i firejail*.deb )
# Remove Debian package
- ( sudo dpkg -P firejail )
- ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
- ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
# If successful, build release tarball
- ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
- curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2
- # Could use https://github.com/probonopd/uploadtool to upload to GitHub Releases instead
all: apps man filters all: apps man filters
MYLIBS = src/lib MYLIBS = src/lib
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
...@@ -99,7 +99,6 @@ endif ...@@ -99,7 +99,6 @@ endif
install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
...@@ -170,7 +169,6 @@ install-strip: all ...@@ -170,7 +169,6 @@ install-strip: all
strip src/fseccomp/fseccomp strip src/fseccomp/fseccomp
strip src/fcopy/fcopy strip src/fcopy/fcopy
strip src/fldd/fldd strip src/fldd/fldd
strip src/fbuilder/fbuilder
$(MAKE) realinstall $(MAKE) realinstall
uninstall: uninstall:
...@@ -239,9 +237,6 @@ scan-build: clean ...@@ -239,9 +237,6 @@ scan-build: clean
test-profiles: test-profiles:
cd test/profiles; ./profiles.sh | grep TESTING cd test/profiles; ./profiles.sh | grep TESTING
test-private-lib:
cd test/private-lib; ./private-lib.sh | grep TESTING
test-apps: test-apps:
cd test/apps; ./apps.sh | grep TESTING cd test/apps; ./apps.sh | grep TESTING
...@@ -274,7 +269,7 @@ test-fs: ...@@ -274,7 +269,7 @@ test-fs:
test-fcopy: test-fcopy:
cd test/fcopy; ./fcopy.sh | grep TESTING cd test/fcopy; ./fcopy.sh | grep TESTING
test: test-profiles test-private-lib test-fcopy test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments test: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
echo "TEST COMPLETE" echo "TEST COMPLETE"
test-travis: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-filters test-arguments test-travis: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-filters test-arguments
......
...@@ -35,8 +35,6 @@ Maintainer: ...@@ -35,8 +35,6 @@ Maintainer:
Committers Committers
- Fred-Barclay (https://github.com/Fred-Barclay) - Fred-Barclay (https://github.com/Fred-Barclay)
- Reiner Herrmann (https://github.com/reinerh) - Reiner Herrmann (https://github.com/reinerh)
- smithsohu (https://github.com/smitsohu)
- SpotComms (https://github.com/SpotComms)
- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer - startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer
- Topi Miettinen (https://github.com/topimiettinen) - Topi Miettinen (https://github.com/topimiettinen)
- netblue30 (netblue30@yahoo.com) - netblue30 (netblue30@yahoo.com)
...@@ -78,8 +76,6 @@ andrew160 (https://github.com/andrew160) ...@@ -78,8 +76,6 @@ andrew160 (https://github.com/andrew160)
- profile and man pages fixes - profile and man pages fixes
announ (https://github.com/announ) announ (https://github.com/announ)
- mpv and youtube-dl profile fixes - mpv and youtube-dl profile fixes
Antonio Russo (https://github.com/aerusso)
- enumerate root directories in apparmor profile
Austin S. Hemmelgarn (https://github.com/Ferroin) Austin S. Hemmelgarn (https://github.com/Ferroin)
- unbound profile update - unbound profile update
avoidr (https://github.com/avoidr) avoidr (https://github.com/avoidr)
...@@ -116,15 +112,9 @@ creideiki (https://github.com/creideiki) ...@@ -116,15 +112,9 @@ creideiki (https://github.com/creideiki)
- make the sandbox process reap all children - make the sandbox process reap all children
chiraag-nataraj (https://github.com/chiraag-nataraj) chiraag-nataraj (https://github.com/chiraag-nataraj)
- support for newer Xpra versions (2.1+) - support for newer Xpra versions (2.1+)
- added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles
- added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles
- added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles
- added tor, x-terminal-emulator, zart profiles
Christian Stadelmann (https://github.com/genodeftest) Christian Stadelmann (https://github.com/genodeftest)
- profile fixes - profile fixes
- evolution profile fix - evolution profile fix
Clayton Williams (https://github.com/gosre)
- addition of RLIMIT_AS
curiosity-seeker (https://github.com/curiosity-seeker) curiosity-seeker (https://github.com/curiosity-seeker)
- tightening unbound and dnscrypt-proxy profiles - tightening unbound and dnscrypt-proxy profiles
- correct and tighten QuiteRss profile - correct and tighten QuiteRss profile
...@@ -251,15 +241,12 @@ Impyy (https://github.com/Impyy) ...@@ -251,15 +241,12 @@ Impyy (https://github.com/Impyy)
- added mumble profile - added mumble profile
irregulator (https://github.com/irregulator) irregulator (https://github.com/irregulator)
- thunderbird profile fixes for debian stretch - thunderbird profile fixes for debian stretch
Irvine (https://github.com/Irvinehimself)
- added conky profile
Ivan Kozik (https://github.com/ivan) Ivan Kozik (https://github.com/ivan)
- speed up sandbox exit - speed up sandbox exit
Jaykishan Mutkawoa (https://github.com/jmutkawoa) Jaykishan Mutkawoa (https://github.com/jmutkawoa)
- cpio profile - cpio profile
James Elford (https://github.com/jelford) James Elford (https://github.com/jelford)
- pass password manager support - pass password manager support
- removed shell none from ssh-agent configuration, fixing the infinit loop
Jericho (https://github.com/attritionorg) Jericho (https://github.com/attritionorg)
- spelling - spelling
Jesse Smith (https://github.com/slicer69) Jesse Smith (https://github.com/slicer69)
...@@ -272,18 +259,12 @@ Joan Figueras (https://github.com/figue) ...@@ -272,18 +259,12 @@ Joan Figueras (https://github.com/figue)
- added cyberfox profile - added cyberfox profile
John Mullee (https://github.com/jmullee) John Mullee (https://github.com/jmullee)
- fix empty-string assignment in whitelisting code - fix empty-string assignment in whitelisting code
Jonas Heinrich (https://github.com/onny)
- added signal-desktop profile
jrabe (https://github.com/jrabe) jrabe (https://github.com/jrabe)
- disallow access to kdbx files - disallow access to kdbx files
- Epiphany profile - Epiphany profile
- Polari profile - Polari profile
- qTox profile - qTox profile
- X11 fixes - X11 fixes
juan (https://github.com/nyancat18)
- fixed Kdenlive, Shotcut profiles
- new profiles for Cinelerra, Cliqz, Bluefish
- profile hardening
Kaan Genç (https://github.com/SeriousBug) Kaan Genç (https://github.com/SeriousBug)
- dynamic allocation of noblacklist buffer - dynamic allocation of noblacklist buffer
KellerFuchs (https://github.com/KellerFuchs) KellerFuchs (https://github.com/KellerFuchs)
...@@ -296,8 +277,6 @@ KellerFuchs (https://github.com/KellerFuchs) ...@@ -296,8 +277,6 @@ KellerFuchs (https://github.com/KellerFuchs)
- make ~/.local read-only - make ~/.local read-only
KOLANICH (https://github.com/KOLANICH) KOLANICH (https://github.com/KOLANICH)
- added symlink fixer fix_private-bin.py in contrib section - added symlink fixer fix_private-bin.py in contrib section
Kunal Mehta (https://github.com/legoktm)
- converted all links to https in manpages
laniakea64 (https://github.com/laniakea64) laniakea64 (https://github.com/laniakea64)
- added fj-mkdeb.py script to build deb packages - added fj-mkdeb.py script to build deb packages
Lari Rauno (https://github.com/tuutti) Lari Rauno (https://github.com/tuutti)
...@@ -327,8 +306,6 @@ Mattias Wadman (https://github.com/wader) ...@@ -327,8 +306,6 @@ Mattias Wadman (https://github.com/wader)
- seccomp errno filter support - seccomp errno filter support
Matthew Gyurgyik (https://github.com/pyther) Matthew Gyurgyik (https://github.com/pyther)
- rpm spec and several fixes - rpm spec and several fixes
melvinvermeeren (https://github.com/melvinvermeeren)
- added teamspeak3 profile
Michael Haas (https://github.com/mhaas) Michael Haas (https://github.com/mhaas)
- bugfixes - bugfixes
Mike Frysinger (vapier@gentoo.org) Mike Frysinger (vapier@gentoo.org)
...@@ -342,8 +319,6 @@ n1trux (https://github.com/n1trux) ...@@ -342,8 +319,6 @@ n1trux (https://github.com/n1trux)
netblue30 (netblue30@yahoo.com) netblue30 (netblue30@yahoo.com)
Niklas Haas (https://github.com/haasn) Niklas Haas (https://github.com/haasn)
- blacklisting for keybase.io's client - blacklisting for keybase.io's client
nyancat18 (https://github.com/nyancat18)
- added ardour4, dooble, karbon, krita profiles
Ondra Nekola (https://github.com/satai) Ondra Nekola (https://github.com/satai)
- allow firefox theming with non-global themes - allow firefox theming with non-global themes
Panzerfather (https://github.com/Panzerfather) Panzerfather (https://github.com/Panzerfather)
...@@ -367,9 +342,6 @@ Peter Hogg (https://github.com/pigmonkey) ...@@ -367,9 +342,6 @@ Peter Hogg (https://github.com/pigmonkey)
- fixes for youtube-dl in mpv profile - fixes for youtube-dl in mpv profile
Petter Reinholdtsen (pere@hungry.com) Petter Reinholdtsen (pere@hungry.com)
- Opera profile patch - Opera profile patch
PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
- fix quiterss profile
- added profile for gnome-ring
pirate486743186 (https://github.com/pirate486743186) pirate486743186 (https://github.com/pirate486743186)
- KMail profile - KMail profile
Pixel Fairy (https://github.com/xahare) Pixel Fairy (https://github.com/xahare)
...@@ -441,10 +413,8 @@ smithsohu (https://github.com/smitsohu) ...@@ -441,10 +413,8 @@ smithsohu (https://github.com/smitsohu)
- improve server profiles, harden musescore - improve server profiles, harden musescore
- snap profile cleanup - snap profile cleanup
- tighten some capability sets further - tighten some capability sets further
- enhance mutt, goobox, baloo and clementine profiles
soredake (https://github.com/soredake) soredake (https://github.com/soredake)
- fix steam startup with >=llvm-4 - fix steam startup with >=llvm-4
- fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
SpotComms (https://github.com/SpotComms) SpotComms (https://github.com/SpotComms)
- added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
- added PDFSam, Pithos, and Xonotic profiles - added PDFSam, Pithos, and Xonotic profiles
...@@ -536,8 +506,6 @@ Topi Miettinen (https://github.com/topimiettinen) ...@@ -536,8 +506,6 @@ Topi Miettinen (https://github.com/topimiettinen)
- seccomp default list update - seccomp default list update
- improve loading of seccomp filter and memory-deny-write-execute feature - improve loading of seccomp filter and memory-deny-write-execute feature
- private-lib feature - private-lib feature
user1024 (user1024@tut.by)
- electron profile whitelisting
valoq (https://github.com/valoq) valoq (https://github.com/valoq)
- lots of profile fixes - lots of profile fixes
- added support for /srv in --whitelist feature - added support for /srv in --whitelist feature
......
# Firejail
[![Build Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail)
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting
the running environment of untrusted applications using Linux namespaces, seccomp-bpf
and Linux capabilities. It allows a process and all its descendants to have their own private
view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel
version or newer. It can sandbox any type of processes: servers, graphical applications, and even
user login sessions. The software includes sandbox profiles for a number of more common Linux programs,
such as Mozilla Firefox, Chromium, VLC, Transmission etc.
The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit,
no socket connections open, no daemons running in the background. All security features are
implemented directly in Linux kernel and available on any Linux computer.
[![About Firejail](video.png)](http://www.youtube.com/watch?v=Yk1HVPOeoTc)
Project webpage: https://firejail.wordpress.com/
Download and Installation: https://firejail.wordpress.com/download-2/
Features: https://firejail.wordpress.com/features-3/
Documentation: https://firejail.wordpress.com/documentation-2/
FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
Travis-CI status: https://travis-ci.org/netblue30/firejail
## Compile and install
`````
$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure && make && sudo make install-strip
`````
On Debian/Ubuntu you will need to install git and a compiler:
`````
$ sudo apt-get install git build-essential
`````
## Running the sandbox
To start the sandbox, prefix your command with “firejail”:
`````
$ firejail firefox # starting Mozilla Firefox
$ firejail transmission-gtk # starting Transmission BitTorrent
$ firejail vlc # starting VideoLAN Client
$ sudo firejail /etc/init.d/nginx start
`````
Run "firejail --list" in a terminal to list all active sandboxes. Example:
`````
$ firejail --list
1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt
7779:netblue:/usr/bin/firejail /usr/bin/galculator
7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4
7916:netblue:firejail --list
`````
## Desktop integration
Integrate your sandbox into your desktop by running the following two commands:
`````
$ firecfg --fix-sound
$ sudo firecfg
`````
The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9.
The second command integrates Firejail into your desktop. You would need to logout and login back to apply
PulseAudio changes.
Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers.
The integration applies to any program supported by default by Firejail. There are about 250 default applications
in current Firejail version, and the number goes up with every new release.
We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
## Security profiles
Most Firejail command line options can be passed to the sandbox using profile files.
You can find the profiles for all supported applications in [/etc/firejail](https://github.com/netblue30/firejail/tree/master/etc) directory.
If you keep additional Firejail security profiles in a public repository, please give us a link:
* https://github.com/chiraag-nataraj/firejail-profiles
* https://github.com/triceratops1/fe
Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
`````
`````
# Current development version: 0.9.51
## Whitelisting, globbing etc.
Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
Added globbing support for --private-bin. Added whitelisting support for /etc and /usr/share.
--private-lib was enhanced to autodetect GTK2, GTK3 and Qt4 libraries. We do a test run with this option enabled
for the following applications: evince, galculator, gnome-calculator,
leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
atril, mate-color-select, tar, file, strings, gpicview,
eom, eog, gedit, pluma
## Profile build tool
`````
$ firejail --build appname
$ firejail --build=appname.profile appname
`````
The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
in order to allow strace to run. Chromium and Chromium-based browsers will not work.
Example:
`````
$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
[...]
############################################
# /usr/bin/vlc profile
############################################
# Persistent global definitions
# include /etc/firejail/globals.local
### basic blacklisting
include /etc/firejail/disable-common.inc
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
# include /etc/firejail/disable-programs.inc
### home directory whitelisting
whitelist ~/Videos
whitelist ~/.local/share/vlc
whitelist ~/.config/vlc
include /etc/firejail/whitelist-common.inc
### filesystem
private-tmp
private-dev
private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
whitelist /var/lib/menu-xdg
# private-bin vlc,
### security filters
caps.drop all
nonewprivs
seccomp
# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
# 76 syscalls total
# Probably you will need to add more syscalls to seccomp.keep. Look for
# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
# running your sandbox.
### network
protocol unix,netlink,
net none
### environment
shell none
$
`````
## New command line and profile options
`````
--writable-run-user
This options disables the default blacklisting of
run/user/$UID/systemd and /run/user/$UID/gnupg.
Example:
$ sudo firejail --writable-run-user
--rlimit-as=number
Set the maximum size of the process's virtual memory (address
space) in bytes.
--rlimit-cpu=number
Set the maximum limit, in seconds, for the amount of CPU time
each sandboxed process can consume. When the limit is reached,
the processes are killed.
The CPU limit is a limit on CPU seconds rather than elapsed
time. CPU seconds is basically how many seconds the CPU has
been in use and does not necessarily directly relate to the
elapsed time. Linux kernel keeps track of CPU seconds for each
process independently.
--timeout=hh:mm:ss
Kill the sandbox automatically after the time has elapsed. The
time is specified in hours/minutes/seconds format.
$ firejail --timeout=01:30:00 firefox
`````
## New profiles:
terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu,
amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter,
calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget
Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles,
https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles.
firejail (0.9.51) baseline; urgency=low firejail (0.9.50) baseline; urgency=low
* work in progress!
* modif: --allow-private-blacklists was deprecated; blacklisting,
read-only, read-write, tmpfs and noexec are allowed in
private home directories
* modif: remount-proc-sys deprecated from firejail.config
* modif: --profile-path was deprecated
* enhancement: support Firejail user config directory in firecfg
* enhancement: disable DBus activation in firecfg
* enhancement; enumerate root directories in apparmor profile
* enhancement: /etc and /usr/share whitelisting support
* enhancement: globbing support for --private-bin
* feature: systemd-resolved integration
* feature: whitelisting /var directory in most profiles
* feature: GTK2, GTK3 and Qt4 private-lib support
* feature: test deployment of private-lib for the following
applications: evince, galculator, gnome-calculator,
leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
atril, mate-color-select, tar, file, strings, gpicview,
eom, eog, gedit, pluma
* feature: --writable-run-user
* feature: --rlimit-as
* feature: --rlimit-cpu
* feature: --timeout
* feature: profile build tool (--build)
* new profiles: upstreamed many profiles from the following sources:
https://github.com/chiraag-nataraj/firejail-profiles,
https://github.com/nyancat18/fe,
https://aur.archlinux.org/packages/firejail-profiles.
* new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
brackets, calligra, calligraauthor, calligraconverter, calligraflow,
calligraplan, calligraplanwork, calligrasheets, calligrastage,
calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,