Commit 05c593d9 authored by Nong Hoang Tu's avatar Nong Hoang Tu

Update upstream source from tag 'upstream/0.9.66_rc1'

Update to upstream version '0.9.66~rc1'
with Debian dir 27187354e30963597c2b1d7e790d04aad9415675
parents 7f35423a a6b8e60d
all: apps man filters
MYLIBS = src/lib
APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
prefix=@prefix@
exec_prefix=@exec_prefix@
bindir=@bindir@
......@@ -16,43 +10,75 @@ VERSION=@PACKAGE_VERSION@
NAME=@PACKAGE_NAME@
PACKAGE_TARNAME=@PACKAGE_TARNAME@
DOCDIR=@docdir@
HAVE_SECCOMP=@HAVE_SECCOMP@
HAVE_APPARMOR=@HAVE_APPARMOR@
HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
HAVE_SUID=@HAVE_SUID@
HAVE_MAN=@HAVE_MAN@
.PHONY: mylibs $(MYLIBS)
mylibs: $(MYLIBS)
$(MYLIBS):
$(MAKE) -C $@
ifneq ($(HAVE_MAN),no)
MAN_TARGET = man
MAN_SRC = src/man
endif
.PHONY: apps $(APPS)
apps: $(APPS)
$(APPS): $(MYLIBS)
COMPLETIONDIRS = src/zsh_completion src/bash_completion
.PHONY: all
all: all_items mydirs $(MAN_TARGET) filters
APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.5
SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
.PHONY: all_items $(ALL_ITEMS)
all_items: $(ALL_ITEMS)
$(ALL_ITEMS): $(MYDIRS)
$(MAKE) -C $(dir $@)
.PHONY: mydirs $(MYDIRS)
mydirs: $(MYDIRS)
$(MYDIRS):
$(MAKE) -C $@
$(MANPAGES): $(wildcard src/man/*.txt)
./mkman.sh $(VERSION) src/man/$(basename $@).txt $@
$(MANPAGES): src/man
./mkman.sh $(VERSION) src/man/$(basename $@).man $@
man: $(MANPAGES)
filters: src/fseccomp
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
src/fseccomp/fseccomp default seccomp
src/fsec-optimize/fsec-optimize seccomp
seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
src/fseccomp/fseccomp default seccomp.debug allow-debuggers
src/fsec-optimize/fsec-optimize seccomp.debug
seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
src/fseccomp/fseccomp secondary 32 seccomp.32
src/fsec-optimize/fsec-optimize seccomp.32
seccomp.block_secondary: src/fseccomp/fseccomp
src/fseccomp/fseccomp secondary block seccomp.block_secondary
seccomp.mdwx: src/fseccomp/fseccomp
src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
endif
seccomp.mdwx.32: src/fseccomp/fseccomp
src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
.PHONY: clean
clean:
for dir in $(APPS) $(MYLIBS); do \
for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
$(MAKE) -C $$dir clean; \
done
$(MAKE) -C test clean
rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
rm -f $(SECCOMP_FILTERS)
rm -f test/utils/index.html*
......@@ -67,136 +93,114 @@ clean:
rm -f test/sysutils/firejail_t*
cd test/compile; ./compile.sh --clean; cd ../..
.PHONY: distclean
distclean: clean
for dir in $(APPS) $(MYLIBS); do \
for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
$(MAKE) -C $$dir distclean; \
done
rm -fr Makefile autom4te.cache config.log config.status config.h dummy.o src/common.mk
$(MAKE) -C test distclean
rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh
realinstall:
# firejail executable
install -m 0755 -d $(DESTDIR)/$(bindir)
install -c -m 0755 src/firejail/firejail $(DESTDIR)/$(bindir)/.
install -m 0755 -d $(DESTDIR)$(bindir)
install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
ifeq ($(HAVE_SUID),yes)
chmod u+s $(DESTDIR)/$(bindir)/firejail
chmod u+s $(DESTDIR)$(bindir)/firejail
endif
# firemon executable
install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/.
install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
# firecfg executable
install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/.
install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
# jailcheck executable
install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
# libraries and plugins
install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/libpostexecseccomp/libpostexecseccomp.so $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fsec-optimize/fsec-optimize $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
endif
install -m 0755 -d $(DESTDIR)$(libdir)/firejail
install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
# plugins w/o read permission (non-dumpable)
install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
ifeq ($(HAVE_CONTRIB_INSTALL),yes)
install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
# contrib scripts
install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
# vim syntax
install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
endif
# documents
install -m 0755 -d $(DESTDIR)/$(DOCDIR)
install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
# etc files
./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
for file in .etc/* etc/firejail.config; do \
install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
done
install -m 0755 -d $(DESTDIR)$(DOCDIR)
install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
# profiles and settings
install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
rm -fr .etc
ifeq ($(BUSYBOX_WORKAROUND),yes)
./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
endif
ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
# install apparmor profile
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
# install apparmor profile customization file
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
endif
ifneq ($(HAVE_MAN),no)
# man pages
install -m 0755 -d $(DESTDIR)/$(mandir)/man1
install -m 0755 -d $(DESTDIR)/$(mandir)/man5
install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
for man in $(MANPAGES); do \
rm -f $$man.gz; \
gzip -9n $$man; \
case "$$man" in \
*.1) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man1/; ;; \
*.5) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man5/; ;; \
*.1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \
*.5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \
esac; \
done
rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
endif
# bash completion
install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
# zsh completion
install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/
install: all
$(MAKE) realinstall
install-strip: all
strip src/firejail/firejail
strip src/firemon/firemon
strip src/firecfg/firecfg
strip src/libtrace/libtrace.so
strip src/libtracelog/libtracelog.so
strip src/libpostexecseccomp/libpostexecseccomp.so
strip src/ftee/ftee
strip src/faudit/faudit
strip src/fnet/fnet
strip src/fnetfilter/fnetfilter
strip src/fseccomp/fseccomp
strip src/fsec-print/fsec-print
strip src/fsec-optimize/fsec-optimize
strip src/fcopy/fcopy
strip src/fldd/fldd
strip src/fbuilder/fbuilder
strip $(ALL_ITEMS)
$(MAKE) realinstall
uninstall:
rm -f $(DESTDIR)/$(bindir)/firejail
rm -f $(DESTDIR)/$(bindir)/firemon
rm -f $(DESTDIR)/$(bindir)/firecfg
rm -fr $(DESTDIR)/$(libdir)/firejail
rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail
rm -f $(DESTDIR)$(bindir)/firejail
rm -f $(DESTDIR)$(bindir)/firemon
rm -f $(DESTDIR)$(bindir)/firecfg
rm -fr $(DESTDIR)$(libdir)/firejail
rm -fr $(DESTDIR)$(libdir)/jailcheck
rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
for man in $(MANPAGES); do \
rm -f $(DESTDIR)/$(mandir)/man5/$$man*; \
rm -f $(DESTDIR)/$(mandir)/man1/$$man*; \
rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
rm -f $(DESTDIR)$(mandir)/man1/$$man*; \
done
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
@echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot"
dist:
mv config.status config.status.old
mv mkdeb.sh mkdeb.sh.old
make distclean
mv mkdeb.sh.old mkdeb.sh
mv config.status.old config.status
rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
mkdir -p $(NAME)-$(VERSION)/test
......@@ -210,120 +214,80 @@ dist:
asc:; ./mkasc.sh $(VERSION)
deb: dist
./mkdeb.sh $(NAME) $(VERSION)
./mkdeb.sh
deb-apparmor: dist
./mkdeb-apparmor.sh $(NAME) $(VERSION)
snap: all
cd platform/snap; ./snap.sh
install-snap: snap
sudo snap remove faudit; sudo snap install faudit*.snap
./mkdeb.sh -apparmor
test-compile: dist
cd test/compile; ./compile.sh $(NAME)-$(VERSION)
.PHONY: rpms
rpms:
rpms: src/man
./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
extras: all
$(MAKE) -C extras/firetools
cppcheck: clean
cppcheck --force .
cppcheck --force --error-exitcode=1 --enable=warning,performance .
scan-build: clean
scan-build make
NO_EXTRA_CFLAGS="yes" scan-build make
#
# make test
#
TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
test-profiles:
cd test/profiles; ./profiles.sh | grep TESTING
test-private-lib:
cd test/private-lib; ./private-lib.sh | grep TESTING
test-apps:
cd test/apps; ./apps.sh | grep TESTING
test-apps-x11:
cd test/apps-x11; ./apps-x11.sh | grep TESTING
test-apps-x11-xorg:
cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING
test-sysutils:
cd test/sysutils; ./sysutils.sh | grep TESTING
test-utils:
cd test/utils; ./utils.sh | grep TESTING
$(TEST_TARGETS):
$(MAKE) -C test $(subst test-,,$@)
test-environment:
cd test/environment; ./environment.sh | grep TESTING
test-filters:
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
cd test/filters; ./filters.sh | grep TESTING
endif
test-arguments:
cd test/arguments; ./arguments.sh | grep TESTING
test-fs:
cd test/fs; ./fs.sh | grep TESTING
test-fcopy:
cd test/fcopy; ./fcopy.sh | grep TESTING
test-fnetfilter:
cd test/fnetfilter; ./fnetfilter.sh | grep TESTING
test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
echo "TEST COMPLETE"
test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
echo "TEST COMPLETE"
test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments
test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
echo "TEST COMPLETE"
##########################################
# Individual tests, some of them require root access
# The tests are very intrussive, by the time you are done
# The tests are very intrusive, by the time you are done
# with them you will need to restart your computer.
##########################################
# a firejail-test account is required, public/private key setup
test-ssh:
cd test/ssh; ./ssh.sh | grep TESTING
$(MAKE) -C test $(subst test-,,$@)
# requires root access
test-chroot:
cd test/chroot; ./chroot.sh | grep testing
$(MAKE) -C test $(subst test-,,$@)
# Huge appimage files, not included in "make dist" archive
test-appimage:
cd test/appimage; ./appimage.sh | grep TESTING
$(MAKE) -C test $(subst test-,,$@)
# Root access, network devices are created before the test
# restart your computer to get rid of these devices
test-network:
cd test/network; ./network.sh | grep TESTING
$(MAKE) -C test $(subst test-,,$@)
# requires the same setup as test-network
test-stress:
cd test/stress; ./stress.sh | grep TESTING
$(MAKE) -C test $(subst test-,,$@)
# Tesets running a root user
# Tests running a root user
test-root:
cd test/root; su -c ./root.sh | grep TESTING
$(MAKE) -C test $(subst test-,,$@)
# OverlayFS is not available on all platforms
test-overlay:
cd test/overlay; ./overlay.sh | grep TESTING
$(MAKE) -C test $(subst test-,,$@)
# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
......
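Review bot: The `uninstall` recipe does not mirror what `realinstall` puts on disk. `realinstall` copies `src/jailcheck/jailcheck` into `$(DESTDIR)$(bindir)` and `src/zsh_completion/_firejail` into `$(DESTDIR)$(datarootdir)/zsh/site-functions/`, but no visible `rm` line removes either, while `rm -fr $(DESTDIR)$(libdir)/jailcheck` targets a directory that nothing shown here creates. For a sandboxing tool installed alongside a SUID binary, stale executables left behind after an uninstall are worth avoiding, so I would add `rm -f $(DESTDIR)$(bindir)/jailcheck` and `rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail` to `uninstall`. The vim `ftdetect` and `syntax` files installed under `HAVE_CONTRIB_INSTALL` appear to be left in place as well. This page has lost its +/- markers, so the new side is inferred from the `$(DESTDIR)$(bindir)` path form.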
firejail (0.9.65) baseline; urgency=low
* deprecated --audit options, relpaced by jailcheck utility
* deprecated follow-symlink-as-user from firejail.config
* rename --noautopulse to keep-config-pulse
* filtering environment variables
* zsh completion
* command line: --mkdir, --mkfile
* --protocol now accumulates
* Jolla/SailfishOS patches
* private-lib rework
* whitelist rework
* jailtest utility for testing running sandboxes
* capabilities list update
* faccessat2 syscall support
* --private-dev keeps /dev/input
* added --noinput to disable /dev/input
* add support for subdirs in --private-etc
* compile time: --enable-force-nonewprivs
* compile time: --disable-output
* compile time: --enable-lts
* subdirs support in private-etc
* input devices support in private-dev, --no-input
* support trailing comments on profile lines
* new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
* ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
* avidemux, calligragemini, vmware-player, vmware-workstation
* gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr
* PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum
* bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum
* sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway
* alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper,
* colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
* glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
* neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
* cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer
* links2, xlinks2
-- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500
firejail (0.9.64.4) baseline; urgency=low
* disabled overlayfs, pending multiple fixes (CVE-2021-26910)
-- netblue30 <netblue30@yahoo.com> Sun, 7 Feb 2021 09:00:00 -0500
firejail (0.9.64.2) baseline; urgency=low
* allow --tmpfs inside $HOME for unprivileged users
* --disable-usertmpfs compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* Setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
* added nolocal6.net IPv6 network filter
* new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
* new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
* new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
* new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi
* new profiles: guvcview, pkglog, kdiff3, CoyIM
-- netblue30 <netblue30@yahoo.com> Tue, 26 Jan 2021 09:00:00 -0500
firejail (0.9.64) baseline; urgency=low
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
* new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
* new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
* new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
* new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
* new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
* new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
* new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
* new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
* new profiles: swell-foop, fdns, five-or-more, steam-runtime
* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
* new profiles: gapplication, openarena_ded, element-desktop, cawbird
* new profiles: freetube, strawberry, jitsi-meet-desktop
* new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
* new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
* new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
* new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
* new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
* new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
* new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
* new profiles: qrencode, ytmdesktop, twitch
* new profiles: xournalpp, chromium-freeworld, equalx
-- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 08:00:00 -0500
firejail (0.9.62) baseline; urgency=low
* added file-copy-limit in /etc/firejail/firejail.config
* profile templates (/usr/share/doc/firejail)
* allow-debuggers support in profiles
* several seccomp enhancements
* compiler flags autodetection
* move chroot entirely from path based to file descriptor based mounts
* whitelisting /usr/share in a large number of profiles
* new scripts in conrib: gdb-firejail.sh and sort.py
* enhancement: whitelist /usr/share in some profiles
* added signal mediation ot apparmor profile
* new conditions: HAS_X11, HAS_NET
* new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
* new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
* new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
* new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
* new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
* new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
* new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
* new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
* new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
* new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
* new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
* new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
* new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
* new profiles: electron-mail, gist, gist-paste
-- netblue30 <netblue30@yahoo.com> Sat, 28 Dec 2019 08:00:00 -0500
firejail (0.9.60) baseline; urgency=low
* security bug reported by Austin Morton:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
* memory-deny-write-execute now also blocks memfd_create
* add private-cwd option to control working directory within jail
* blocking system D-Bus socket with --nodbus
* bringing back Centos 6 support
* drop support for flatpak/snap packages
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
-- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500
firejail (0.9.58,2) baseline; urgency=low
* cgroup flag in /etc/firejail/firejail.config file
* name-change flag in /etc/firejail.config file
......
#
# Note:
#
# If for any reason autoconf fails, run "autoreconf -i --install " and try again.
# This is how the error looks like on Arch Linux:
# ./configure: line 3064: syntax error near unexpected token `newline'
# ./configure: line 3064: `AX_CHECK_COMPILE_FLAG('
#
# We rely solely on autoconf, without automake. Apparently, in this case
# the macros from m4 directory are not picked up by default by automake.
# "autoreconf -i --install" seems to fix the problem.
#
AC_PREREQ([2.68])
AC_INIT(firejail, 0.9.58.2, netblue30@yahoo.com, , https://firejail.wordpress.com)