Import Upstream version 0.9.58.2

3806df96 · Lorenzo "Palinuro" Faletra · 74d92f26 · 3806df96 · 3806df96 · 3806df96
Commit 3806df96 authored Feb 28, 2019 by Lorenzo "Palinuro" Faletra
--- a/Makefile.in
+++ b/Makefile.in
@@ -134,7 +134,8 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
 	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
 	install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
 	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
-	install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.
+	# install apparmor profile customization file
+	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"
 endif
 	# man pages
 	install -m 0755 -d $(DESTDIR)/$(mandir)/man1

--- a/README
+++ b/README
@@ -534,6 +534,7 @@ rusty-snake (https://github.com/rusty-snake)
 	- added ghostwriter profle
 	- fix gajim profile, added gajim-history-manager profile
 	- updates for ~/.cargo
+	- added klavaro profile
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
 	- fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
@@ -743,4 +744,4 @@ Zack Weinberg (https://github.com/zackw)
 	  with firejail --x11
 	- support for xpra-extra-params in firejail.config

-Copyright (C) 2014-2017 Firejail Authors
+Copyright (C) 2014-2019 Firejail Authors
--- a/RELNOTES
+++ b/RELNOTES
+firejail (0.9.58,2) baseline; urgency=low
+  * cgroup flag in /etc/firejail/firejail.config file
+  * name-change flag in /etc/firejail.config file
+  * --name rework
+  * new profiles: klavaro, vscodium
+  * browser profiles fixes
+  * various other bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Fri, 8 Feb 2019 08:00:00 -0500
+
 firejail (0.9.58) baseline; urgency=low
  * --disable-mnt rework
  * --net.print command

--- a/configure
+++ b/configure
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.58.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.58.2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.58'
-PACKAGE_STRING='firejail 0.9.58'
+PACKAGE_VERSION='0.9.58.2'
+PACKAGE_STRING='firejail 0.9.58.2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='https://firejail.wordpress.com'

@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.58 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.58.2 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@@ -1337,7 +1337,7 @@ fi

 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.58:";;
+     short | recursive ) echo "Configuration of firejail 0.9.58.2:";;
   esac
  cat <<\_ACEOF

@@ -1442,7 +1442,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.58
+firejail configure 0.9.58.2
 generated by GNU Autoconf 2.69

 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

-It was created by firejail $as_me 0.9.58, which was
+It was created by firejail $as_me 0.9.58.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was

  $ $0 $@
@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.58, which was
+This file was extended by firejail $as_me 0.9.58.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
@@ -4433,7 +4433,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.58
+firejail config.status 0.9.58.2
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"


--- a/configure.ac
+++ b/configure.ac
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.58, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.58.2, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])


--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -17,12 +17,14 @@ noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${HOME}/.local/share/xplayer
 noblacklist ${HOME}/.mplayer
+noblacklist ${VIDEOS}

 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc

 include whitelist-var-common.inc

@@ -36,7 +38,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog

--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+#nodbus - dbus needed for MPRIS
 nogroups
 nonewprivs
 noroot
@@ -35,6 +35,7 @@ shell none
 tracelog

 # private-bin audacious
+private-cache
 private-dev
 private-tmp


--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -26,6 +26,7 @@ include disable-programs.inc
 include whitelist-var-common.inc

 caps.drop all
+netfilter
 no3d
 nodvd
 nogroups
@@ -42,6 +43,7 @@ shell none
 # x11 xorg

 private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
+private-cache
 private-dev
 private-tmp


--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
 # net none
+netfilter
 # nodbus
 nodvd
 nogroups

--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -7,6 +7,7 @@ include chromium-common.local
 #include globals.local

 noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki

 include disable-common.inc
 include disable-devel.inc
@@ -14,8 +15,10 @@ include disable-interpreters.inc
 include disable-programs.inc

 mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-var-common.inc

@@ -34,7 +37,8 @@ disable-mnt
 private-dev
 # private-tmp - problems with multiple browser sessions

-noexec ${HOME}
+# breaks DRM binaries
+#noexec ${HOME}
 noexec /tmp

 # the file dialog needs to work without d-bus

--- a/etc/cliqz.profile
+++ b/etc/cliqz.profile
@@ -6,11 +6,14 @@ include cliqz.local
 include globals.local

 noblacklist ${HOME}/.cache/cliqz
+noblacklist ${HOME}/.cliqz
 noblacklist ${HOME}/.config/cliqz

 mkdir ${HOME}/.cache/cliqz
+mkdir ${HOME}/.cliqz
 mkdir ${HOME}/.config/cliqz
 whitelist ${HOME}/.cache/cliqz
+whitelist ${HOME}/.cliqz
 whitelist ${HOME}/.config/cliqz

 # private-etc must first be enabled in firefox-common.profile

--- a/etc/code.profile
+++ b/etc/code.profile
@@ -6,6 +6,7 @@ include code.local
 include globals.local

 noblacklist ${HOME}/.vscode
+noblacklist ${HOME}/.vscode-oss
 noblacklist ${HOME}/.config/Code

 include disable-common.inc

--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -11,12 +11,15 @@ blacklist ${HOME}/.local/share/Trash
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.cache/greenclip*
+blacklist-nolog ${HOME}/.histfile
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.kde/share/apps/klipper
 blacklist-nolog ${HOME}/.kde4/share/apps/klipper
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.local/share/klipper
 blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.python-history
+blacklist-nolog ${HOME}/.pythonhist
 blacklist-nolog /tmp/clipmenu*

 # X11 session autostart
@@ -303,6 +306,7 @@ blacklist ${HOME}/.mutt
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.pki
+blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults

--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -28,6 +28,7 @@ blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
@@ -46,6 +47,7 @@ blacklist ${HOME}/.audacity-data
 blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.claws-mail
+blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
@@ -175,6 +177,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
+blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
@@ -376,6 +379,7 @@ blacklist ${HOME}/.kodi
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
+blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Empathy
@@ -430,6 +434,7 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
@@ -538,6 +543,7 @@ blacklist ${HOME}/.w3m
 blacklist ${HOME}/.warzone2100-3.*
 blacklist ${HOME}/.waterfox
 blacklist ${HOME}/.weechat
+blacklist ${HOME}/.wget-hsts
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wireshark

--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
 # uncomment the following line if you need gpg
 #noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.python-history

 include disable-common.inc
 include disable-passwdmgr.inc

--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/evolution
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
 noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki

 include disable-common.inc
 include disable-devel.inc

--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -10,6 +10,7 @@ include firefox-common.local
 #include firefox-common-addons.inc

 noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki

 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +18,10 @@ include disable-interpreters.inc
 include disable-programs.inc

 mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-var-common.inc

@@ -51,5 +54,6 @@ private-dev
 #private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp

-noexec ${HOME}
+# breaks DRM binaries
+#noexec ${HOME}
 noexec /tmp
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,13 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 dbus,

 ##########
-# With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line.
+# With ptrace it is possible to inspect and hijack running programs.
+# Some browsers are also using ptrace for their sandboxing.
 ##########
+# Uncomment this line to allow all ptrace access
 #ptrace,
+# Allow obtaining some process information, but not ptrace(2)
+ptrace (read,readby) peer=firejail-default,

 ##########
 # Allow read access to whole filesystem and control it from firejail.

--- a/etc/firejail-local
+++ b/etc/firejail-local
-# Site-specific additions and overrides for 'firejail-default'
+# Site-specific additions and overrides for 'firejail-default'.
+# For more details, please see /etc/apparmor.d/local/README.
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -18,6 +18,9 @@
 # Enable or disable bind support, default enabled.
 # bind yes

+# Enable or disable cgroup support, default enabled.
+# cgroup yes
+
 # Enable or disable chroot support, default enabled.
 # chroot yes

@@ -51,6 +54,9 @@
 # root user can always join sandboxes.
 # join yes

+# Enable or disable sandbox name change, default enabled.
+# name-change yes
+
 # Enable or disable networking features, default enabled.
 # network yes