diff options
author | netblue30 <netblue30@yahoo.com> | 2017-05-13 09:51:21 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-05-13 09:51:21 -0400 |
commit | 32254c20905a3eb5b279a4d327bc3fb789d77ce7 (patch) | |
tree | b99753c3cb96145b0d7990448866604605bfb310 | |
parent | 0.9.46 testing (diff) | |
download | firejail-32254c20905a3eb5b279a4d327bc3fb789d77ce7.tar.gz firejail-32254c20905a3eb5b279a4d327bc3fb789d77ce7.tar.zst firejail-32254c20905a3eb5b279a4d327bc3fb789d77ce7.zip |
0.9.47 development
-rw-r--r-- | README.md | 158 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 |
3 files changed, 12 insertions, 166 deletions
@@ -62,161 +62,7 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
62 | ````` | 62 | ````` |
63 | 63 | ||
64 | ````` | 64 | ````` |
65 | # Current development version: 0.9.45 | 65 | # Current development version: 0.9.47 |
66 | ````` | ||
67 | |||
68 | ````` | ||
69 | ## Desktop integration | ||
70 | |||
71 | All --fix functionality is done by default in firecfg, --fix option was removed. Clicking on a program | ||
72 | in desktop manager menu should start the program automatically in a sandbox if a profile | ||
73 | is available in /etc/firejail. We cover about 300 different applications in this moment on all major desktop managers. | ||
74 | |||
75 | Symlinks for the common file managers are installed in /usr/local/bin by firecfg. | ||
76 | File managers are usually started by default at login time, and will be sandboxed. | ||
77 | Clicking on a file in the file manager will start the corresponding program in the same sandbox as the file manager. | ||
78 | For example, clicking on a video file will start a sandboxed VLC running the video. | ||
79 | We support in this moment XFCE, LXDE, MATE, Cinnamon and KDE. | ||
80 | |||
81 | ## AppImage | ||
82 | |||
83 | Added AppImage type 2 support, and support for passing command line arguments to appimages. | ||
84 | ````` | ||
85 | |||
86 | ````` | ||
87 | ## X11 sandboxing support | ||
88 | In this release we add support for Xvfb (X virtual framebuffer), an in-memory X display server. | ||
89 | Xvfb allows the user to run graphical applications without a display (e.g., browser tests on a CI server) | ||
90 | while also having the ability to take screenshots. | ||
91 | |||
92 | |||
93 | --x11=xvfb | ||
94 | Start Xvfb X11 server and attach the sandbox to this server. | ||
95 | Xvfb, short for X virtual framebuffer, performs all graphical | ||
96 | operations in memory without showing any screen output. Xvfb is | ||
97 | mainly used for remote access and software testing on headless | ||
98 | servers. | ||
99 | 66 | ||
100 | On Debian platforms Xvfb is installed with the command sudo apt- | 67 | Upcoming release 0.9.46 was moved on 0.9.46-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.46-bugfixes |
101 | get install xvfb. This feature is not available when running as | ||
102 | root. | ||
103 | 68 | ||
104 | Example: remote VNC access | ||
105 | |||
106 | On the server we start a sandbox using Xvfb and openbox window | ||
107 | manager. The default size of Xvfb screen is 800x600 - it can be | ||
108 | changed in /etc/firejail/firejail.config (xvfb-screen). Some | ||
109 | sort of networking (--net) is required in order to isolate the | ||
110 | abstract sockets used by other X servers. | ||
111 | |||
112 | $ firejail --net=none --x11=xvfb openbox | ||
113 | |||
114 | *** Attaching to Xvfb display 792 *** | ||
115 | |||
116 | Reading profile /etc/firejail/openbox.profile | ||
117 | Reading profile /etc/firejail/disable-common.inc | ||
118 | Reading profile /etc/firejail/disable-common.local | ||
119 | Parent pid 5400, child pid 5401 | ||
120 | |||
121 | On the server we also start a VNC server and attach it to the | ||
122 | display handled by our Xvfb server (792). | ||
123 | |||
124 | $ x11vnc -display :792 | ||
125 | |||
126 | On the client machine we start a VNC viewer and use it to con‐ | ||
127 | nect to our server: | ||
128 | |||
129 | $ vncviewer | ||
130 | |||
131 | |||
132 | ## New command line options | ||
133 | ````` | ||
134 | --private-opt=file,directory | ||
135 | Build a new /opt in a temporary filesystem, and copy the files | ||
136 | and directories in the list. If no listed file is found, /opt | ||
137 | directory will be empty. All modifications are discarded when | ||
138 | the sandbox is closed. | ||
139 | |||
140 | Example: | ||
141 | $ firejail --private-opt=firefox /opt/firefox/firefox | ||
142 | |||
143 | --private-srv=file,directory | ||
144 | Build a new /srv in a temporary filesystem, and copy the files | ||
145 | and directories in the list. If no listed file is found, /srv | ||
146 | directory will be empty. All modifications are discarded when | ||
147 | the sandbox is closed. | ||
148 | |||
149 | Example: | ||
150 | # firejail --private-srv=www /etc/init.d/apache2 start | ||
151 | |||
152 | --machine-id | ||
153 | Spoof id number in /etc/machine-id file - a new random id is | ||
154 | generated inside the sandbox. | ||
155 | |||
156 | Example: | ||
157 | $ firejail --machine-id | ||
158 | |||
159 | --allow-private-blacklist | ||
160 | Allow blacklisting files in private home directory. By default | ||
161 | these blacklists are disabled. | ||
162 | |||
163 | Example: | ||
164 | $ firejail --allow-private-blacklist --private=~/priv-dir | ||
165 | --blacklist=~/.mozilla | ||
166 | |||
167 | --hosts-file=file | ||
168 | Use file as /etc/hosts. | ||
169 | |||
170 | Example: | ||
171 | $ firejail --hosts-file=~/myhosts firefox | ||
172 | |||
173 | --writable-var-log | ||
174 | Use the real /var/log directory, not a clone. By default, a | ||
175 | tmpfs is mounted on top of /var/log directory, and a skeleton | ||
176 | filesystem is created based on the original /var/log. | ||
177 | |||
178 | Example: | ||
179 | $ sudo firejail --writable-var-log | ||
180 | |||
181 | --git-install | ||
182 | Download, compile and install mainline git version of Firejail | ||
183 | from the official repository on GitHub. The software is | ||
184 | installed in /usr/local/bin, and takes precedence over the (old) | ||
185 | version installed in /usr/bin. If for any reason the new version | ||
186 | doesn't work, the user can uninstall it using --git-uninstall | ||
187 | command and revert to the old version. | ||
188 | |||
189 | Prerequisites: git and compile support are required for this com‐ | ||
190 | mand to work. On Debian/Ubuntu systems this support is installed | ||
191 | using "sudo apt-get install build-essential git". | ||
192 | |||
193 | Example: | ||
194 | |||
195 | $ firejail --git-install | ||
196 | |||
197 | --git-uninstall | ||
198 | Remove the Firejail version previously installed in | ||
199 | /usr/local/bin using --git-install command. | ||
200 | |||
201 | Example: | ||
202 | |||
203 | $ firejail --git-uninstall | ||
204 | |||
205 | |||
206 | --nowhitelist=dirname_or_filename | ||
207 | Disable whitelist for this directory or file. | ||
208 | |||
209 | ````` | ||
210 | ## New Profiles | ||
211 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, | ||
212 | amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit, | ||
213 | gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, | ||
214 | goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, | ||
215 | simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, | ||
216 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, | ||
217 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, | ||
218 | Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file, | ||
219 | Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, | ||
220 | Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM, Dia, FontForge, Geany, Hugin, | ||
221 | mate-calc, mate-dictionary, mate-color-select, caja, galculator, Nemo, gnome-font-viewer, gucharmap, | ||
222 | knotes, clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr, Blender, 2048-qt | ||
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.46~rc1. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.47. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.46~rc1' | 583 | PACKAGE_VERSION='0.9.47' |
584 | PACKAGE_STRING='firejail 0.9.46~rc1' | 584 | PACKAGE_STRING='firejail 0.9.47' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1265,7 +1265,7 @@ if test "$ac_init_help" = "long"; then | |||
1265 | # Omit some internal or obsolete options to make the list less imposing. | 1265 | # Omit some internal or obsolete options to make the list less imposing. |
1266 | # This message is too long to be a string in the A/UX 3.1 sh. | 1266 | # This message is too long to be a string in the A/UX 3.1 sh. |
1267 | cat <<_ACEOF | 1267 | cat <<_ACEOF |
1268 | \`configure' configures firejail 0.9.46~rc1 to adapt to many kinds of systems. | 1268 | \`configure' configures firejail 0.9.47 to adapt to many kinds of systems. |
1269 | 1269 | ||
1270 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1270 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1271 | 1271 | ||
@@ -1326,7 +1326,7 @@ fi | |||
1326 | 1326 | ||
1327 | if test -n "$ac_init_help"; then | 1327 | if test -n "$ac_init_help"; then |
1328 | case $ac_init_help in | 1328 | case $ac_init_help in |
1329 | short | recursive ) echo "Configuration of firejail 0.9.46~rc1:";; | 1329 | short | recursive ) echo "Configuration of firejail 0.9.47:";; |
1330 | esac | 1330 | esac |
1331 | cat <<\_ACEOF | 1331 | cat <<\_ACEOF |
1332 | 1332 | ||
@@ -1434,7 +1434,7 @@ fi | |||
1434 | test -n "$ac_init_help" && exit $ac_status | 1434 | test -n "$ac_init_help" && exit $ac_status |
1435 | if $ac_init_version; then | 1435 | if $ac_init_version; then |
1436 | cat <<\_ACEOF | 1436 | cat <<\_ACEOF |
1437 | firejail configure 0.9.46~rc1 | 1437 | firejail configure 0.9.47 |
1438 | generated by GNU Autoconf 2.69 | 1438 | generated by GNU Autoconf 2.69 |
1439 | 1439 | ||
1440 | Copyright (C) 2012 Free Software Foundation, Inc. | 1440 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1736,7 +1736,7 @@ cat >config.log <<_ACEOF | |||
1736 | This file contains any messages produced by compilers while | 1736 | This file contains any messages produced by compilers while |
1737 | running configure, to aid debugging if configure makes a mistake. | 1737 | running configure, to aid debugging if configure makes a mistake. |
1738 | 1738 | ||
1739 | It was created by firejail $as_me 0.9.46~rc1, which was | 1739 | It was created by firejail $as_me 0.9.47, which was |
1740 | generated by GNU Autoconf 2.69. Invocation command line was | 1740 | generated by GNU Autoconf 2.69. Invocation command line was |
1741 | 1741 | ||
1742 | $ $0 $@ | 1742 | $ $0 $@ |
@@ -4355,7 +4355,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4355 | # report actual input values of CONFIG_FILES etc. instead of their | 4355 | # report actual input values of CONFIG_FILES etc. instead of their |
4356 | # values after options handling. | 4356 | # values after options handling. |
4357 | ac_log=" | 4357 | ac_log=" |
4358 | This file was extended by firejail $as_me 0.9.46~rc1, which was | 4358 | This file was extended by firejail $as_me 0.9.47, which was |
4359 | generated by GNU Autoconf 2.69. Invocation command line was | 4359 | generated by GNU Autoconf 2.69. Invocation command line was |
4360 | 4360 | ||
4361 | CONFIG_FILES = $CONFIG_FILES | 4361 | CONFIG_FILES = $CONFIG_FILES |
@@ -4409,7 +4409,7 @@ _ACEOF | |||
4409 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4409 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4410 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4410 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4411 | ac_cs_version="\\ | 4411 | ac_cs_version="\\ |
4412 | firejail config.status 0.9.46~rc1 | 4412 | firejail config.status 0.9.47 |
4413 | configured by $0, generated by GNU Autoconf 2.69, | 4413 | configured by $0, generated by GNU Autoconf 2.69, |
4414 | with options \\"\$ac_cs_config\\" | 4414 | with options \\"\$ac_cs_config\\" |
4415 | 4415 | ||
diff --git a/configure.ac b/configure.ac index c6048ca61..594a7abf8 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.46~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.47, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||