author | netblue30 <netblue30@yahoo.com> | 2016-02-16 08:55:19 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-16 08:55:19 -0500 |
commit | 29b18c3960e25fbebdcc26a448fd86bbc8215dbe (patch) | |
tree | 206b1b6d4e7caffcdc18e5b37e9b6cc9e8876584 | |
parent | fix path (diff) | |
parent | make clean now removes rpms (diff) | |
Merge pull request #297 from jgriffiths/rpmfixes
RPM build fixes
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile.in | 6 | ||||
-rw-r--r-- | platform/rpm/firejail.spec | 161 | ||||
-rwxr-xr-x | platform/rpm/mkrpm.sh | 309 | ||||
-rwxr-xr-x | platform/rpm/old-mkrpm.sh | 450 |
5 files changed, 46 insertions, 881 deletions
diff --git a/.gitignore b/.gitignore index 60d06099f..408290b85 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -2,6 +2,7 @@ | |||
2 | *.so | 2 | *.so |
3 | *~ | 3 | *~ |
4 | *.swp | 4 | *.swp |
5 | *.rpm | ||
5 | Makefile | 6 | Makefile |
6 | config.log | 7 | config.log |
7 | config.status | 8 | config.status |
diff --git a/Makefile.in b/Makefile.in index 167dc0cf5..b436a89b2 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -41,7 +41,7 @@ clean: | |||
41 | for dir in $(MYLIBS); do \ | 41 | for dir in $(MYLIBS); do \ |
42 | $(MAKE) -C $$dir clean; \ | 42 | $(MAKE) -C $$dir clean; \ |
43 | done | 43 | done |
44 | rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz | 44 | rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm |
45 | 45 | ||
46 | distclean: clean | 46 | distclean: clean |
47 | for dir in $(APPS); do \ | 47 | for dir in $(APPS); do \ |
@@ -199,6 +199,10 @@ dist: | |||
199 | deb: dist | 199 | deb: dist |
200 | ./mkdeb.sh $(NAME) $(VERSION) | 200 | ./mkdeb.sh $(NAME) $(VERSION) |
201 | 201 | ||
202 | .PHONY: rpms | ||
203 | rpms: | ||
204 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) | ||
205 | |||
202 | extras: all | 206 | extras: all |
203 | $(MAKE) -C extras/firetools | 207 | $(MAKE) -C extras/firetools |
204 | 208 | ||
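Review bot: The `clean` recipe at line 44 deletes the literal `firejail*.rpm`, while the new `rpms` target at line 204 passes `$(NAME)` to the script that produces those files, so the two rules disagree on the package name; `rm -f … $(NAME)*.rpm` keeps them consistent with how `deb` and `rpms` already parameterise the name (the `clean:` rule header itself is outside this hunk). `rpms` also has no prerequisite, unlike `deb: dist` on line 199, so the packaged content is whatever state the working tree happens to be in when `./platform/rpm/mkrpm.sh` archives it; if the intent is to package a release tarball, `rpms: dist` records that dependency where `make -j` can see it. A one-line `## Build binary and source rpms into the current directory` comment above the target would also help, since the output location is currently documented only inside the script.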
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index f1bf7ad7b..f6c9efa18 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec | |||
@@ -1,5 +1,5 @@ | |||
1 | Name: firejail | 1 | Name: __NAME__ |
2 | Version: 0.9.30 | 2 | Version: __VERSION__ |
3 | Release: 1 | 3 | Release: 1 |
4 | Summary: Linux namepaces sandbox program | 4 | Summary: Linux namepaces sandbox program |
5 | 5 | ||
@@ -29,156 +29,21 @@ rm -rf %{buildroot} | |||
29 | %clean | 29 | %clean |
30 | rm -rf %{buildroot} | 30 | rm -rf %{buildroot} |
31 | 31 | ||
32 | |||
33 | %files | 32 | %files |
34 | %doc | 33 | %doc |
35 | %defattr(-, root, root, -) | 34 | %defattr(-, root, root, -) |
36 | %attr(4755, -, -) %{_bindir}/firejail | 35 | %attr(4755, -, -) %{_bindir}/__NAME__ |
37 | %{_bindir}/firemon | 36 | %{_bindir}/firemon |
38 | %{_libdir}/firejail/ftee | 37 | %{_libdir}/__NAME__/ftee |
39 | %{_libdir}/firejail/fshaper.sh | 38 | %{_libdir}/__NAME__/fshaper.sh |
40 | %{_libdir}/firejail/libtrace.so | 39 | %{_libdir}/__NAME__/libtrace.so |
41 | %{_datarootdir}/bash-completion/completions/firejail | 40 | %{_libdir}/__NAME__/libtracelog.so |
41 | %{_datarootdir}/bash-completion/completions/__NAME__ | ||
42 | %{_datarootdir}/bash-completion/completions/firemon | 42 | %{_datarootdir}/bash-completion/completions/firemon |
43 | %{_docdir}/firejail | 43 | %{_docdir}/__NAME__ |
44 | %{_mandir}/man1/firejail.1.gz | 44 | %{_mandir}/man1/__NAME__.1.gz |
45 | %{_mandir}/man1/firemon.1.gz | 45 | %{_mandir}/man1/firemon.1.gz |
46 | %{_mandir}/man5/firejail-login.5.gz | 46 | %{_mandir}/man5/__NAME__-login.5.gz |
47 | %{_mandir}/man5/firejail-profile.5.gz | 47 | %{_mandir}/man5/__NAME__-profile.5.gz |
48 | %config %{_sysconfdir}/firejail | 48 | %config %{_sysconfdir}/__NAME__ |
49 | |||
50 | %changelog | ||
51 | * Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1 | ||
52 | - added a disable-history.inc profile as a result of Firefox PDF.js exploit; | ||
53 | disable-history.inc included in all default profiles | ||
54 | - Firefox PDF.js exploit (CVE-2015-4495) fixes | ||
55 | - added --private-etc option | ||
56 | - added --env option | ||
57 | - added --whitelist option | ||
58 | - support ${HOME} token in include directive in profile files | ||
59 | - --private.keep is transitioned to --private-home | ||
60 | - support ~ and blanks in blacklist option | ||
61 | - support "net none" command in profile files | ||
62 | - using /etc/firejail/generic.profile by default for user sessions | ||
63 | - using /etc/firejail/server.profile by default for root sessions | ||
64 | - added build --enable-fatal-warnings configure option | ||
65 | - added persistence to --overlay option | ||
66 | - added --overlay-tmpfs option | ||
67 | - make install-strip implemented, make install renamed | ||
68 | - bugfixes | ||
69 | |||
70 | * Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1 | ||
71 | - network scanning, --scan option | ||
72 | - interface MAC address support, --mac option | ||
73 | - IP address range, --iprange option | ||
74 | - traffic shaping, --bandwidth option | ||
75 | - reworked printing of network status at startup | ||
76 | - man pages rework | ||
77 | - added firejail-login man page | ||
78 | - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default | ||
79 | profiles | ||
80 | - added an /etc/firejail/disable-common.inc file to hold common directory | ||
81 | blacklists | ||
82 | - blacklist Opera and Chrome/Chromium config directories in profile files | ||
83 | - support noroot option for profile files | ||
84 | - enabled noroot in default profile files | ||
85 | - bugfixes | ||
86 | |||
87 | * Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1 | ||
88 | - private dev directory | ||
89 | - private.keep option for whitelisting home files in a new private directory | ||
90 | - user namespaces support, noroot option | ||
91 | - added Deluge and qBittorent profiles | ||
92 | - bugfixes | ||
93 | |||
94 | * Sun Apr 5 2015 netblue30 <netblue30@yahoo.com> 0.9.24-1 | ||
95 | - whitelist and blacklist seccomp filters | ||
96 | - doubledash option | ||
97 | - --shell=none support | ||
98 | - netfilter file support in profile files | ||
99 | - dns server support in profile files | ||
100 | - added --dns.print option | ||
101 | - added default profiles for Audoacious, Clementine, Rhythmbox and Totem. | ||
102 | - added --caps.drop=all in default profiles | ||
103 | - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp | ||
104 | - clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init | ||
105 | - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids | ||
106 | - two build patches from Reiner Herman (tickets 11, 12) | ||
107 | - man page patch from Reiner Herman (ticket 13) | ||
108 | - output patch (ticket 15) from sshirokov | ||
109 | |||
110 | * Mon Mar 9 2015 netblue30 <netblue30@yahoo.com> 0.9.22-1 | ||
111 | - Replaced --noip option with --ip=none | ||
112 | - Container stdout logging and log rotation | ||
113 | - Added process_vm_readv, process_vm_writev and mknod to | ||
114 | default seccomp blacklist | ||
115 | - Added CAP_MKNOD to default caps blacklist | ||
116 | - Blacklist and whitelist custom Linux capabilities filters | ||
117 | - macvlan device driver support for --net option | ||
118 | - DNS server support, --dns option | ||
119 | - Netfilter support | ||
120 | - Monitor network statistics, --netstats option | ||
121 | - Added profile for Mozilla Thunderbird/Icedove | ||
122 | - --overlay support for Linux kernels 3.18+ | ||
123 | - Bugfix: preserve .Xauthority file in private mode (test with ssh -X) | ||
124 | - Bugfix: check uid/gid for cgroup | ||
125 | |||
126 | * Fri Feb 6 2015 netblue30 <netblue30@yahoo.com> 0.9.20-1 | ||
127 | - utmp, btmp and wtmp enhancements | ||
128 | - create empty /var/log/wtmp and /var/log/btmp files in sandbox | ||
129 | - generate a new /var/run/utmp file in sandbox | ||
130 | - CPU affinity, --cpu option | ||
131 | - Linux control groups support, --cgroup option | ||
132 | - Opera web browser support | ||
133 | - VLC support | ||
134 | - Added "empty" attribute to seccomp command to remove the default | ||
135 | - syscall list form seccomp blacklist | ||
136 | - Added --nogroups option to disable supplementary groups for regular | ||
137 | - users. root user always runs without supplementary groups. | ||
138 | - firemon enhancements | ||
139 | - display the command that started the sandbox | ||
140 | - added --caps option to display capabilities for all sandboxes | ||
141 | - added --cgroup option to display the control groups for all sandboxes | ||
142 | - added --cpu option to display CPU affinity for all sandboxes | ||
143 | - added --seccomp option to display seccomp setting for all sandboxes | ||
144 | - New compile time options: --disable-chroot, --disable-bind | ||
145 | - bugfixes | ||
146 | |||
147 | * Sat Dec 27 2014 netblue30 <netblue30@yahoo.com> 0.9.18-1 | ||
148 | - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls | ||
149 | - Support for tracing setreuid, setregid, setresuid, setresguid syscalls | ||
150 | - Added profiles for transmission-gtk and transmission-qt | ||
151 | - bugfixes | ||
152 | |||
153 | * Tue Nov 4 2014 netblue30 <netblue30@yahoo.com> 0.9.16-1 | ||
154 | - Configurable private home directory | ||
155 | - Configurable default user shell | ||
156 | - Software configuration support for --docdir and DESTDIR | ||
157 | - Profile file support for include, caps, seccomp and private keywords | ||
158 | - Dropbox profile file | ||
159 | - Linux capabilities and seccomp filters enabled by default for Firefox, | ||
160 | Midori, Evince and Dropbox | ||
161 | - bugfixes | ||
162 | |||
163 | * Wed Oct 8 2014 netblue30 <netblue30@yahoo.com> 0.9.14-1 | ||
164 | - Linux capabilities and seccomp filters are automatically enabled in | ||
165 | chroot mode (--chroot option) if the sandbox is started as regular | ||
166 | user | ||
167 | - Added support for user defined seccomp blacklists | ||
168 | - Added syscall trace support | ||
169 | - Added --tmpfs option | ||
170 | - Added --balcklist option | ||
171 | - Added --read-only option | ||
172 | - Added --bind option | ||
173 | - Logging enhancements | ||
174 | - --overlay option was reactivated | ||
175 | - Added firemon support to print the ARP table for each sandbox | ||
176 | - Added firemon support to print the route table for each sandbox | ||
177 | - Added firemon support to print interface information for each sandbox | ||
178 | - bugfixes | ||
179 | |||
180 | * Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1 | ||
181 | - Added capabilities support | ||
182 | - Added support for CentOS 7 | ||
183 | - bugfixes | ||
184 | 49 | ||
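Review bot: `%config %{_sysconfdir}/__NAME__` at line 48 marks the whole profile directory as plain `%config`, so on upgrade any profile an administrator has tightened locally is overwritten by the packaged copy and the local version is only parked as `.rpmsave`; the per-profile entries this commit removes from the inline spec in mkrpm.sh used `%config(noreplace)`, which keeps the local file and drops the new one as `.rpmnew`. Since these files are the sandbox policy itself, `%config(noreplace) %{_sysconfdir}/__NAME__` is the safer default for this line. Separately, the file is now a template that `rpmbuild`/`spectool` cannot consume directly, which is only discoverable by reading the script; a header comment such as `# Template: __NAME__ and __VERSION__ are substituted by platform/rpm/mkrpm.sh` would make that explicit. The `Summary:` context line still reads `namepaces` (pre-existing typo).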
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 3daede84c..e600c6bdd 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh | |||
@@ -1,296 +1,41 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # | 2 | # |
3 | # Usage: ./mkrpm.sh | 3 | # Usage: ./platform/rpm/mkrpm.sh firejail <version> |
4 | # ./mkrpm.sh /path/to/firejail-0.9.30.tar.gz | ||
5 | # | 4 | # |
6 | # Script builds rpm in a temporary directory and places the built rpm in the | 5 | # Builds rpms in a temporary directory then places the result in the |
7 | # current working directory. | 6 | # current working directory. |
8 | 7 | ||
8 | name=$1 | ||
9 | version=$2 | ||
9 | 10 | ||
10 | source=$1 | 11 | if [[ ! -f platform/rpm/${name}.spec ]]; then |
11 | 12 | echo error: spec file not found for name \"${name}\" | |
12 | create_tmp_dir() { | ||
13 | tmpdir=$(mktemp -d) | ||
14 | mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} | ||
15 | } | ||
16 | |||
17 | |||
18 | # copy or download source | ||
19 | if [[ $source ]]; then | ||
20 | |||
21 | # check file exists | ||
22 | if [[ ! -f $source ]]; then | ||
23 | echo "$source does not exist!" | ||
24 | exit 1 | ||
25 | fi | ||
26 | |||
27 | name=$(awk '/Name:/ {print $2}' firejail.spec) | ||
28 | version=$(awk '/Version:/ {print $2}' firejail.spec) | ||
29 | expected_filename="${name}-${version}.tar.gz" | ||
30 | |||
31 | # ensure file name matches spec file expets | ||
32 | if [[ $(basename $source) != $expected_filename ]]; then | ||
33 | echo "source ($source) does not match expected filename ($(basename $expected_filename))" | ||
34 | exit 1 | ||
35 | fi | ||
36 | |||
37 | create_tmp_dir | ||
38 | cp ${source} ${tmpdir}/SOURCES | ||
39 | else | ||
40 | create_tmp_dir | ||
41 | if ! spectool -C ${tmpdir}/SOURCES -g firejail.spec; then | ||
42 | echo "Failed to fetch firejail source code" | ||
43 | exit 1 | 13 | exit 1 |
44 | fi | ||
45 | fi | 14 | fi |
46 | 15 | ||
47 | cp ./firejail.spec "${tmpdir}/SPECS/firejail.spec" | 16 | if [[ -z "${version}" ]]; then |
48 | 17 | echo error: version must be given | |
49 | <<<<<<< HEAD | 18 | exit 1 |
50 | echo "building tar.gz archive" | 19 | fi |
51 | tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION | ||
52 | |||
53 | cp firejail-$VERSION.tar.gz SOURCES/. | ||
54 | |||
55 | echo "building config spec" | ||
56 | cat <<EOF > SPECS/firejail.spec | ||
57 | %define __spec_install_post %{nil} | ||
58 | %define debug_package %{nil} | ||
59 | %define __os_install_post %{_dbpath}/brp-compress | ||
60 | |||
61 | Summary: Linux namepaces sandbox program | ||
62 | Name: firejail | ||
63 | Version: $VERSION | ||
64 | Release: 1 | ||
65 | License: GPL+ | ||
66 | Group: Development/Tools | ||
67 | SOURCE0 : %{name}-%{version}.tar.gz | ||
68 | URL: http://github.com/netblue30/firejail | ||
69 | |||
70 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root | ||
71 | |||
72 | %description | ||
73 | Firejail is a SUID sandbox program that reduces the risk of security | ||
74 | breaches by restricting the running environment of untrusted applications | ||
75 | using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. | ||
76 | |||
77 | %prep | ||
78 | %setup -q | ||
79 | |||
80 | %build | ||
81 | |||
82 | %install | ||
83 | rm -rf %{buildroot} | ||
84 | mkdir -p %{buildroot} | ||
85 | |||
86 | cp -a * %{buildroot} | ||
87 | |||
88 | |||
89 | %clean | ||
90 | rm -rf %{buildroot} | ||
91 | |||
92 | |||
93 | %files | ||
94 | %defattr(-,root,root,-) | ||
95 | %config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile | ||
96 | %config(noreplace) %{_sysconfdir}/%{name}/chromium.profile | ||
97 | %config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc | ||
98 | %config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc | ||
99 | %config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile | ||
100 | %config(noreplace) %{_sysconfdir}/%{name}/evince.profile | ||
101 | %config(noreplace) %{_sysconfdir}/%{name}/firefox.profile | ||
102 | %config(noreplace) %{_sysconfdir}/%{name}/icedove.profile | ||
103 | %config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile | ||
104 | %config(noreplace) %{_sysconfdir}/%{name}/login.users | ||
105 | %config(noreplace) %{_sysconfdir}/%{name}/midori.profile | ||
106 | %config(noreplace) %{_sysconfdir}/%{name}/opera.profile | ||
107 | %config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile | ||
108 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile | ||
109 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile | ||
110 | %config(noreplace) %{_sysconfdir}/%{name}/vlc.profile | ||
111 | %config(noreplace) %{_sysconfdir}/%{name}/audacious.profile | ||
112 | %config(noreplace) %{_sysconfdir}/%{name}/clementine.profile | ||
113 | %config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile | ||
114 | %config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile | ||
115 | %config(noreplace) %{_sysconfdir}/%{name}/totem.profile | ||
116 | %config(noreplace) %{_sysconfdir}/%{name}/deluge.profile | ||
117 | %config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile | ||
118 | %config(noreplace) %{_sysconfdir}/%{name}/generic.profile | ||
119 | %config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile | ||
120 | %config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc | ||
121 | %config(noreplace) %{_sysconfdir}/%{name}/disable-history.inc | ||
122 | %config(noreplace) %{_sysconfdir}/%{name}/empathy.profile | ||
123 | %config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile | ||
124 | %config(noreplace) %{_sysconfdir}/%{name}/icecat.profile | ||
125 | %config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile | ||
126 | %config(noreplace) %{_sysconfdir}/%{name}/quassel.profile | ||
127 | %config(noreplace) %{_sysconfdir}/%{name}/server.profile | ||
128 | %config(noreplace) %{_sysconfdir}/%{name}/xchat.profile | ||
129 | |||
130 | /usr/bin/firejail | ||
131 | /usr/bin/firemon | ||
132 | /usr/lib/firejail/libtrace.so | ||
133 | /usr/lib/firejail/ftee | ||
134 | /usr/lib/firejail/fshaper.sh | ||
135 | /usr/share/doc/packages/firejail/COPYING | ||
136 | /usr/share/doc/packages/firejail/README | ||
137 | /usr/share/doc/packages/firejail/RELNOTES | ||
138 | /usr/share/man/man1/firejail.1.gz | ||
139 | /usr/share/man/man1/firemon.1.gz | ||
140 | /usr/share/man/man5/firejail-profile.5.gz | ||
141 | /usr/share/man/man5/firejail-login.5.gz | ||
142 | /usr/share/bash-completion/completions/firejail | ||
143 | /usr/share/bash-completion/completions/firemon | ||
144 | |||
145 | %post | ||
146 | chmod u+s /usr/bin/firejail | ||
147 | |||
148 | %changelog | ||
149 | * Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1 | ||
150 | - added a disable-history.inc profile as a result of Firefox PDF.js exploit; | ||
151 | disable-history.inc included in all default profiles | ||
152 | - Firefox PDF.js exploit (CVE-2015-4495) fixes | ||
153 | - added --private-etc option | ||
154 | - added --env option | ||
155 | - added --whitelist option | ||
156 | - support ${HOME} token in include directive in profile files | ||
157 | - --private.keep is transitioned to --private-home | ||
158 | - support ~ and blanks in blacklist option | ||
159 | - support "net none" command in profile files | ||
160 | - using /etc/firejail/generic.profile by default for user sessions | ||
161 | - using /etc/firejail/server.profile by default for root sessions | ||
162 | - added build --enable-fatal-warnings configure option | ||
163 | - added persistence to --overlay option | ||
164 | - added --overlay-tmpfs option | ||
165 | - make install-strip implemented, make install renamed | ||
166 | - bugfixes | ||
167 | |||
168 | * Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1 | ||
169 | - network scanning, --scan option | ||
170 | - interface MAC address support, --mac option | ||
171 | - IP address range, --iprange option | ||
172 | - traffic shaping, --bandwidth option | ||
173 | - reworked printing of network status at startup | ||
174 | - man pages rework | ||
175 | - added firejail-login man page | ||
176 | - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default | ||
177 | profiles | ||
178 | - added an /etc/firejail/disable-common.inc file to hold common directory | ||
179 | blacklists | ||
180 | - blacklist Opera and Chrome/Chromium config directories in profile files | ||
181 | - support noroot option for profile files | ||
182 | - enabled noroot in default profile files | ||
183 | - bugfixes | ||
184 | |||
185 | * Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1 | ||
186 | - private dev directory | ||
187 | - private.keep option for whitelisting home files in a new private directory | ||
188 | - user namespaces support, noroot option | ||
189 | - added Deluge and qBittorent profiles | ||
190 | - bugfixes | ||
191 | |||
192 | * Sun Apr 5 2015 netblue30 <netblue30@yahoo.com> 0.9.24-1 | ||
193 | - whitelist and blacklist seccomp filters | ||
194 | - doubledash option | ||
195 | - --shell=none support | ||
196 | - netfilter file support in profile files | ||
197 | - dns server support in profile files | ||
198 | - added --dns.print option | ||
199 | - added default profiles for Audoacious, Clementine, Rhythmbox and Totem. | ||
200 | - added --caps.drop=all in default profiles | ||
201 | - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp | ||
202 | - clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init | ||
203 | - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids | ||
204 | - two build patches from Reiner Herman (tickets 11, 12) | ||
205 | - man page patch from Reiner Herman (ticket 13) | ||
206 | - output patch (ticket 15) from sshirokov | ||
207 | |||
208 | * Mon Mar 9 2015 netblue30 <netblue30@yahoo.com> 0.9.22-1 | ||
209 | - Replaced --noip option with --ip=none | ||
210 | - Container stdout logging and log rotation | ||
211 | - Added process_vm_readv, process_vm_writev and mknod to | ||
212 | default seccomp blacklist | ||
213 | - Added CAP_MKNOD to default caps blacklist | ||
214 | - Blacklist and whitelist custom Linux capabilities filters | ||
215 | - macvlan device driver support for --net option | ||
216 | - DNS server support, --dns option | ||
217 | - Netfilter support | ||
218 | - Monitor network statistics, --netstats option | ||
219 | - Added profile for Mozilla Thunderbird/Icedove | ||
220 | - --overlay support for Linux kernels 3.18+ | ||
221 | - Bugfix: preserve .Xauthority file in private mode (test with ssh -X) | ||
222 | - Bugfix: check uid/gid for cgroup | ||
223 | |||
224 | * Fri Feb 6 2015 netblue30 <netblue30@yahoo.com> 0.9.20-1 | ||
225 | - utmp, btmp and wtmp enhancements | ||
226 | - create empty /var/log/wtmp and /var/log/btmp files in sandbox | ||
227 | - generate a new /var/run/utmp file in sandbox | ||
228 | - CPU affinity, --cpu option | ||
229 | - Linux control groups support, --cgroup option | ||
230 | - Opera web browser support | ||
231 | - VLC support | ||
232 | - Added "empty" attribute to seccomp command to remove the default | ||
233 | - syscall list form seccomp blacklist | ||
234 | - Added --nogroups option to disable supplementary groups for regular | ||
235 | - users. root user always runs without supplementary groups. | ||
236 | - firemon enhancements | ||
237 | - display the command that started the sandbox | ||
238 | - added --caps option to display capabilities for all sandboxes | ||
239 | - added --cgroup option to display the control groups for all sandboxes | ||
240 | - added --cpu option to display CPU affinity for all sandboxes | ||
241 | - added --seccomp option to display seccomp setting for all sandboxes | ||
242 | - New compile time options: --disable-chroot, --disable-bind | ||
243 | - bugfixes | ||
244 | |||
245 | * Sat Dec 27 2014 netblue30 <netblue30@yahoo.com> 0.9.18-1 | ||
246 | - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls | ||
247 | - Support for tracing setreuid, setregid, setresuid, setresguid syscalls | ||
248 | - Added profiles for transmission-gtk and transmission-qt | ||
249 | - bugfixes | ||
250 | |||
251 | * Tue Nov 4 2014 netblue30 <netblue30@yahoo.com> 0.9.16-1 | ||
252 | - Configurable private home directory | ||
253 | - Configurable default user shell | ||
254 | - Software configuration support for --docdir and DESTDIR | ||
255 | - Profile file support for include, caps, seccomp and private keywords | ||
256 | - Dropbox profile file | ||
257 | - Linux capabilities and seccomp filters enabled by default for Firefox, | ||
258 | Midori, Evince and Dropbox | ||
259 | - bugfixes | ||
260 | 20 | ||
261 | * Wed Oct 8 2014 netblue30 <netblue30@yahoo.com> 0.9.14-1 | 21 | # Make a temporary directory and arrange to clean up on exit |
262 | - Linux capabilities and seccomp filters are automatically enabled in | 22 | tmpdir=$(mktemp -d) |
263 | chroot mode (--chroot option) if the sandbox is started as regular | 23 | mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} |
264 | user | 24 | function cleanup { |
265 | - Added support for user defined seccomp blacklists | 25 | rm -rf ${tmpdir} |
266 | - Added syscall trace support | 26 | } |
267 | - Added --tmpfs option | 27 | trap cleanup EXIT |
268 | - Added --balcklist option | ||
269 | - Added --read-only option | ||
270 | - Added --bind option | ||
271 | - Logging enhancements | ||
272 | - --overlay option was reactivated | ||
273 | - Added firemon support to print the ARP table for each sandbox | ||
274 | - Added firemon support to print the route table for each sandbox | ||
275 | - Added firemon support to print interface information for each sandbox | ||
276 | - bugfixes | ||
277 | 28 | ||
278 | * Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1 | 29 | # Create the spec file |
279 | - Added capabilities support | 30 | tmp_spec_file=${tmpdir}/SPECS/${name}.spec |
280 | - Added support for CentOS 7 | 31 | sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file} |
281 | - bugfixes | 32 | # FIXME: We could parse RELNOTES and create a %changelog section here |
282 | 33 | ||
283 | EOF | 34 | # Copy the source to build into a tarball |
35 | tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='.git/*' | ||
284 | 36 | ||
285 | echo "building rpm" | 37 | # Build the files (rpm, debug rpm and source rpm) |
286 | rpmbuild -ba SPECS/firejail.spec | 38 | rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file} |
287 | rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm | ||
288 | cd .. | ||
289 | rm -f firejail-$VERSION-1.x86_64.rpm | ||
290 | cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . | ||
291 | ======= | ||
292 | rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec" | ||
293 | >>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd | ||
294 | 39 | ||
295 | cp ${tmpdir}/RPMS/x86_64/firejail-*-1.x86_64.rpm . | 40 | # Copy the results to cwd |
296 | rm -rf "${tmpdir}" | 41 | mv ${tmpdir}/SRPMS/*.rpm ${tmpdir}/RPMS/*/*rpm . |
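Review bot: The source tarball built at line 35 is taken from the entire working directory (`tar czf … .`), so anything present in the checkout — untracked files, `config.status`, editor swap files, and the `*.rpm` files that line 41 drops into the cwd from a previous run — ends up inside the source rpm that `-ba` produces and in the binary build, making the package depend on local state rather than the tracked tree. If the script is always run from a git checkout (the `--exclude='.git/*'` suggests so), `git archive --format=tar.gz --prefix="${name}-${version}/" -o "${tmpdir}/SOURCES/${name}-${version}.tar.gz" HEAD` gives a reproducible archive, at the cost of packaging only committed changes; otherwise the `dist` tarball the Makefile already produces is the right input. The `--transform` pattern `s/^./…/` also leaves the dot unescaped so it matches any leading character, which is harmless only because every member name starts with `./`; `s,^\.,${name}-${version},` says what is meant. Finally there is no `set -e`, so a failed `sed` or `tar` is noticed only when `rpmbuild` or the final `mv` fails later; `set -e` after the shebang, plus quoting `"${tmpdir}"` in the `mkdir` and `rm -rf` lines, closes that gap.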
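--- a/platform/rpm/old-mkrpm.sh
+++ /dev/null
@@ -1,450 +0,0 @@
-#!/bin/bash
-VERSION="0.9.38"
-rm -fr ~/rpmbuild
-rm -f firejail-$VERSION-1.x86_64.rpm
-
-mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
-cat <<EOF >~/.rpmmacros
-%_topdir %(echo $HOME)/rpmbuild
-%_tmppath %{_topdir}/tmp
-EOF
-
-cd ~/rpmbuild
-echo "building directory tree"
-
-mkdir -p firejail-$VERSION/usr/bin
-install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
-install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
-
-mkdir -p firejail-$VERSION/usr/lib/firejail
-install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man1
-install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
-install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man5
-install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
-install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
-
-mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
-install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
-
-mkdir -p firejail-$VERSION/etc/firejail
-install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/xchat.profile
-install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/server.profile
-install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/quassel.profile
-install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/pidgin.profile
-install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/icecat.profile
-install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/filezilla.profile
-install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/chromium-browser.profile
-install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/chromium.profile
-install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/dropbox.profile
-install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/disable-common.inc
-install -m 644 /etc/firejail/disable-secret.inc firejail-$VERSION/etc/firejail/disable-secret.inc
-install -m 644 /etc/firejail/disable-mgmt.inc firejail-$VERSION/etc/firejail/disable-mgmt.inc
-install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/evince.profile
-install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/firefox.profile
-install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/icedove.profile
-install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/iceweasel.profile
-install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/midori.profile
-install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/thunderbird.profile
-install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/opera.profile
-install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/transmission-gtk.profile
-install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/transmission-qt.profile
-install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/vlc.profile
-install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/audacious.profile
-install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/clementine.profile
-install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/gnome-mplayer.profile
-install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/rhythmbox.profile
-install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/totem.profile
-install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/deluge.profile
-install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/qbittorrent.profile
-install -m 644 /etc/firejail/generic.profile firejail-$VERSION/etc/firejail/generic.profile
-install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/login.users
-install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/deadbeef.profile
-install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/empathy.profile
-install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/fbreader.profile
-install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/spotify.profile
-install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/google-chrome.profile
-install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/skype.profile
-install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/steam.profile
-install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/wine.profile
-install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/disable-devel.inc
-
-install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/bitlbee.profile
-install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/conkeror.profile
-install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/google-chrome-beta.profile
-install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/google-chrome-stable.profile
-install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/google-chrome-unstable.profile
-install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/hexchat.profile
-install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/nolocal.net
-install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/opera-beta.profile
-install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/parole.profile
-install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/rtorrent.profile
-install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/unbound.profile
-install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/webserver.net
-install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/weechat-curses.profile
-install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/weechat.profile
-install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/whitelist-common.inc
-
-install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/kmail.profile
-install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/seamonkey.profile
-install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/seamonkey-bin.profile
-install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/telegram.profile
-install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/mathematica.profile
-install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/Mathematica.profile
-install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/uget-gtk.profile
-install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/mupen64plus.profile
-
-
-mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
-install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/.
-install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/.
-
-echo "building tar.gz archive"
-tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
-
-cp firejail-$VERSION.tar.gz SOURCES/.
-
-echo "building config spec"
-cat <<EOF > SPECS/firejail.spec
-%define __spec_install_post %{nil}
-%define debug_package %{nil}
-%define __os_install_post %{_dbpath}/brp-compress
-
-Summary: Linux namepaces sandbox program
-Name: firejail
-Version: $VERSION
-Release: 1
-License: GPL+
-Group: Development/Tools
-SOURCE0 : %{name}-%{version}.tar.gz
-URL: http://firejail.wordpress.com
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-
-%description
-Firejail is a SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
-
-%prep
-%setup -q
-
-%build
-
-%install
-rm -rf %{buildroot}
-mkdir -p %{buildroot}
-
-cp -a * %{buildroot}
-
-
-%clean
-rm -rf %{buildroot}
-
-
-%files
-%defattr(-,root,root,-)
-%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
-%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc
-%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
-%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
-%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/login.users
-%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
-%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
-%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
-%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
-%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
-%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
-%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/generic.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
-%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
-%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
-%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/server.profile
-%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile
-%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile
-%config(noreplace) %{_sysconfdir}/%{name}/skype.profile
-%config(noreplace) %{_sysconfdir}/%{name}/steam.profile
-%config(noreplace) %{_sysconfdir}/%{name}/wine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc
-%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile
-%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile
-%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net
-%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile
-%config(noreplace) %{_sysconfdir}/%{name}/parole.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile
-%config(noreplace) %{_sysconfdir}/%{name}/webserver.net
-%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile
-%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc
-%config(noreplace) %{_sysconfdir}/%{name}/kmail.profile
-%config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile
-%config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile
-%config(noreplace) %{_sysconfdir}/%{name}/telegram.profile
-%config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile
-%config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile
-%config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile
-%config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile
-
-/usr/bin/firejail
-/usr/bin/firemon
-/usr/lib/firejail/libtrace.so
-/usr/lib/firejail/libtracelog.so
-/usr/lib/firejail/ftee
-/usr/lib/firejail/fshaper.sh
-/usr/share/doc/packages/firejail/COPYING
-/usr/share/doc/packages/firejail/README
-/usr/share/doc/packages/firejail/RELNOTES
-/usr/share/man/man1/firejail.1.gz
-/usr/share/man/man1/firemon.1.gz
-/usr/share/man/man5/firejail-profile.5.gz
-/usr/share/man/man5/firejail-login.5.gz
-/usr/share/bash-completion/completions/firejail
-/usr/share/bash-completion/completions/firemon
-
-%post
-chmod u+s /usr/bin/firejail
-
-%changelog
-* Wed Feb 3 2016 netblue30 <netblue30@yahoo.com> 0.9.38-1
-- IPv6 support (--ip6 and --netfilter6)
-- --join command enhancement (--join-network, --join-filesystem)
-- added --user command
-- added --disable-network and --disable-userns compile time flags
-- Centos 6 support
-- symlink invocation
-- added KMail, Seamonkey, Telegram, Mathematica, uGet,
-and mupen64plus profiles
-- --chroot in user mode allowed only if seccomp support is available
-in current Linux kernel
-- deprecated --private-home feature
-- the first protocol list installed takes precedence
-- --tmpfs option allowed only running as root
-- added --private-tmp option
-- bugfixes
-
-* Thu Dec 24 2015 netblue30 <netblue30@yahoo.com> 0.9.36-1
-- added unbound, dnscrypt-proxy, BitlBee, HexChat profiles
-- added WeeChat, parole and rtorrent profiles
-- Google Chrome profile rework
-- added google-chrome-stable profile
-- added google-chrome-beta profile
-- added google-chrome-unstable profile
-- Opera profile rework
-- added opera-beta profile
-- added --noblacklist option
-- added --profile-path option
-- added --force option
-- whitelist command enhancements
-- prevent user name enumeration
-- added /etc/firejail/nolocal.net network filter
-- added /etc/firejail/webserver.net network filter
-- blacklisting firejail configuration by default
-- allow default gateway configuration for --interface option
-- --debug enhancements: --debug-check-filenames
-- --debug enhancements:--debug-blacklists
-- --debug enhancements: --debug-whitelists
-- filesystem log
-- libtrace enhancements, tracing opendir call
-- added --tracelog option
-- added "name" command to profile files
-- added "hostname" command to profile files
-- added automated feature testing framework
-- Debian reproducible build
-- bugfixes
-
-* Sat Nov 7 2015 netblue30 <netblue30@yahoo.com> 0.9.34-1
-- added --ignore option
-- added --protocol option
-- support dual i386/amd64 seccomp filters
-- added Google Chrome profile
-- added Steam, Skype, Wine and Conkeror profiles
-- bugfixes
-
-* Wed Oct 21 2015 netblue30 <netblue30@yahoo.com> 0.9.32-1
-- added --interface option
-- added --mtu option
-- added --private-bin option
-- added --nosound option
-- added --hostname option
-- added --quiet option
-- added seccomp errno support
-- added FBReader default profile
-- added Spotify default profile
-- lots of default security profile changes
-- fixed a security problem on multi-user systems
-- bugfixes
-
-* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
-- added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-disable-history.inc included in all default profiles
-- Firefox PDF.js exploit (CVE-2015-4495) fixes
-- added --private-etc option
-- added --env option
-- added --whitelist option
-- support ${HOME} token in include directive in profile files
-- --private.keep is transitioned to --private-home
-- support ~ and blanks in blacklist option
-- support "net none" command in profile files
-- using /etc/firejail/generic.profile by default for user sessions
-- using /etc/firejail/server.profile by default for root sessions
-- added build --enable-fatal-warnings configure option
-- added persistence to --overlay option
-- added --overlay-tmpfs option
-- make install-strip implemented, make install renamed
-- bugfixes
-
-* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
-- network scanning, --scan option
-- interface MAC address support, --mac option
-- IP address range, --iprange option
-- traffic shaping, --bandwidth option
-- reworked printing of network status at startup
-- man pages rework
-- added firejail-login man page
-- added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-profiles
-- added an /etc/firejail/disable-common.inc file to hold common directory
-blacklists
-- blacklist Opera and Chrome/Chromium config directories in profile files
-- support noroot option for profile files
-- enabled noroot in default profile files
-- bugfixes
-
-* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
-- private dev directory
-- private.keep option for whitelisting home files in a new private directory
-- user namespaces support, noroot option
-- added Deluge and qBittorent profiles
-- bugfixes
-
-* Sun Apr 5 2015 netblue30 <netblue30@yahoo.com> 0.9.24-1
-- whitelist and blacklist seccomp filters
-- doubledash option
-- --shell=none support
-- netfilter file support in profile files
-- dns server support in profile files
-- added --dns.print option
-- added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
-- added --caps.drop=all in default profiles
-- new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
-- clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
-- Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
-- two build patches from Reiner Herman (tickets 11, 12)
-- man page patch from Reiner Herman (ticket 13)
-- output patch (ticket 15) from sshirokov
-
-* Mon Mar 9 2015 netblue30 <netblue30@yahoo.com> 0.9.22-1
-- Replaced --noip option with --ip=none
-- Container stdout logging and log rotation
-- Added process_vm_readv, process_vm_writev and mknod to
-default seccomp blacklist
-- Added CAP_MKNOD to default caps blacklist
-- Blacklist and whitelist custom Linux capabilities filters
-- macvlan device driver support for --net option
-- DNS server support, --dns option
-- Netfilter support
-- Monitor network statistics, --netstats option
-- Added profile for Mozilla Thunderbird/Icedove
-- --overlay support for Linux kernels 3.18+
-- Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
-- Bugfix: check uid/gid for cgroup
-
-* Fri Feb 6 2015 netblue30 <netblue30@yahoo.com> 0.9.20-1
-- utmp, btmp and wtmp enhancements
-- create empty /var/log/wtmp and /var/log/btmp files in sandbox
-- generate a new /var/run/utmp file in sandbox
-- CPU affinity, --cpu option
-- Linux control groups support, --cgroup option
-- Opera web browser support
-- VLC support
-- Added "empty" attribute to seccomp command to remove the default
-- syscall list form seccomp blacklist
-- Added --nogroups option to disable supplementary groups for regular
-- users. root user always runs without supplementary groups.
-- firemon enhancements
-- display the command that started the sandbox
-- added --caps option to display capabilities for all sandboxes
-- added --cgroup option to display the control groups for all sandboxes
-- added --cpu option to display CPU affinity for all sandboxes
-- added --seccomp option to display seccomp setting for all sandboxes
-- New compile time options: --disable-chroot, --disable-bind
-- bugfixes
-
-* Sat Dec 27 2014 netblue30 <netblue30@yahoo.com> 0.9.18-1
-- Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
-- Support for tracing setreuid, setregid, setresuid, setresguid syscalls
-- Added profiles for transmission-gtk and transmission-qt
-- bugfixes
-
-* Tue Nov 4 2014 netblue30 <netblue30@yahoo.com> 0.9.16-1
-- Configurable private home directory
-- Configurable default user shell
-- Software configuration support for --docdir and DESTDIR
-- Profile file support for include, caps, seccomp and private keywords
-- Dropbox profile file
-- Linux capabilities and seccomp filters enabled by default for Firefox,
-Midori, Evince and Dropbox
-- bugfixes
-
-* Wed Oct 8 2014 netblue30 <netblue30@yahoo.com> 0.9.14-1
-- Linux capabilities and seccomp filters are automatically enabled in
-chroot mode (--chroot option) if the sandbox is started as regular
-user
-- Added support for user defined seccomp blacklists
-- Added syscall trace support
-- Added --tmpfs option
-- Added --balcklist option
-- Added --read-only option
-- Added --bind option
-- Logging enhancements
-- --overlay option was reactivated
-- Added firemon support to print the ARP table for each sandbox
-- Added firemon support to print the route table for each sandbox
-- Added firemon support to print interface information for each sandbox
-- bugfixes
-
-* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
-- Added capabilities support
-- Added support for CentOS 7
-- bugfixes
-
-EOF
-
-echo "building rpm"
-rpmbuild -ba SPECS/firejail.spec
-rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
-cd ..
-rm -f firejail-$VERSION-1.x86_64.rpm
-cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
-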