diff options
author | netblue30 <netblue30@yahoo.com> | 2017-09-07 10:22:10 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-09-07 10:22:10 -0400 |
commit | 957713cc3628a65fc01bbfafe866baf3842810d9 (patch) | |
tree | 5c26f6e07e4a7f391dcb4bbfce580575cacc4589 | |
parent | small fixes (diff) | |
download | firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.gz firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.zst firejail-957713cc3628a65fc01bbfafe866baf3842810d9.zip |
0.9.51 development starting
-rw-r--r-- | README.md | 129 | ||||
-rw-r--r-- | RELNOTES | 6 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 |
4 files changed, 18 insertions, 137 deletions
@@ -96,131 +96,8 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
96 | ````` | 96 | ````` |
97 | 97 | ||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.49 | 99 | # 0.9.50 release pending |
100 | 100 | ||
101 | ## Travis-CI integration | 101 | Development moved on 0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes |
102 | 102 | ||
103 | Check the status of the latest build here: https://travis-ci.org/netblue30/firejail | 103 | # Current development version: 0.9.51 |
104 | |||
105 | ## New command options: | ||
106 | ````` | ||
107 | --disable-mnt | ||
108 | Disable /mnt, /media, /run/mount and /run/media access. | ||
109 | |||
110 | Example: | ||
111 | $ firejail --disable-mnt firefox | ||
112 | |||
113 | --xephyr-screen=WIDTHxHEIGHT | ||
114 | Set screen size for --x11=xephyr. The setting will overwrite the | ||
115 | default set in /etc/firejail/firejail.config for the current | ||
116 | sandbox. Run xrandr to get a list of supported resolutions on | ||
117 | your computer. | ||
118 | |||
119 | Example: | ||
120 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐ | ||
121 | fox | ||
122 | |||
123 | --output-stderr=logfile | ||
124 | Similar to --output, but stderr is also stored. | ||
125 | |||
126 | --notv Disable DVB (Digital Video Broadcasting) TV devices. | ||
127 | |||
128 | Example: | ||
129 | $ firejail --notv vlc | ||
130 | |||
131 | --nodvd | ||
132 | Disable DVD and audio CD devices. | ||
133 | |||
134 | Example: | ||
135 | $ firejail --nodvd | ||
136 | |||
137 | --memory-deny-write-execute | ||
138 | Install a seccomp filter to block attempts to create memory | ||
139 | mappings that are both writable and executable, to change map‐ | ||
140 | pings to be executable or to create executable shared memory. | ||
141 | |||
142 | --private-lib=file,directory | ||
143 | This feature is currently under heavy development. Only amd64 | ||
144 | platforms are supported at this moment. The idea is to build a | ||
145 | new /lib in a temporary filesystem, with only the library files | ||
146 | necessary to run the application. It could be as simple as: | ||
147 | |||
148 | $ firejail --private-lib galculator | ||
149 | |||
150 | but it gets complicated really fast: | ||
151 | |||
152 | $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux- | ||
153 | gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed | ||
154 | |||
155 | The feature is integrated with --private-bin: | ||
156 | |||
157 | $ firejail --private-lib --private-bin=bash,ls,ps | ||
158 | $ ls /lib | ||
159 | ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐ | ||
160 | temd.so.0 | ||
161 | libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5 | ||
162 | libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu | ||
163 | libgcrypt.so.20 libpcre.so.3 libselinux.so.1 | ||
164 | $ ps | ||
165 | PID TTY TIME CMD | ||
166 | 1 pts/0 00:00:00 firejail | ||
167 | 45 pts/0 00:00:00 bash | ||
168 | 48 pts/0 00:00:00 ps | ||
169 | $ | ||
170 | |||
171 | --seccomp.block_secondary | ||
172 | Enable seccomp filter and filter system call architectures so | ||
173 | that only the native architecture is allowed. For example, on | ||
174 | amd64, i386 and x32 system calls are blocked as well as chang‐ | ||
175 | ing the execution domain with personality(2) system call. | ||
176 | |||
177 | --profile.print=name|pid | ||
178 | Print the name of the profile file for the sandbox identified | ||
179 | by name or or PID. | ||
180 | |||
181 | Example: | ||
182 | $ firejail --profile.print=browser | ||
183 | /etc/firejail/firefox.profile | ||
184 | |||
185 | |||
186 | ````` | ||
187 | |||
188 | ## /etc/firejail/firejail.config | ||
189 | |||
190 | ````` | ||
191 | # Number of ARP probes sent when assigning an IP address for --net option, | ||
192 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds | ||
193 | # timeout is implemented for each probe. Increase this number to 4 if your | ||
194 | # local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are | ||
195 | # between 1 and 30. | ||
196 | # arp-probes 2 | ||
197 | |||
198 | # Enable this option if you have a version of Xpra that supports --attach switch | ||
199 | # for start command, default disabled. | ||
200 | # xpra-attach no | ||
201 | |||
202 | |||
203 | ````` | ||
204 | |||
205 | |||
206 | ## Default seccomp list update | ||
207 | |||
208 | The following syscalls have been added: | ||
209 | afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read, | ||
210 | pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write, | ||
211 | security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, | ||
212 | ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default. | ||
213 | |||
214 | get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break | ||
215 | playing youtube videos on Firefox Nightly. | ||
216 | |||
217 | |||
218 | |||
219 | ## New profiles: | ||
220 | |||
221 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, | ||
222 | IntelliJ IDEA, Android Studio, electron, riot-web, | ||
223 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux, | ||
224 | telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, | ||
225 | remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar, | ||
226 | musescore, neverball, Yandex Browser, minetest | ||
@@ -1,5 +1,9 @@ | |||
1 | firejail (0.9.50~rc1) baseline; urgency=low | 1 | firejail (0.9.51) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 | ||
4 | |||
5 | firejail (0.9.50~rc1) baseline; urgency=low | ||
6 | * release pending! | ||
3 | * modif: --output split in two commands, --output and --output-stderr | 7 | * modif: --output split in two commands, --output and --output-stderr |
4 | * feature: per-profile disable-mnt (--disable-mnt) | 8 | * feature: per-profile disable-mnt (--disable-mnt) |
5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) | 9 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.50~rc2. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.51. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.50~rc2' | 583 | PACKAGE_VERSION='0.9.51' |
584 | PACKAGE_STRING='firejail 0.9.50~rc2' | 584 | PACKAGE_STRING='firejail 0.9.51' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then | |||
1276 | # Omit some internal or obsolete options to make the list less imposing. | 1276 | # Omit some internal or obsolete options to make the list less imposing. |
1277 | # This message is too long to be a string in the A/UX 3.1 sh. | 1277 | # This message is too long to be a string in the A/UX 3.1 sh. |
1278 | cat <<_ACEOF | 1278 | cat <<_ACEOF |
1279 | \`configure' configures firejail 0.9.50~rc2 to adapt to many kinds of systems. | 1279 | \`configure' configures firejail 0.9.51 to adapt to many kinds of systems. |
1280 | 1280 | ||
1281 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1281 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1282 | 1282 | ||
@@ -1338,7 +1338,7 @@ fi | |||
1338 | 1338 | ||
1339 | if test -n "$ac_init_help"; then | 1339 | if test -n "$ac_init_help"; then |
1340 | case $ac_init_help in | 1340 | case $ac_init_help in |
1341 | short | recursive ) echo "Configuration of firejail 0.9.50~rc2:";; | 1341 | short | recursive ) echo "Configuration of firejail 0.9.51:";; |
1342 | esac | 1342 | esac |
1343 | cat <<\_ACEOF | 1343 | cat <<\_ACEOF |
1344 | 1344 | ||
@@ -1446,7 +1446,7 @@ fi | |||
1446 | test -n "$ac_init_help" && exit $ac_status | 1446 | test -n "$ac_init_help" && exit $ac_status |
1447 | if $ac_init_version; then | 1447 | if $ac_init_version; then |
1448 | cat <<\_ACEOF | 1448 | cat <<\_ACEOF |
1449 | firejail configure 0.9.50~rc2 | 1449 | firejail configure 0.9.51 |
1450 | generated by GNU Autoconf 2.69 | 1450 | generated by GNU Autoconf 2.69 |
1451 | 1451 | ||
1452 | Copyright (C) 2012 Free Software Foundation, Inc. | 1452 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF | |||
1748 | This file contains any messages produced by compilers while | 1748 | This file contains any messages produced by compilers while |
1749 | running configure, to aid debugging if configure makes a mistake. | 1749 | running configure, to aid debugging if configure makes a mistake. |
1750 | 1750 | ||
1751 | It was created by firejail $as_me 0.9.50~rc2, which was | 1751 | It was created by firejail $as_me 0.9.51, which was |
1752 | generated by GNU Autoconf 2.69. Invocation command line was | 1752 | generated by GNU Autoconf 2.69. Invocation command line was |
1753 | 1753 | ||
1754 | $ $0 $@ | 1754 | $ $0 $@ |
@@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4367 | # report actual input values of CONFIG_FILES etc. instead of their | 4367 | # report actual input values of CONFIG_FILES etc. instead of their |
4368 | # values after options handling. | 4368 | # values after options handling. |
4369 | ac_log=" | 4369 | ac_log=" |
4370 | This file was extended by firejail $as_me 0.9.50~rc2, which was | 4370 | This file was extended by firejail $as_me 0.9.51, which was |
4371 | generated by GNU Autoconf 2.69. Invocation command line was | 4371 | generated by GNU Autoconf 2.69. Invocation command line was |
4372 | 4372 | ||
4373 | CONFIG_FILES = $CONFIG_FILES | 4373 | CONFIG_FILES = $CONFIG_FILES |
@@ -4421,7 +4421,7 @@ _ACEOF | |||
4421 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4421 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4422 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4422 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4423 | ac_cs_version="\\ | 4423 | ac_cs_version="\\ |
4424 | firejail config.status 0.9.50~rc2 | 4424 | firejail config.status 0.9.51 |
4425 | configured by $0, generated by GNU Autoconf 2.69, | 4425 | configured by $0, generated by GNU Autoconf 2.69, |
4426 | with options \\"\$ac_cs_config\\" | 4426 | with options \\"\$ac_cs_config\\" |
4427 | 4427 | ||
diff --git a/configure.ac b/configure.ac index b9f3cbde9..e06512665 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.50~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.51, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||