| field | value | date |
|---|---|---|
| author | netblue30 <netblue30@yahoo.com> | 2015-11-08 11:31:39 -0500 |
| committer | netblue30 <netblue30@yahoo.com> | 2015-11-08 11:31:39 -0500 |
| commit | 19427f0f6102946b56f5fbf3d11c5e5c38043fa7 (patch) | |
| tree | c5613023e58255849542acadf8839ab24de49d37 | |
| parent | 0.9.34 testing (diff) | |
| download | firejail-19427f0f6102946b56f5fbf3d11c5e5c38043fa7.tar.gz, firejail-19427f0f6102946b56f5fbf3d11c5e5c38043fa7.tar.zst, firejail-19427f0f6102946b56f5fbf3d11c5e5c38043fa7.zip | |

Commit message: 0.9.34 released (ref: 0.9.34)
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | README.md | 71 |
| -rw-r--r-- | RELNOTES | 4 |
| -rw-r--r-- | chromium-whitelist.png | bin, 47978 -> 0 bytes (deleted) |
| -rw-r--r-- | firefox-whitelist.png | bin, 53657 -> 0 bytes (deleted) |
| -rwxr-xr-x | platform/rpm/old-mkrpm.sh | 22 |

5 files changed, 21 insertions, 76 deletions
@@ -34,74 +34,3 @@ FAQ: https://l3net.wordpress.com/projects/firejail/firejail-faq/ | |||
34 | 34 | ||
35 | 35 | ||
36 | 36 | ||
37 | ## New features in the development version | ||
38 | |||
39 | ### Whitelisting in default Firefox profile | ||
40 | |||
41 | The next release will bring in default whitelisting for Firefox files and folders under /home/user. | ||
42 | If you start the sandbox without any other options, this is what you'll get: | ||
43 | |||
44 | ![Whitelisted home directory](firefox-whitelist.png?raw=true) | ||
45 | |||
46 | The code is located in etc/firefox.inc file: | ||
47 | |||
48 | ````` | ||
49 | whitelist ~/.mozilla | ||
50 | whitelist ~/Downloads | ||
51 | whitelist ~/dwhelper | ||
52 | whitelist ~/.zotero | ||
53 | whitelist ~/.lastpass | ||
54 | whitelist ~/.gtkrc-2.0 | ||
55 | whitelist ~/.vimperatorrc | ||
56 | whitelist ~/.vimperator | ||
57 | whitelist ~/.pentadactylrc | ||
58 | whitelist ~/.pentadactyl | ||
59 | ````` | ||
60 | |||
61 | I intend to bring in all files and directories used by Firefox addons and plugins. So far I have | ||
62 | [Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/), | ||
63 | [Zotero](https://www.zotero.org/download/), | ||
64 | [LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/), | ||
65 | [Vimperator](https://addons.mozilla.org/en-US/firefox/addon/vimperator/) | ||
66 | and [Pentadactyl](http://5digits.org/pentadactyl/) | ||
67 | If you're using anything else, please let me know. | ||
68 | |||
69 | ### Whitelisting in default Chromium profile | ||
70 | |||
71 | ![Whitelisted home directory](chromium-whitelist.png?raw=true) | ||
72 | |||
73 | ### --ignore option | ||
74 | |||
75 | Ignore commands in profile files. Example: | ||
76 | ````` | ||
77 | $ firejail --ignore=seccomp wine | ||
78 | ````` | ||
79 | |||
80 | ### --protocol option | ||
81 | |||
82 | Enable protocol filter. It is based on seccomp and it filters the first argument to socket system call. | ||
83 | If the value is not recognized, seccomp will kill the process. | ||
84 | Valid values: unix, inet, inet6, netlink and packet. | ||
85 | |||
86 | Example: | ||
87 | ````` | ||
88 | $ firejail --protocol=unix,inet,inet6 | ||
89 | ````` | ||
90 | |||
91 | "unix" describes the regular Unix socket connections, | ||
92 | and "inet" and "inet6" describe the regular IPv4 and IPv6 traffic. Most GUI applications need "unix,inet,inet6". "netlink" is the protocol | ||
93 | used to talk to Linux kernel. You'll only need this for applications such as [iproute2](http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2) | ||
94 | used in system administration, and "packet" is used by sniffers to talk directly with the Ethernet layer. | ||
95 | |||
96 | Protocol filter is enabled in all default security profiles for GUI applications ("protocol unix,inet,inet6"). | ||
97 | |||
98 | ### Dual i386/amd64 seccomp filter | ||
99 | |||
100 | --seccomp option now installs a dual i386/amd64 default filter. | ||
101 | 32bit applications, such as Skype, running on regular 64bit computers, are protected by i386 seccomp filter. | ||
102 | |||
103 | ### New security profiles | ||
104 | |||
105 | Steam, Skype, Wine. The dual seccomp filter is enabled by default for these applications. | ||
106 | |||
107 | |||
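Review bot: the entire "New features in the development version" section (README lines 37-106) is deleted with nothing put in its place, so the only user-facing description of --ignore, --protocol (valid values unix, inet, inet6, netlink, packet; an unrecognized value makes seccomp kill the process) and the dual i386/amd64 seccomp filter now survives only as one-line bullets in RELNOTES. Suggest keeping the --protocol and seccomp paragraphs under a heading such as "## New features in 0.9.34", or stating in the commit message that the firejail(1) man page already covers them. Deleting firefox-whitelist.png and chromium-whitelist.png is consistent with dropping the two image references at lines 44 and 71, so that part is fine.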
@@ -1,11 +1,11 @@ | |||
1 | firejail (0.9.34-rc1) baseline; urgency=low | 1 | firejail (0.9.34) baseline; urgency=low |
2 | * added --ignore option | 2 | * added --ignore option |
3 | * added --protocol option | 3 | * added --protocol option |
4 | * support dual i386/amd64 seccomp filters | 4 | * support dual i386/amd64 seccomp filters |
5 | * added Google Chrome profile | 5 | * added Google Chrome profile |
6 | * added Steam, Skype, Wine and Conkeror profiles | 6 | * added Steam, Skype, Wine and Conkeror profiles |
7 | * bugfixes | 7 | * bugfixes |
8 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Oct 2015 08:00:00 -0500 | 8 | -- netblue30 <netblue30@yahoo.com> Sat, 7 Nov 2015 08:00:00 -0500 |
9 | 9 | ||
10 | firejail (0.9.32) baseline; urgency=low | 10 | firejail (0.9.32) baseline; urgency=low |
11 | * added --interface option | 11 | * added --interface option |
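Review bot: the version string at line 1 goes from "0.9.34-rc1" to "0.9.34", but under the Debian changelog format this file uses, "0.9.34-rc1" parses as upstream 0.9.34 with revision rc1 and therefore sorts higher than plain "0.9.34", so anyone who installed the rc1 package will not see the final release as an upgrade. For future pre-releases use "0.9.34~rc1" (tilde sorts before everything). Also, "bugfixes" at line 7 is the only entry that stayed unchanged between rc1 and final; listing the fixes, or the issue numbers, would let packagers judge whether any of them is security-relevant.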
diff --git a/chromium-whitelist.png b/chromium-whitelist.png deleted file mode 100644 index a90f2aa1f..000000000 --- a/chromium-whitelist.png +++ /dev/null | |||
Binary files differ | |||
diff --git a/firefox-whitelist.png b/firefox-whitelist.png deleted file mode 100644 index e98cb4b02..000000000 --- a/firefox-whitelist.png +++ /dev/null | |||
Binary files differ | |||
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 30aba0462..c65544cb5 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh | |||
@@ -1,5 +1,5 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | VERSION="0.9.32" | 2 | VERSION="0.9.34" |
3 | rm -fr ~/rpmbuild | 3 | rm -fr ~/rpmbuild |
4 | rm -f firejail-$VERSION-1.x86_64.rpm | 4 | rm -f firejail-$VERSION-1.x86_64.rpm |
5 | 5 | ||
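Review bot: VERSION at line 2 is a hand-edited copy of the release string that also appears in RELNOTES and in the %changelog further down this script, so a release that bumps one but not the others ships an rpm whose version disagrees with its own changelog. Consider deriving VERSION from one source (a version file or the RELNOTES header) instead of editing three places per release. The unconditional `rm -fr ~/rpmbuild` at line 3 also wipes any unrelated packages the build user has in that tree; a dedicated build directory would be safer.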
@@ -45,7 +45,6 @@ install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/fire | |||
45 | install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/chromium.profile | 45 | install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/chromium.profile |
46 | install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/dropbox.profile | 46 | install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/dropbox.profile |
47 | install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/disable-common.inc | 47 | install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/disable-common.inc |
48 | install -m 644 /etc/firejail/disable-history.inc firejail-$VERSION/etc/firejail/disable-history.inc | ||
49 | install -m 644 /etc/firejail/disable-secret.inc firejail-$VERSION/etc/firejail/disable-secret.inc | 48 | install -m 644 /etc/firejail/disable-secret.inc firejail-$VERSION/etc/firejail/disable-secret.inc |
50 | install -m 644 /etc/firejail/disable-mgmt.inc firejail-$VERSION/etc/firejail/disable-mgmt.inc | 49 | install -m 644 /etc/firejail/disable-mgmt.inc firejail-$VERSION/etc/firejail/disable-mgmt.inc |
51 | install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/evince.profile | 50 | install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/evince.profile |
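Review bot: dropping the install of disable-history.inc (old line 48) silently stops shipping a file that profiles may still reference via `include /etc/firejail/disable-history.inc`; neither RELNOTES nor the %changelog mentions the removal. Confirm every profile in the tree has been switched to whatever replaces it, and add a release-notes line so rpm users with local profiles that include this file know why it disappeared.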
@@ -71,6 +70,11 @@ install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/dea | |||
71 | install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/empathy.profile | 70 | install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/empathy.profile |
72 | install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/fbreader.profile | 71 | install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/fbreader.profile |
73 | install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/spotify.profile | 72 | install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/spotify.profile |
73 | install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/google-chrome.profile | ||
74 | install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/skype.profile | ||
75 | install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/steam.profile | ||
76 | install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/wine.profile | ||
77 | install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/disable-devel.inc | ||
74 | 78 | ||
75 | 79 | ||
76 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions | 80 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions |
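Review bot: conkeror.profile is missing from the new install lines 73-77 even though RELNOTES in this same commit lists "Steam, Skype, Wine and Conkeror profiles" as added in 0.9.34; either install it next to the other four or correct RELNOTES. Separately, every install line copies from the live /etc/firejail of the build host rather than from the source tree, so whatever locally modified profiles happen to be on that host end up in the published rpm; copying from the checkout would make the package reproducible from the tagged source.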
@@ -148,7 +152,6 @@ rm -rf %{buildroot} | |||
148 | %config(noreplace) %{_sysconfdir}/%{name}/generic.profile | 152 | %config(noreplace) %{_sysconfdir}/%{name}/generic.profile |
149 | %config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile | 153 | %config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile |
150 | %config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc | 154 | %config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc |
151 | %config(noreplace) %{_sysconfdir}/%{name}/disable-history.inc | ||
152 | %config(noreplace) %{_sysconfdir}/%{name}/empathy.profile | 155 | %config(noreplace) %{_sysconfdir}/%{name}/empathy.profile |
153 | %config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile | 156 | %config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile |
154 | %config(noreplace) %{_sysconfdir}/%{name}/icecat.profile | 157 | %config(noreplace) %{_sysconfdir}/%{name}/icecat.profile |
@@ -158,6 +161,11 @@ rm -rf %{buildroot} | |||
158 | %config(noreplace) %{_sysconfdir}/%{name}/xchat.profile | 161 | %config(noreplace) %{_sysconfdir}/%{name}/xchat.profile |
159 | %config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile | 162 | %config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile |
160 | %config(noreplace) %{_sysconfdir}/%{name}/spotify.profile | 163 | %config(noreplace) %{_sysconfdir}/%{name}/spotify.profile |
164 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile | ||
165 | %config(noreplace) %{_sysconfdir}/%{name}/skype.profile | ||
166 | %config(noreplace) %{_sysconfdir}/%{name}/steam.profile | ||
167 | %config(noreplace) %{_sysconfdir}/%{name}/wine.profile | ||
168 | %config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc | ||
161 | 169 | ||
162 | /usr/bin/firejail | 170 | /usr/bin/firejail |
163 | /usr/bin/firemon | 171 | /usr/bin/firemon |
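Review bot: the five %config(noreplace) entries at lines 164-168 repeat, by hand, the same five additions made to the install list above, and conkeror.profile is absent here as well. rpmbuild will fail the build if the two lists drift in either direction (an installed file not listed in %files is an unpackaged-file error; a listed file that was not installed is a missing-file error), so replacing the per-profile entries with `%config(noreplace) %{_sysconfdir}/%{name}/*.profile` and `%config(noreplace) %{_sysconfdir}/%{name}/*.inc` would remove this maintenance burden and the risk of forgetting one.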
@@ -178,6 +186,14 @@ rm -rf %{buildroot} | |||
178 | chmod u+s /usr/bin/firejail | 186 | chmod u+s /usr/bin/firejail |
179 | 187 | ||
180 | %changelog | 188 | %changelog |
189 | * Sat Nov 7 2015 netblue30 <netblue30@yahoo.com> 0.9.34-1 | ||
190 | - added --ignore option | ||
191 | - added --protocol option | ||
192 | - support dual i386/amd64 seccomp filters | ||
193 | - added Google Chrome profile | ||
194 | - added Steam, Skype, Wine and Conkeror profiles | ||
195 | - bugfixes | ||
196 | |||
181 | * Wed Oct 21 2015 netblue30 <netblue30@yahoo.com> 0.9.32-1 | 197 | * Wed Oct 21 2015 netblue30 <netblue30@yahoo.com> 0.9.32-1 |
182 | - added --interface option | 198 | - added --interface option |
183 | - added --mtu option | 199 | - added --mtu option |
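Review bot: the new %changelog entry at lines 189-195 copies RELNOTES verbatim, including the bare "bugfixes" line; because %post marks /usr/bin/firejail setuid root (`chmod u+s /usr/bin/firejail`, line 186), packagers and users need to know whether any of those fixes touch privileged code. Enumerate the fixes here, or at least state that none affect the setuid binary. The entry date "Sat Nov 7 2015" matches the RELNOTES date, which is correct.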