0.9.51 development starting

author: netblue30 <netblue30@yahoo.com> 2017-09-07 10:22:10 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-09-07 10:22:10 -0400
commit: 957713cc3628a65fc01bbfafe866baf3842810d9 (patch)
tree: 5c26f6e07e4a7f391dcb4bbfce580575cacc4589
parent: small fixes (diff)
download: firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.gz
firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.zst
firejail-957713cc3628a65fc01bbfafe866baf3842810d9.zip
4 files changed, 18 insertions, 137 deletions
diff --git a/README.md b/README.md
index 26b76361e..26055300b 100644
--- a/README.md
+++ b/README.md
@@ -96,131 +96,8 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 `````
-# Current development version: 0.9.49
+# 0.9.50 release pending
-## Travis-CI integration
+Development moved on  0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes
-Check the status of the latest build here: https://travis-ci.org/netblue30/firejail
+# Current development version: 0.9.51
-## New command options:
-`````
-      --disable-mnt
-              Disable /mnt, /media, /run/mount and /run/media access.
-              Example:
-              $ firejail --disable-mnt firefox
-       --xephyr-screen=WIDTHxHEIGHT
-              Set screen size for --x11=xephyr. The setting will overwrite the
-              default set in  /etc/firejail/firejail.config  for  the  current
-              sandbox.  Run  xrandr  to get a list of supported resolutions on
-              your computer.
-              Example:
-              $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
-              fox
-       --output-stderr=logfile
-              Similar to --output, but stderr is also stored.
-      --notv Disable DVB (Digital Video Broadcasting) TV devices.
-              Example:
-              $ firejail --notv vlc
-       --nodvd
-              Disable DVD and audio CD devices.
-              Example:
-              $ firejail --nodvd
-      --memory-deny-write-execute
-              Install a seccomp filter to block  attempts  to  create  memory
-              mappings  that are both writable and executable, to change map‐
-              pings to be executable or to create executable shared memory.
-       --private-lib=file,directory
-              This  feature  is currently under heavy development. Only amd64
-              platforms are supported at this moment.  The idea is to build a
-              new /lib in a temporary filesystem, with only the library files
-              necessary to run the application.  It could be as simple as:
-              $ firejail --private-lib galculator
-              but it gets complicated really fast:
-              $   firejail   --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
-              gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
-              The feature is integrated with --private-bin:
-              $ firejail --private-lib --private-bin=bash,ls,ps
-              $ ls /lib
-              ld-linux-x86-64.so.2  libgpg-error.so.0  libprocps.so.6 libsys‐
-              temd.so.0
-              libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
-              libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
-              libgcrypt.so.20 libpcre.so.3 libselinux.so.1
-              $ ps
-               PID TTY          TIME CMD
-                  1 pts/0    00:00:00 firejail
-                 45 pts/0    00:00:00 bash
-                 48 pts/0    00:00:00 ps
-              $
-       --seccomp.block_secondary
-              Enable seccomp filter and filter system call  architectures  so
-              that  only  the native architecture is allowed. For example, on
-              amd64, i386 and x32 system calls are blocked as well as  chang‐
-              ing the execution domain with personality(2) system call.
-       --profile.print=name|pid
-              Print  the  name of the profile file for the sandbox identified
-              by name or or PID.
-              Example:
-              $ firejail --profile.print=browser
-              /etc/firejail/firefox.profile
-`````
-## /etc/firejail/firejail.config
-`````
-# Number of ARP probes sent when assigning an IP address for --net option,
-# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
-# timeout is implemented for each probe. Increase this number to 4 if your
-# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
-# between 1 and 30.
-# arp-probes 2
-# Enable this option if you have a version of Xpra that supports --attach switch
-# for start command, default disabled.
-# xpra-attach no
-`````
-## Default seccomp list update
-The following syscalls have been added:
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname,  sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default.
-get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break
-playing youtube videos on Firefox Nightly.
-## New profiles:
-curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy,
-IntelliJ IDEA, Android Studio, electron, riot-web,
-Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux,
-telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard,
-remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar,
-musescore, neverball, Yandex Browser, minetest
diff --git a/RELNOTES b/RELNOTES
index 47b337c2f..eea0d4a3a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,9 @@
-firejail (0.9.50~rc1) baseline; urgency=low
+firejail (0.9.51) baseline; urgency=low
  * work in progress!
+ -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
+firejail (0.9.50~rc1) baseline; urgency=low
+  * release pending!
  * modif: --output split in two commands, --output and --output-stderr
  * feature: per-profile disable-mnt (--disable-mnt)
  * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
diff --git a/configure b/configure
index 2f14e0a83..e1cc0147f 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.50~rc2.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.51.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.50~rc2'
+PACKAGE_VERSION='0.9.51'
-PACKAGE_STRING='firejail 0.9.50~rc2'
+PACKAGE_STRING='firejail 0.9.51'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.50~rc2 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.51 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1338,7 +1338,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.50~rc2:";;
+     short | recursive ) echo "Configuration of firejail 0.9.51:";;
   esac
  cat <<\_ACEOF
@@ -1446,7 +1446,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.50~rc2
+firejail configure 0.9.51
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.50~rc2, which was
+It was created by firejail $as_me 0.9.51, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.50~rc2, which was
+This file was extended by firejail $as_me 0.9.51, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4421,7 +4421,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.50~rc2
+firejail config.status 0.9.51
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index b9f3cbde9..e06512665 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.50~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.51, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
author	netblue30 <netblue30@yahoo.com>	2017-09-07 10:22:10 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-09-07 10:22:10 -0400
commit	957713cc3628a65fc01bbfafe866baf3842810d9 (patch)
tree	5c26f6e07e4a7f391dcb4bbfce580575cacc4589
parent	small fixes (diff)
download	firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.gz firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.zst firejail-957713cc3628a65fc01bbfafe866baf3842810d9.zip

diff --git a/README.md b/README.md index 26b76361e..26055300b 100644 --- a/README.md +++ b/README.md
@@ -96,131 +96,8 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
96	`````	96	`````
97		97
98	`````	98	`````
99	# Current development version: 0.9.49	99	# 0.9.50 release pending
100		100
101	## Travis-CI integration	101	Development moved on 0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes
102		102
103	Check the status of the latest build here: https://travis-ci.org/netblue30/firejail	103	# Current development version: 0.9.51
104
105	## New command options:
106	`````
107	--disable-mnt
108	Disable /mnt, /media, /run/mount and /run/media access.
109
110	Example:
111	$ firejail --disable-mnt firefox
112
113	--xephyr-screen=WIDTHxHEIGHT
114	Set screen size for --x11=xephyr. The setting will overwrite the
115	default set in /etc/firejail/firejail.config for the current
116	sandbox. Run xrandr to get a list of supported resolutions on
117	your computer.
118
119	Example:
120	$ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
121	fox
122
123	--output-stderr=logfile
124	Similar to --output, but stderr is also stored.
125
126	--notv Disable DVB (Digital Video Broadcasting) TV devices.
127
128	Example:
129	$ firejail --notv vlc
130
131	--nodvd
132	Disable DVD and audio CD devices.
133
134	Example:
135	$ firejail --nodvd
136
137	--memory-deny-write-execute
138	Install a seccomp filter to block attempts to create memory
139	mappings that are both writable and executable, to change map‐
140	pings to be executable or to create executable shared memory.
141
142	--private-lib=file,directory
143	This feature is currently under heavy development. Only amd64
144	platforms are supported at this moment. The idea is to build a
145	new /lib in a temporary filesystem, with only the library files
146	necessary to run the application. It could be as simple as:
147
148	$ firejail --private-lib galculator
149
150	but it gets complicated really fast:
151
152	$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
153	gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
154
155	The feature is integrated with --private-bin:
156
157	$ firejail --private-lib --private-bin=bash,ls,ps
158	$ ls /lib
159	ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
160	temd.so.0
161	libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
162	libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
163	libgcrypt.so.20 libpcre.so.3 libselinux.so.1
164	$ ps
165	PID TTY TIME CMD
166	1 pts/0 00:00:00 firejail
167	45 pts/0 00:00:00 bash
168	48 pts/0 00:00:00 ps
169	$
170
171	--seccomp.block_secondary
172	Enable seccomp filter and filter system call architectures so
173	that only the native architecture is allowed. For example, on
174	amd64, i386 and x32 system calls are blocked as well as chang‐
175	ing the execution domain with personality(2) system call.
176
177	--profile.print=name\|pid
178	Print the name of the profile file for the sandbox identified
179	by name or or PID.
180
181	Example:
182	$ firejail --profile.print=browser
183	/etc/firejail/firefox.profile
184
185
186	`````
187
188	## /etc/firejail/firejail.config
189
190	`````
191	# Number of ARP probes sent when assigning an IP address for --net option,
192	# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
193	# timeout is implemented for each probe. Increase this number to 4 if your
194	# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
195	# between 1 and 30.
196	# arp-probes 2
197
198	# Enable this option if you have a version of Xpra that supports --attach switch
199	# for start command, default disabled.
200	# xpra-attach no
201
202
203	`````
204
205
206	## Default seccomp list update
207
208	The following syscalls have been added:
209	afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
210	pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
211	security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
212	ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default.
213
214	get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break
215	playing youtube videos on Firefox Nightly.
216
217
218
219	## New profiles:
220
221	curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy,
222	IntelliJ IDEA, Android Studio, electron, riot-web,
223	Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux,
224	telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard,
225	remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar,
226	musescore, neverball, Yandex Browser, minetest


diff --git a/RELNOTES b/RELNOTES index 47b337c2f..eea0d4a3a 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,5 +1,9 @@
1	firejail (0.9.50~rc1) baseline; urgency=low	1	firejail (0.9.51) baseline; urgency=low
2	* work in progress!	2	* work in progress!
		3	-- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500
		4
		5	firejail (0.9.50~rc1) baseline; urgency=low
		6	* release pending!
3	* modif: --output split in two commands, --output and --output-stderr	7	* modif: --output split in two commands, --output and --output-stderr
4	* feature: per-profile disable-mnt (--disable-mnt)	8	* feature: per-profile disable-mnt (--disable-mnt)
5	* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)	9	* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)


diff --git a/configure b/configure index 2f14e0a83..e1cc0147f 100755 --- a/configure +++ b/configure
@@ -1,6 +1,6 @@
1	#! /bin/sh	1	#! /bin/sh
2	# Guess values for system-dependent variables and create Makefiles.	2	# Guess values for system-dependent variables and create Makefiles.
3	# Generated by GNU Autoconf 2.69 for firejail 0.9.50~rc2.	3	# Generated by GNU Autoconf 2.69 for firejail 0.9.51.
4	#	4	#
5	# Report bugs to <netblue30@yahoo.com>.	5	# Report bugs to <netblue30@yahoo.com>.
6	#	6	#
@@ -580,8 +580,8 @@ MAKEFLAGS=
580	# Identity of this package.	580	# Identity of this package.
581	PACKAGE_NAME='firejail'	581	PACKAGE_NAME='firejail'
582	PACKAGE_TARNAME='firejail'	582	PACKAGE_TARNAME='firejail'
583	PACKAGE_VERSION='0.9.50~rc2'	583	PACKAGE_VERSION='0.9.51'
584	PACKAGE_STRING='firejail 0.9.50~rc2'	584	PACKAGE_STRING='firejail 0.9.51'
585	PACKAGE_BUGREPORT='netblue30@yahoo.com'	585	PACKAGE_BUGREPORT='netblue30@yahoo.com'
586	PACKAGE_URL='http://firejail.wordpress.com'	586	PACKAGE_URL='http://firejail.wordpress.com'
587		587
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then
1276	# Omit some internal or obsolete options to make the list less imposing.	1276	# Omit some internal or obsolete options to make the list less imposing.
1277	# This message is too long to be a string in the A/UX 3.1 sh.	1277	# This message is too long to be a string in the A/UX 3.1 sh.
1278	cat <<_ACEOF	1278	cat <<_ACEOF
1279	\`configure' configures firejail 0.9.50~rc2 to adapt to many kinds of systems.	1279	\`configure' configures firejail 0.9.51 to adapt to many kinds of systems.
1280		1280
1281	Usage: $0 [OPTION]... [VAR=VALUE]...	1281	Usage: $0 [OPTION]... [VAR=VALUE]...
1282		1282
@@ -1338,7 +1338,7 @@ fi
1338		1338
1339	if test -n "$ac_init_help"; then	1339	if test -n "$ac_init_help"; then
1340	case $ac_init_help in	1340	case $ac_init_help in
1341	short \| recursive ) echo "Configuration of firejail 0.9.50~rc2:";;	1341	short \| recursive ) echo "Configuration of firejail 0.9.51:";;
1342	esac	1342	esac
1343	cat <<\_ACEOF	1343	cat <<\_ACEOF
1344		1344
@@ -1446,7 +1446,7 @@ fi
1446	test -n "$ac_init_help" && exit $ac_status	1446	test -n "$ac_init_help" && exit $ac_status
1447	if $ac_init_version; then	1447	if $ac_init_version; then
1448	cat <<\_ACEOF	1448	cat <<\_ACEOF
1449	firejail configure 0.9.50~rc2	1449	firejail configure 0.9.51
1450	generated by GNU Autoconf 2.69	1450	generated by GNU Autoconf 2.69
1451		1451
1452	Copyright (C) 2012 Free Software Foundation, Inc.	1452	Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF
1748	This file contains any messages produced by compilers while	1748	This file contains any messages produced by compilers while
1749	running configure, to aid debugging if configure makes a mistake.	1749	running configure, to aid debugging if configure makes a mistake.
1750		1750
1751	It was created by firejail $as_me 0.9.50~rc2, which was	1751	It was created by firejail $as_me 0.9.51, which was
1752	generated by GNU Autoconf 2.69. Invocation command line was	1752	generated by GNU Autoconf 2.69. Invocation command line was
1753		1753
1754	$ $0 $@	1754	$ $0 $@
@@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF \|\| ac_write_fail=1
4367	# report actual input values of CONFIG_FILES etc. instead of their	4367	# report actual input values of CONFIG_FILES etc. instead of their
4368	# values after options handling.	4368	# values after options handling.
4369	ac_log="	4369	ac_log="
4370	This file was extended by firejail $as_me 0.9.50~rc2, which was	4370	This file was extended by firejail $as_me 0.9.51, which was
4371	generated by GNU Autoconf 2.69. Invocation command line was	4371	generated by GNU Autoconf 2.69. Invocation command line was
4372		4372
4373	CONFIG_FILES = $CONFIG_FILES	4373	CONFIG_FILES = $CONFIG_FILES
@@ -4421,7 +4421,7 @@ _ACEOF
4421	cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1	4421	cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1
4422	ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"	4422	ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
4423	ac_cs_version="\\	4423	ac_cs_version="\\
4424	firejail config.status 0.9.50~rc2	4424	firejail config.status 0.9.51
4425	configured by $0, generated by GNU Autoconf 2.69,	4425	configured by $0, generated by GNU Autoconf 2.69,
4426	with options \\"\$ac_cs_config\\"	4426	with options \\"\$ac_cs_config\\"
4427		4427


diff --git a/configure.ac b/configure.ac index b9f3cbde9..e06512665 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,5 +1,5 @@
1	AC_PREREQ([2.68])	1	AC_PREREQ([2.68])
2	AC_INIT(firejail, 0.9.50~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)	2	AC_INIT(firejail, 0.9.51, netblue30@yahoo.com, , http://firejail.wordpress.com)
3	AC_CONFIG_SRCDIR([src/firejail/main.c])	3	AC_CONFIG_SRCDIR([src/firejail/main.c])
4	#AC_CONFIG_HEADERS([config.h])	4	#AC_CONFIG_HEADERS([config.h])
5		5