fixes

author: netblue30 <netblue30@yahoo.com> 2018-10-03 07:54:53 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-10-03 07:54:53 -0400
commit: 68819975d8af11337c5462d880eb4a48dd09eb4b (patch)
tree: e4b31b261ffbc5ffb7cf8ad3ea2443cc6727b9f5 /RELNOTES
parent: building debian apparmror packages (diff)
download: firejail-68819975d8af11337c5462d880eb4a48dd09eb4b.tar.gz
firejail-68819975d8af11337c5462d880eb4a48dd09eb4b.tar.zst
firejail-68819975d8af11337c5462d880eb4a48dd09eb4b.zip
1 files changed, 14 insertions, 774 deletions
diff --git a/RELNOTES b/RELNOTES
index 974999bcb..c521aec70 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,775 +1,15 @@
-firejail (0.9.56~rc1) baseline; urgency=low
+firejail (0.9.56-LTS~rc1) baseline; urgency=low
-  * work in progress
+  * code based on Firejail version 0.9.56
-  * modif: removed CFG_CHROOT_DESKTOP configuration option
+  * much smaller code base for SUID executable
-  * modif: removed compile time --enable-network=restricted
+  * command line options removed:
-  * modif: --net=none allowed even if networking was disabled at compile
+     --audit, --build, --cgroup, --chroot, --get, --ls, --output,
-     time or at run time
+     --output-stderr, --overlay, --overlay-named, --overlay-tmpfs,
-  * support wireless devices in --net option
+     --overlay-clean, --private-home, --private-bin, --private-etc,
-  * support tap devices in --net option (tunneling support)
+     --private-opt, --private-srv, --put, --rlimit*, --trace, --tracelog,
-  * allow IP address configuration if the parent interface specified
+     --x11*, --xephyr*
-     by --net is not configured (--netmask)
+  * compile-time options: --enable-apparmor, --disable-seccomp,
-  * disable U2F devices (--nou2f)
+     --disable-globalcfg, --disable-network, --disable-userns,
-  * add --private-cache to support private ~/.cache
+     --disable-whitelist, --disable-suid, --enable-fatal-warnings,
-  * support full paths in private-lib
+     --enable-busybox-workaround
-  * globbing support in private-lib
+ -- netblue30 <netblue30@yahoo.com>  Wed, 3 Oct 2018 08:00:00 -0500
-  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
-  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
-  * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
-  * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
-  * new profiles: Beaker, electrum
- -- netblue30 <netblue30@yahoo.com>  Sat, 11 Aug 2018 08:00:00 -0500
-firejail (0.9.54) baseline; urgency=low
-  * modif: --force removed
-  * modif: --csh, --zsh removed
-  * modif: --debug-check-filename removed
-  * modif: --git-install and --git-uninstall removed
-  * modif: support for private-bin, private-lib and shell none has been
-     disabled while running AppImage archives in order to be able to use
-     our regular profile files with AppImages.
-  * modif: restrictions for /proc, /sys and /run/user directories
-     are moved from AppArmor profile into firejail executable
-  * modif: unifying Chromium and Firefox browsers profiles.
-     All users of Firefox-based browsers who use addons and plugins
-     that read/write from ${HOME} will need to uncomment the includes for
-     firefox-common-addons.inc in firefox-common.profile.
-  * modif: split disable-devel.inc into disable-devel and
-     disable-interpreters.inc
-  * Firejail user access database (/etc/firejail/firejail.users,
-     man firejail-users)
-  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
-  * Spectre mitigation patch for gcc and clang compiler
-  * D-Bus handling (--nodbus)
-  * AppArmor support for overlayfs and chroot sandboxes
-  * AppArmor support for AppImages
-  * Enable AppArmor by default for a large number of programs
-  * firejail --apparmor.print option
-  * firemon --apparmor option
-  * apparmor yes/no flag in /etc/firejail/firejail.config
-  * seccomp syscall list update for glibc 2.26-10
-  * seccomp disassembler for --seccomp.print option
-  * seccomp machine code optimizer for default seccomp filters
-  * IPv6 DNS support
-  * whitelist support for overlay and chroot sandboxes
-  * private-dev support for overlay and chroot sandboxes
-  * private-tmp support for overlay and chroot sandboxes
-  * added sandbox name support in firemon
-  * firemon/prctl enhancements
-  * noblacklist support for /sys/module directory
-  * whitelist support for /sys/module directory
-  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
-  * new profiles: discord-canary, pycharm-community, pycharm-professional,
-  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
-  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
-  * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
-  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
-  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
-  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
-  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
-  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
-  * new profiles: qmmp, sayonara
- -- netblue30 <netblue30@yahoo.com>  Wed, 16 May 2018 08:00:00 -0500
-firejail (0.9.52) baseline; urgency=low
-  * modif: --allow-private-blacklists was deprecated; blacklisting,
-    read-only, read-write, tmpfs and noexec are allowed in
-    private home directories
-  * modif: remount-proc-sys deprecated from firejail.config
-  * modif: follow-symlink-private-bin deprecated from firejail.config
-  * modif: --profile-path was deprecated
-  * enhancement: support Firejail user config directory in firecfg
-  * enhancement: disable DBus activation in firecfg
-  * enhancement; enumerate root directories in apparmor profile
-  * enhancement: /etc and /usr/share whitelisting support
-  * enhancement: globbing support for --private-bin
-  * feature: systemd-resolved integration
-  * feature: whitelisting /var directory in most profiles
-  * feature: GTK2, GTK3 and Qt4 private-lib support
-  * feature: --debug-private-lib
-  * feature: test deployment of private-lib for the following
-    applications: evince, galculator, gnome-calculator,
-    leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
-    atril, mate-color-select, tar, file, strings, gpicview,
-    eom, eog, gedit, pluma
-  * feature: --writable-run-user
-  * feature: --rlimit-as
-  * feature: --rlimit-cpu
-  * feature: --timeout
-  * feature: profile build tool (--build)
-  * feature: --netfilter.print
-  * feature: --netfilter6.print
-  * feature: netfilter template support
-  * new profiles: upstreamed many profiles from the following sources:
-     https://github.com/chiraag-nataraj/firejail-profiles,
-     https://github.com/nyancat18/fe,
-     https://aur.archlinux.org/packages/firejail-profiles.
-  * new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
-      clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
-      brackets, calligra, calligraauthor, calligraconverter, calligraflow,
-      calligraplan, calligraplanwork, calligrasheets, calligrastage,
-      calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
-      google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
-      mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
-      Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
-      cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
-      xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
-      kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report
-      cower (Arch), kdeinit4
- -- netblue30 <netblue30@yahoo.com>  Thu, 7 Dec 2017 08:00:00 -0500
-firejail (0.9.50) baseline; urgency=low
-  * modif: --output split in two commands, --output and --output-stderr
-  * feature: per-profile disable-mnt (--disable-mnt)
-  * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
-  * feature: private /lib directory (--private-lib)
-  * feature: disable CDROM/DVD drive (--nodvd)
-  * feature: disable DVB devices (--notv)
-  * feature: --profile.print
-  * enhancement: print all seccomp filters under --debug
-  * enhancement: /proc/sys mounting
-  * enhancement: rework IP address assingment for --net options
-  * enhancement: support for newer Xpra versions (2.1+) -
-     set xpra-attach yes in /etc/firejail/firejail.config
-  * enhancement: all profiles use a standard layout style
-  * enhancement: create /usr/local for firecfg if the directory doesn't exist
-  * enhancement: allow full paths in --private-bin
-  * seccomp feature: --memory-deny-write-execute
-  * seccomp feature: seccomp post-exec
-  * seccomp feature: block secondary architecture (--seccomp.block_secondary)
-  * seccomp feature: seccomp syscall groups
-  * seccomp enhancement: print all seccomp filters under --debug
-  * seccomp enhancement: default seccomp list update
-  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
-  * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
-  * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
-  * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
-  * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
-  * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
-  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
-  * new profiles: sqlitebrowse, Yandex Browser, minetest
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sat, 30 Sep 2017 08:00:00 -0500
-firejail (0.9.50~rc1) baseline; urgency=low
-  * release pending!
-  * modif: --output split in two commands, --output and --output-stderr
-  * feature: per-profile disable-mnt (--disable-mnt)
-  * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
-  * feature: private /lib directory (--private-lib)
-  * feature: disable CDROM/DVD drive (--nodvd)
-  * feature: disable DVB devices (--notv)
-  * feature: --profile.print
-  * enhancement: print all seccomp filters under --debug
-  * enhancement: /proc/sys mounting
-  * enhancement: rework IP address assingment for --net options
-  * enhancement: support for newer Xpra versions (2.1+) -
-     set xpra-attach yes in /etc/firejail/firejail.config
-  * enhancement: all profiles use a standard layout style
-  * enhancement: create /usr/local for firecfg if the directory doesn't exist
-  * enhancement: allow full paths in --private-bin
-  * seccomp feature: --memory-deny-write-execute
-  * seccomp feature: seccomp post-exec
-  * seccomp feature: block secondary architecture (--seccomp.block_secondary)
-  * seccomp feature: seccomp syscall groups
-  * seccomp enhancement: print all seccomp filters under --debug
-  * seccomp enhancement: default seccomp list update
-  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
-  * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
-  * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
-  * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
-  * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
-  * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
-  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
-  * new profiles: sqlitebrowse, Yandex Browser, minetest
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
-firejail (0.9.48) baseline; urgency=low
-  * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
-    please use ~/Downloads directory for saving files
-  * modifs: AppArmor made optional; a warning is printed on the screen
-    if the sandbox fails to load the AppArmor profile
-  * feature: --novideo
-  * feature: drop discretionary access control capabilities for
-    root sandboxes
-  * feature: added /etc/firejail/globals.local for global customizations
-  * feature: profile support in overlayfs mode
-  * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 08:00:00 -0500
-firejail (0.9.46) baseline; urgency=low
-  * security: split most of networking code in a separate executable
-  * security: split seccomp filter code configuration in a separate executable
-  * security: split file copying in private option in a separate executable
-  * feature: disable gnupg and systemd directories under /run/user
-  * feature: test coverage (gcov) support
-  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
-  * feature: private /opt directory (--private-opt, profile support)
-  * feature: private /srv directory (--private-srv, profile support)
-  * feature: spoof machine-id (--machine-id, profile support)
-  * feature: allow blacklists under --private (--allow-private-blacklist,
-    profile support)
-  * feature: user-defined /etc/hosts file (--hosts-file, profile support)
-  * feature: support for the real /var/log directory (--writable-var-log,
-    profile support)
-  * feature: config support for firejail prompt in terminals
-  * feature: AppImage type 2 support
-  * feature: pass command line arguments to appimages
-  * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
-  * feature: added a number of Python scripts for handling sandboxes
-  * feature: allow local customization using .local files under /etc/firejail
-  * feature: follow-symlink-as-user runtime config option in
-    /etc/firejail/firejail.config
-  * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config
-  * feature: xvfb X11 server support (--x11=xvfb)
-  * feature: allow /tmp directory in mkdir and mkfile profile commands
-  * feature: implemented --noblacklist command, profile support
-  * feature: config support to disable access to /mnt and /media (disable-mnt)
-  * feature: config support to disable join (join)
-  * feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
-  * feature: support overlay, overlay-named and overlay-tmpfs in profile files
-  * feature: allow PulseAudio sockets in --private-tmp
-  * feature: --fix-sound support in firecfg
-  * feature: added support for sandboxing Xpra, Xvfb and Xephyr in
-    independent sandboxes when started with firejail --x11
-  * feature: enable automatic X server sandboxing for --x11=xpra
-    and --x11=xephyr
-  * feature: support for Xpra extra params in firejail config file
-  * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
-  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
-  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
-  * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
-  * new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
-  * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,
-  * new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,
-  * new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,
-  * new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
-  * new profiles: Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict,
-  * new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin,
-  * new profiles: mate-calc, mate-dictionary, mate-color-select, caja,
-  * new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes
-  * new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr
-  * new profiles: Blender, 2048-qt
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sun, 14 May 2017 08:00:00 -0500
-firejail (0.9.44.10) baseline; urgency=low
-  * security: when using --x11=xorg and --net, incorrect processing of
-    the return code of /usr/bin/xauth could end up in starting the
-    sandbox without X11 security extension installed. Problem found/fixed
-    by Zack Weinberg
-  * bugfix: ~/.pki directory whitelisted and later blacklisted. This affects
-    most browsers, and disables the custom certificates installed by the user
-  * bugfix: firecfg config fix
-  * bugfix: gajim security profile fix
-  * bugfix: man page fix
-  * bugfix: force-nonewprivs fix for /etc/firejail/firejail.config
-  * bugfix: xephyr-extra-params fix for /etc/firejail/firejail.config
-  * bugfix: memory corruption in noblacklist processing
-  * bugfix: --quiet fix for Arch and Fedora systems
-  * bugfix: updated Keepass(x) profiles
-  * bugfix: firemon --nowrap problem
-  * bugfix: document firemon --nowrap in man page and in --help option
-  * bugfix: bash completion for --noblacklist command
-  * bugfix: vlc profile fix
-  * bugfix: fixed handling of .local profile files when the software is
-    installed in ~/.local directory
-  * bugfix: temporarily remove private-tmp from all profiles, until a fix for
-    .Xauthority file handling in KDE becomes available
-  * maintenance: --output cleanup
-  * maintenance: updated copyright statement in all files
- -- netblue30 <netblue30@yahoo.com>  Sat, 18 Mar 2017 10:00:00 -0500
-firejail (0.9.44.8) baseline; urgency=low
-  * bugfix: fix broken PulseAudio support
- -- netblue30 <netblue30@yahoo.com>  Wed, 18 Jan 2017 10:00:00 -0500
-firejail (0.9.44.6) baseline; urgency=low
-  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week,
-     new CVE code assigned after release: CVE-2017-5940
-  * security: major cleanup of file copying code
-  * security: tightening the rules for --chroot and --overlay features
-  * bugfix: ported Gentoo compile patch
-  * bugfix: Nvidia drivers bug in --private-dev
-  * bugfix: fix ASSERT_PERMS_FD macro
-  * feature: allow local customization using .local files under /etc/firejail
-    backported from our development branch
-  * feature: spoof machine-id backported from our development branch
- -- netblue30 <netblue30@yahoo.com>  Sun, 15 Jan 2017 10:00:00 -0500
-firejail (0.9.44.4) baseline; urgency=low
-  * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
-  * security: disabled --allow-debuggers when running on kernel
-    versions prior to 4.8; a kernel bug in ptrace system call
-    allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
-    (CVE-2017-5206)
-  * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
- -- netblue30 <netblue30@yahoo.com>  Sat, 7 Jan 2017 10:00:00 -0500
-firejail (0.9.44.2) baseline; urgency=low
-  * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
-  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
-  * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
-  * security: several security enhancements
-  * bugfix: crashing VLC by pressing Ctrl-O
-  * bugfix: use user configured icons in KDE
-  * bugfix: mkdir and mkfile are not applied to private directories
-  * bugfix: cannot open files on Deluge running under KDE
-  * bugfix: --private=dir where dir is the user home directory
-  * bugfix: cannot start Vivaldi browser
-  * bugfix: cannot start mupdf
-  * bugfix: ssh profile problems
-  * bugfix: --quiet
-  * bugfix: quiet in git profile
-  * bugfix: memory corruption
- -- netblue30 <netblue30@yahoo.com>  Fri, 2 Dec 2016 08:00:00 -0500
-firejail (0.9.44) baseline; urgency=low
-  * CVE-2016-9016 submitted by Aleksey Manevich
-  * modifs: removed man firejail-config
-  * modifs: --private-tmp whitelists /tmp/.X11-unix directory
-  * modifs: Nvidia drivers added to --private-dev
-  * modifs: /srv supported by --whitelist
-  * feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
-  * feature: support starting/joining sandbox is a single command
-    (--join-or-start)
-  * feature: X11 detection support for --audit
-  * feature: assign a name to the interface connected to the bridge
-    (--veth-name)
-  * feature: all user home directories are visible (--allusers)
-  * feature: add files to sandbox container (--put)
-  * feature: blocking x11 (--x11=block)
-  * feature: X11 security extension (--x11=xorg)
-  * feature: disable 3D hardware acceleration (--no3d)
-  * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
-  * feature: move files in sandbox (--put)
-  * feature: accept wildcard patterns in user  name field of restricted
-    shell login feature
-  * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
-  * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
-  * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
-  * new profiles: Flowblade, Eye of GNOME (eog), Evolution
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Fri, 21 Oct 2016 08:00:00 -0500
-firejail (0.9.42) baseline; urgency=low
-  * security: --whitelist deleted files, submitted by Vasya Novikov
-  * security: disable x32 ABI in seccomp, submitted by Jann Horn
-  * security: tighten --chroot, submitted by Jann Horn
-  * security: terminal sandbox escape, submitted by Stephan Sokolow
-  * security: several TOCTOU fixes submitted by Aleksey Manevich
-  * modifs: bringing back --private-home option
-  * modifs: deprecated --user option, please use "sudo -u username firejail"
-  * modifs: allow symlinks in home directory for --whitelist option
-  * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
-  * modifs: recursive mkdir
-  * modifs: include /dev/snd in --private-dev
-  * modifs: seccomp filter update
-  * modifs: release archives moved to .xz format
-  * feature: AppImage support (--appimage)
-  * feature: AppArmor support (--apparmor)
-  * feature: Ubuntu snap support (/etc/firejail/snap.profile)
-  * feature: Sandbox auditing support (--audit)
-  * feature: remove environment variable (--rmenv)
-  * feature: noexec support (--noexec)
-  * feature: clean local overlay storage directory (--overlay-clean)
-  * feature: store and reuse overlay (--overlay-named)
-  * feature: allow debugging inside the sandbox with gdb and strace
-         (--allow-debuggers)
-  * feature: mkfile profile command
-  * feature: quiet profile command
-  * feature: x11 profile command
-  * feature: option to fix desktop files (firecfg --fix)
-  * compile time: Busybox support (--enable-busybox-workaround)
-  * compile time: disable overlayfs (--disable-overlayfs)
-  * compile time: disable whitelisting (--disable-whitelist)
-  * compile time: disable global config (--disable-globalcfg)
-  * run time: enable/disable overlayfs (overlayfs yes/no)
-  * run time: enable/disable  quiet as default (quiet-by-default yes/no)
-  * run time: user-defined network filter (netfilter-default)
-  * run time: enable/disable whitelisting (whitelist yes/no)
-  * run time: enable/disable remounting of /proc and /sys
-          (remount-proc-sys yes/no)
-  * run time: enable/disable chroot desktop features (chroot-desktop yes/no)
-  * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
-  * profiles: pix, audacity, xz, xzdec, gzip, cpio, less
-  * profiles: Atom Beta, Atom, jitsi, eom, uudeview
-  * profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
-  * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Thu, 8 Sept 2016 08:00:00 -0500
-firejail (0.9.40) baseline; urgency=low
-  * added --nice option
-  * added --x11 option
-  * added --x11=xpra option
-  * added --x11=xephyr option
-  * added --cpu.print option
-  * added filetransfer options --ls and --get
-  * added --writable-etc and --writable-var options
-  * added --read-only option
-  * added mkdir, ipc-namespace, and nosound profile commands
-  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
-  * --version also prints compile options
-  * --output option also redirects stderr
-  * added compile-time option to restrict --net= to root only
-  * run time config support, man firejail-config
-  * added firecfg utility
-  * AppArmor fixes
-  * default seccomp filter update
-  * disable STUN/WebRTC in default netfilter configuration
-  * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
-  * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
-  * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
-  * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
-  * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
-  * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
-  * new profiles: generic Ubuntu snap application profile, xplayer
-  * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
-  * new profiles: Brave, Gitter
-  * generic.profile renamed default.profile
-  * build rpm packages using "make rpms"
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sun, 29 May 2016 08:00:00 -0500
-firejail (0.9.38.10) baseline; urgency=low
-  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
-     new CVE code assigned after release: CVE-2017-5940
-  * security: tightening the rules for --chroot
-  * bugfix: ported Gentoo compile patch
-  * bugfix: fix ASSERT_PERMS_FD macro
- -- netblue30 <netblue30@yahoo.com>  Sun, 15 Jan 2017 10:00:00 -0500
-firejail (0.9.38.8) baseline; urgency=low
-  * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
- -- netblue30 <netblue30@yahoo.com>  Sat, 7 Jan 2017 10:00:00 -0500
-firejail (0.9.38.6) baseline; urgency=low
-  * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
-  * bugfix: crashing VLC by pressing Ctrl-O
- -- netblue30 <netblue30@yahoo.com>  Fri, 16 Dec 2016 10:00:00 -0500
-firejail (0.9.38.4) baseline; urgency=low
-  * CVE-2016-7545 submitted by Aleksey Manevich
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Mon, 10 Oct 2016 10:00:00 -0500
-firejail (0.9.38.2) baseline; urgency=low
-  * security: --whitelist deleted files, submitted by Vasya Novikov
-  * security: disable x32 ABI, submitted by Jann Horn
-  * security: tighten --chroot, submitted by Jann Horn
-  * security: terminal sandbox escape, submitted by Stephan Sokolow
-  * feature: clean local overlay storage directory (--overlay-clean)
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Tue, 23 Aug 2016 10:00:00 -0500
-firejail (0.9.38) baseline; urgency=low
-  * IPv6 support (--ip6 and --netfilter6)
-  * --join command enhancement (--join-network, --join-filesystem)
-  * added --user command
-  * added --disable-network and --disable-userns compile time flags
-  * Centos 6 support
-  * symlink invocation
-  * added KMail, Seamonkey, Telegram, Mathematica, uGet,
-  *   and mupen64plus profiles
-  * --chroot in user mode allowed only if seccomp support is available
-  *   in current Linux kernel (CVE-2016-10123)
-  * deprecated --private-home feature
-  * the first protocol list installed takes precedence
-  * --tmpfs option allowed only running as root (CVE-2016-10117)
-  * added --private-tmp option
-  * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Tue, 2 Feb 2016 10:00:00 -0500
-firejail (0.9.36) baseline; urgency=low
-  * added  unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
-     parole and rtorrent profiles
-  * Google Chrome profile rework
-  * added google-chrome-stable profile
-  * added google-chrome-beta profile
-  * added google-chrome-unstable profile
-  * Opera profile rework
-  * added opera-beta profile
-  * added --noblacklist option
-  * added --profile-path option
-  * added --force option
-  * whitelist command enhancements
-  * prevent user name enumeration
-  * added /etc/firejail/nolocal.net network filter
-  * added /etc/firejail/webserver.net network filter
-  * blacklisting firejail configuration by default
-  * allow default gateway configuration for --interface option
-  * --debug enhancements: --debug-check-filenames, --debug-blacklists,
-    --debug-whitelists
-  * filesystem log
-  * libtrace enhancements, tracing opendir call
-  * added --tracelog option
-  * added "name" command to profile files
-  * added "hostname" command to profile files
-  * added automated feature testing framework
-  * Debian reproducible build
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sun, 27 Dec 2015 09:00:00 -0500
-firejail (0.9.34) baseline; urgency=low
-  * added --ignore option
-  * added --protocol option
-  * support dual i386/amd64 seccomp filters
-  * added Google Chrome profile
-  * added Steam, Skype, Wine and Conkeror profiles
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sat, 7 Nov 2015 08:00:00 -0500
-firejail (0.9.32) baseline; urgency=low
-  * added --interface option
-  * added --mtu option
-  * added --private-bin option
-  * added --nosound option
-  * added --hostname option
-  * added --quiet option
-  * added seccomp errno support
-  * added FBReader default profile
-  * added Spotify default profile
-  * lots of default security profile changes
-  * fixed a security problem on multi-user systems
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2015 08:00:00 -0500
-firejail (0.9.30) baseline; urgency=low
-  * added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-    disable-history.inc included in all default profiles
-  * Firefox PDF.js exploit (CVE-2015-4495) fixes
-  * added --private-etc option
-  * added --env option
-  * added --whitelist option
-  * support ${HOME} token in include directive in profile files
-  * --private.keep is transitioned to --private-home
-  * support ~ and blanks in blacklist option
-  * support "net none" command in profile files
-  * using /etc/firejail/generic.profile by default for user sessions
-  * using /etc/firejail/server.profile by default for root sessions
-  * added build --enable-fatal-warnings configure option
-  * added persistence to --overlay option
-  * added --overlay-tmpfs option
-  * make install-strip implemented, make install renamed
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Mon, 14 Sept 2015 08:00:00 -0500
-firejail (0.9.28) baseline; urgency=low
-  * network scanning, --scan option
-  * interface MAC address support, --mac option
-  * IP address range, --iprange option
-  * traffic shaping, --bandwidth option
-  * reworked printing of network status at startup
-  * man pages rework
-  * added firejail-login man page
-  * added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-    profiles
-  * added an /etc/firejail/disable-common.inc file to hold common directory
-    blacklists
-  * blacklist Opera and Chrome/Chromium config directories in profile files
-  * support noroot option for profile files
-  * enabled noroot in default profile files
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sat, 1 Aug 2015 08:00:00 -0500
-firejail (0.9.26) baseline; urgency=low
-  * private dev directory
-  * private.keep option for whitelisting home files in a new private directory
-  * user namespaces support, noroot option
-  * added Deluge and qBittorent profiles
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Thu, 30 Apr 2015 08:00:00 -0500
-firejail (0.9.24) baseline; urgency=low
-  * whitelist and blacklist seccomp filters
-  * doubledash option
-  * --shell=none support
-  * netfilter file support in profile files
-  * dns server support in profile files
-  * added --dns.print option
-  * added default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem.
-  * added --caps.drop=all in default profiles
-  * new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
-  *         clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
-  * Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
-  * two build patches from Reiner Herman (tickets 11, 12)
-  * man page patch from Reiner Herman (ticket 13)
-  * output patch (ticket 15) from sshirokov
- -- netblue30 <netblue30@yahoo.com>  Sun, 5 Apr 2015 08:00:00 -0500
-firejail (0.9.22) baseline; urgency=low
-  * Replaced --noip option with --ip=none
-  * Container stdout logging and log rotation
-  * Added process_vm_readv, process_vm_writev and mknod to
-  *    default seccomp blacklist
-  * Added CAP_MKNOD to default caps blacklist
-  * Blacklist and whitelist custom Linux capabilities filters
-  * macvlan device driver support for --net option
-  * DNS server support, --dns option
-  * Netfilter support
-  * Monitor network statistics, --netstats option
-  * Added profile for Mozilla Thunderbird/Icedove
-  * - --overlay support for Linux kernels 3.18+
-  * Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
-  * Bugfix: check uid/gid for cgroup
- -- netblue30 <netblue30@yahoo.com>  Mon, 9 Mar 2015 09:00:00 -0500
-firejail (0.9.20) baseline; urgency=low
-  * utmp, btmp and wtmp enhancements
-  *    create empty /var/log/wtmp and /var/log/btmp files in sandbox
-  *    generate a new /var/run/utmp file in sandbox
-  * CPU affinity, --cpu option
-  * Linux control groups support, --cgroup option
-  * Opera web browser support
-  * VLC support
-  * Added "empty" attribute to seccomp command to remove the default
-  *    syscall list form seccomp blacklist
-  * Added --nogroups option to disable supplementary groups for regular
-  *   users. root user always runs without supplementary groups.
-  * firemon enhancements
-  *   display the command that started the sandbox
-  *   added --caps option to display capabilities for all sandboxes
-  *   added --cgroup option to display the control groups for all sandboxes
-  *   added --cpu option to display CPU affinity for all sandboxes
-  *   added --seccomp option to display seccomp setting for all sandboxes
-  * New compile time options: --disable-chroot, --disable-bind
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Mon, 02 Feb 2015 08:00:00 -0500
-firejail (0.9.18) baseline; urgency=low
-  * Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
-  * Support for tracing setreuid, setregid, setresuid, setresguid syscalls
-  * Added profiles for transmission-gtk and transmission-qt
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Fri, 25 Dec 2014 10:00:00 -0500
-firejail (0.9.16) baseline; urgency=low
-  * Configurable private home directory
-  * Configurable default user shell
-  * Software configuration support for --docdir and DESTDIR
-  * Profile file support for include, caps, seccomp and private keywords
-  * Dropbox profile file
-  * Linux capabilities and seccomp filters enabled by default for Firefox,
-  Midori, Evince and Dropbox
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Tue, 4 Nov 2014 10:00:00 -0500
-firejail (0.9.14) baseline; urgency=low
-  * Linux capabilities and seccomp filters are automatically enabled in
-    chroot mode (--chroot option) if the sandbox is started as regular user
-  * Added support for user defined seccomp blacklists
-  * Added syscall trace support
-  * Added --tmpfs option
-  * Added --balcklist option
-  * Added --read-only option
-  * Added --bind option
-  * Logging enhancements
-  * --overlay option was reactivated
-  * Added firemon support to print the ARP table for each sandbox
-  * Added firemon support to print the route table for each sandbox
-  * Added firemon support to print interface information for each sandbox
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Tue, 15 Oct 2014 10:00:00 -0500
-firejail (0.9.12.2) baseline; urgency=low
-  * Fix for pulseaudio problems
-  * --overlay option was temporarily disabled in this build
- -- netblue30 <netblue30@yahoo.com>  Mon, 29 Sept 2014 07:00:00 -0500
-firejail (0.9.12.1) baseline; urgency=low
-  * Fix for pulseaudio problems
-  * --overlay option was temporarily disabled in this build
- -- netblue30 <netblue30@yahoo.com>  Mon, 22 Sept 2014 09:00:00 -0500
-firejail (0.9.12) baseline; urgency=low
-  * Added capabilities support
-  * Added support for CentOS 7
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Mon, 15 Sept 2014 10:00:00 -0500
-firejail (0.9.10) baseline; urgency=low
-  * Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot
-  * Fixed --top option CPU utilization calculation
-  * Implemented --tree option in firejail and firemon
-  * Implemented --join=name option
-  * Implemented --shutdown option
-  * Preserve the current working directory if possible
-  * Cppcheck and clang errors cleanup
-  * Added a Chromium web browser profile
- -- netblue30 <netblue30@yahoo.com>  Thu, 28 Aug 2014 07:00:00 -0500
-firejail (0.9.8.1) baseline; urgency=low
-  * FIxed a number of bugs introduced in 0.9.8
- -- netblue30 <netblue30@yahoo.com>  Fri, 25 Jul 2014 07:25:00 -0500
-firejail (0.9.8) baseline; urgency=low
-  * Implemented nowrap mode for firejail --list command option
-  * Added --top option in both firejail and firemon
-  * seccomp filter support
-  * Added pid support for firemon
-  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Tue, 24 Jul 2014 08:51:00 -0500
-firejail (0.9.6) baseline; urgency=low
-  * Mounting tmpfs on top of /var/log, required by several server programs
-  * Server fixes for /var/lib and /var/cache
-  * Private mode fixes
-  * csh and zsh default shell support
-  * Chroot mode fixes
-  * Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd,
- -- netblue30 <netblue30@yahoo.com>  Sat, 7 Jun 2014 09:00:00 -0500
-firejail (0.9.4) baseline; urgency=low
-  * Fixed resolv.conf on Ubuntu systems using DHCP
-  * Fixed resolv.conf on Debian systems using resolvconf package
-  * Fixed /var/lock directory
-  * Fixed /var/tmp directory
-  * Fixed symbolic links in profile files
-  * Added profiles for evince, midori
- -- netblue30 <netblue30@yahoo.com>  Sun, 4 May 2014 08:00:00 -0500
-firejail (0.9.2) baseline; urgency=low
-  * Checking IP address passed with --ip option using ARP; exit if the address
-   is already present
-  * Using a lock file during ARP address assignment in order to removed a race
-   condition.
-  * Several fixes to --private option; it also mounts a tmpfs filesystem on top
-   of /tmp
-  * Added user access check for profile file
-  * Added --defaultgw option
-  * Added support of --noip option; it is necessary for DHCP setups
-  * Added syslog support
-  * Added support for "tmpfs" and "read-only" profile commands
-  * Added an expect-based testing framework for the project
-  * Added bash completion support
-  * Added support for multiple networks
- -- netblue30 <netblue30@yahoo.com>  Fri, 25 Apr 2014 08:00:00 -0500
-firejail (0.9) baseline; urgency=low
-  * First beta version
- -- netblue30 <netblue30@yahoo.com>  Sat, 12 Apr 2014 09:00:00 -0500
author	netblue30 <netblue30@yahoo.com>	2018-10-03 07:54:53 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-10-03 07:54:53 -0400
commit	68819975d8af11337c5462d880eb4a48dd09eb4b (patch)
tree	e4b31b261ffbc5ffb7cf8ad3ea2443cc6727b9f5 /RELNOTES
parent	building debian apparmror packages (diff)
download	firejail-68819975d8af11337c5462d880eb4a48dd09eb4b.tar.gz firejail-68819975d8af11337c5462d880eb4a48dd09eb4b.tar.zst firejail-68819975d8af11337c5462d880eb4a48dd09eb4b.zip