author | netblue30 <netblue30@yahoo.com> | 2015-10-11 08:27:22 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-10-11 08:27:22 -0400 |
commit | a84e62e9b9517a91c88cedf74051f039758a2b30 (patch) | |
tree | 34b3e471d978fe02a55a751e092ffe2859d47f1b /platform/rpm | |
parent | Merge pull request #77 from pyther/master (diff) | |
merget #78 - standalone rpm spec
Diffstat (limited to 'platform/rpm')
-rw-r--r-- | platform/rpm/firejail.spec | 184 | ||||
-rwxr-xr-x | platform/rpm/mkrpm.sh | 129 |
2 files changed, 237 insertions, 76 deletions
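--- /dev/null
+++ b/platform/rpm/firejail.spec
@@ -0,0 +1,184 @@
+Name: firejail
+Version: 0.9.30
+Release: 1
+Summary: Linux namepaces sandbox program
+
+License: GPL+
+Group: Development/Tools
+Source0: https://github.com/netblue30/firejail/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+URL: http://firejail.sourceforege.net
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+%description
+Firejail is a SUID sandbox program that reduces the risk of security
+breaches by restricting the running environment of untrusted applications
+using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
+
+%prep
+%setup -q
+
+%build
+%configure
+make %{?_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+%make_install
+
+%clean
+rm -rf %{buildroot}
+
+
+%files
+%doc
+%defattr(-, root, root, -)
+%attr(4755, -, -) %{_bindir}/firejail
+%{_bindir}/firemon
+%{_libdir}/firejail/ftee
+%{_libdir}/firejail/fshaper.sh
+%{_libdir}/firejail/libtrace.so
+%{_datarootdir}/bash-completion/completions/firejail
+%{_datarootdir}/bash-completion/completions/firemon
+%{_docdir}/firejail
+%{_mandir}/man1/firejail.1.gz
+%{_mandir}/man1/firemon.1.gz
+%{_mandir}/man5/firejail-login.5.gz
+%{_mandir}/man5/firejail-profile.5.gz
+%config %{_sysconfdir}/firejail
+
+%changelog
+* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
+- added a disable-history.inc profile as a result of Firefox PDF.js exploit;
+disable-history.inc included in all default profiles
+- Firefox PDF.js exploit (CVE-2015-4495) fixes
+- added --private-etc option
+- added --env option
+- added --whitelist option
+- support ${HOME} token in include directive in profile files
+- --private.keep is transitioned to --private-home
+- support ~ and blanks in blacklist option
+- support "net none" command in profile files
+- using /etc/firejail/generic.profile by default for user sessions
+- using /etc/firejail/server.profile by default for root sessions
+- added build --enable-fatal-warnings configure option
+- added persistence to --overlay option
+- added --overlay-tmpfs option
+- make install-strip implemented, make install renamed
+- bugfixes
+
+* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
+- network scanning, --scan option
+- interface MAC address support, --mac option
+- IP address range, --iprange option
+- traffic shaping, --bandwidth option
+- reworked printing of network status at startup
+- man pages rework
+- added firejail-login man page
+- added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
+profiles
+- added an /etc/firejail/disable-common.inc file to hold common directory
+blacklists
+- blacklist Opera and Chrome/Chromium config directories in profile files
+- support noroot option for profile files
+- enabled noroot in default profile files
+- bugfixes
+
+* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
+- private dev directory
+- private.keep option for whitelisting home files in a new private directory
+- user namespaces support, noroot option
+- added Deluge and qBittorent profiles
+- bugfixes
+
+* Sun Apr 5 2015 netblue30 <netblue30@yahoo.com> 0.9.24-1
+- whitelist and blacklist seccomp filters
+- doubledash option
+- --shell=none support
+- netfilter file support in profile files
+- dns server support in profile files
+- added --dns.print option
+- added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
+- added --caps.drop=all in default profiles
+- new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
+- clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
+- Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
+- two build patches from Reiner Herman (tickets 11, 12)
+- man page patch from Reiner Herman (ticket 13)
+- output patch (ticket 15) from sshirokov
+
+* Mon Mar 9 2015 netblue30 <netblue30@yahoo.com> 0.9.22-1
+- Replaced --noip option with --ip=none
+- Container stdout logging and log rotation
+- Added process_vm_readv, process_vm_writev and mknod to
+default seccomp blacklist
+- Added CAP_MKNOD to default caps blacklist
+- Blacklist and whitelist custom Linux capabilities filters
+- macvlan device driver support for --net option
+- DNS server support, --dns option
+- Netfilter support
+- Monitor network statistics, --netstats option
+- Added profile for Mozilla Thunderbird/Icedove
+- --overlay support for Linux kernels 3.18+
+- Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
+- Bugfix: check uid/gid for cgroup
+
+* Fri Feb 6 2015 netblue30 <netblue30@yahoo.com> 0.9.20-1
+- utmp, btmp and wtmp enhancements
+- create empty /var/log/wtmp and /var/log/btmp files in sandbox
+- generate a new /var/run/utmp file in sandbox
+- CPU affinity, --cpu option
+- Linux control groups support, --cgroup option
+- Opera web browser support
+- VLC support
+- Added "empty" attribute to seccomp command to remove the default
+- syscall list form seccomp blacklist
+- Added --nogroups option to disable supplementary groups for regular
+- users. root user always runs without supplementary groups.
+- firemon enhancements
+- display the command that started the sandbox
+- added --caps option to display capabilities for all sandboxes
+- added --cgroup option to display the control groups for all sandboxes
+- added --cpu option to display CPU affinity for all sandboxes
+- added --seccomp option to display seccomp setting for all sandboxes
+- New compile time options: --disable-chroot, --disable-bind
+- bugfixes
+
+* Sat Dec 27 2014 netblue30 <netblue30@yahoo.com> 0.9.18-1
+- Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
+- Support for tracing setreuid, setregid, setresuid, setresguid syscalls
+- Added profiles for transmission-gtk and transmission-qt
+- bugfixes
+
+* Tue Nov 4 2014 netblue30 <netblue30@yahoo.com> 0.9.16-1
+- Configurable private home directory
+- Configurable default user shell
+- Software configuration support for --docdir and DESTDIR
+- Profile file support for include, caps, seccomp and private keywords
+- Dropbox profile file
+- Linux capabilities and seccomp filters enabled by default for Firefox,
+Midori, Evince and Dropbox
+- bugfixes
+
+* Wed Oct 8 2014 netblue30 <netblue30@yahoo.com> 0.9.14-1
+- Linux capabilities and seccomp filters are automatically enabled in
+chroot mode (--chroot option) if the sandbox is started as regular
+user
+- Added support for user defined seccomp blacklists
+- Added syscall trace support
+- Added --tmpfs option
+- Added --balcklist option
+- Added --read-only option
+- Added --bind option
+- Logging enhancements
+- --overlay option was reactivated
+- Added firemon support to print the ARP table for each sandbox
+- Added firemon support to print the route table for each sandbox
+- Added firemon support to print interface information for each sandbox
+- bugfixes
+
+* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
+- Added capabilities support
+- Added support for CentOS 7
+- bugfixes
+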
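Review bot: `%config %{_sysconfdir}/firejail` on line 48 marks the whole profile directory as config without `noreplace`, so every package upgrade overwrites profiles an administrator has hardened locally (the edited copy survives only as `.rpmsave`); the usual form for a directory of security profiles is `%config(noreplace) %{_sysconfdir}/firejail`. The bare `%doc` on line 34 names no file, and `%{_docdir}/firejail` is already listed on line 43, so the line is at best a no-op and may be rejected by rpmbuild as an empty `%doc` — drop it, or fold it into `%doc %{_docdir}/firejail`. `Summary` on line 4 misspells "namespaces" and `URL` on line 9 misspells "sourceforge". `BuildRoot`, the `rm -rf %{buildroot}` in `%install` and the whole `%clean` section are legacy on current rpm; harmless, but they add nothing.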
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 2e17fdfc1..3daede84c 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh | |||
@@ -1,80 +1,52 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | VERSION="0.9.30" | 2 | # |
3 | rm -fr ~/rpmbuild | 3 | # Usage: ./mkrpm.sh |
4 | rm -f firejail-$VERSION-1.x86_64.rpm | 4 | # ./mkrpm.sh /path/to/firejail-0.9.30.tar.gz |
5 | 5 | # | |
6 | mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp} | 6 | # Script builds rpm in a temporary directory and places the built rpm in the |
7 | cat <<EOF >~/.rpmmacros | 7 | # current working directory. |
8 | %_topdir %(echo $HOME)/rpmbuild | 8 | |
9 | %_tmppath %{_topdir}/tmp | 9 | |
10 | EOF | 10 | source=$1 |
11 | 11 | ||
12 | cd ~/rpmbuild | 12 | create_tmp_dir() { |
13 | echo "building directory tree" | 13 | tmpdir=$(mktemp -d) |
14 | 14 | mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} | |
15 | mkdir -p firejail-$VERSION/usr/bin | 15 | } |
16 | install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/. | 16 | |
17 | install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/. | 17 | |
18 | 18 | # copy or download source | |
19 | mkdir -p firejail-$VERSION/usr/lib/firejail | 19 | if [[ $source ]]; then |
20 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | 20 | |
21 | install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. | 21 | # check file exists |
22 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. | 22 | if [[ ! -f $source ]]; then |
23 | 23 | echo "$source does not exist!" | |
24 | mkdir -p firejail-$VERSION/usr/share/man/man1 | 24 | exit 1 |
25 | install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. | 25 | fi |
26 | install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/. | 26 | |
27 | 27 | name=$(awk '/Name:/ {print $2}' firejail.spec) | |
28 | mkdir -p firejail-$VERSION/usr/share/man/man5 | 28 | version=$(awk '/Version:/ {print $2}' firejail.spec) |
29 | install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/. | 29 | expected_filename="${name}-${version}.tar.gz" |
30 | install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/. | 30 | |
31 | 31 | # ensure file name matches spec file expets | |
32 | mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail | 32 | if [[ $(basename $source) != $expected_filename ]]; then |
33 | install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/. | 33 | echo "source ($source) does not match expected filename ($(basename $expected_filename))" |
34 | install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/. | 34 | exit 1 |
35 | install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/. | 35 | fi |
36 | 36 | ||
37 | mkdir -p firejail-$VERSION/etc/firejail | 37 | create_tmp_dir |
38 | install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/xchat.profile | 38 | cp ${source} ${tmpdir}/SOURCES |
39 | install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/server.profile | 39 | else |
40 | install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/quassel.profile | 40 | create_tmp_dir |
41 | install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/pidgin.profile | 41 | if ! spectool -C ${tmpdir}/SOURCES -g firejail.spec; then |
42 | install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/icecat.profile | 42 | echo "Failed to fetch firejail source code" |
43 | install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/filezilla.profile | 43 | exit 1 |
44 | install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/chromium-browser.profile | 44 | fi |
45 | install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/chromium.profile | 45 | fi |
46 | install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/dropbox.profile | 46 | |
47 | install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/disable-common.inc | 47 | cp ./firejail.spec "${tmpdir}/SPECS/firejail.spec" |
48 | install -m 644 /etc/firejail/disable-history.inc firejail-$VERSION/etc/firejail/disable-history.inc | 48 | |
49 | install -m 644 /etc/firejail/disable-secret.inc firejail-$VERSION/etc/firejail/disable-secret.inc | 49 | <<<<<<< HEAD |
50 | install -m 644 /etc/firejail/disable-mgmt.inc firejail-$VERSION/etc/firejail/disable-mgmt.inc | ||
51 | install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/evince.profile | ||
52 | install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/firefox.profile | ||
53 | install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/icedove.profile | ||
54 | install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/iceweasel.profile | ||
55 | install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/midori.profile | ||
56 | install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/thunderbird.profile | ||
57 | install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/opera.profile | ||
58 | install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/transmission-gtk.profile | ||
59 | install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/transmission-qt.profile | ||
60 | install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/vlc.profile | ||
61 | install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/audacious.profile | ||
62 | install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/clementine.profile | ||
63 | install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/gnome-mplayer.profile | ||
64 | install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/rhythmbox.profile | ||
65 | install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/totem.profile | ||
66 | install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/deluge.profile | ||
67 | install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/qbittorrent.profile | ||
68 | install -m 644 /etc/firejail/generic.profile firejail-$VERSION/etc/firejail/generic.profile | ||
69 | install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/login.users | ||
70 | install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/deadbeef.profile | ||
71 | install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/empathy.profile | ||
72 | |||
73 | |||
74 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions | ||
75 | install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. | ||
76 | install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. | ||
77 | |||
78 | echo "building tar.gz archive" | 50 | echo "building tar.gz archive" |
79 | tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION | 51 | tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION |
80 | 52 | ||
@@ -316,4 +288,9 @@ rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm | |||
316 | cd .. | 288 | cd .. |
317 | rm -f firejail-$VERSION-1.x86_64.rpm | 289 | rm -f firejail-$VERSION-1.x86_64.rpm |
318 | cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . | 290 | cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . |
291 | ======= | ||
292 | rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec" | ||
293 | >>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd | ||
319 | 294 | ||
295 | cp ${tmpdir}/RPMS/x86_64/firejail-*-1.x86_64.rpm . | ||
296 | rm -rf "${tmpdir}" | ||
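Review bot: Unresolved merge-conflict markers are committed into the script on new lines 49, 291 and 293 (`<<<<<<< HEAD`, `=======`, `>>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd`), and bash rejects `<<<<<<< HEAD` as a syntax error only when execution reaches line 49, i.e. after the source has already been fetched and copied into `${tmpdir}`. The HEAD side of the conflict (new lines 50-52 and 288-290) still uses `$VERSION` and `rpmbuild/RPMS/x86_64/...` although the `VERSION=` assignment and the `~/rpmbuild` tree are removed in this same hunk, so only the `rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec"` branch matches the rest of the new code; delete the markers and the HEAD side and keep lines 292, 295 and 296. The download path has no integrity check: when `spectool -g` on line 41 fetches the tarball, nothing compares it with a known digest before `rpmbuild` unpacks and compiles it as the packaging user, so verify `${tmpdir}/SOURCES/${expected_filename}` against a pinned SHA-256 with `sha256sum -c` before the build step. Expansions such as `$source` on line 32 (where an unquoted `$expected_filename` on the right of `!=` is also treated as a pattern) and `${tmpdir}` on lines 14, 38 and 295 are unquoted, so a path with spaces or glob characters breaks the comparison and the copies; quote them, and add `trap 'rm -rf -- "${tmpdir}"' EXIT` right after `create_tmp_dir` so the temporary tree is also removed on the `exit 1` paths on lines 24, 34 and 43.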