Fix mkrpm.sh

author: Jon Griffiths <jon_p_griffiths@yahoo.com> 2016-02-16 04:28:24 +1300
committer: Jon Griffiths <jon_p_griffiths@yahoo.com> 2016-02-16 04:35:58 +1300
commit: d684d9988bcc56e376cf89e51160d10ac8c9c9ff (patch)
tree: 086a6eeee1891ee450178984b0164dbdaa873a1e /platform/rpm
parent: Update spec file (diff)
download: firejail-d684d9988bcc56e376cf89e51160d10ac8c9c9ff.tar.gz
firejail-d684d9988bcc56e376cf89e51160d10ac8c9c9ff.tar.zst
firejail-d684d9988bcc56e376cf89e51160d10ac8c9c9ff.zip
2 files changed, 40 insertions, 295 deletions
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index 98b556d56..f6c9efa18 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -1,5 +1,5 @@
-Name: firejail
+Name: __NAME__
-Version: 0.9.30
+Version: __VERSION__
 Release: 1
 Summary: Linux namepaces sandbox program
@@ -32,18 +32,18 @@ rm -rf %{buildroot}
 %files
 %doc
 %defattr(-, root, root, -)
-%attr(4755, -, -) %{_bindir}/firejail
+%attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firemon
-%{_libdir}/firejail/ftee
+%{_libdir}/__NAME__/ftee
-%{_libdir}/firejail/fshaper.sh
+%{_libdir}/__NAME__/fshaper.sh
-%{_libdir}/firejail/libtrace.so
+%{_libdir}/__NAME__/libtrace.so
-%{_libdir}/firejail/libtracelog.so
+%{_libdir}/__NAME__/libtracelog.so
-%{_datarootdir}/bash-completion/completions/firejail
+%{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firemon
-%{_docdir}/firejail
+%{_docdir}/__NAME__
-%{_mandir}/man1/firejail.1.gz
+%{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firemon.1.gz
-%{_mandir}/man5/firejail-login.5.gz
+%{_mandir}/man5/__NAME__-login.5.gz
-%{_mandir}/man5/firejail-profile.5.gz
+%{_mandir}/man5/__NAME__-profile.5.gz
-%config %{_sysconfdir}/firejail
+%config %{_sysconfdir}/__NAME__
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index 3daede84c..e600c6bdd 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -1,296 +1,41 @@
 #!/bin/bash
 #
-# Usage: ./mkrpm.sh
+# Usage: ./platform/rpm/mkrpm.sh firejail <version>
-#        ./mkrpm.sh /path/to/firejail-0.9.30.tar.gz
 #
-# Script builds rpm in a temporary directory and places the built rpm in the
+# Builds rpms in a temporary directory then places the result in the
 # current working directory.
+name=$1
+version=$2
-source=$1
+if [[ ! -f platform/rpm/${name}.spec ]]; then
+    echo error: spec file not found for name \"${name}\"
-create_tmp_dir() {
-    tmpdir=$(mktemp -d)
-    mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
-}
-# copy or download source
-if [[ $source ]]; then
-    # check file exists
-    if [[ ! -f $source ]]; then
-        echo "$source does not exist!"
-        exit 1
-    fi
-    name=$(awk '/Name:/ {print $2}' firejail.spec)
-    version=$(awk '/Version:/ {print $2}' firejail.spec)
-    expected_filename="${name}-${version}.tar.gz"
-    # ensure file name matches spec file expets
-    if [[ $(basename $source) != $expected_filename ]]; then
-        echo "source ($source) does not match expected filename ($(basename $expected_filename))"
-        exit 1
-    fi
-    create_tmp_dir
-    cp ${source} ${tmpdir}/SOURCES
-else
-  create_tmp_dir
-  if ! spectool -C ${tmpdir}/SOURCES -g firejail.spec; then
-    echo "Failed to fetch firejail source code"
    exit 1
-  fi
 fi
-cp ./firejail.spec "${tmpdir}/SPECS/firejail.spec"
+if [[ -z "${version}" ]]; then
+    echo error: version must be given
-<<<<<<< HEAD
+    exit 1
-echo "building tar.gz archive"
+fi
-tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
-cp firejail-$VERSION.tar.gz SOURCES/.
-echo "building config spec"
-cat <<EOF > SPECS/firejail.spec
-%define        __spec_install_post %{nil}
-%define          debug_package %{nil}
-%define        __os_install_post %{_dbpath}/brp-compress
-Summary: Linux namepaces sandbox program
-Name: firejail
-Version: $VERSION
-Release: 1
-License: GPL+
-Group: Development/Tools
-SOURCE0 : %{name}-%{version}.tar.gz
-URL: http://github.com/netblue30/firejail
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-%description
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
-%prep
-%setup -q
-%build
-%install
-rm -rf %{buildroot}
-mkdir -p  %{buildroot}
-cp -a * %{buildroot}
-%clean
-rm -rf %{buildroot}
-%files
-%defattr(-,root,root,-)
-%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
-%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc
-%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
-%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
-%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/login.users
-%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
-%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
-%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
-%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
-%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
-%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
-%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/generic.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-history.inc
-%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
-%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
-%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/server.profile
-%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
-/usr/bin/firejail
-/usr/bin/firemon
-/usr/lib/firejail/libtrace.so
-/usr/lib/firejail/ftee
-/usr/lib/firejail/fshaper.sh
-/usr/share/doc/packages/firejail/COPYING
-/usr/share/doc/packages/firejail/README
-/usr/share/doc/packages/firejail/RELNOTES
-/usr/share/man/man1/firejail.1.gz
-/usr/share/man/man1/firemon.1.gz
-/usr/share/man/man5/firejail-profile.5.gz
-/usr/share/man/man5/firejail-login.5.gz
-/usr/share/bash-completion/completions/firejail
-/usr/share/bash-completion/completions/firemon
- 
-%post
-chmod u+s /usr/bin/firejail
-%changelog
-* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
- - added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-   disable-history.inc included in all default profiles
- - Firefox PDF.js exploit (CVE-2015-4495) fixes
- - added --private-etc option
- - added --env option
- - added --whitelist option
- - support ${HOME} token in include directive in profile files
- - --private.keep is transitioned to --private-home
- - support ~ and blanks in blacklist option
- - support "net none" command in profile files
- - using /etc/firejail/generic.profile by default for user sessions
- - using /etc/firejail/server.profile by default for root sessions
- - added build --enable-fatal-warnings configure option
- - added persistence to --overlay option
- - added --overlay-tmpfs option
- - make install-strip implemented, make install renamed
- - bugfixes
-* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
- - network scanning, --scan option
- - interface MAC address support, --mac option
- - IP address range, --iprange option
- - traffic shaping, --bandwidth option
- - reworked printing of network status at startup
- - man pages rework
- - added firejail-login man page
- - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-   profiles
- - added an /etc/firejail/disable-common.inc file to hold common directory
-   blacklists
- - blacklist Opera and Chrome/Chromium config directories in profile files
- - support noroot option for profile files
- - enabled noroot in default profile files
- - bugfixes
-* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
- - private dev directory
- - private.keep option for whitelisting home files in a new private directory
- - user namespaces support, noroot option
- - added Deluge and qBittorent profiles
- - bugfixes
-* Sun Apr 5 2015  netblue30 <netblue30@yahoo.com> 0.9.24-1
- - whitelist and blacklist seccomp filters
- - doubledash option
- - --shell=none support
- - netfilter file support in profile files
- - dns server support in profile files
- - added --dns.print option
- - added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
- - added --caps.drop=all in default profiles
- - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
- -        clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
- - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
- - two build patches from Reiner Herman (tickets 11, 12)
- - man page patch from Reiner Herman (ticket 13)
- - output patch (ticket 15) from sshirokov
-* Mon Mar 9 2015  netblue30 <netblue30@yahoo.com> 0.9.22-1
- - Replaced --noip option with --ip=none
- - Container stdout logging and log rotation
- - Added process_vm_readv, process_vm_writev and mknod to
-     default seccomp blacklist
- - Added CAP_MKNOD to default caps blacklist
- - Blacklist and whitelist custom Linux capabilities filters
- - macvlan device driver support for --net option
- - DNS server support, --dns option
- - Netfilter support
- - Monitor network statistics, --netstats option
- - Added profile for Mozilla Thunderbird/Icedove
- - --overlay support for Linux kernels 3.18+
- - Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
- - Bugfix: check uid/gid for cgroup
-* Fri Feb 6 2015   netblue30 <netblue30@yahoo.com> 0.9.20-1
- - utmp, btmp and wtmp enhancements
- -    create empty /var/log/wtmp and /var/log/btmp files in sandbox
- -    generate a new /var/run/utmp file in sandbox
- - CPU affinity, --cpu option
- - Linux control groups support, --cgroup option
- - Opera web browser support
- - VLC support
- - Added "empty" attribute to seccomp command to remove the default
- -    syscall list form seccomp blacklist
- - Added --nogroups option to disable supplementary groups for regular
- -   users. root user always runs without supplementary groups.
- - firemon enhancements
- -   display the command that started the sandbox
- -   added --caps option to display capabilities for all sandboxes
- -   added --cgroup option to display the control groups for all sandboxes
- -   added --cpu option to display CPU affinity for all sandboxes
- -   added --seccomp option to display seccomp setting for all sandboxes
- - New compile time options: --disable-chroot, --disable-bind
- - bugfixes
-* Sat Dec 27 2014  netblue30 <netblue30@yahoo.com> 0.9.18-1
- - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
- - Support for tracing setreuid, setregid, setresuid, setresguid syscalls
- - Added profiles for transmission-gtk and transmission-qt
- - bugfixes
-* Tue Nov 4 2014  netblue30 <netblue30@yahoo.com> 0.9.16-1
- - Configurable private home directory
- - Configurable default user shell
- - Software configuration support for --docdir and DESTDIR
- - Profile file support for include, caps, seccomp and private keywords
- - Dropbox profile file
- - Linux capabilities and seccomp filters enabled by default for Firefox,
-  Midori, Evince and Dropbox
- - bugfixes
-* Wed Oct 8 2014  netblue30 <netblue30@yahoo.com> 0.9.14-1
+# Make a temporary directory and arrange to clean up on exit
- - Linux capabilities and seccomp filters are automatically enabled in 
+tmpdir=$(mktemp -d)
-   chroot mode (--chroot option) if the sandbox is started as regular
+mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
-   user
+function cleanup {
- - Added support for user defined seccomp blacklists
+  rm -rf ${tmpdir}
- - Added syscall trace support
+}
- - Added --tmpfs option
+trap cleanup EXIT
- - Added --balcklist option
- - Added --read-only option
- - Added --bind option
- - Logging enhancements
- - --overlay option was reactivated
- - Added firemon support to print the ARP table for each sandbox
- - Added firemon support to print the route table for each sandbox
- - Added firemon support to print interface information for each sandbox
- - bugfixes
-* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
+# Create the spec file
- - Added capabilities support
+tmp_spec_file=${tmpdir}/SPECS/${name}.spec
- - Added support for CentOS 7
+sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file}
- - bugfixes
+# FIXME: We could parse RELNOTES and create a %changelog section here
-EOF
+# Copy the source to build into a tarball
+tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='.git/*'
-echo "building rpm"
+# Build the files (rpm, debug rpm and source rpm)
-rpmbuild -ba SPECS/firejail.spec
+rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
-rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
-cd ..
-rm -f firejail-$VERSION-1.x86_64.rpm
-cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
-=======
-rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec"
->>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd
-cp ${tmpdir}/RPMS/x86_64/firejail-*-1.x86_64.rpm .
+# Copy the results to cwd
-rm -rf "${tmpdir}"
+mv ${tmpdir}/SRPMS/*.rpm ${tmpdir}/RPMS/*/*rpm .
author	Jon Griffiths <jon_p_griffiths@yahoo.com>	2016-02-16 04:28:24 +1300
committer	Jon Griffiths <jon_p_griffiths@yahoo.com>	2016-02-16 04:35:58 +1300
commit	d684d9988bcc56e376cf89e51160d10ac8c9c9ff (patch)
tree	086a6eeee1891ee450178984b0164dbdaa873a1e /platform/rpm
parent	Update spec file (diff)
download	firejail-d684d9988bcc56e376cf89e51160d10ac8c9c9ff.tar.gz firejail-d684d9988bcc56e376cf89e51160d10ac8c9c9ff.tar.zst firejail-d684d9988bcc56e376cf89e51160d10ac8c9c9ff.zip

diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index 98b556d56..f6c9efa18 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec
@@ -1,5 +1,5 @@
1	Name: firejail	1	Name: __NAME__
2	Version: 0.9.30	2	Version: __VERSION__
3	Release: 1	3	Release: 1
4	Summary: Linux namepaces sandbox program	4	Summary: Linux namepaces sandbox program
5		5
@@ -32,18 +32,18 @@ rm -rf %{buildroot}
32	%files	32	%files
33	%doc	33	%doc
34	%defattr(-, root, root, -)	34	%defattr(-, root, root, -)
35	%attr(4755, -, -) %{_bindir}/firejail	35	%attr(4755, -, -) %{_bindir}/__NAME__
36	%{_bindir}/firemon	36	%{_bindir}/firemon
37	%{_libdir}/firejail/ftee	37	%{_libdir}/__NAME__/ftee
38	%{_libdir}/firejail/fshaper.sh	38	%{_libdir}/__NAME__/fshaper.sh
39	%{_libdir}/firejail/libtrace.so	39	%{_libdir}/__NAME__/libtrace.so
40	%{_libdir}/firejail/libtracelog.so	40	%{_libdir}/__NAME__/libtracelog.so
41	%{_datarootdir}/bash-completion/completions/firejail	41	%{_datarootdir}/bash-completion/completions/__NAME__
42	%{_datarootdir}/bash-completion/completions/firemon	42	%{_datarootdir}/bash-completion/completions/firemon
43	%{_docdir}/firejail	43	%{_docdir}/__NAME__
44	%{_mandir}/man1/firejail.1.gz	44	%{_mandir}/man1/__NAME__.1.gz
45	%{_mandir}/man1/firemon.1.gz	45	%{_mandir}/man1/firemon.1.gz
46	%{_mandir}/man5/firejail-login.5.gz	46	%{_mandir}/man5/__NAME__-login.5.gz
47	%{_mandir}/man5/firejail-profile.5.gz	47	%{_mandir}/man5/__NAME__-profile.5.gz
48	%config %{_sysconfdir}/firejail	48	%config %{_sysconfdir}/__NAME__
49		49


diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 3daede84c..e600c6bdd 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh
@@ -1,296 +1,41 @@
1	#!/bin/bash	1	#!/bin/bash
2	#	2	#
3	# Usage: ./mkrpm.sh	3	# Usage: ./platform/rpm/mkrpm.sh firejail <version>
4	# ./mkrpm.sh /path/to/firejail-0.9.30.tar.gz
5	#	4	#
6	# Script builds rpm in a temporary directory and places the built rpm in the	5	# Builds rpms in a temporary directory then places the result in the
7	# current working directory.	6	# current working directory.
8		7
		8	name=$1
		9	version=$2
9		10
10	source=$1	11	if [[ ! -f platform/rpm/${name}.spec ]]; then
11		12	echo error: spec file not found for name \"${name}\"
12	create_tmp_dir() {
13	tmpdir=$(mktemp -d)
14	mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
15	}
16
17
18	# copy or download source
19	if [[ $source ]]; then
20
21	# check file exists
22	if [[ ! -f $source ]]; then
23	echo "$source does not exist!"
24	exit 1
25	fi
26
27	name=$(awk '/Name:/ {print $2}' firejail.spec)
28	version=$(awk '/Version:/ {print $2}' firejail.spec)
29	expected_filename="${name}-${version}.tar.gz"
30
31	# ensure file name matches spec file expets
32	if [[ $(basename $source) != $expected_filename ]]; then
33	echo "source ($source) does not match expected filename ($(basename $expected_filename))"
34	exit 1
35	fi
36
37	create_tmp_dir
38	cp ${source} ${tmpdir}/SOURCES
39	else
40	create_tmp_dir
41	if ! spectool -C ${tmpdir}/SOURCES -g firejail.spec; then
42	echo "Failed to fetch firejail source code"
43	exit 1	13	exit 1
44	fi
45	fi	14	fi
46		15
47	cp ./firejail.spec "${tmpdir}/SPECS/firejail.spec"	16	if [[ -z "${version}" ]]; then
48		17	echo error: version must be given
49	<<<<<<< HEAD	18	exit 1
50	echo "building tar.gz archive"	19	fi
51	tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
52
53	cp firejail-$VERSION.tar.gz SOURCES/.
54
55	echo "building config spec"
56	cat <<EOF > SPECS/firejail.spec
57	%define __spec_install_post %{nil}
58	%define debug_package %{nil}
59	%define __os_install_post %{_dbpath}/brp-compress
60
61	Summary: Linux namepaces sandbox program
62	Name: firejail
63	Version: $VERSION
64	Release: 1
65	License: GPL+
66	Group: Development/Tools
67	SOURCE0 : %{name}-%{version}.tar.gz
68	URL: http://github.com/netblue30/firejail
69
70	BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
71
72	%description
73	Firejail is a SUID sandbox program that reduces the risk of security
74	breaches by restricting the running environment of untrusted applications
75	using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
76
77	%prep
78	%setup -q
79
80	%build
81
82	%install
83	rm -rf %{buildroot}
84	mkdir -p %{buildroot}
85
86	cp -a * %{buildroot}
87
88
89	%clean
90	rm -rf %{buildroot}
91
92
93	%files
94	%defattr(-,root,root,-)
95	%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
96	%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
97	%config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc
98	%config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc
99	%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
100	%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
101	%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
102	%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
103	%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
104	%config(noreplace) %{_sysconfdir}/%{name}/login.users
105	%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
106	%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
107	%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
108	%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
109	%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
110	%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
111	%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
112	%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
113	%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
114	%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
115	%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
116	%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
117	%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
118	%config(noreplace) %{_sysconfdir}/%{name}/generic.profile
119	%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
120	%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
121	%config(noreplace) %{_sysconfdir}/%{name}/disable-history.inc
122	%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
123	%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
124	%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
125	%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
126	%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
127	%config(noreplace) %{_sysconfdir}/%{name}/server.profile
128	%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
129
130	/usr/bin/firejail
131	/usr/bin/firemon
132	/usr/lib/firejail/libtrace.so
133	/usr/lib/firejail/ftee
134	/usr/lib/firejail/fshaper.sh
135	/usr/share/doc/packages/firejail/COPYING
136	/usr/share/doc/packages/firejail/README
137	/usr/share/doc/packages/firejail/RELNOTES
138	/usr/share/man/man1/firejail.1.gz
139	/usr/share/man/man1/firemon.1.gz
140	/usr/share/man/man5/firejail-profile.5.gz
141	/usr/share/man/man5/firejail-login.5.gz
142	/usr/share/bash-completion/completions/firejail
143	/usr/share/bash-completion/completions/firemon
144
145	%post
146	chmod u+s /usr/bin/firejail
147
148	%changelog
149	* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
150	- added a disable-history.inc profile as a result of Firefox PDF.js exploit;
151	disable-history.inc included in all default profiles
152	- Firefox PDF.js exploit (CVE-2015-4495) fixes
153	- added --private-etc option
154	- added --env option
155	- added --whitelist option
156	- support ${HOME} token in include directive in profile files
157	- --private.keep is transitioned to --private-home
158	- support ~ and blanks in blacklist option
159	- support "net none" command in profile files
160	- using /etc/firejail/generic.profile by default for user sessions
161	- using /etc/firejail/server.profile by default for root sessions
162	- added build --enable-fatal-warnings configure option
163	- added persistence to --overlay option
164	- added --overlay-tmpfs option
165	- make install-strip implemented, make install renamed
166	- bugfixes
167
168	* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
169	- network scanning, --scan option
170	- interface MAC address support, --mac option
171	- IP address range, --iprange option
172	- traffic shaping, --bandwidth option
173	- reworked printing of network status at startup
174	- man pages rework
175	- added firejail-login man page
176	- added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
177	profiles
178	- added an /etc/firejail/disable-common.inc file to hold common directory
179	blacklists
180	- blacklist Opera and Chrome/Chromium config directories in profile files
181	- support noroot option for profile files
182	- enabled noroot in default profile files
183	- bugfixes
184
185	* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
186	- private dev directory
187	- private.keep option for whitelisting home files in a new private directory
188	- user namespaces support, noroot option
189	- added Deluge and qBittorent profiles
190	- bugfixes
191
192	* Sun Apr 5 2015 netblue30 <netblue30@yahoo.com> 0.9.24-1
193	- whitelist and blacklist seccomp filters
194	- doubledash option
195	- --shell=none support
196	- netfilter file support in profile files
197	- dns server support in profile files
198	- added --dns.print option
199	- added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
200	- added --caps.drop=all in default profiles
201	- new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
202	- clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
203	- Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
204	- two build patches from Reiner Herman (tickets 11, 12)
205	- man page patch from Reiner Herman (ticket 13)
206	- output patch (ticket 15) from sshirokov
207
208	* Mon Mar 9 2015 netblue30 <netblue30@yahoo.com> 0.9.22-1
209	- Replaced --noip option with --ip=none
210	- Container stdout logging and log rotation
211	- Added process_vm_readv, process_vm_writev and mknod to
212	default seccomp blacklist
213	- Added CAP_MKNOD to default caps blacklist
214	- Blacklist and whitelist custom Linux capabilities filters
215	- macvlan device driver support for --net option
216	- DNS server support, --dns option
217	- Netfilter support
218	- Monitor network statistics, --netstats option
219	- Added profile for Mozilla Thunderbird/Icedove
220	- --overlay support for Linux kernels 3.18+
221	- Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
222	- Bugfix: check uid/gid for cgroup
223
224	* Fri Feb 6 2015 netblue30 <netblue30@yahoo.com> 0.9.20-1
225	- utmp, btmp and wtmp enhancements
226	- create empty /var/log/wtmp and /var/log/btmp files in sandbox
227	- generate a new /var/run/utmp file in sandbox
228	- CPU affinity, --cpu option
229	- Linux control groups support, --cgroup option
230	- Opera web browser support
231	- VLC support
232	- Added "empty" attribute to seccomp command to remove the default
233	- syscall list form seccomp blacklist
234	- Added --nogroups option to disable supplementary groups for regular
235	- users. root user always runs without supplementary groups.
236	- firemon enhancements
237	- display the command that started the sandbox
238	- added --caps option to display capabilities for all sandboxes
239	- added --cgroup option to display the control groups for all sandboxes
240	- added --cpu option to display CPU affinity for all sandboxes
241	- added --seccomp option to display seccomp setting for all sandboxes
242	- New compile time options: --disable-chroot, --disable-bind
243	- bugfixes
244
245	* Sat Dec 27 2014 netblue30 <netblue30@yahoo.com> 0.9.18-1
246	- Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
247	- Support for tracing setreuid, setregid, setresuid, setresguid syscalls
248	- Added profiles for transmission-gtk and transmission-qt
249	- bugfixes
250
251	* Tue Nov 4 2014 netblue30 <netblue30@yahoo.com> 0.9.16-1
252	- Configurable private home directory
253	- Configurable default user shell
254	- Software configuration support for --docdir and DESTDIR
255	- Profile file support for include, caps, seccomp and private keywords
256	- Dropbox profile file
257	- Linux capabilities and seccomp filters enabled by default for Firefox,
258	Midori, Evince and Dropbox
259	- bugfixes
260		20
261	* Wed Oct 8 2014 netblue30 <netblue30@yahoo.com> 0.9.14-1	21	# Make a temporary directory and arrange to clean up on exit
262	- Linux capabilities and seccomp filters are automatically enabled in	22	tmpdir=$(mktemp -d)
263	chroot mode (--chroot option) if the sandbox is started as regular	23	mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
264	user	24	function cleanup {
265	- Added support for user defined seccomp blacklists	25	rm -rf ${tmpdir}
266	- Added syscall trace support	26	}
267	- Added --tmpfs option	27	trap cleanup EXIT
268	- Added --balcklist option
269	- Added --read-only option
270	- Added --bind option
271	- Logging enhancements
272	- --overlay option was reactivated
273	- Added firemon support to print the ARP table for each sandbox
274	- Added firemon support to print the route table for each sandbox
275	- Added firemon support to print interface information for each sandbox
276	- bugfixes
277		28
278	* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1	29	# Create the spec file
279	- Added capabilities support	30	tmp_spec_file=${tmpdir}/SPECS/${name}.spec
280	- Added support for CentOS 7	31	sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file}
281	- bugfixes	32	# FIXME: We could parse RELNOTES and create a %changelog section here
282		33
283	EOF	34	# Copy the source to build into a tarball
		35	tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='.git/*'
284		36
285	echo "building rpm"	37	# Build the files (rpm, debug rpm and source rpm)
286	rpmbuild -ba SPECS/firejail.spec	38	rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
287	rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
288	cd ..
289	rm -f firejail-$VERSION-1.x86_64.rpm
290	cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
291	=======
292	rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec"
293	>>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd
294		39
295	cp ${tmpdir}/RPMS/x86_64/firejail-*-1.x86_64.rpm .	40	# Copy the results to cwd
296	rm -rf "${tmpdir}"	41	mv ${tmpdir}/SRPMS/.rpm ${tmpdir}/RPMS//*rpm .