-rw-r--r-- | README | 11 | ||||
-rw-r--r-- | RELNOTES | 6 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 9 |
6 files changed, 29 insertions, 18 deletions
@@ -2,14 +2,17 @@ Firejail is a SUID sandbox program that reduces the risk of security | |||
2 | breaches by restricting the running environment of untrusted applications | 2 | breaches by restricting the running environment of untrusted applications |
3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for | 3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for |
4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, | 4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, |
5 | VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge and qBittorrent. | 5 | VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. |
6 | DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, | ||
7 | Pidgin, Quassel and XChat. | ||
6 | 8 | ||
7 | Firejail also expands the restricted shell facility found in bash by adding | 9 | Firejail also expands the restricted shell facility found in bash by adding |
8 | Linux namespace support. It supports sandboxing specific users upon login. | 10 | Linux namespace support. It supports sandboxing specific users upon login. |
9 | 11 | ||
10 | Download: http://sourceforge.net/projects/firejail/files/ | 12 | Download: http://sourceforge.net/projects/firejail/files/ |
11 | Build and install: ./configure && make && sudo make install | 13 | Build and install: ./configure && make && sudo make install |
12 | Documentation and support: http://firejail.sourceforge.net | 14 | Documentation and support: https://l3net.wordpress.com/projects/firejail/ |
15 | Development: https://github.com/netblue30/firejail | ||
13 | License: GPL v2 | 16 | License: GPL v2 |
14 | 17 | ||
15 | Firejail Authors: | 18 | Firejail Authors: |
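Review bot: The rewritten profile list on new line 5 ends with "qBittorrent." but the sentence continues on new lines 6 and 7, so the period should be a comma ("Deluge, qBittorrent,"). "Audoacious" on the same line is still misspelled and could be corrected to "Audacious" while the line is being touched. The Download URL two lines below the list stays on plain http while the Documentation link moves to https; if an https download location exists, prefer it in the same change.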
@@ -30,8 +33,6 @@ Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) | |||
30 | Reiner Herrmann - a number of build patches, man page fixes, Debian integration | 33 | Reiner Herrmann - a number of build patches, man page fixes, Debian integration |
31 | sshirokov (http://sourceforge.net/u/yshirokov/profile/) | 34 | sshirokov (http://sourceforge.net/u/yshirokov/profile/) |
32 | - Patch to output "Reading profile" to stderr instead of stdout | 35 | - Patch to output "Reading profile" to stderr instead of stdout |
33 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) | ||
34 | - src/lib/libnetlink.c extracted from iproute2 software package | ||
35 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) | 36 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) |
36 | - ARM support | 37 | - ARM support |
37 | dewbasaur (https://github.com/dewbasaur) | 38 | dewbasaur (https://github.com/dewbasaur) |
@@ -43,5 +44,7 @@ mjudtmann (https://github.com/mjudtmann) | |||
43 | - lock firejail configuration in disable-mgmt.inc | 44 | - lock firejail configuration in disable-mgmt.inc |
44 | iiotx (https://github.com/iiotx) | 45 | iiotx (https://github.com/iiotx) |
45 | - use generci.profile by default | 46 | - use generci.profile by default |
47 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) | ||
48 | - src/lib/libnetlink.c extracted from iproute2 software package | ||
46 | 49 | ||
47 | Copyright (C) 2014, 2015 Firejail Authors | 50 | Copyright (C) 2014, 2015 Firejail Authors |
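Review bot: The context line directly above the re-added Alexey Kuznetsov entry reads "use generci.profile by default", which misspells the file that RELNOTES calls /etc/firejail/generic.profile; since this block is being reordered anyway, fix the spelling here. The move of the libnetlink.c credit to the end of the list is otherwise a pure relocation of the two lines removed in the previous hunk.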
@@ -1,17 +1,19 @@ | |||
1 | firejail (0.9.29) baseline; urgency=low | 1 | firejail (0.9.30-rc1) baseline; urgency=low |
2 | * added a disable-history.inc profile as a result of Firefox PDF.js exploit; | 2 | * added a disable-history.inc profile as a result of Firefox PDF.js exploit; |
3 | disable-history.inc included in all default profiles | 3 | disable-history.inc included in all default profiles |
4 | * Firefox PDF.js exploit (CVE-2015-4495) fixes | 4 | * Firefox PDF.js exploit (CVE-2015-4495) fixes |
5 | * added --private-etc option | 5 | * added --private-etc option |
6 | * added --env option | 6 | * added --env option |
7 | * added --whitelist option | ||
7 | * support ${HOME} token in include directive in profile files | 8 | * support ${HOME} token in include directive in profile files |
8 | * --private.keep is transitioned to --private-home | 9 | * --private.keep is transitioned to --private-home |
9 | * support ~ and blanks in blacklist option | 10 | * support ~ and blanks in blacklist option |
10 | * support "net none" command in profile files | 11 | * support "net none" command in profile files |
11 | * using /etc/firejail/generic.profile by default for user sessions | 12 | * using /etc/firejail/generic.profile by default for user sessions |
12 | * using /etc/firejail/server.profile by default for root sessions | 13 | * using /etc/firejail/server.profile by default for root sessions |
14 | * added build --enable-fatal-warnings configure option | ||
13 | * bugfixes | 15 | * bugfixes |
14 | -- netblue30 <netblue30@yahoo.com> Mon, 24 Aug 2015 20:25:00 -0500 | 16 | -- netblue30 <netblue30@yahoo.com> Wed, 9 Sept 2015 08:00:00 -0500 |
15 | 17 | ||
16 | firejail (0.9.28) baseline; urgency=low | 18 | firejail (0.9.28) baseline; urgency=low |
17 | * network scanning, --scan option | 19 | * network scanning, --scan option |
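Review bot: Line 1 renames the existing 0.9.29 entry to 0.9.30-rc1 in place, so the CVE-2015-4495 fixes and disable-history.inc are now recorded only under 0.9.30-rc1 and no 0.9.29 entry remains. If 0.9.29 was ever published, keep its entry and start a new one for 0.9.30-rc1, so readers can tell which release first carried the PDF.js mitigation. On the trailer line, "9 Sept 2015" departs from the three-letter month used by the line it replaces ("24 Aug 2015"); use "Sep" so tools that parse this changelog-style date do not trip on it.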
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.29-github. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.30-rc1. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.29-github' | 583 | PACKAGE_VERSION='0.9.30-rc1' |
584 | PACKAGE_STRING='firejail 0.9.29-github' | 584 | PACKAGE_STRING='firejail 0.9.30-rc1' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.sourceforge.net' | 586 | PACKAGE_URL='http://firejail.sourceforge.net' |
587 | 587 | ||
@@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then | |||
1238 | # Omit some internal or obsolete options to make the list less imposing. | 1238 | # Omit some internal or obsolete options to make the list less imposing. |
1239 | # This message is too long to be a string in the A/UX 3.1 sh. | 1239 | # This message is too long to be a string in the A/UX 3.1 sh. |
1240 | cat <<_ACEOF | 1240 | cat <<_ACEOF |
1241 | \`configure' configures firejail 0.9.29-github to adapt to many kinds of systems. | 1241 | \`configure' configures firejail 0.9.30-rc1 to adapt to many kinds of systems. |
1242 | 1242 | ||
1243 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1243 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1244 | 1244 | ||
@@ -1299,7 +1299,7 @@ fi | |||
1299 | 1299 | ||
1300 | if test -n "$ac_init_help"; then | 1300 | if test -n "$ac_init_help"; then |
1301 | case $ac_init_help in | 1301 | case $ac_init_help in |
1302 | short | recursive ) echo "Configuration of firejail 0.9.29-github:";; | 1302 | short | recursive ) echo "Configuration of firejail 0.9.30-rc1:";; |
1303 | esac | 1303 | esac |
1304 | cat <<\_ACEOF | 1304 | cat <<\_ACEOF |
1305 | 1305 | ||
@@ -1389,7 +1389,7 @@ fi | |||
1389 | test -n "$ac_init_help" && exit $ac_status | 1389 | test -n "$ac_init_help" && exit $ac_status |
1390 | if $ac_init_version; then | 1390 | if $ac_init_version; then |
1391 | cat <<\_ACEOF | 1391 | cat <<\_ACEOF |
1392 | firejail configure 0.9.29-github | 1392 | firejail configure 0.9.30-rc1 |
1393 | generated by GNU Autoconf 2.69 | 1393 | generated by GNU Autoconf 2.69 |
1394 | 1394 | ||
1395 | Copyright (C) 2012 Free Software Foundation, Inc. | 1395 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF | |||
1691 | This file contains any messages produced by compilers while | 1691 | This file contains any messages produced by compilers while |
1692 | running configure, to aid debugging if configure makes a mistake. | 1692 | running configure, to aid debugging if configure makes a mistake. |
1693 | 1693 | ||
1694 | It was created by firejail $as_me 0.9.29-github, which was | 1694 | It was created by firejail $as_me 0.9.30-rc1, which was |
1695 | generated by GNU Autoconf 2.69. Invocation command line was | 1695 | generated by GNU Autoconf 2.69. Invocation command line was |
1696 | 1696 | ||
1697 | $ $0 $@ | 1697 | $ $0 $@ |
@@ -4102,7 +4102,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4102 | # report actual input values of CONFIG_FILES etc. instead of their | 4102 | # report actual input values of CONFIG_FILES etc. instead of their |
4103 | # values after options handling. | 4103 | # values after options handling. |
4104 | ac_log=" | 4104 | ac_log=" |
4105 | This file was extended by firejail $as_me 0.9.29-github, which was | 4105 | This file was extended by firejail $as_me 0.9.30-rc1, which was |
4106 | generated by GNU Autoconf 2.69. Invocation command line was | 4106 | generated by GNU Autoconf 2.69. Invocation command line was |
4107 | 4107 | ||
4108 | CONFIG_FILES = $CONFIG_FILES | 4108 | CONFIG_FILES = $CONFIG_FILES |
@@ -4156,7 +4156,7 @@ _ACEOF | |||
4156 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4156 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4157 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4157 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4158 | ac_cs_version="\\ | 4158 | ac_cs_version="\\ |
4159 | firejail config.status 0.9.29-github | 4159 | firejail config.status 0.9.30-rc1 |
4160 | configured by $0, generated by GNU Autoconf 2.69, | 4160 | configured by $0, generated by GNU Autoconf 2.69, |
4161 | with options \\"\$ac_cs_config\\" | 4161 | with options \\"\$ac_cs_config\\" |
4162 | 4162 | ||
diff --git a/configure.ac b/configure.ac index 3fa0c933b..5e3f44bed 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.29-github, netblue30@yahoo.com, , http://firejail.sourceforge.net) | 2 | AC_INIT(firejail, 0.9.30-rc1, netblue30@yahoo.com, , http://firejail.sourceforge.net) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
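Review bot: AC_INIT on line 2 still passes http://firejail.sourceforge.net as the package URL, while the README hunk in this same change moves documentation to https://l3net.wordpress.com/projects/firejail/. Update the URL argument here and regenerate configure so that PACKAGE_URL (left unchanged in the configure hunk at line 586) matches what the README tells users.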
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 116bd404a..aa8144a40 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -368,6 +368,7 @@ void env_store(const char *str); | |||
368 | void env_apply(void); | 368 | void env_apply(void); |
369 | 369 | ||
370 | // fs_whitelist.c | 370 | // fs_whitelist.c |
371 | void fs_whitelist(void); | ||
371 | 372 | ||
372 | #endif | 373 | #endif |
373 | 374 | ||
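Review bot: The new prototype "void fs_whitelist(void);" on line 371 is added without any comment, and the diffstat for this change lists neither fs_whitelist.c nor a caller. Add a one-line comment stating what the function does and where in the filesystem setup it must run relative to the blacklist and private-home handling, since that ordering determines what ends up visible inside the sandbox. Also confirm that the definition is already in the tree, otherwise the declaration is dead.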
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1473c5889..470cade7e 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -10,7 +10,7 @@ firejail \-\-profile=filename.profile | |||
10 | Several command line options can be passed to the program using | 10 | Several command line options can be passed to the program using |
11 | profile files. Firejail chooses the profile file as follows: | 11 | profile files. Firejail chooses the profile file as follows: |
12 | 12 | ||
13 | 1. If a profile file is provided by the user with --profile option, the profile file is loaded. | 13 | 1. If a profile file is provided by the user with \-\-profile option, the profile file is loaded. |
14 | Example: | 14 | Example: |
15 | .PP | 15 | .PP |
16 | .RS | 16 | .RS |
@@ -120,7 +120,7 @@ Remove ifconfig command from the regular path directories. | |||
120 | \f\blacklist ${HOME}/.ssh | 120 | \f\blacklist ${HOME}/.ssh |
121 | Remove .ssh directory from user home directory. | 121 | Remove .ssh directory from user home directory. |
122 | .TP | 122 | .TP |
123 | \f\ noblacklist ${HOME}/config/evince | 123 | \f\noblacklist ${HOME}/config/evince |
124 | Prevent any new blacklist commands from blacklisting | 124 | Prevent any new blacklist commands from blacklisting |
125 | config/evince in the user home directory. Useful for defining | 125 | config/evince in the user home directory. Useful for defining |
126 | exceptions before including a large blacklist from a file. Note | 126 | exceptions before including a large blacklist from a file. Note |
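Review bot: Line 123 now reads "\f\noblacklist ${HOME}/config/evince", which removes the stray space but still is not a font escape of the form used elsewhere in this file ("\fBcaps\fR and \fBseccomp\fR"). Write the tag as "\fBnoblacklist ${HOME}/config/evince\fR" and apply the same form to the blacklist tag on line 120. Separately, the path is given as ${HOME}/config/evince and the description repeats "config/evince"; if the intended directory is the hidden .config, the example as written would not exempt it.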
@@ -149,6 +149,11 @@ Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, uran | |||
149 | Build a new /etc in a temporary | 149 | Build a new /etc in a temporary |
150 | filesystem, and copy the files and directories in the list. | 150 | filesystem, and copy the files and directories in the list. |
151 | All modifications are discarded when the sandbox is closed. | 151 | All modifications are discarded when the sandbox is closed. |
152 | .TP | ||
153 | \f\whitelist file_or_directory | ||
154 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. | ||
155 | The modifications to file_or_directory are persistent, everything else is discarded | ||
156 | when the sandbox is closed. | ||
152 | 157 | ||
153 | .SH Filters | 158 | .SH Filters |
154 | \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples: | 159 | \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples: |
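Review bot: The whitelist description on lines 154 to 156 does not state which paths are accepted, and for an option that decides what survives in the sandboxed home, that needs to be explicit. Say whether file_or_directory must live under the user's home directory, whether the command may be repeated, and what happens when the path does not exist or is a symbolic link. The text should also point out that, because changes to a whitelisted path are persistent, anything writable that is whitelisted remains modifiable by the sandboxed program. The tag on line 153 uses "\f\whitelist" rather than the "\fB...\fR" form seen on line 159, and "mount-bind" would read better as "bind-mount".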