-rw-r--r-- | README.md | 93 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rwxr-xr-x | platform/rpm/old-mkrpm.sh | 39 | ||||
-rw-r--r-- | test/features/features.txt | 5 |
4 files changed, 42 insertions, 97 deletions
@@ -32,96 +32,5 @@ Documentation: https://firejail.wordpress.com/documentation-2/ | |||
32 | 32 | ||
33 | FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | 33 | FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ |
34 | 34 | ||
35 | # Current development version: 0.9.37 | 35 | # Current development version: 0.9.39 |
36 | |||
37 | ## Symlink invocation | ||
38 | |||
39 | This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under | ||
40 | the name of the program you want to run, and put the link in the first $PATH position (for | ||
41 | example in /usr/local/bin). Example: | ||
42 | ````` | ||
43 | $ which -a transmission-gtk | ||
44 | /usr/bin/transmission-gtk | ||
45 | |||
46 | $ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk | ||
47 | |||
48 | $ which -a transmission-gtk | ||
49 | /usr/local/bin/transmission-gtk | ||
50 | /usr/bin/transmission-gtk | ||
51 | ````` | ||
52 | We have in this moment two entries in $PATH for transmission. The first one is a symlink to firejail. | ||
53 | The second one is the real program. Starting transmission in this moment, invokes "firejail transmission-gtk" | ||
54 | ````` | ||
55 | $ transmission-gtk | ||
56 | Redirecting symlink to /usr/bin/transmission-gtk | ||
57 | Reading profile /etc/firejail/transmission-gtk.profile | ||
58 | Reading profile /etc/firejail/disable-mgmt.inc | ||
59 | Reading profile /etc/firejail/disable-secret.inc | ||
60 | Reading profile /etc/firejail/disable-common.inc | ||
61 | Reading profile /etc/firejail/disable-devel.inc | ||
62 | Parent pid 19343, child pid 19344 | ||
63 | Blacklist violations are logged to syslog | ||
64 | Child process initialized | ||
65 | ````` | ||
66 | |||
67 | |||
68 | ## IPv6 support: | ||
69 | ````` | ||
70 | --ip6=address | ||
71 | Assign IPv6 addresses to the last network interface defined by a | ||
72 | --net option. | ||
73 | |||
74 | Example: | ||
75 | $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox | ||
76 | |||
77 | --netfilter6=filename | ||
78 | Enable the IPv6 network filter specified by filename in the new | ||
79 | network namespace. The filter file format is the format of | ||
80 | ip6tables-save and ip6table-restore commands. New network | ||
81 | namespaces are created using --net option. If a new network | ||
82 | namespaces is not created, --netfilter6 option does nothing. | ||
83 | |||
84 | ````` | ||
85 | |||
86 | ## join command enhancements | ||
87 | |||
88 | ````` | ||
89 | --join-filesystem=name | ||
90 | Join the mount namespace of the sandbox identified by name. By | ||
91 | default a /bin/bash shell is started after joining the sandbox. | ||
92 | If a program is specified, the program is run in the sandbox. | ||
93 | This command is available only to root user. Security filters, | ||
94 | cgroups and cpus configurations are not applied to the process | ||
95 | joining the sandbox. | ||
96 | |||
97 | --join-filesystem=pid | ||
98 | Join the mount namespace of the sandbox identified by process | ||
99 | ID. By default a /bin/bash shell is started after joining the | ||
100 | sandbox. If a program is specified, the program is run in the | ||
101 | sandbox. This command is available only to root user. Security | ||
102 | filters, cgroups and cpus configurations are not applied to the | ||
103 | process joining the sandbox. | ||
104 | |||
105 | --join-network=name | ||
106 | Join the network namespace of the sandbox identified by name. By | ||
107 | default a /bin/bash shell is started after joining the sandbox. | ||
108 | If a program is specified, the program is run in the sandbox. | ||
109 | This command is available only to root user. Security filters, | ||
110 | cgroups and cpus configurations are not applied to the process | ||
111 | joining the sandbox. | ||
112 | |||
113 | --join-network=pid | ||
114 | Join the network namespace of the sandbox identified by process | ||
115 | ID. By default a /bin/bash shell is started after joining the | ||
116 | sandbox. If a program is specified, the program is run in the | ||
117 | sandbox. This command is available only to root user. Security | ||
118 | filters, cgroups and cpus configurations are not applied to the | ||
119 | process joining the sandbox. | ||
120 | |||
121 | ````` | ||
122 | |||
123 | |||
124 | ## New profiles: KMail | ||
125 | |||
126 | |||
127 | 36 | ||
@@ -14,7 +14,7 @@ firejail (0.9.38) baseline; urgency=low | |||
14 | * --tmpfs option allowed only running as root | 14 | * --tmpfs option allowed only running as root |
15 | * added --private-tmp option | 15 | * added --private-tmp option |
16 | * bugfixes | 16 | * bugfixes |
17 | -- netblue30 <netblue30@yahoo.com> Mon, 2 Feb 2016 10:00:00 -0500 | 17 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 |
18 | 18 | ||
19 | firejail (0.9.36) baseline; urgency=low | 19 | firejail (0.9.36) baseline; urgency=low |
20 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, | 20 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, |
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 5775783af..99f7a536c 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh | |||
@@ -1,5 +1,5 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | VERSION="0.9.36" | 2 | VERSION="0.9.38" |
3 | rm -fr ~/rpmbuild | 3 | rm -fr ~/rpmbuild |
4 | rm -f firejail-$VERSION-1.x86_64.rpm | 4 | rm -f firejail-$VERSION-1.x86_64.rpm |
5 | 5 | ||
@@ -83,7 +83,6 @@ install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/fi | |||
83 | install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/google-chrome-stable.profile | 83 | install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/google-chrome-stable.profile |
84 | install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/google-chrome-unstable.profile | 84 | install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/google-chrome-unstable.profile |
85 | install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/hexchat.profile | 85 | install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/hexchat.profile |
86 | install -m 644 /etc/firejail/konqueror.profile firejail-$VERSION/etc/firejail/konqueror.profile | ||
87 | install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/nolocal.net | 86 | install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/nolocal.net |
88 | install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/opera-beta.profile | 87 | install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/opera-beta.profile |
89 | install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/parole.profile | 88 | install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/parole.profile |
@@ -94,6 +93,16 @@ install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/fireja | |||
94 | install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/weechat.profile | 93 | install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/weechat.profile |
95 | install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/whitelist-common.inc | 94 | install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/whitelist-common.inc |
96 | 95 | ||
96 | install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/kmail.profile | ||
97 | install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/seamonkey.profile | ||
98 | install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/seamonkey-bin.profile | ||
99 | install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/telegram.profile | ||
100 | install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/mathematica.profile | ||
101 | install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/Mathematica.profile | ||
102 | install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/uget-gtk.profile | ||
103 | install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/mupen64plus.profile | ||
104 | |||
105 | |||
97 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions | 106 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions |
98 | install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. | 107 | install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. |
99 | install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. | 108 | install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. |
@@ -189,7 +198,6 @@ rm -rf %{buildroot} | |||
189 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile | 198 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile |
190 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile | 199 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile |
191 | %config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile | 200 | %config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile |
192 | %config(noreplace) %{_sysconfdir}/%{name}/konqueror.profile | ||
193 | %config(noreplace) %{_sysconfdir}/%{name}/nolocal.net | 201 | %config(noreplace) %{_sysconfdir}/%{name}/nolocal.net |
194 | %config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile | 202 | %config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile |
195 | %config(noreplace) %{_sysconfdir}/%{name}/parole.profile | 203 | %config(noreplace) %{_sysconfdir}/%{name}/parole.profile |
@@ -199,6 +207,14 @@ rm -rf %{buildroot} | |||
199 | %config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile | 207 | %config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile |
200 | %config(noreplace) %{_sysconfdir}/%{name}/weechat.profile | 208 | %config(noreplace) %{_sysconfdir}/%{name}/weechat.profile |
201 | %config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc | 209 | %config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc |
210 | %config(noreplace) %{_sysconfdir}/%{name}/kmail.profile | ||
211 | %config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile | ||
212 | %config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile | ||
213 | %config(noreplace) %{_sysconfdir}/%{name}/telegram.profile | ||
214 | %config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile | ||
215 | %config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile | ||
216 | %config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile | ||
217 | %config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile | ||
202 | 218 | ||
203 | /usr/bin/firejail | 219 | /usr/bin/firejail |
204 | /usr/bin/firemon | 220 | /usr/bin/firemon |
@@ -220,6 +236,23 @@ rm -rf %{buildroot} | |||
220 | chmod u+s /usr/bin/firejail | 236 | chmod u+s /usr/bin/firejail |
221 | 237 | ||
222 | %changelog | 238 | %changelog |
239 | * Wed Feb 3 2016 netblue30 <netblue30@yahoo.com> 0.9.38-1 | ||
240 | - IPv6 support (--ip6 and --netfilter6) | ||
241 | - --join command enhancement (--join-network, --join-filesystem) | ||
242 | - added --user command | ||
243 | - added --disable-network and --disable-userns compile time flags | ||
244 | - Centos 6 support | ||
245 | - symlink invocation | ||
246 | - added KMail, Seamonkey, Telegram, Mathematica, uGet, | ||
247 | and mupen64plus profiles | ||
248 | - --chroot in user mode allowed only if seccomp support is available | ||
249 | in current Linux kernel | ||
250 | - deprecated --private-home feature | ||
251 | - the first protocol list installed takes precedence | ||
252 | - --tmpfs option allowed only running as root | ||
253 | - added --private-tmp option | ||
254 | - bugfixes | ||
255 | |||
223 | * Thu Dec 24 2015 netblue30 <netblue30@yahoo.com> 0.9.36-1 | 256 | * Thu Dec 24 2015 netblue30 <netblue30@yahoo.com> 0.9.36-1 |
224 | - added unbound, dnscrypt-proxy, BitlBee, HexChat profiles | 257 | - added unbound, dnscrypt-proxy, BitlBee, HexChat profiles |
225 | - added WeeChat, parole and rtorrent profiles | 258 | - added WeeChat, parole and rtorrent profiles |
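Review bot: The eight profile `install` lines added at new lines 96–103 of old-mkrpm.sh copy from the build host's /etc/firejail, and the script head shown in the first hunk (`#!/bin/bash`, `VERSION=`, two `rm` lines) enables no error mode, so a profile missing on the host makes `install` fail silently and the problem only surfaces later when rpmbuild cannot find the matching entry listed under %files at new lines 210–217. Adding `set -euo pipefail` directly after `#!/bin/bash` would stop the build at the first missing source file and make the offending profile name visible in the output. The new lines also leave `$VERSION` unquoted, which matches the surrounding code but would be flagged by ShellCheck; `firejail-"$VERSION"/etc/firejail/kmail.profile` is the quoted form if these lines are touched again. Whether the build host is expected to already have the current firejail installed is not visible from the diff, so the failure mode above is inferred from the script head rather than from a documented build precondition.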
diff --git a/test/features/features.txt b/test/features/features.txt index 0b1634669..4d8821a92 100644 --- a/test/features/features.txt +++ b/test/features/features.txt | |||
@@ -43,16 +43,19 @@ C - chroot filesystem | |||
43 | 3.2 read-only | 43 | 3.2 read-only |
44 | 3.3 blacklist | 44 | 3.3 blacklist |
45 | 3.4 whitelist home | 45 | 3.4 whitelist home |
46 | - N braking on Fedora | ||
46 | 3.5 private-dev | 47 | 3.5 private-dev |
47 | - O, C - somehow /dev/log is missing | 48 | - O, C - somehow /dev/log is missing |
49 | - N - problems on Debian wheezy 32-bit, Fedora | ||
48 | 3.6 private-etc | 50 | 3.6 private-etc |
49 | - O not working - todo | 51 | - O not working - todo |
50 | 3.7 private-tmp | 52 | 3.7 private-tmp |
51 | 3.8 private-bin | 53 | 3.8 private-bin |
52 | - O, C not working - todo | 54 | - O, C not working - todo |
53 | 3.9 whitelist dev | 55 | 3.9 whitelist dev |
56 | - N not working on Debian wheezy (32-bit and 64-bit) - todo | ||
54 | 3.10 whitelist tmp | 57 | 3.10 whitelist tmp |
55 | - O not working on Arch Linux | 58 | - O not working on Arch Linux - todo |
56 | 59 | ||
57 | 60 | ||
58 | 61 | ||