5 files changed, 53 insertions, 848 deletions

diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 83a4404cf..a2c3727ce 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -21,6 +21,7 @@
 /etc/firejail/vlc.profile
 /etc/firejail/audacious.profile
 /etc/firejail/clementine.profile
+/etc/firejail/epiphany.profile
 /etc/firejail/gnome-mplayer.profile
 /etc/firejail/rhythmbox.profile
 /etc/firejail/totem.profile
@@ -55,3 +56,12 @@
 /etc/firejail/rtorrent.profile
 /etc/firejail/parole.profile
 /etc/firejail/kmail.profile
+/etc/firejail/seamonkey.profile
+/etc/firejail/seamonkey-bin.profile
+/etc/firejail/telegram.profile
+/etc/firejail/mathematica.profile
+/etc/firejail/Mathematica.profile
+/etc/firejail/uget-gtk.profile
+/etc/firejail/mupen64plus.profile
+/etc/disable-terminals.inc
+/etc/lxterminal.profile
diff --git a/platform/debian/firejail.lintian-overrides b/platform/debian/firejail.lintian-overrides
new file mode 100644
index 000000000..5b5f7e7ef
--- /dev/null
+++ b/platform/debian/firejail.lintian-overrides
@@ -0,0 +1,2 @@
+# Firejail binary should be setuid
+firejail binary: setuid-binary usr/bin/firejail 4755 root/root
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index f1bf7ad7b..e365af2d6 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -1,5 +1,5 @@
-Name: firejail
-Version: 0.9.30
+Name: __NAME__
+Version: __VERSION__
 Release: 1
 Summary: Linux namepaces sandbox program
 
@@ -19,7 +19,7 @@ using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
 %setup -q
 
 %build
-%configure
+%configure --disable-userns
 make %{?_smp_mflags}
 
 %install
@@ -29,156 +29,21 @@ rm -rf %{buildroot}
 %clean
 rm -rf %{buildroot}
 
-
 %files
 %doc
 %defattr(-, root, root, -)
-%attr(4755, -, -) %{_bindir}/firejail
+%attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firemon
-%{_libdir}/firejail/ftee
-%{_libdir}/firejail/fshaper.sh
-%{_libdir}/firejail/libtrace.so
-%{_datarootdir}/bash-completion/completions/firejail
+%{_libdir}/__NAME__/ftee
+%{_libdir}/__NAME__/fshaper.sh
+%{_libdir}/__NAME__/libtrace.so
+%{_libdir}/__NAME__/libtracelog.so
+%{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firemon
-%{_docdir}/firejail
-%{_mandir}/man1/firejail.1.gz
+%{_docdir}/__NAME__
+%{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firemon.1.gz
-%{_mandir}/man5/firejail-login.5.gz
-%{_mandir}/man5/firejail-profile.5.gz
-%config %{_sysconfdir}/firejail
-
-%changelog
-* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
- - added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-   disable-history.inc included in all default profiles
- - Firefox PDF.js exploit (CVE-2015-4495) fixes
- - added --private-etc option
- - added --env option
- - added --whitelist option
- - support ${HOME} token in include directive in profile files
- - --private.keep is transitioned to --private-home
- - support ~ and blanks in blacklist option
- - support "net none" command in profile files
- - using /etc/firejail/generic.profile by default for user sessions
- - using /etc/firejail/server.profile by default for root sessions
- - added build --enable-fatal-warnings configure option
- - added persistence to --overlay option
- - added --overlay-tmpfs option
- - make install-strip implemented, make install renamed
- - bugfixes
-
-* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
- - network scanning, --scan option
- - interface MAC address support, --mac option
- - IP address range, --iprange option
- - traffic shaping, --bandwidth option
- - reworked printing of network status at startup
- - man pages rework
- - added firejail-login man page
- - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-   profiles
- - added an /etc/firejail/disable-common.inc file to hold common directory
-   blacklists
- - blacklist Opera and Chrome/Chromium config directories in profile files
- - support noroot option for profile files
- - enabled noroot in default profile files
- - bugfixes
-
-* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
- - private dev directory
- - private.keep option for whitelisting home files in a new private directory
- - user namespaces support, noroot option
- - added Deluge and qBittorent profiles
- - bugfixes
-
-* Sun Apr 5 2015  netblue30 <netblue30@yahoo.com> 0.9.24-1
- - whitelist and blacklist seccomp filters
- - doubledash option
- - --shell=none support
- - netfilter file support in profile files
- - dns server support in profile files
- - added --dns.print option
- - added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
- - added --caps.drop=all in default profiles
- - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
- -        clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
- - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
- - two build patches from Reiner Herman (tickets 11, 12)
- - man page patch from Reiner Herman (ticket 13)
- - output patch (ticket 15) from sshirokov
-
-* Mon Mar 9 2015  netblue30 <netblue30@yahoo.com> 0.9.22-1
- - Replaced --noip option with --ip=none
- - Container stdout logging and log rotation
- - Added process_vm_readv, process_vm_writev and mknod to
-     default seccomp blacklist
- - Added CAP_MKNOD to default caps blacklist
- - Blacklist and whitelist custom Linux capabilities filters
- - macvlan device driver support for --net option
- - DNS server support, --dns option
- - Netfilter support
- - Monitor network statistics, --netstats option
- - Added profile for Mozilla Thunderbird/Icedove
- - --overlay support for Linux kernels 3.18+
- - Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
- - Bugfix: check uid/gid for cgroup
-
-* Fri Feb 6 2015   netblue30 <netblue30@yahoo.com> 0.9.20-1
- - utmp, btmp and wtmp enhancements
- -    create empty /var/log/wtmp and /var/log/btmp files in sandbox
- -    generate a new /var/run/utmp file in sandbox
- - CPU affinity, --cpu option
- - Linux control groups support, --cgroup option
- - Opera web browser support
- - VLC support
- - Added "empty" attribute to seccomp command to remove the default
- -    syscall list form seccomp blacklist
- - Added --nogroups option to disable supplementary groups for regular
- -   users. root user always runs without supplementary groups.
- - firemon enhancements
- -   display the command that started the sandbox
- -   added --caps option to display capabilities for all sandboxes
- -   added --cgroup option to display the control groups for all sandboxes
- -   added --cpu option to display CPU affinity for all sandboxes
- -   added --seccomp option to display seccomp setting for all sandboxes
- - New compile time options: --disable-chroot, --disable-bind
- - bugfixes
-
-* Sat Dec 27 2014  netblue30 <netblue30@yahoo.com> 0.9.18-1
- - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
- - Support for tracing setreuid, setregid, setresuid, setresguid syscalls
- - Added profiles for transmission-gtk and transmission-qt
- - bugfixes
-
-* Tue Nov 4 2014  netblue30 <netblue30@yahoo.com> 0.9.16-1
- - Configurable private home directory
- - Configurable default user shell
- - Software configuration support for --docdir and DESTDIR
- - Profile file support for include, caps, seccomp and private keywords
- - Dropbox profile file
- - Linux capabilities and seccomp filters enabled by default for Firefox,
-  Midori, Evince and Dropbox
- - bugfixes
-
-* Wed Oct 8 2014  netblue30 <netblue30@yahoo.com> 0.9.14-1
- - Linux capabilities and seccomp filters are automatically enabled in 
-   chroot mode (--chroot option) if the sandbox is started as regular
-   user
- - Added support for user defined seccomp blacklists
- - Added syscall trace support
- - Added --tmpfs option
- - Added --balcklist option
- - Added --read-only option
- - Added --bind option
- - Logging enhancements
- - --overlay option was reactivated
- - Added firemon support to print the ARP table for each sandbox
- - Added firemon support to print the route table for each sandbox
- - Added firemon support to print interface information for each sandbox
- - bugfixes
-
-* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
- - Added capabilities support
- - Added support for CentOS 7
- - bugfixes
+%{_mandir}/man5/__NAME__-login.5.gz
+%{_mandir}/man5/__NAME__-profile.5.gz
+%config %{_sysconfdir}/__NAME__
 
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index 3daede84c..e600c6bdd 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -1,296 +1,41 @@
 #!/bin/bash
 #
-# Usage: ./mkrpm.sh
-#        ./mkrpm.sh /path/to/firejail-0.9.30.tar.gz
+# Usage: ./platform/rpm/mkrpm.sh firejail <version>
 #
-# Script builds rpm in a temporary directory and places the built rpm in the
+# Builds rpms in a temporary directory then places the result in the
 # current working directory.
 
+name=$1
+version=$2
 
-source=$1
-
-create_tmp_dir() {
-    tmpdir=$(mktemp -d)
-    mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
-}
-
-
-# copy or download source
-if [[ $source ]]; then
-
-    # check file exists
-    if [[ ! -f $source ]]; then
-        echo "$source does not exist!"
-        exit 1
-    fi
-
-    name=$(awk '/Name:/ {print $2}' firejail.spec)
-    version=$(awk '/Version:/ {print $2}' firejail.spec)
-    expected_filename="${name}-${version}.tar.gz"
-
-    # ensure file name matches spec file expets
-    if [[ $(basename $source) != $expected_filename ]]; then
-        echo "source ($source) does not match expected filename ($(basename $expected_filename))"
-        exit 1
-    fi
-
-    create_tmp_dir
-    cp ${source} ${tmpdir}/SOURCES
-else
-  create_tmp_dir
-  if ! spectool -C ${tmpdir}/SOURCES -g firejail.spec; then
-    echo "Failed to fetch firejail source code"
+if [[ ! -f platform/rpm/${name}.spec ]]; then
+    echo error: spec file not found for name \"${name}\"
     exit 1
-  fi
 fi
 
-cp ./firejail.spec "${tmpdir}/SPECS/firejail.spec"
-
-<<<<<<< HEAD
-echo "building tar.gz archive"
-tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
-
-cp firejail-$VERSION.tar.gz SOURCES/.
-
-echo "building config spec"
-cat <<EOF > SPECS/firejail.spec
-%define        __spec_install_post %{nil}
-%define          debug_package %{nil}
-%define        __os_install_post %{_dbpath}/brp-compress
-
-Summary: Linux namepaces sandbox program
-Name: firejail
-Version: $VERSION
-Release: 1
-License: GPL+
-Group: Development/Tools
-SOURCE0 : %{name}-%{version}.tar.gz
-URL: http://github.com/netblue30/firejail
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-
-%description
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
-
-%prep
-%setup -q
-
-%build
-
-%install
-rm -rf %{buildroot}
-mkdir -p  %{buildroot}
-
-cp -a * %{buildroot}
-
-
-%clean
-rm -rf %{buildroot}
-
-
-%files
-%defattr(-,root,root,-)
-%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
-%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc
-%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
-%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
-%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/login.users
-%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
-%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
-%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
-%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
-%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
-%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
-%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/generic.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-history.inc
-%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
-%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
-%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/server.profile
-%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
-
-/usr/bin/firejail
-/usr/bin/firemon
-/usr/lib/firejail/libtrace.so
-/usr/lib/firejail/ftee
-/usr/lib/firejail/fshaper.sh
-/usr/share/doc/packages/firejail/COPYING
-/usr/share/doc/packages/firejail/README
-/usr/share/doc/packages/firejail/RELNOTES
-/usr/share/man/man1/firejail.1.gz
-/usr/share/man/man1/firemon.1.gz
-/usr/share/man/man5/firejail-profile.5.gz
-/usr/share/man/man5/firejail-login.5.gz
-/usr/share/bash-completion/completions/firejail
-/usr/share/bash-completion/completions/firemon
- 
-%post
-chmod u+s /usr/bin/firejail
-
-%changelog
-* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
- - added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-   disable-history.inc included in all default profiles
- - Firefox PDF.js exploit (CVE-2015-4495) fixes
- - added --private-etc option
- - added --env option
- - added --whitelist option
- - support ${HOME} token in include directive in profile files
- - --private.keep is transitioned to --private-home
- - support ~ and blanks in blacklist option
- - support "net none" command in profile files
- - using /etc/firejail/generic.profile by default for user sessions
- - using /etc/firejail/server.profile by default for root sessions
- - added build --enable-fatal-warnings configure option
- - added persistence to --overlay option
- - added --overlay-tmpfs option
- - make install-strip implemented, make install renamed
- - bugfixes
-
-* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
- - network scanning, --scan option
- - interface MAC address support, --mac option
- - IP address range, --iprange option
- - traffic shaping, --bandwidth option
- - reworked printing of network status at startup
- - man pages rework
- - added firejail-login man page
- - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-   profiles
- - added an /etc/firejail/disable-common.inc file to hold common directory
-   blacklists
- - blacklist Opera and Chrome/Chromium config directories in profile files
- - support noroot option for profile files
- - enabled noroot in default profile files
- - bugfixes
-
-* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
- - private dev directory
- - private.keep option for whitelisting home files in a new private directory
- - user namespaces support, noroot option
- - added Deluge and qBittorent profiles
- - bugfixes
-
-* Sun Apr 5 2015  netblue30 <netblue30@yahoo.com> 0.9.24-1
- - whitelist and blacklist seccomp filters
- - doubledash option
- - --shell=none support
- - netfilter file support in profile files
- - dns server support in profile files
- - added --dns.print option
- - added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
- - added --caps.drop=all in default profiles
- - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
- -        clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
- - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
- - two build patches from Reiner Herman (tickets 11, 12)
- - man page patch from Reiner Herman (ticket 13)
- - output patch (ticket 15) from sshirokov
-
-* Mon Mar 9 2015  netblue30 <netblue30@yahoo.com> 0.9.22-1
- - Replaced --noip option with --ip=none
- - Container stdout logging and log rotation
- - Added process_vm_readv, process_vm_writev and mknod to
-     default seccomp blacklist
- - Added CAP_MKNOD to default caps blacklist
- - Blacklist and whitelist custom Linux capabilities filters
- - macvlan device driver support for --net option
- - DNS server support, --dns option
- - Netfilter support
- - Monitor network statistics, --netstats option
- - Added profile for Mozilla Thunderbird/Icedove
- - --overlay support for Linux kernels 3.18+
- - Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
- - Bugfix: check uid/gid for cgroup
-
-* Fri Feb 6 2015   netblue30 <netblue30@yahoo.com> 0.9.20-1
- - utmp, btmp and wtmp enhancements
- -    create empty /var/log/wtmp and /var/log/btmp files in sandbox
- -    generate a new /var/run/utmp file in sandbox
- - CPU affinity, --cpu option
- - Linux control groups support, --cgroup option
- - Opera web browser support
- - VLC support
- - Added "empty" attribute to seccomp command to remove the default
- -    syscall list form seccomp blacklist
- - Added --nogroups option to disable supplementary groups for regular
- -   users. root user always runs without supplementary groups.
- - firemon enhancements
- -   display the command that started the sandbox
- -   added --caps option to display capabilities for all sandboxes
- -   added --cgroup option to display the control groups for all sandboxes
- -   added --cpu option to display CPU affinity for all sandboxes
- -   added --seccomp option to display seccomp setting for all sandboxes
- - New compile time options: --disable-chroot, --disable-bind
- - bugfixes
-
-* Sat Dec 27 2014  netblue30 <netblue30@yahoo.com> 0.9.18-1
- - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
- - Support for tracing setreuid, setregid, setresuid, setresguid syscalls
- - Added profiles for transmission-gtk and transmission-qt
- - bugfixes
-
-* Tue Nov 4 2014  netblue30 <netblue30@yahoo.com> 0.9.16-1
- - Configurable private home directory
- - Configurable default user shell
- - Software configuration support for --docdir and DESTDIR
- - Profile file support for include, caps, seccomp and private keywords
- - Dropbox profile file
- - Linux capabilities and seccomp filters enabled by default for Firefox,
-  Midori, Evince and Dropbox
- - bugfixes
+if [[ -z "${version}" ]]; then
+    echo error: version must be given
+    exit 1
+fi
 
-* Wed Oct 8 2014  netblue30 <netblue30@yahoo.com> 0.9.14-1
- - Linux capabilities and seccomp filters are automatically enabled in 
-   chroot mode (--chroot option) if the sandbox is started as regular
-   user
- - Added support for user defined seccomp blacklists
- - Added syscall trace support
- - Added --tmpfs option
- - Added --balcklist option
- - Added --read-only option
- - Added --bind option
- - Logging enhancements
- - --overlay option was reactivated
- - Added firemon support to print the ARP table for each sandbox
- - Added firemon support to print the route table for each sandbox
- - Added firemon support to print interface information for each sandbox
- - bugfixes
+# Make a temporary directory and arrange to clean up on exit
+tmpdir=$(mktemp -d)
+mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+function cleanup {
+  rm -rf ${tmpdir}
+}
+trap cleanup EXIT
 
-* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
- - Added capabilities support
- - Added support for CentOS 7
- - bugfixes
+# Create the spec file
+tmp_spec_file=${tmpdir}/SPECS/${name}.spec
+sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file}
+# FIXME: We could parse RELNOTES and create a %changelog section here
 
-EOF
+# Copy the source to build into a tarball
+tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='.git/*'
 
-echo "building rpm"
-rpmbuild -ba SPECS/firejail.spec
-rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
-cd ..
-rm -f firejail-$VERSION-1.x86_64.rpm
-cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
-=======
-rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec"
->>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd
+# Build the files (rpm, debug rpm and source rpm)
+rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
 
-cp ${tmpdir}/RPMS/x86_64/firejail-*-1.x86_64.rpm .
-rm -rf "${tmpdir}"
+# Copy the results to cwd
+mv ${tmpdir}/SRPMS/*.rpm ${tmpdir}/RPMS/*/*rpm .
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
deleted file mode 100755
index 5775783af..000000000
--- a/platform/rpm/old-mkrpm.sh
+++ /dev/null
@@ -1,417 +0,0 @@
-#!/bin/bash
-VERSION="0.9.36"
-rm -fr ~/rpmbuild
-rm -f firejail-$VERSION-1.x86_64.rpm
-
-mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
-cat <<EOF >~/.rpmmacros
-%_topdir   %(echo $HOME)/rpmbuild
-%_tmppath  %{_topdir}/tmp
-EOF
-
-cd ~/rpmbuild
-echo "building directory tree"
-
-mkdir -p firejail-$VERSION/usr/bin
-install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
-install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
-
-mkdir -p  firejail-$VERSION/usr/lib/firejail
-install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man1
-install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
-install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man5
-install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
-install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
-
-mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
-install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
-
-mkdir -p firejail-$VERSION/etc/firejail
-install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/xchat.profile
-install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/server.profile
-install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/quassel.profile
-install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/pidgin.profile
-install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/icecat.profile
-install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/filezilla.profile
-install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/chromium-browser.profile
-install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/chromium.profile
-install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/dropbox.profile
-install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/disable-common.inc
-install -m 644 /etc/firejail/disable-secret.inc firejail-$VERSION/etc/firejail/disable-secret.inc
-install -m 644 /etc/firejail/disable-mgmt.inc firejail-$VERSION/etc/firejail/disable-mgmt.inc
-install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/evince.profile
-install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/firefox.profile
-install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/icedove.profile
-install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/iceweasel.profile
-install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/midori.profile
-install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/thunderbird.profile
-install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/opera.profile
-install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/transmission-gtk.profile
-install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/transmission-qt.profile
-install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/vlc.profile
-install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/audacious.profile
-install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/clementine.profile
-install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/gnome-mplayer.profile
-install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/rhythmbox.profile
-install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/totem.profile
-install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/deluge.profile
-install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/qbittorrent.profile
-install -m 644 /etc/firejail/generic.profile firejail-$VERSION/etc/firejail/generic.profile
-install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/login.users
-install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/deadbeef.profile
-install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/empathy.profile
-install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/fbreader.profile
-install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/spotify.profile
-install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/google-chrome.profile
-install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/skype.profile
-install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/steam.profile
-install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/wine.profile
-install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/disable-devel.inc
-
-install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/bitlbee.profile
-install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/conkeror.profile
-install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/google-chrome-beta.profile
-install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/google-chrome-stable.profile
-install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/google-chrome-unstable.profile
-install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/hexchat.profile
-install -m 644 /etc/firejail/konqueror.profile firejail-$VERSION/etc/firejail/konqueror.profile
-install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/nolocal.net
-install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/opera-beta.profile
-install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/parole.profile
-install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/rtorrent.profile
-install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/unbound.profile
-install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/webserver.net
-install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/weechat-curses.profile
-install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/weechat.profile
-install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/whitelist-common.inc
-
-mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
-install -m 644 /usr/share/bash-completion/completions/firejail  firejail-$VERSION/usr/share/bash-completion/completions/.
-install -m 644 /usr/share/bash-completion/completions/firemon  firejail-$VERSION/usr/share/bash-completion/completions/.
-
-echo "building tar.gz archive"
-tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
-
-cp firejail-$VERSION.tar.gz SOURCES/.
-
-echo "building config spec"
-cat <<EOF > SPECS/firejail.spec
-%define        __spec_install_post %{nil}
-%define          debug_package %{nil}
-%define        __os_install_post %{_dbpath}/brp-compress
-
-Summary: Linux namepaces sandbox program
-Name: firejail
-Version: $VERSION
-Release: 1
-License: GPL+
-Group: Development/Tools
-SOURCE0 : %{name}-%{version}.tar.gz
-URL: http://firejail.wordpress.com
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-
-%description
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
-
-%prep
-%setup -q
-
-%build
-
-%install
-rm -rf %{buildroot}
-mkdir -p  %{buildroot}
-
-cp -a * %{buildroot}
-
-
-%clean
-rm -rf %{buildroot}
-
-
-%files
-%defattr(-,root,root,-)
-%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
-%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc
-%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
-%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
-%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/login.users
-%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
-%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
-%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
-%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
-%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
-%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
-%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/generic.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
-%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
-%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
-%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/server.profile
-%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile
-%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile
-%config(noreplace) %{_sysconfdir}/%{name}/skype.profile
-%config(noreplace) %{_sysconfdir}/%{name}/steam.profile
-%config(noreplace) %{_sysconfdir}/%{name}/wine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc
-%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile
-%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile
-%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/konqueror.profile
-%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net
-%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile
-%config(noreplace) %{_sysconfdir}/%{name}/parole.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile
-%config(noreplace) %{_sysconfdir}/%{name}/webserver.net
-%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile
-%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc
-
-/usr/bin/firejail
-/usr/bin/firemon
-/usr/lib/firejail/libtrace.so
-/usr/lib/firejail/libtracelog.so
-/usr/lib/firejail/ftee
-/usr/lib/firejail/fshaper.sh
-/usr/share/doc/packages/firejail/COPYING
-/usr/share/doc/packages/firejail/README
-/usr/share/doc/packages/firejail/RELNOTES
-/usr/share/man/man1/firejail.1.gz
-/usr/share/man/man1/firemon.1.gz
-/usr/share/man/man5/firejail-profile.5.gz
-/usr/share/man/man5/firejail-login.5.gz
-/usr/share/bash-completion/completions/firejail
-/usr/share/bash-completion/completions/firemon
- 
-%post
-chmod u+s /usr/bin/firejail
-
-%changelog
-* Thu Dec 24 2015 netblue30 <netblue30@yahoo.com> 0.9.36-1
- - added  unbound, dnscrypt-proxy, BitlBee, HexChat profiles
- - added WeeChat, parole and rtorrent profiles
- - Google Chrome profile rework
- - added google-chrome-stable profile
- - added google-chrome-beta profile
- - added google-chrome-unstable profile
- - Opera profile rework
- - added opera-beta profile
- - added --noblacklist option
- - added --profile-path option
- - added --force option
- - whitelist command enhancements
- - prevent user name enumeration
- - added /etc/firejail/nolocal.net network filter
- - added /etc/firejail/webserver.net network filter
- - blacklisting firejail configuration by default
- - allow default gateway configuration for --interface option
- - --debug enhancements: --debug-check-filenames
- - --debug enhancements:--debug-blacklists
- - --debug enhancements: --debug-whitelists
- - filesystem log
- - libtrace enhancements, tracing opendir call
- - added --tracelog option
- - added "name" command to profile files
- - added "hostname" command to profile files
- - added automated feature testing framework
- - Debian reproducible build
- - bugfixes
-
-* Sat Nov 7 2015 netblue30 <netblue30@yahoo.com> 0.9.34-1
- - added --ignore option
- - added --protocol option
- - support dual i386/amd64 seccomp filters
- - added Google Chrome profile
- - added Steam, Skype, Wine and Conkeror profiles
- - bugfixes
-
-* Wed Oct 21 2015 netblue30 <netblue30@yahoo.com> 0.9.32-1
- - added --interface option
- - added --mtu option
- - added --private-bin option
- - added --nosound option
- - added --hostname option
- - added --quiet option
- - added seccomp errno support
- - added FBReader default profile
- - added Spotify default profile
- - lots of default security profile changes
- - fixed a security problem on multi-user systems
- - bugfixes
-
-* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
- - added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-   disable-history.inc included in all default profiles
- - Firefox PDF.js exploit (CVE-2015-4495) fixes
- - added --private-etc option
- - added --env option
- - added --whitelist option
- - support ${HOME} token in include directive in profile files
- - --private.keep is transitioned to --private-home
- - support ~ and blanks in blacklist option
- - support "net none" command in profile files
- - using /etc/firejail/generic.profile by default for user sessions
- - using /etc/firejail/server.profile by default for root sessions
- - added build --enable-fatal-warnings configure option
- - added persistence to --overlay option
- - added --overlay-tmpfs option
- - make install-strip implemented, make install renamed
- - bugfixes
-
-* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
- - network scanning, --scan option
- - interface MAC address support, --mac option
- - IP address range, --iprange option
- - traffic shaping, --bandwidth option
- - reworked printing of network status at startup
- - man pages rework
- - added firejail-login man page
- - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-   profiles
- - added an /etc/firejail/disable-common.inc file to hold common directory
-   blacklists
- - blacklist Opera and Chrome/Chromium config directories in profile files
- - support noroot option for profile files
- - enabled noroot in default profile files
- - bugfixes
-
-* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
- - private dev directory
- - private.keep option for whitelisting home files in a new private directory
- - user namespaces support, noroot option
- - added Deluge and qBittorent profiles
- - bugfixes
-
-* Sun Apr 5 2015  netblue30 <netblue30@yahoo.com> 0.9.24-1
- - whitelist and blacklist seccomp filters
- - doubledash option
- - --shell=none support
- - netfilter file support in profile files
- - dns server support in profile files
- - added --dns.print option
- - added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
- - added --caps.drop=all in default profiles
- - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
- -        clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
- - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
- - two build patches from Reiner Herman (tickets 11, 12)
- - man page patch from Reiner Herman (ticket 13)
- - output patch (ticket 15) from sshirokov
-
-* Mon Mar 9 2015  netblue30 <netblue30@yahoo.com> 0.9.22-1
- - Replaced --noip option with --ip=none
- - Container stdout logging and log rotation
- - Added process_vm_readv, process_vm_writev and mknod to
-     default seccomp blacklist
- - Added CAP_MKNOD to default caps blacklist
- - Blacklist and whitelist custom Linux capabilities filters
- - macvlan device driver support for --net option
- - DNS server support, --dns option
- - Netfilter support
- - Monitor network statistics, --netstats option
- - Added profile for Mozilla Thunderbird/Icedove
- - --overlay support for Linux kernels 3.18+
- - Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
- - Bugfix: check uid/gid for cgroup
-
-* Fri Feb 6 2015   netblue30 <netblue30@yahoo.com> 0.9.20-1
- - utmp, btmp and wtmp enhancements
- -    create empty /var/log/wtmp and /var/log/btmp files in sandbox
- -    generate a new /var/run/utmp file in sandbox
- - CPU affinity, --cpu option
- - Linux control groups support, --cgroup option
- - Opera web browser support
- - VLC support
- - Added "empty" attribute to seccomp command to remove the default
- -    syscall list form seccomp blacklist
- - Added --nogroups option to disable supplementary groups for regular
- -   users. root user always runs without supplementary groups.
- - firemon enhancements
- -   display the command that started the sandbox
- -   added --caps option to display capabilities for all sandboxes
- -   added --cgroup option to display the control groups for all sandboxes
- -   added --cpu option to display CPU affinity for all sandboxes
- -   added --seccomp option to display seccomp setting for all sandboxes
- - New compile time options: --disable-chroot, --disable-bind
- - bugfixes
-
-* Sat Dec 27 2014  netblue30 <netblue30@yahoo.com> 0.9.18-1
- - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
- - Support for tracing setreuid, setregid, setresuid, setresguid syscalls
- - Added profiles for transmission-gtk and transmission-qt
- - bugfixes
-
-* Tue Nov 4 2014  netblue30 <netblue30@yahoo.com> 0.9.16-1
- - Configurable private home directory
- - Configurable default user shell
- - Software configuration support for --docdir and DESTDIR
- - Profile file support for include, caps, seccomp and private keywords
- - Dropbox profile file
- - Linux capabilities and seccomp filters enabled by default for Firefox,
-  Midori, Evince and Dropbox
- - bugfixes
-
-* Wed Oct 8 2014  netblue30 <netblue30@yahoo.com> 0.9.14-1
- - Linux capabilities and seccomp filters are automatically enabled in 
-   chroot mode (--chroot option) if the sandbox is started as regular
-   user
- - Added support for user defined seccomp blacklists
- - Added syscall trace support
- - Added --tmpfs option
- - Added --balcklist option
- - Added --read-only option
- - Added --bind option
- - Logging enhancements
- - --overlay option was reactivated
- - Added firemon support to print the ARP table for each sandbox
- - Added firemon support to print the route table for each sandbox
- - Added firemon support to print interface information for each sandbox
- - bugfixes
-
-* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
- - Added capabilities support
- - Added support for CentOS 7
- - bugfixes
-
-EOF
-
-echo "building rpm"
-rpmbuild -ba SPECS/firejail.spec
-rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
-cd ..
-rm -f firejail-$VERSION-1.x86_64.rpm
-cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
-