From 79db355e0ac8ef96ba499488a4beb9ad7ff9a67c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 10 Sep 2015 08:15:42 -0400 Subject: 0.9.30-rc1 --- README | 11 +++++++---- RELNOTES | 6 ++++-- configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/firejail.h | 1 + src/man/firejail-profile.txt | 9 +++++++-- 6 files changed, 29 insertions(+), 18 deletions(-) diff --git a/README b/README index 206655487..f8f73ff1a 100644 --- a/README +++ b/README @@ -2,14 +2,17 @@ Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It includes sandbox profiles for Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, -VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge and qBittorrent. +VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. +DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, +Pidgin, Quassel and XChat. Firejail also expands the restricted shell facility found in bash by adding Linux namespace support. It supports sandboxing specific users upon login. Download: http://sourceforge.net/projects/firejail/files/ Build and install: ./configure && make && sudo make install -Documentation and support: http://firejail.sourceforge.net +Documentation and support: https://l3net.wordpress.com/projects/firejail/ +Development: https://github.com/netblue30/firejail License: GPL v2 Firejail Authors: @@ -30,8 +33,6 @@ Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) Reiner Herrmann - a number of build patches, man page fixes, Debian integration sshirokov (http://sourceforge.net/u/yshirokov/profile/) - Patch to output "Reading profile" to stderr instead of stdout -Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) - - src/lib/libnetlink.c extracted from iproute2 software package G4JC (http://sourceforge.net/u/gaming4jc/profile/) - ARM support dewbasaur (https://github.com/dewbasaur) @@ -43,5 +44,7 @@ mjudtmann (https://github.com/mjudtmann) - lock firejail configuration in disable-mgmt.inc iiotx (https://github.com/iiotx) - use generci.profile by default +Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) + - src/lib/libnetlink.c extracted from iproute2 software package Copyright (C) 2014, 2015 Firejail Authors diff --git a/RELNOTES b/RELNOTES index b2a63e400..811f2c5cf 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,17 +1,19 @@ -firejail (0.9.29) baseline; urgency=low +firejail (0.9.30-rc1) baseline; urgency=low * added a disable-history.inc profile as a result of Firefox PDF.js exploit; disable-history.inc included in all default profiles * Firefox PDF.js exploit (CVE-2015-4495) fixes * added --private-etc option * added --env option + * added --whitelist option * support ${HOME} token in include directive in profile files * --private.keep is transitioned to --private-home * support ~ and blanks in blacklist option * support "net none" command in profile files * using /etc/firejail/generic.profile by default for user sessions * using /etc/firejail/server.profile by default for root sessions + * added build --enable-fatal-warnings configure option * bugfixes - -- netblue30 Mon, 24 Aug 2015 20:25:00 -0500 + -- netblue30 Wed, 9 Sept 2015 08:00:00 -0500 firejail (0.9.28) baseline; urgency=low * network scanning, --scan option diff --git a/configure b/configure index 1b8f6728c..c15e4c9aa 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.29-github. +# Generated by GNU Autoconf 2.69 for firejail 0.9.30-rc1. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.29-github' -PACKAGE_STRING='firejail 0.9.29-github' +PACKAGE_VERSION='0.9.30-rc1' +PACKAGE_STRING='firejail 0.9.30-rc1' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.sourceforge.net' @@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.29-github to adapt to many kinds of systems. +\`configure' configures firejail 0.9.30-rc1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1299,7 +1299,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.29-github:";; + short | recursive ) echo "Configuration of firejail 0.9.30-rc1:";; esac cat <<\_ACEOF @@ -1389,7 +1389,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.29-github +firejail configure 0.9.30-rc1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.29-github, which was +It was created by firejail $as_me 0.9.30-rc1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4102,7 +4102,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.29-github, which was +This file was extended by firejail $as_me 0.9.30-rc1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4156,7 +4156,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.29-github +firejail config.status 0.9.30-rc1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 3fa0c933b..5e3f44bed 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.29-github, netblue30@yahoo.com, , http://firejail.sourceforge.net) +AC_INIT(firejail, 0.9.30-rc1, netblue30@yahoo.com, , http://firejail.sourceforge.net) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 116bd404a..aa8144a40 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -368,6 +368,7 @@ void env_store(const char *str); void env_apply(void); // fs_whitelist.c +void fs_whitelist(void); #endif diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1473c5889..470cade7e 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -10,7 +10,7 @@ firejail \-\-profile=filename.profile Several command line options can be passed to the program using profile files. Firejail chooses the profile file as follows: -1. If a profile file is provided by the user with --profile option, the profile file is loaded. +1. If a profile file is provided by the user with \-\-profile option, the profile file is loaded. Example: .PP .RS @@ -120,7 +120,7 @@ Remove ifconfig command from the regular path directories. \f\blacklist ${HOME}/.ssh Remove .ssh directory from user home directory. .TP -\f\ noblacklist ${HOME}/config/evince +\f\noblacklist ${HOME}/config/evince Prevent any new blacklist commands from blacklisting config/evince in the user home directory. Useful for defining exceptions before including a large blacklist from a file. Note @@ -149,6 +149,11 @@ Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, uran Build a new /etc in a temporary filesystem, and copy the files and directories in the list. All modifications are discarded when the sandbox is closed. +.TP +\f\whitelist file_or_directory +Build a new user home in a temporary filesystem, and mount-bind file_or_directory. +The modifications to file_or_directory are persistent, everything else is discarded +when the sandbox is closed. .SH Filters \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples: -- cgit v1.2.3-70-g09d2