From 8fd8fe3035f6ee353430032d0079420d4bfeaf2f Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 5 Feb 2016 07:52:41 -0500
Subject: 0.9.38 released
---
README.md | 93 +---------------------------------------------
RELNOTES | 2 +-
platform/rpm/old-mkrpm.sh | 39 +++++++++++++++++--
test/features/features.txt | 5 ++-
4 files changed, 42 insertions(+), 97 deletions(-)
diff --git a/README.md b/README.md
index 812ad4008..3addca694 100644
--- a/README.md
+++ b/README.md
@@ -32,96 +32,5 @@ Documentation: https://firejail.wordpress.com/documentation-2/ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ -# Current development version: 0.9.37 - -## Symlink invocation - -This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under -the name of the program you want to run, and put the link in the first $PATH position (for -example in /usr/local/bin). Example: -````` -$ which -a transmission-gtk -/usr/bin/transmission-gtk - -$ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk - -$ which -a transmission-gtk -/usr/local/bin/transmission-gtk -/usr/bin/transmission-gtk -````` -We have in this moment two entries in $PATH for transmission. The first one is a symlink to firejail. -The second one is the real program. Starting transmission in this moment, invokes "firejail transmission-gtk" -````` -$ transmission-gtk -Redirecting symlink to /usr/bin/transmission-gtk -Reading profile /etc/firejail/transmission-gtk.profile -Reading profile /etc/firejail/disable-mgmt.inc -Reading profile /etc/firejail/disable-secret.inc -Reading profile /etc/firejail/disable-common.inc -Reading profile /etc/firejail/disable-devel.inc -Parent pid 19343, child pid 19344 -Blacklist violations are logged to syslog -Child process initialized -````` - - -## IPv6 support: -````` - --ip6=address - Assign IPv6 addresses to the last network interface defined by a - --net option. - - Example: - $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox - - --netfilter6=filename - Enable the IPv6 network filter specified by filename in the new - network namespace. The filter file format is the format of - ip6tables-save and ip6table-restore commands. New network - namespaces are created using --net option. If a new network - namespaces is not created, --netfilter6 option does nothing. 
- -````` - -## join command enhancements - -````` - --join-filesystem=name - Join the mount namespace of the sandbox identified by name. By - default a /bin/bash shell is started after joining the sandbox. - If a program is specified, the program is run in the sandbox. - This command is available only to root user. Security filters, - cgroups and cpus configurations are not applied to the process - joining the sandbox. - - --join-filesystem=pid - Join the mount namespace of the sandbox identified by process - ID. By default a /bin/bash shell is started after joining the - sandbox. If a program is specified, the program is run in the - sandbox. This command is available only to root user. Security - filters, cgroups and cpus configurations are not applied to the - process joining the sandbox. - - --join-network=name - Join the network namespace of the sandbox identified by name. By - default a /bin/bash shell is started after joining the sandbox. - If a program is specified, the program is run in the sandbox. - This command is available only to root user. Security filters, - cgroups and cpus configurations are not applied to the process - joining the sandbox. - - --join-network=pid - Join the network namespace of the sandbox identified by process - ID. By default a /bin/bash shell is started after joining the - sandbox. If a program is specified, the program is run in the - sandbox. This command is available only to root user. Security - filters, cgroups and cpus configurations are not applied to the - process joining the sandbox. - -````` - - -## New profiles: KMail - - +# Current development version: 0.9.39 diff --git a/RELNOTES b/RELNOTES index 4dd5e1b50..979f359bd 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -14,7 +14,7 @@ firejail (0.9.38) baseline; urgency=low * --tmpfs option allowed only running as root * added --private-tmp option * bugfixes - -- netblue30 Mon, 2 Feb 2016 10:00:00 -0500 + -- netblue30 Tue, 2 Feb 2016 10:00:00 -0500 firejail (0.9.36) baseline; urgency=low * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 5775783af..99f7a536c 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh @@ -1,5 +1,5 @@ #!/bin/bash -VERSION="0.9.36" +VERSION="0.9.38" rm -fr ~/rpmbuild rm -f firejail-$VERSION-1.x86_64.rpm @@ -83,7 +83,6 @@ install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/fi install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/google-chrome-stable.profile install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/google-chrome-unstable.profile install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/hexchat.profile -install -m 644 /etc/firejail/konqueror.profile firejail-$VERSION/etc/firejail/konqueror.profile install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/nolocal.net install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/opera-beta.profile install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/parole.profile 
@@ -94,6 +93,16 @@ install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/fireja install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/weechat.profile install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/whitelist-common.inc +install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/kmail.profile +install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/seamonkey.profile +install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/seamonkey-bin.profile +install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/telegram.profile +install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/mathematica.profile +install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/Mathematica.profile +install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/uget-gtk.profile +install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/mupen64plus.profile + + mkdir -p firejail-$VERSION/usr/share/bash-completion/completions install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. @@ -189,7 +198,6 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile %config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile -%config(noreplace) %{_sysconfdir}/%{name}/konqueror.profile %config(noreplace) %{_sysconfdir}/%{name}/nolocal.net %config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile %config(noreplace) %{_sysconfdir}/%{name}/parole.profile 
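Review bot: The eight `install -m 644 /etc/firejail/<name>.profile ...` lines added in the hunk at -94,6 +93,16 copy the profiles from the build host's live /etc/firejail, so the RPM ships whatever is installed on that machine, including any local edits that loosen a sandbox profile. Nothing in the visible part of the script checks that the installed files belong to the release named in `VERSION`. If the script keeps this approach, I would at least add a comment above the block such as `# profiles are taken from the installed /etc/firejail; build only on a host with a clean install of $VERSION`. The same names must also be kept in step by hand with the `%files` entries added in the hunk at -199,6 +207,14, and the script continues outside both hunks.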
@@ -199,6 +207,14 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile %config(noreplace) %{_sysconfdir}/%{name}/weechat.profile %config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc +%config(noreplace) %{_sysconfdir}/%{name}/kmail.profile +%config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile +%config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile +%config(noreplace) %{_sysconfdir}/%{name}/telegram.profile +%config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile +%config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile +%config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile +%config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile /usr/bin/firejail /usr/bin/firemon @@ -220,6 +236,23 @@ rm -rf %{buildroot} chmod u+s /usr/bin/firejail %changelog +* Wed Feb 3 2016 netblue30 0.9.38-1 + - IPv6 support (--ip6 and --netfilter6) + - --join command enhancement (--join-network, --join-filesystem) + - added --user command + - added --disable-network and --disable-userns compile time flags + - Centos 6 support + - symlink invocation + - added KMail, Seamonkey, Telegram, Mathematica, uGet, + and mupen64plus profiles + - --chroot in user mode allowed only if seccomp support is available + in current Linux kernel + - deprecated --private-home feature + - the first protocol list installed takes precedence + - --tmpfs option allowed only running as root + - added --private-tmp option + - bugfixes + * Thu Dec 24 2015 netblue30 0.9.36-1 - added unbound, dnscrypt-proxy, BitlBee, HexChat profiles - added WeeChat, parole and rtorrent profiles diff --git a/test/features/features.txt b/test/features/features.txt index 0b1634669..4d8821a92 100644 --- a/test/features/features.txt +++ b/test/features/features.txt 
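Review bot: The eight profile entries added in the hunk at -199,6 +207,14 are all `%config(noreplace)`, so on upgrade RPM keeps a locally edited profile and writes the packaged one next to it as `.rpmnew`. A later tightening of one of these profiles would therefore not take effect on hosts where the file was edited. This matches the existing entries, but the spec does not state it. I would add a comment above the list such as `# profiles are noreplace config files: an upgrade keeps a locally edited profile, review the .rpmnew copies afterwards`. The file list starts and ends outside the hunk.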
@@ -43,16 +43,19 @@ C - chroot filesystem 3.2 read-only 3.3 blacklist 3.4 whitelist home + - N braking on Fedora 3.5 private-dev - O, C - somehow /dev/log is missing + - N - problems on Debian wheezy 32-bit, Fedora 3.6 private-etc - O not working - todo 3.7 private-tmp 3.8 private-bin - O, C not working - todo 3.9 whitelist dev + - N not working on Debian wheezy (32-bit and 64-bit) - todo 3.10 whitelist tmp - - O not working on Arch Linux + - O not working on Arch Linux - todo -- cgit v1.2.3-54-g00ecf