From e0935c5a3bb4c3b297c151e2060cfc624377a421 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 9 Sep 2016 13:18:18 -0400
Subject: starting new development
---
 README.md | 167 +----------------------------------------------------------
 RELNOTES | 4 ++
 configure | 18 +++----
 configure.ac | 2 +-
 4 files changed, 15 insertions(+), 176 deletions(-)
diff --git a/README.md b/README.md
index 2f2ab38e7..eafcf1d78 100644
--- a/README.md
+++ b/README.md
@@ -34,170 +34,5 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` ````` -# Current development version: 0.9.42~rc2 - -Version 0.9.41~rc1 was released. - -## Bringing back --private-home - -## Deprecated --user - ---user option was deprecated, please use "sudo -u username firejail application" instead. - -## --whitelist rework - -Symlinks outside user home directories are allowed: -````` - --whitelist=dirname_or_filename - Whitelist directory or file. This feature is implemented only - for user home, /dev, /media, /opt, /var, and /tmp directories. - With the exception of user home, both the link and the real file - should be in the same top directory. For /home, both the link - and the real file should be owned by the user. - - Example: - $ firejail --noprofile --whitelist=~/.mozilla - $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null - $ firejail "--whitelist=/home/username/My Virtual Machines" -````` - -## AppArmor support - -So far I've seen this working on Debian Jessie and Ubuntu 16.04, where I can get Firefox and -Chromium running. There is more testing to come. - -````` -APPARMOR - AppArmor support is disabled by default at compile time. Use --enable- - apparmor configuration option to enable it: - - $ ./configure --prefix=/usr --enable-apparmor - - During software install, a generic AppArmor profile file, firejail- - default, is placed in /etc/apparmor.d directory. The profile needs to - be loaded into the kernel by running the following command as root: - - # aa-enforce firejail-default - - The installed profile tries to replicate some advanced security fea‐ - tures inspired by kernel-based Grsecurity: - - - Prevent information leakage in /proc and /sys directories. The - resulting file system is barely enough for running commands such - as "top" and "ps aux". - - - Allow running programs only from well-known system paths, such - as /bin, /sbin, /usr/bin etc. 
Running programs and scripts from - user home or other directories writable by the user is not - allowed. - - - Disable D-Bus. D-Bus has long been a huge security hole, and - most programs don't use it anyway. You should have no problems - running Chromium or Firefox. - - To enable AppArmor confinement on top of your current Firejail security - features, pass --apparmor flag to Firejail command line. You can also - include apparmor command in a Firejail profile file. Example: - - $ firejail --apparmor firefox - -````` - -## AppImage support - -AppImage (http://appimage.org/) is a distribution-agnostic packaging format. -The package is a regular ISO file containing all binaries, libraries and resources -necessary for the program to run. - -We introduce in this release support for sandboxing AppImage applications. Example: -````` -$ firejail --appimage krita-3.0-x86_64.appimage -````` -All Firejail sandboxing options should be available. A private home directory: -````` -$ firejail --appimage --private krita-3.0-x86_64.appimage -````` -or some basic X11 sandboxing: -````` -$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage -````` -Major software applications distributing AppImage packages: - -* Krita: https://krita.org/download/krita-desktop/ -* OpenShot: http://www.openshot.org/download/ -* Scribus: https://www.scribus.net/downloads/unstable-branch/ -* MuseScore: https://musescore.org/en/download - -More packages build by AppImage developer Simon Peter: https://bintray.com/probono/AppImages - -AppImage project home: https://github.com/probonopd/AppImageKit - -## Sandbox auditing -````` -AUDIT - Audit feature allows the user to point out gaps in security profiles. - The implementation replaces the program to be sandboxed with a test - program. By default, we use faudit program distributed with Firejail. A - custom test program can also be supplied by the user. 
Examples: - - Running the default audit program: - $ firejail --audit transmission-gtk - - Running a custom audit program: - $ firejail --audit=~/sandbox-test transmission-gtk - - In the examples above, the sandbox configures transmission-gtk profile - and starts the test program. The real program, transmission-gtk, will - not be started. - - Limitations: audit feature is not implemented for --x11 commands. -````` - -## --noexec -````` - --noexec=dirname_or_filename - Remount directory or file noexec, nodev and nosuid. - - Example: - $ firejail --noexec=/tmp - - /etc and /var are noexec by default. If there are more than one - mount operation on the path of the file or directory, noexec - should be applied to the last one. Always check if the change - took effect inside the sandbox. -````` - -## --rmenv -````` - --rmenv=name - Remove environment variable in the new sandbox. - - Example: - $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS -````` - -## Converting profiles to private-bin - work in progress! - -BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk - -File transfer: filezilla - -Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom - -Office: evince, gthumb, fbreader, pix, atril, xreader, - -Chat/messaging: qtox, gitter, pidgin - -Games: warzone2100, gnome-chess - -Weather/climate: aweather - -Astronomy: gpredict, stellarium - -Browsers: Palemoon - -## New security profiles - -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client, DOSBox +# Current development version: 0.9.43 diff --git a/RELNOTES b/RELNOTES index e48dbbb0e..6a0bd4711 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,3 +1,7 @@ +firejail (0.9.43) baseline; urgency=low + * development version + -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 + firejail (0.9.42) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov * security: disable x32 ABI in seccomp, submitted by Jann Horn diff --git a/configure b/configure index b591987e7..7f9fdc3f0 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.42. +# Generated by GNU Autoconf 2.69 for firejail 0.9.43. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.42' -PACKAGE_STRING='firejail 0.9.42' +PACKAGE_VERSION='0.9.43' +PACKAGE_STRING='firejail 0.9.43' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.42 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.43 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.42:";; + short | recursive ) echo "Configuration of firejail 0.9.43:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.42 +firejail configure 0.9.43 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.42, which was +It was created by firejail $as_me 0.9.43, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4310,7 +4310,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.42, which was +This file was extended by firejail $as_me 0.9.43, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4364,7 +4364,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.42 +firejail config.status 0.9.43 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 11c5b993e..f4deff7b5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.42, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.43, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-70-g09d2