From f89ba6ad2638749e96b048330c262ee591cefe30 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 12 Dec 2017 09:09:13 -0500 Subject: starting 0.9.53 --- README.md | 155 +---------------------------------------------------------- RELNOTES | 5 +- configure | 18 +++---- configure.ac | 2 +- 4 files changed, 15 insertions(+), 165 deletions(-) diff --git a/README.md b/README.md index 20659dc3d..1a3c1b4c5 100644 --- a/README.md +++ b/README.md @@ -96,157 +96,4 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir ````` ````` -# Current development version: 0.9.51 - -## Whitelisting, globbing etc. - -We deployed a whitelist for /var directory ("include /etc/firejail/whitelist-var-common.inc"). -It is currently done for 115 applications. - -We added globbing support for --private-bin and whitelisting support for /etc and /usr/share. - ---private-lib was enhanced to autodetect GTK2, GTK3 and Qt4 libraries. In the next release we do a test run with this option enabled -for the following applications: evince, galculator, gnome-calculator, - leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu, - atril, mate-color-select, tar, file, strings, gpicview, - eom, eog, gedit, pluma - -Just for fun, this is a private-bin/private-lib Firefox running on Debian 9: -````` -$ firejail --private-bin=firefox,firefox-esr,sh,which --private-lib=firefox-esr firefox -````` - - -## Profile build tool -````` -$ firejail --build appname -$ firejail --build=appname.profile appname -````` -The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also -builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, -with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported -in order to allow strace to run. Chromium and Chromium-based browsers will not work. - -Example: -````` -$ firejail --build /usr/bin/vlc ~/Videos/test.mp4 - -[...] - -############################################ -# /usr/bin/vlc profile -############################################ -# Persistent global definitions -# include /etc/firejail/globals.local - -### basic blacklisting -include /etc/firejail/disable-common.inc -# include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -# include /etc/firejail/disable-programs.inc - -### home directory whitelisting -whitelist ~/Videos -whitelist ~/.local/share/vlc -whitelist ~/.config/vlc -include /etc/firejail/whitelist-common.inc - -### filesystem -private-tmp -private-dev -private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, -whitelist /var/lib/menu-xdg -# private-bin vlc, - -### security filters -caps.drop all -nonewprivs -seccomp -# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create -# 76 syscalls total -# Probably you will need to add more syscalls to seccomp.keep. Look for -# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while -# running your sandbox. - -### network -protocol unix,netlink, -net none - -### environment -shell none -$ -````` - -## New command line and profile options -````` - --writable-run-user - This options disables the default blacklisting of - run/user/$UID/systemd and /run/user/$UID/gnupg. - - Example: - $ sudo firejail --writable-run-user - - --rlimit-as=number - Set the maximum size of the process's virtual memory (address - space) in bytes. - - --rlimit-cpu=number - Set the maximum limit, in seconds, for the amount of CPU time - each sandboxed process can consume. When the limit is reached, - the processes are killed. - - The CPU limit is a limit on CPU seconds rather than elapsed - time. CPU seconds is basically how many seconds the CPU has - been in use and does not necessarily directly relate to the - elapsed time. Linux kernel keeps track of CPU seconds for each - process independently. - - --timeout=hh:mm:ss - Kill the sandbox automatically after the time has elapsed. The - time is specified in hours/minutes/seconds format. - - $ firejail --timeout=01:30:00 firefox - - --debug-private-lib - Debug messages for --private-lib option. - - --netfilter=filename,arg1,arg2,arg3 ... - This is the template version of the previous command. $ARG1, - $ARG2, $ARG3 ... in the firewall script are replaced with arg1, - arg2, arg3 ... passed on the command line. Up to 16 arguments - are supported. Example: - - $ firejail --net=eth0 --ip=192.168.1.105 \ - --netfilter=/etc/firejail/tcpserver.net,5001 server-program - - --netfilter.print=name|pid - Print the firewall installed in the sandbox specified by name - or PID. Example: - - $ firejail --name=browser --net=eth0 --netfilter firefox & - $ firejail --netfilter.print=browser - - --netfilter6.print=name|pid - Print the IPv6 firewall installed in the sandbox specified by - name or PID. Example: - - $ firejail --name=browser --net=eth0 --netfilter firefox & - $ firejail --netfilter6.print=browser - -````` - -## New profiles: - -terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu, -amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, -calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, -calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, -imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, -ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, -conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool, -aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass, -kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch), -kdeinit4 - -Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles, -https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles. +# Current development version: 0.9.53 diff --git a/RELNOTES b/RELNOTES index b5eac249c..b3ddbbc8e 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,3 +1,7 @@ +firejail (0.9.52) baseline; urgency=low + * work in progress + -- netblue30 Tue, 12 Dec 2017 08:00:00 -0500 + firejail (0.9.52) baseline; urgency=low * modif: --allow-private-blacklists was deprecated; blacklisting, read-only, read-write, tmpfs and noexec are allowed in @@ -43,7 +47,6 @@ firejail (0.9.52) baseline; urgency=low xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass, kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report cower (Arch), kdeinit4 - -- netblue30 Thu, 7 Dec 2017 08:00:00 -0500 firejail (0.9.50~rc1) baseline; urgency=low diff --git a/configure b/configure index 17b814393..d38487aaa 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.52. +# Generated by GNU Autoconf 2.69 for firejail 0.9.53. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.52' -PACKAGE_STRING='firejail 0.9.52' +PACKAGE_VERSION='0.9.53' +PACKAGE_STRING='firejail 0.9.53' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.52 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.53 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1338,7 +1338,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.52:";; + short | recursive ) echo "Configuration of firejail 0.9.53:";; esac cat <<\_ACEOF @@ -1446,7 +1446,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.52 +firejail configure 0.9.53 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.52, which was +It was created by firejail $as_me 0.9.53, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.52, which was +This file was extended by firejail $as_me 0.9.53, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4421,7 +4421,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.52 +firejail config.status 0.9.53 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 2b7dd1d28..cc70a4ded 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.52, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.53, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-54-g00ecf