README


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295

Firejail  is  a  SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of  untrusted  applications
using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
Pidgin, Quassel and XChat.

Firejail also expands the restricted shell facility found  in  bash  by adding 
Linux  namespace support. It supports sandboxing specific users upon login.

Download: http://sourceforge.net/projects/firejail/files/
Build and install: ./configure && make && sudo make install
Documentation and support: https://firejail.wordpress.com/
Development: https://github.com/netblue30/firejail
License: GPL v2

Firejail Authors:

netblue30 (netblue30@yahoo.com)
Reiner Herrmann (https://github.com/reinerh)
	- a number of build patches
	- man page fixes
	- Debian and Ubuntu integration
	- clang-analyzer fixes
	- Debian reproducible build
	- unit testing framework
	- moved build to .xz
	- detached signatures for source archive
	- recursive mkdir
Aleksey Manevich (https://github.com/manevich)
	- several profile fixes
	- fix problem with relative path in storage_find function
	- fix build for systems without bash
	- fix double quotes/single quotes problem
	- big rework of argument processing subsystem
	- --join fixes
	- spliting up cmdline.c
	- Busybox support
	- X11 support rewrite
	- gether shell selection code in one place
	- fixed several TOCTOU security problems
	- added --fix option to firecfg utility
	- read_pid fix
	- added --x11=block options
	- x11 xpra, xphyr, block profile commands
	- added --join-or-start command
	- CVE-2016-7545
Fred-Barclay (https://github.com/Fred-Barclay)
	- added Vivaldi, Atril profiles
	- added PaleMoon profile
	- split Icedove and Thunderbird profiles
	- added 0ad profile
	- fixed version for .deb packages
	- added Warzone2100 profile
	- blacklisted VeraCrypt
	- added Gpredict profile
	- added Aweather, Stellarium profiles
	- fixed HexChat and Atril profiles
	- fixed disable-common.inc for mate-terminal
	- blacklisted escape-happy terminals in disable-common.inc
	- blacklisted g++
	- added xplayer, xreader, and xviewer profiles
	- added Brave profile
	- added Gitter profile
	- various organising
	- added LibreOffice profile
	- added pix profile
	- added audacity profile
	- fixed Telegram and qtox profiles
	- added Atom Beta and Atom profiles
	- tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles.
	- several private-bin conversions
	- added jitsi profile
	- pidgin private-bin conversion
	- added eom profile
	- added gnome-chess profile
	- added DOSBox profile
	- evince profile enhancement
graywolf (https://github.com/graywolf)
	- spelling fix
Dara Adib (https://github.com/daradib)
	- ssh profile fix
Tomasz Jan Góralczyk (https://github.com/tjg)
	- fixed Steam profile
pwnage-pineapple (https://github.com/pwnage-pineapple)
	- update Okular profile
Sergey Alirzaev (https://github.com/l29ah)
	- firejail.h enum fix
greigdp (https://github.com/greigdp)
	- Gajim IM client profile
	- fix Slack profile
Icaro Perseo (https://github.com/icaroperseo)
	- Icecat profile
	- several profile fixes
hamzadis (https://github.com/hamzadis)
	- added --overlay-named=name and --overlay-path=path	
Gaman Gabriel (https://github.com/stelariusinfinitek)
	- inox profile
greigdp (https://github.com/greigdp)
	- fixed spotify profile
	- added Slack profile
Laurent Declercq (https://github.com/nuxwin)
	- fixed test for shell interpreter in chroots
Franco (nextime) Lanza (https://github.com/nextime)
	- added --private-template/--private-home
xee5ch (https://github.com/xee5ch)
	- skypeforlinux profile
Peter Hogg (https://github.com/pigmonkey)
	- WeeChat profile
	- rtorrent profile
	- bitlbee profile fixes
Thomas Jarosch (https://github.com/thomasjfox)
	- disable keepassx in disable-passwdmgr.inc
	- added uudeview profile
	- added tar (gtar), unzip and unrar profile
	- added file profile
	- improved profile list
	- fixed small variable glitch in stat64() / lstat64() (libtracelog)
	- added lstat() / lstat64() support to libtrace
	- include mkuid.sh in make dist
Niklas Haas (https://github.com/haasn)
	- blacklisting for keybase.io's client
Jaykishan Mutkawoa (https://github.com/jmutkawoa)
	- cpio profile
Paupiah Yash (https://github.com/CaffeinatedStud)
	- gzip  profile
Akhil Hans Maulloo (https://github.com/kouul)
	- xz profile
Rahul Golam (https://github.com/technoLord)
	- strings profile
geg2048 (https://github.com/geg2048)
	- kwallet profile fixes
Simon Peter (https://github.com/probonopd)
	- set $APPIMAGE and $APPDIR environment variables
maces (https://github.com/maces)
	- Franz messenger profile
KellerFuchs (https://github.com/KellerFuchs)
	- nonewpriv support, extended profiles for this feature
	- make `restricted-network` prevent use of netfilter
	- disable-common.inc additions
ValdikSS (https://github.com/ValdikSS)
	- Psi+, Corebird, Konversation profiles
	- various profile fixes
avoidr (https://github.com/avoidr)
	- whitelist fix
	- recently-used.xbel fix
	- added parole profile
	- blacklist ncat
	- hostname support in profile file
	- Google Chrome profile rework
	- added cmus profile
	- man page fixes
	- add net iface support in profile files
	- paths fix
	- lots of profile fixes
	- added mcabber profile
	- fixed mpv profile
	- various other fixes
Ruan (https://github.com/ruany)
	- fixed hexchat profile
Vasya Novikov (https://github.com/vn971)
	- Wesnoth profile
	- Hedegewars profile
	- manpage fixes
	- fixed firecfg clean/clear issue
	- found the ugliest bug so far
curiosity-seeker (https://github.com/curiosity-seeker)
	- tightening unbound and dnscrypt-proxy profiles
	- dnsmasq profile
	- okular and gwenview profiles
	- cherrytree profile fixes
	- added quiterss profile
Matthew Gyurgyik (https://github.com/pyther)
	- rpm spec and several fixes
Joan Figueras (https://github.com/figue)
	- added abrowser profile
	- added Google-Play-Music-Desktop-Player
	- added cyberfox profile
Petter Reinholdtsen (pere@hungry.com)
	- Opera profile patch
n1trux (https://github.com/n1trux)
	- fix flashpeak-slimjet profile typos
Felipe Barriga Richards (https://github.com/fbarriga)
	- --private-etc fix
Alexander Stein (https://github.com/ajstein)
	- added profile for qutebrowser
Benjamin Kampmann (https://github.com/ligthyear)
	- Forward exit code from child process
dshmgh (https://github.com/dshmgh)
	- overlayfs fix for systems with /home mounted on a separate partition
yumkam (https://github.com/yumkam)
	- add compile-time option to restrict --net= to root only
	- man page fixes
mahdi1234 (https://github.com/mahdi1234)
	- cherrytree profile
	- Seamonkey profiles
jrabe (https://github.com/jrabe)
	- disallow access to kdbx files
	- Epiphany profile
	- Polari profile
	- qTox profile
	- X11 fixes
jgriffiths (https://github.com/jgriffiths)
	- make rpm packages support
Tom Mellor (https://github.com/kalegrill)
	- mupen64plus profile
Martin Carpenter (https://github.com/mcarpenter)
	- security audit and bug fixes
	- Centos 6.x support
pszxzsd (https://github.com/pszxzsd)
	-uGet profile
Rahiel Kasim (https://github.com/rahiel)
	- Mathematica profile
	- whitelisted Dropbox profile
	- whitelisted keysnail config for firefox
creideiki (https://github.com/creideiki)
	- make the sandbox process reap all children
sinkuu (https://github.com/sinkuu)
	- blacklisting kwalletd
	- fix symlink invocation for programs placing symlinks in $PATH
Bader Zaidan (https://github.com/BaderSZ)
	- Telegram profile
Holger Heinz (https://github.com/hheinz)
	- manpage work
Andrey Alekseenko (https://github.com/al42and)
	- fixing lintian warnings
	- fixed Skype profile
Ivan Kozik (https://github.com/ivan)
	- speed up sandbox exit
Christian Stadelmann (https://github.com/genodeftest)
	- profile fixes
pirate486743186 (https://github.com/pirate486743186)
	- KMail profile
Kaan Genç (https://github.com/SeriousBug)
	- dynamic allocation of noblacklist buffer
Veeti Paananen (https://github.com/veeti)
	- fixed Spotify profile
rogshdo (https://github.com/rogshdo)
	- BitlBee profile
Bruno Nova (https://github.com/brunonova)
	- whitelist fix
	- bash arguments fix
Matt Parnell (https://github.com/ilikenwf)
	- whitelisting for core firefox related functionality
Ondra Nekola (https://github.com/satai)
	- allow firefox theming with non-global themes
emacsomancer (https://github.com/emacsomancer)
	- added profile for Conkeror browser
Daan Bakker (https://github.com/dbakker)
	- protect shell startup files
Duncan Overbruck (https://github.com/Duncaen)
	- musl libc fix
	- utmp fix
andrew160 (https://github.com/andrew160)
	- profile and man pages fixes
Loïc Damien (https://github.com/dzamlo)
	- small fixes
greigdp (https://github.com/greigdp)
	- add Spotify profile
Mattias Wadman (https://github.com/wader)
	- seccomp errno filter support
Peter Millerchip (https://github.com/pmillerchip)
	- memory allocation fix
	- --private.keep to --private-home transition
	- support for files and directories starting with ~ in blacklist option
	- support for files and directories with spaces in blacklist option
	- lots of other fixes
sarneaud (https://github.com/sarneaud)
	- rewrite globbing code to fix various minor issues
	- added noblacklist command for profile files
	- various enhancements and bug fixes
Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
	- user namespace implementation
sshirokov (http://sourceforge.net/u/yshirokov/profile/)
	- Patch to output "Reading profile" to stderr instead of stdout
G4JC (http://sourceforge.net/u/gaming4jc/profile/)
	- ARM support
	- profile fixes
dewbasaur (https://github.com/dewbasaur)
	- block access to history files
	- Firefox PDF.js exploit (CVE-2015-4495) fixes
	- Steam profile
Michael Haas (https://github.com/mhaas)
	- bugfixes
mjudtmann (https://github.com/mjudtmann)
	- lock firejail configuration in disable-mgmt.inc
iiotx (https://github.com/iiotx)
	- use generic.profile by default
pstn (https://github.com/pstn)
	- added install-strip, make install without strip
Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
	- src/lib/libnetlink.c extracted from iproute2 software package
	
Copyright (C) 2014-2016 Firejail Authors