Latest:
firejail (0.9.56-LTS) baseline; urgency=low
* code based on Firejail version 0.9.56
* much smaller code base for SUID executable
* command line options removed:
--audit, --build, --cgroup, --chroot, --get, --ls, --output,
--output-stderr, --overlay, --overlay-named, --overlay-tmpfs,
--overlay-clean, --private-home, --private-bin, --private-etc,
--private-opt, --private-srv, --put, --rlimit*, --trace, --tracelog,
--x11*, --xephyr*
* compile-time options: --enable-apparmor, --disable-seccomp,
--disable-globalcfg, --disable-network, --disable-userns,
--disable-whitelist, --disable-suid, --enable-fatal-warnings,
--enable-busybox-workaround
-- netblue30 Sun, 21 Oct 2018 08:00:00 -0500
firejail (0.9.56) baseline; urgency=low
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
-- netblue30 Tue, 18 Sep 2018 08:00:00 -0500
firetools (0.9.52) baseline; urgency=low
* modif: moving to a grayscale color scheme
* feature: firewall support in stats window
* feature: AppArmor support in stats window
* feature: adding Signal to the default list of applications
* bugfixes and various user interface improvements
-- netblue30 Thu, 1 Mar 2018 13:00:00 -0500
Earlier:
firejail (0.9.54) baseline; urgency=low
* modif: --force removed
* modif: --csh, --zsh removed
* modif: --debug-check-filename removed
* modif: --git-install and --git-uninstall removed
* modif: support for private-bin, private-lib and shell none has been
disabled while running AppImage archives in order to be able to use
our regular profile files with AppImages.
* modif: restrictions for /proc, /sys and /run/user directories
are moved from AppArmor profile into firejail executable
* modif: unifying Chromium and Firefox browsers profiles.
All users of Firefox-based browsers who use addons and plugins
that read/write from ${HOME} will need to uncomment the includes for
firefox-common-addons.inc in firefox-common.profile.
* modif: split disable-devel.inc into disable-devel and
disable-interpreters.inc
* Firejail user access database (/etc/firejail/firejail.users,
man firejail-users)
* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
* Spectre mitigation patch for gcc and clang compiler
* D-Bus handling (--nodbus)
* AppArmor support for overlayfs and chroot sandboxes
* AppArmor support for AppImages
* Enable AppArmor by default for a large number of programs
* firejail --apparmor.print option
* firemon --apparmor option
* apparmor yes/no flag in /etc/firejail/firejail.config
* seccomp syscall list update for glibc 2.26-10
* seccomp disassembler for --seccomp.print option
* seccomp machine code optimizer for default seccomp filters
* IPv6 DNS support
* whitelist support for overlay and chroot sandboxes
* private-dev support for overlay and chroot sandboxes
* private-tmp support for overlay and chroot sandboxes
* added sandbox name support in firemon
* firemon/prctl enhancements
* noblacklist support for /sys/module directory
* whitelist support for /sys/module directory
* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
* new profiles: discord-canary, pycharm-community, pycharm-professional,
* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
* new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
* new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
* new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
* new profiles: qmmp, sayonara
-- netblue30 Wed, 16 May 2018 08:00:00 -0500
firejail (0.9.52) baseline; urgency=low
* modif: --allow-private-blacklists was deprecated; blacklisting,
read-only, read-write, tmpfs and noexec are allowed in
private home directories
* modif: remount-proc-sys deprecated from firejail.config
* modif: follow-symlink-private-bin deprecated from firejail.config
* modif: --profile-path was deprecated
* enhancement: support Firejail user config directory in firecfg
* enhancement: disable DBus activation in firecfg
* enhancement; enumerate root directories in apparmor profile
* enhancement: /etc and /usr/share whitelisting support
* enhancement: globbing support for --private-bin
* feature: systemd-resolved integration
* feature: whitelisting /var directory in most profiles
* feature: GTK2, GTK3 and Qt4 private-lib support
* feature: --debug-private-lib
* feature: test deployment of private-lib for the following
applications: evince, galculator, gnome-calculator,
leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
atril, mate-color-select, tar, file, strings, gpicview,
eom, eog, gedit, pluma
* feature: --writable-run-user
* feature: --rlimit-as
* feature: --rlimit-cpu
* feature: --timeout
* feature: profile build tool (--build)
* feature: --netfilter.print
* feature: --netfilter6.print
* feature: netfilter template support
* new profiles: upstreamed many profiles from the following sources:
https://github.com/chiraag-nataraj/firejail-profiles,
https://github.com/nyancat18/fe,
https://aur.archlinux.org/packages/firejail-profiles.
* new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
brackets, calligra, calligraauthor, calligraconverter, calligraflow,
calligraplan, calligraplanwork, calligrasheets, calligrastage,
calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report
cower (Arch), kdeinit4
-- netblue30 Thu, 7 Dec 2017 08:00:00 -0500
firetools (0.9.50) baseline; urgency=low
* modif: removed the periodic window update for seccomp, caps,
and dns
* feature: memory deny exec stats support
* feature: print security profile name in stats window
* feature: protocol support in firejail-ui
* feature: nodvd support in firejail-ui
* feature: novideo support in firejail-ui
* feature: notv support in firejail-ui
* enhancement: save window size for fmgr and fstats upon exit
and restore it next time the program is started
* enhancement: updated default application list
* enhancement: rework icon search for firetools launcher
* enhancement: --enable-fatal-warnings compile configuration
* Travis CI integration
* bugfixes
-- netblue30 Sat, 30 Sep 2017 08:00:00 -0500
firejail (0.9.50) baseline; urgency=low
* modif: --output split in two commands, --output and --output-stderr
* feature: per-profile disable-mnt (--disable-mnt)
* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
* feature: private /lib directory (--private-lib)
* feature: disable CDROM/DVD drive (--nodvd)
* feature: disable DVB devices (--notv)
* feature: --profile.print
* enhancement: print all seccomp filters under --debug
* enhancement: /proc/sys mounting
* enhancement: rework IP address assingment for --net options
* enhancement: support for newer Xpra versions (2.1+) -
set xpra-attach yes in /etc/firejail/firejail.config
* enhancement: all profiles use a standard layout style
* enhancement: create /usr/local for firecfg if the directory doesn't exist
* enhancement: allow full paths in --private-bin
* seccomp feature: --memory-deny-write-execute
* seccomp feature: seccomp post-exec
* seccomp feature: block secondary architecture (--seccomp.block_secondary)
* seccomp feature: seccomp syscall groups
* seccomp enhancement: print all seccomp filters under --debug
* seccomp enhancement: default seccomp list update
* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
* new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
* new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
* new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
* new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
* new profiles: sqlitebrowse, Yandex Browser, minetest
* bugfixes
-- netblue30 Thu, 7 Sep 2017 08:00:00 -0500
firejail (0.9.48) baseline; urgency=low
* modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
please use ~/Downloads directory for saving files
* modifs: AppArmor made optional; a warning is printed on the screen
if the sandbox fails to load the AppArmor profile
* feature: --novideo
* feature: drop discretionary access control capabilities for
root sandboxes
* feature: added /etc/firejail/globals.local for global customizations
* feature: profile support in overlayfs mode
* new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
* bugfixes
-- netblue30 Mon, 12 Jun 2017 08:00:00 -0500
firejail (0.9.46) baseline; urgency=low
* security: split most of networking code in a separate executable
* security: split seccomp filter code configuration in a separate executable
* security: split file copying in private option in a separate executable
* feature: disable gnupg and systemd directories under /run/user
* feature: test coverage (gcov) support
* feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
* feature: private /opt directory (--private-opt, profile support)
* feature: private /srv directory (--private-srv, profile support)
* feature: spoof machine-id (--machine-id, profile support)
* feature: allow blacklists under --private (--allow-private-blacklist,
profile support)
* feature: user-defined /etc/hosts file (--hosts-file, profile support)
* feature: support for the real /var/log directory (--writable-var-log,
profile support)
* feature: config support for firejail prompt in terminals
* feature: AppImage type 2 support
* feature: pass command line arguments to appimages
* feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
* feature: added a number of Python scripts for handling sandboxes
* feature: allow local customization using .local files under /etc/firejail
* feature: follow-symlink-as-user runtime config option in
/etc/firejail/firejail.config
* feature: follow-symlink-private-bin option in /etc/firejail/firejail.config
* feature: xvfb X11 server support (--x11=xvfb)
* feature: allow /tmp directory in mkdir and mkfile profile commands
* feature: implemented --noblacklist command, profile support
* feature: config support to disable access to /mnt and /media (disable-mnt)
* feature: config support to disable join (join)
* feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
* feature: support overlay, overlay-named and overlay-tmpfs in profile files
* feature: allow PulseAudio sockets in --private-tmp
* feature: --fix-sound support in firecfg
* feature: added support for sandboxing Xpra, Xvfb and Xephyr in
independent sandboxes when started with firejail --x11
* feature: enable automatic X server sandboxing for --x11=xpra
and --x11=xephyr
* feature: support for Xpra extra params in firejail config file
* new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
* new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
* new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
* new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,
* new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,
* new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,
* new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
* new profiles: Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict,
* new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin,
* new profiles: mate-calc, mate-dictionary, mate-color-select, caja,
* new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes
* new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr
* new profiles: Blender, 2048-qt
* bugfixes
-- netblue30 Sun, 14 May 2017 08:00:00 -0500
firejail (0.9.44.10) baseline; urgency=low
* security: when using --x11=xorg and --net, incorrect processing of
the return code of /usr/bin/xauth could end up in starting the
sandbox without X11 security extension installed. Problem found/fixed
by Zack Weinberg
* bugfix: ~/.pki directory whitelisted and later blacklisted. This affects
most browsers, and disables the custom certificates installed by the user
* bugfix: firecfg config fix
* bugfix: gajim security profile fix
* bugfix: man page fix
* bugfix: force-nonewprivs fix for /etc/firejail/firejail.config
* bugfix: xephyr-extra-params fix for /etc/firejail/firejail.config
* bugfix: memory corruption in noblacklist processing
* bugfix: --quiet fix for Arch and Fedora systems
* bugfix: updated Keepass(x) profiles
* bugfix: firemon --nowrap problem
* bugfix: document firemon --nowrap in man page and in --help option
* bugfix: bash completion for --noblacklist command
* bugfix: vlc profile fix
* bugfix: fixed handling of .local profile files when the software is
installed in ~/.local directory
* bugfix: temporarily remove private-tmp from all profiles, until a fix for
.Xauthority file handling in KDE becomes available
* maintenance: --output cleanup
* maintenance: updated copyright statement in all files
-- netblue30 Sat, 18 Mar 2017 10:00:00 -0500
firejail (0.9.44.8) baseline; urgency=low
* bugfix: fix broken PulseAudio support
-- netblue30 Wed, 18 Jan 2017 10:00:00 -0500
firejail (0.9.44.6) baseline; urgency=low
* security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week; new CVE assigned after the release - CVE-2017-5940
* security: major cleanup of file copying code
* security: tightening the rules for --chroot and --overlay features
* bugfix: ported Gentoo compile patch
* bugfix: Nvidia drivers bug in --private-dev
* bugfix: fix ASSERT_PERMS_FD macro
* feature: allow local customization using .local files under /etc/firejail
backported from our development branch
* feature: spoof machine-id backported from our development branch
-- netblue30 Sun, 15 Jan 2017 10:00:00 -0500
firejail (0.9.44.4) baseline; urgency=low
* security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* security: disabled --allow-debuggers when running on kernel
versions prior to 4.8; a kernel bug in ptrace system call
allows a full bypass of seccomp filter; problem reported by
Lizzie Dixon (CVE-2017-5206)
* security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
-- netblue30 Sat, 7 Jan 2017 10:00:00 -0500
firejail (0.9.44.2) baseline; urgency=low
* security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
* secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
* security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
* security: several security enhancements
* bugfix: crashing VLC by pressing Ctrl-O
* bugfix: use user configured icons in KDE
* bugfix: mkdir and mkfile are not applied to private directories
* bugfix: cannot open files on Deluge running under KDE
* bugfix: --private=dir where dir is the user home directory
* bugfix: cannot start Vivaldi browser
* bugfix: cannot start mupdf
* bugfix: ssh profile problems
* bugfix: --quiet
* bugfix: quiet in git profile
* bugfix: memory corruption
-- netblue30 Fri, 2 Dec 2016 08:00:00 -0500
firejail (0.9.44) baseline; urgency=low
* CVE-2016-9016 submitted by Aleksey Manevich
* modifs: removed man firejail-config
* modifs: --private-tmp whitelists /tmp/.X11-unix directory
* modifs: Nvidia drivers added to --private-dev
* modifs: /srv supported by --whitelist
* feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
* feature: support starting/joining sandbox is a single command
(--join-or-start)
* feature: X11 detection support for --audit
* feature: assign a name to the interface connected to the bridge
(--veth-name)
* feature: all user home directories are visible (--allusers)
* feature: add files to sandbox container (--put)
* feature: blocking x11 (--x11=block)
* feature: X11 security extension (--x11=xorg)
* feature: disable 3D hardware acceleration (--no3d)
* feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* feature: move files in sandbox (--put)
* feature: accept wildcard patterns in user name field of restricted
shell login feature
* new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
* new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* new profiles: Flowblade, Eye of GNOME (eog), Evolution
* bugfixes
-- netblue30 Fri, 21 Oct 2016 08:00:00 -0500
firejail (0.9.42) baseline; urgency=low
* security: --whitelist deleted files, submitted by Vasya Novikov
* security: disable x32 ABI in seccomp, submitted by Jann Horn
* security: tighten --chroot, submitted by Jann Horn
* security: terminal sandbox escape, submitted by Stephan Sokolow
* security: several TOCTOU fixes submitted by Aleksey Manevich
* modifs: bringing back --private-home option
* modifs: deprecated --user option, please use "sudo -u username firejail"
* modifs: allow symlinks in home directory for --whitelist option
* modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
* modifs: recursive mkdir
* modifs: include /dev/snd in --private-dev
* modifs: seccomp filter update
* modifs: release archives moved to .xz format
* feature: AppImage support (--appimage)
* feature: AppArmor support (--apparmor)
* feature: Ubuntu snap support (/etc/firejail/snap.profile)
* feature: Sandbox auditing support (--audit)
* feature: remove environment variable (--rmenv)
* feature: noexec support (--noexec)
* feature: clean local overlay storage directory (--overlay-clean)
* feature: store and reuse overlay (--overlay-named)
* feature: allow debugging inside the sandbox with gdb and strace
(--allow-debuggers)
* feature: mkfile profile command
* feature: quiet profile command
* feature: x11 profile command
* feature: option to fix desktop files (firecfg --fix)
* compile time: Busybox support (--enable-busybox-workaround)
* compile time: disable overlayfs (--disable-overlayfs)
* compile time: disable whitlisting (--disable-whitelist)
* compile time: disable global config (--disable-globalcfg)
* run time: enable/disable overlayfs (overlayfs yes/no)
* run time: enable/disable quiet as default (quiet-by-default yes/no)
* run time: user-defined network filter (netfilter-default)
* run time: enable/disable whitelisting (whitelist yes/no)
* run time: enable/disable remounting of /proc and /sys
(remount-proc-sys yes/no)
* run time: enable/disable chroot desktop features (chroot-desktop yes/no)
* profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
* profiles: pix, audacity, xz, xzdec, gzip, cpio, less
* profiles: Atom Beta, Atom, jitsi, eom, uudeview
* profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
* profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
* bugfixes
-- netblue30 Thu, 8 Sept 2016 08:00:00 -0500
firejail (0.9.40) baseline; urgency=low
* added --nice option
* added --x11 option
* added --x11=xpra option
* added --x11=xephyr option
* added --cpu.print option
* added filetransfer options --ls and --get
* added --writable-etc and --writable-var options
* added --read-only option
* added mkdir, ipc-namespace, and nosound profile commands
* added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
* --version also prints compile options
* --output option also redirects stderr
* added compile-time option to restrict --net= to root only
* run time config support, man firejail-config
* added firecfg utility
* AppArmor fixes
* default seccomp filter update
* disable STUN/WebRTC in default netfilter configuration
* new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
* new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
* new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
* new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
* new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
* new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
* new profiles: generic Ubuntu snap application profile, xplayer
* new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
* new profiles: Brave, Gitter
* generic.profile renamed default.profile
* build rpm packages using "make rpms"
* bugfixes
-- netblue30 Sun, 29 May 2016 08:00:00 -0500
firejail (0.9.38.12) baseline; urgency=low
* bugfix: detect correct execute permissions for --shell=none
* bugfix: use an IP address of 0 when ARP-probing for unused IP addresses
* bugfix: fix cpu entry in firejail-profile man page
* bugfix: set correct mode for --tmpfs
* bugfix: accept program names in firejail bash completion
* bugfix: added --force option to --help screen
* bugfix: --quiet option
* bugfix: truncated output in snprintf
* bugfix: fix handling of /dev/shm in whitelists
* enhancement: quiet support in profile files
* maintenance: --output cleanup
* manitenance: libnetlink cleanup
* maintenance: updated terminal support in disable-common.inc
* maintenance: updated copyright statement in all files
* maintenance: testing suite update for Debian "stretch"
-- netblue30 Sat, 11 Nov 2017 10:00:00 -0500
firejail (0.9.38.10) baseline; urgency=low
* security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
* security: tightening the rules for --chroot
* bugfix: ported Gentoo compile patch
* bugfix: fix ASSERT_PERMS_FD macro
-- netblue30 Sun, 15 Jan 2017 10:00:00 -0500
firejail (0.9.38.8) baseline; urgency=low
* security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
-- netblue30 Sat, 7 Jan 2017 10:00:00 -0500
firejail (0.9.38.6) baseline; urgency=low
* security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
* bugfix: crashing VLC by pressing Ctrl-O
-- netblue30 Fri, 16 Dec 2016 10:00:00 -0500
firejail (0.9.38.4) baseline; urgency=low
* CVE-2016-7545 submitted by Aleksey Manevich
* bugfixes
-- netblue30 Mon, 10 Oct 2016 10:00:00 -0500
firejail (0.9.38.2) baseline; urgency=low
* security: --whitelist deleted files, submitted by Vasya Novikov
* security: disable x32 ABI, submitted by Jann Horn
* security: tighten --chroot, submitted by Jann Horn
* security: terminal sandbox escape, submitted by Stephan Sokolow
* feature: clean local overlay storage directory (--overlay-clean)
* bugfixes
-- netblue30 Tue, 23 Aug 2016 10:00:00 -0500
firejail (0.9.38) baseline; urgency=low
* IPv6 support (--ip6 and --netfilter6)
* --join command enhancement (--join-network, --join-filesystem)
* added --user command
* added --disable-network and --disable-userns compile time flags
* Centos 6 support
* symlink invocation
* added KMail, Seamonkey, Telegram, Mathematica, uGet,
* and mupen64plus profiles
* --chroot in user mode allowed only if seccomp support is available
* in current Linux kernel (CVE-2016-10123)
* deprecated --private-home feature
* the first protocol list installed takes precedence
* --tmpfs option allowed only running as root (CVE-2016-10117)
* added --private-tmp option
* weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)
* bugfixes
-- netblue30 Tue, 2 Feb 2016 10:00:00 -0500
firejail (0.9.36) baseline; urgency=low
* added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
parole and rtorrent profiles
* Google Chrome profile rework
* added google-chrome-stable profile
* added google-chrome-beta profile
* added google-chrome-unstable profile
* Opera profile rework
* added opera-beta profile
* added --noblacklist option
* added --profile-path option
* added --force option
* whitelist command enhancements
* prevent user name enumeration
* added /etc/firejail/nolocal.net network filter
* added /etc/firejail/webserver.net network filter
* blacklisting firejail configuration by default
* allow default gateway configuration for --interface option
* --debug enhancements: --debug-check-filenames, --debug-blacklists,
--debug-whitelists
* filesystem log
* libtrace enhancements, tracing opendir call
* added --tracelog option
* added "name" command to profile files
* added "hostname" command to profile files
* added automated feature testing framework
* Debian reproducible build
* bugfixes
-- netblue30 Sun, 27 Dec 2015 09:00:00 -0500
firejail (0.9.34) baseline; urgency=low
* added --ignore option
* added --protocol option
* support dual i386/amd64 seccomp filters
* added Google Chrome profile
* added Steam, Skype, Wine and Conkeror profiles
* bugfixes
-- netblue30 Sat, 7 Nov 2015 08:00:00 -0500
firejail (0.9.32) baseline; urgency=low
* added --interface option
* added --mtu option
* added --private-bin option
* added --nosound option
* added --hostname option
* added --quiet option
* added seccomp errno support
* added FBReader default profile
* added Spotify default profile
* lots of default security profile changes
* fixed a security problem on multi-user systems
* bugfixes
-- netblue30 Wed, 21 Oct 2015 08:00:00 -0500
firejail (0.9.30) baseline; urgency=low
* added a disable-history.inc profile as a result of Firefox PDF.js exploit;
disable-history.inc included in all default profiles
* Firefox PDF.js exploit (CVE-2015-4495) fixes
* added --private-etc option
* added --env option
* added --whitelist option
* support ${HOME} token in include directive in profile files
* --private.keep is transitioned to --private-home
* support ~ and blanks in blacklist option
* support "net none" command in profile files
* using /etc/firejail/generic.profile by default for user sessions
* using /etc/firejail/server.profile by default for root sessions
* added build --enable-fatal-warnings configure option
* added persistence to --overlay option
* added --overlay-tmpfs option
* make install-strip implemented, make install renamed
* bugfixes
-- netblue30 Mon, 14 Sept 2015 08:00:00 -0500
firejail (0.9.28) baseline; urgency=low
* network scanning, --scan option
* interface MAC address support, --mac option
* IP address range, --iprange option
* traffic shaping, --bandwidth option
* reworked printing of network status at startup
* man pages rework
* added firejail-login man page
* added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
profiles
* added an /etc/firejail/disable-common.inc file to hold common directory
blacklists
* blacklist Opera and Chrome/Chromium config directories in profile files
* support noroot option for profile files
* enabled noroot in default profile files
* bugfixes
-- netblue30 Sat, 1 Aug 2015 08:00:00 -0500
firejail (0.9.26) baseline; urgency=low
* private dev directory
* private.keep option for whitelisting home files in a new private directory
* user namespaces support, noroot option
* added Deluge and qBittorent profiles
* bugfixes
-- netblue30 Thu, 30 Apr 2015 08:00:00 -0500
firejail (0.9.24) baseline; urgency=low
* whitelist and blacklist seccomp filters
* doubledash option
* --shell=none support
* netfilter file support in profile files
* dns server support in profile files
* added --dns.print option
* added default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem.
* added --caps.drop=all in default profiles
* new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
* clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
* Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
* two build patches from Reiner Herman (tickets 11, 12)
* man page patch from Reiner Herman (ticket 13)
* output patch (ticket 15) from sshirokov
-- netblue30 Sun, 5 Apr 2015 08:00:00 -0500
firejail (0.9.22) baseline; urgency=low
* Replaced --noip option with --ip=none
* Container stdout logging and log rotation
* Added process_vm_readv, process_vm_writev and mknod to
* default seccomp blacklist
* Added CAP_MKNOD to default caps blacklist
* Blacklist and whitelist custom Linux capabilities filters
* macvlan device driver support for --net option
* DNS server support, --dns option
* Netfilter support
* Monitor network statistics, --netstats option
* Added profile for Mozilla Thunderbird/Icedove
* - --overlay support for Linux kernels 3.18+
* Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
* Bugfix: check uid/gid for cgroup
-- netblue30 Mon, 9 Mar 2015 09:00:00 -0500
firejail (0.9.20) baseline; urgency=low
* utmp, btmp and wtmp enhancements
* create empty /var/log/wtmp and /var/log/btmp files in sandbox
* generate a new /var/run/utmp file in sandbox
* CPU affinity, --cpu option
* Linux control groups support, --cgroup option
* Opera web browser support
* VLC support
* Added "empty" attribute to seccomp command to remove the default
* syscall list form seccomp blacklist
* Added --nogroups option to disable supplementary groups for regular
* users. root user always runs without supplementary groups.
* firemon enhancements
* display the command that started the sandbox
* added --caps option to display capabilities for all sandboxes
* added --cgroup option to display the control groups for all sandboxes
* added --cpu option to display CPU affinity for all sandboxes
* added --seccomp option to display seccomp setting for all sandboxes
* New compile time options: --disable-chroot, --disable-bind
* bugfixes
-- netblue30 Mon, 02 Feb 2015 08:00:00 -0500
firejail (0.9.18) baseline; urgency=low
* Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
* Support for tracing setreuid, setregid, setresuid, setresguid syscalls
* Added profiles for transmission-gtk and transmission-qt
* bugfixes
-- netblue30 Fri, 25 Dec 2014 10:00:00 -0500
firejail (0.9.16) baseline; urgency=low
* Configurable private home directory
* Configurable default user shell
* Software configuration support for --docdir and DESTDIR
* Profile file support for include, caps, seccomp and private keywords
* Dropbox profile file
* Linux capabilities and seccomp filters enabled by default for Firefox,
Midori, Evince and Dropbox
* bugfixes
-- netblue30 Tue, 4 Nov 2014 10:00:00 -0500
firejail (0.9.14) baseline; urgency=low
* Linux capabilities and seccomp filters are automatically enabled in
chroot mode (--chroot option) if the sandbox is started as regular user
* Added support for user defined seccomp blacklists
* Added syscall trace support
* Added --tmpfs option
* Added --balcklist option
* Added --read-only option
* Added --bind option
* Logging enhancements
* --overlay option was reactivated
* Added firemon support to print the ARP table for each sandbox
* Added firemon support to print the route table for each sandbox
* Added firemon support to print interface information for each sandbox
* bugfixes
-- netblue30 Tue, 15 Oct 2014 10:00:00 -0500
firejail (0.9.12.2) baseline; urgency=low
* Fix for pulseaudio problems
* --overlay option was temporarily disabled in this build
-- netblue30 Mon, 29 Sept 2014 07:00:00 -0500
firejail (0.9.12.1) baseline; urgency=low
* Fix for pulseaudio problems
* --overlay option was temporarily disabled in this build
-- netblue30 Mon, 22 Sept 2014 09:00:00 -0500
firejail (0.9.12) baseline; urgency=low
* Added capabilities support
* Added support for CentOS 7
* bugfixes
-- netblue30 Mon, 15 Sept 2014 10:00:00 -0500
firejail (0.9.10) baseline; urgency=low
* Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot
* Fixed --top option CPU utilization calculation
* Implemented --tree option in firejail and firemon
* Implemented --join=name option
* Implemented --shutdown option
* Preserve the current working directory if possible
* Cppcheck and clang errors cleanup
* Added a Chromium web browser profile
-- netblue30 Thu, 28 Aug 2014 07:00:00 -0500
firejail (0.9.8.1) baseline; urgency=low
* FIxed a number of bugs introduced in 0.9.8
-- netblue30 Fri, 25 Jul 2014 07:25:00 -0500
firejail (0.9.8) baseline; urgency=low
* Implemented nowrap mode for firejail --list command option
* Added --top option in both firejail and firemon
* seccomp filter support
* Added pid support for firemon
* bugfixes
-- netblue30 Tue, 24 Jul 2014 08:51:00 -0500
firejail (0.9.6) baseline; urgency=low
* Mounting tmpfs on top of /var/log, required by several server programs
* Server fixes for /var/lib and /var/cache
* Private mode fixes
* csh and zsh default shell support
* Chroot mode fixes
* Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd,
-- netblue30 Sat, 7 Jun 2014 09:00:00 -0500
firejail (0.9.4) baseline; urgency=low
* Fixed resolv.conf on Ubuntu systems using DHCP
* Fixed resolv.conf on Debian systems using resolvconf package
* Fixed /var/lock directory
* Fixed /var/tmp directory
* Fixed symbolic links in profile files
* Added profiles for evince, midori
-- netblue30 Sun, 4 May 2014 08:00:00 -0500
firejail (0.9.2) baseline; urgency=low
* Checking IP address passed with --ip option using ARP; exit if the address
is already present
* Using a lock file during ARP address assignment in order to removed a race
condition.
* Several fixes to --private option; it also mounts a tmpfs filesystem on top
of /tmp
* Added user access check for profile file
* Added --defaultgw option
* Added support of --noip option; it is necessary for DHCP setups
* Added syslog support
* Added support for "tmpfs" and "read-only" profile commands
* Added an expect-based testing framework for the project
* Added bash completion support
* Added support for multiple networks
-- netblue30 Fri, 25 Apr 2014 08:00:00 -0500
firejail (0.9) baseline; urgency=low
* First beta version
-- netblue30 Sat, 12 Apr 2014 09:00:00 -0500
Advertisements
Why are your downloads not signed or hashed?
LikeLike
I added signatures for the latest version. Look into .asc file.
LikeLike
Great! Can you confirm the key fingerprint: F951 1649 95F5 C400 6A73 411E 2CCB 36AD FC58 49A7
LikeLike
The fingerprint is good. I have the full public key printed on the download page here: https://firejail.wordpress.com/download-2/
LikeLike
Pingback: [CSS] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321) – sec.uno
There is a fairly new downloader on the scene for Linux that you might consider building a profile for. It is called Persepolis Download Manager. It can be found here: https://persepolisdm.github.io/ It is similar to Internet Download Manager though it is not at that stage in its development yet.
LikeLike
Thanks, I’ll take a look.
LikeLike
I downloaded from your site firejail-0.9.44.10-1.x86_64.rpm and installed it on my Fedora 25 host (fully up-to-date). Seems to work fine.
However I needed to modify a supplied profile (transmission-gtk.profile), so I copied that to ~/.config/firejail and then ran “firejail transmission-gtk” again to make sure it was working. Nope.
The problem was that firejail found and started processing my .config copy OK but when it processed the line “include /etc/firejail/disable-common.inc” and attempted to execute the first line of *that* file (“include /etc/firejail/disable-common.local”) it failed because “no such file or directory”.
I then created an (empty *.local” in /etc/firejail for each of the *.inc files containing an include directive like this.
Then everything worked. I don’t know why these “.local” includes don’t cause trouble when the *.inc
file found in /etc/firejail is processed by firejail but causes trouble when the *.inc file is in ~/.config/firejail.
Suggest you allow these .local files to not-exist, or pre-create empty ones. (I do think having this feature
is a good idea — *if* installing a new release will not override any .local files — as it is handy to be able to
add restrictions or whatever for generic local consumption in /etc/firejail without having these changes disappear after an update of firejail. Perhaps a separate (sub-)directory in /etc for them would be better…)
LikeLike
I said: “I don’t know why these “.local” includes don’t cause trouble when the *.inc
file found in /etc/firejail is processed by firejail but causes trouble when the *.inc file is in ~/.config/firejail.”
That was wrong: I meant ” *.profile file”, not the “*.inc file”. I.e. I copied transmission-gtk.profile to ~/.config/firejail and *then* firejail couldn’t handle the “include….local” inside /etc/firejail/*.inc files. But obviously firejail was not unhappy when it processed the same transmission-gtk.profile in /etc/firejail.
Sorry about that.
LikeLike
No problem. Install 0.9.46-rc1 from my download page (https://sourceforge.net/projects/firejail/files/firejail/). There are quite a lot of other fixes, including some of the .local profile file handling. 0.9.46 will be released in the next two weeks anyway.
LikeLike
Note: I really don’t wish to see these “replies” show up in the webpage: I just couldn’t find any other way to send you a bug-report! 🙂
LikeLike
Thanks! I was doubtful about using the rc1 without encouragement such as you have just given. I will do as you suggest.
LikeLike
Hello.
I am having some issues with the new versions (0.9.46), after running sudo firecfg.
Namely:
1. Opening files in file manager won’t call firejail. Example, opening a video file will not make use of firejail or the firejail vlc profile.
2. Wanting to create a “.local” file to some of the profiles (so I can have my own customization) I tried “sudo gedit” and it didn’t work. Which to a certain extent makes sense (gedit profile has the noroot option, so gedit can’t be exploited). But how do I make use of gedit to edit system configuration files and so on? I used nano for this, but if we have noroot on all of the editors, we will be left with no way to edit our own system.
3. when I run “firejail –list” I get things like “6865:trisquel:firejail –list ” and “4343:trisquel:/usr/bin/firejail /usr/bin/nautilus -n” and “6847:trisquel:/usr/bin/firejail /usr/bin/vlc –started-from-file”. What are these? Shouldn’t it be “1234:trisquel:firejail nautilus” and “5678:trisquel:firejail vlc” ??
Thanks!
LikeLike
> 6847:trisquel:/usr/bin/firejail /usr/bin/vlc –started-from-file
How did you started this? It looks like you clicked on a desktop manager menu or you clicked the video file in the file manager – this is where “–started-from-file” comes from. It should always be there, unless you start vlc manually with “firejail vlc”.
The desktop manager menus should mostly work, there are here and there some applications that need to be fixed. Most of the problems are with the file manager. On some older distributions (like Ubuntu 16.04 or Debian stable) the mime-type packages are messed up. They have been fixed in later versions (like Ubuntu 17.04, Debian testsing).
There are lots of problems with the file manager in Gnome 3. We hope Gnome will fix them soon.
Running gedit as root: “sudo /usr/bin/gedit”. You can also remove the symbolic link for gedit and run it unsandboxed – usually text editors are not a security concern. To remove the link run: “sudo rm /usr/local/bin/gedit”.
LikeLike
Why do we have profiles for text editors if they are not a concern?
Anyway, if I remove the symlink it will be added again when I update firejail and run firecfg right?
As for the vlc issue, I don’t recall, and right now I have cleaned all symlinks. I am thinking about adding one by one (is that possible? Maybe I should just make a backup copy of all profiles and delete all those I don’t want to have symlinks created?)
As for my main question: shouldn’t double clicking a mp4 file open vlc INSIDE the firejail sandbox?
Thanks
LikeLike
Hey,
Some bug reports:
The simple-scan profile makes my printer/scanner disappear. I can still print using it but Scanner application says there is no scanner connected to the computer. I have not the time right now to investigate what is happening but want to let you guys know about it. If more info is necessary ask please, in reply to this comment.
Also, nautilus inside firejail cannot access my 1Terabyte usb disk. It says that I have not the right permissions. Did chown and got to access the disk but can’t see the files inside. Removing nautilus from /usr/local/bin solved the issue.
Also, would like to request profiles for:
mplayer2
smplayer
I am using a copied profile from gnome-mplayer but you guys can probably do a better job than me.
Thanks.
LikeLike
Try “firejail –noprofile simple-scan”. If this works, it means on or more lines in /etc/firejail/simple-scan.profile are creating the problem. Comment out the lines in that file one by one (add a #). Let me know if you find it.
I’ll look into mplayer2 and smplayer.
LikeLike
I don’t have easy access to the printer/scanner (it’s in another room, don’t use it very often). But I will try and let you know if/when I can get a look into it.
LikeLike
Hi netblue30,
same “disappearing scanner”-problem here, and I think I found the offending line in /etc/firejail/simple-scan.profile. It’s “protocol unix,inet,inet6”.
Since you are not able to reproduce this, I would guess that it’s something printer/manufacturer specific.
LikeLike
Grab smplayer and mpayer2 profiles for here: https://github.com/netblue30/firejail/tree/master/etc
LikeLike
Hey, thanks again.
Still couldn’t look at the simple-scan issue.
When I copy a profile into /etc/firejail/appname.profile, and run sudo firecfg, shouldn’t that new appname also be automatically firejailed when run from terminal? the curl profile is working ok, still gotta try it a little bit more, but I have to run “firejail curl” instead of it being automatically called. I suppose firecfg relies in it’s own list and not the profiles in the firejail folder??
LikeLike
If you are not on the latest version (0.9.48), try to install it. There are all sort of fixes there.
To start programs automatically, you also need to add a symbolic link to /usr/bin/firejail in /usr/local/bin directory. In the man page, look at “DESKTOP INTEGRATION” section.
I still cannot reproduce your simple-scan problem. The best thing to do would be to put an issue on github (https://github.com/netblue30/firejail) maybe somebody comes up with an idea.
LikeLike
Oh and another request:
curl
Seeing as it interacts with the internet it could really use a profile to make it more secure.
Thanks
LikeLike
I put a profile in git. Grab it from here: https://github.com/netblue30/firejail/blob/master/etc/curl.profile
LikeLike
Thanks. Will try it and let you know how it goes for me.
LikeLike
Hola, he intentado iniciar Gimp en una sóla instancia pero no he podido, alguna sugerencia?
LikeLike
hello.
i have been using firejail for a few months, without any problems. unfortunately, i just updated systemd on arch linux, and firejail can no longer resolve DNS, either with browser of from a simple firejail shell session.
i just tried with the DNS argument `firejail –dns` but still no luck.
running firefox or curl without a firejail container can definitely resolve DNS.
is this an OK place to report bugs ? or is github better ?
LikeLike
Put it on github. There are a number of Arch users there, maybe they run into the same problem.
LikeLike
actually, a recent systemd update broke DNS for many.
a simple:
`mv /etc/nsswitch.conf.pacnew /etc/nsswitch.conf`
fixed the issue. so definitely a distro specific problem.
thanks for firejail!
LikeLike
Stumbled onto this app. Very impressed. keep up good work
LikeLike
Thanks
LikeLike
Pingback: Episode 18 | This Week in Linux – TuxDigital
“Enable AppArmor by default for a large number of programs”
Is this for Ubuntu only? Or does it work for Linux Mint as well?
LikeLike
It is for any platform.
LikeLike
Thanks! Glad to see you consistently adding new features that help Linux as a whole.
LikeLike
Thanks!
LikeLike
Hello. Long time Firejail user here. Love it and thank you so much for creating and improving it.
I’ve been using it successfully with torbrowser until the latest #8 update. I tried the latest Firejail RC with no success. Torbrowser reports “your tab just crashed”. Won’t bring up a website at all.
I’m using buntu 18.04. Torbrowser starts up all right but won’t go anywhere using Firejail.
I’m not savvy enough to figure it out on my own. Thanks.
LikeLike
Thanks for the report. We’ve been having some problems lately with tor browser – https://github.com/netblue30/firejail/issues/2110.
We have a fixed on the master branch in github. There is some more testing coming, and the final release will be by the end of the month.
LikeLike