diff --git a/README.md b/README.md index 0624dceb0..57f29a240 100644 --- a/README.md +++ b/README.md 
@@ -346,119 +346,9 @@ See `man firecfg` for details. Note: Broken symlinks are ignored when searching for an executable in `$PATH`, so uninstalling without doing the above should not cause issues. -## Latest released version: 0.9.78 +## Latest released version: 0.9.80 -This is an emergency release due to GTK library changes: - -``` -Applications that use glycin 2.0.0 or later via gdk-pixbuf2 -(examples: Firefox, Thunderbird, GIMP) crash. - -The library glycin provides a set of "safe" image format loaders -to gdk-pixbuf2, another library which is widely used in GTK-based -applications for loading images. - -As of gdk-pixbuf2 2.44.1, the calls to glycin loaders are wrapped in -bubblewrap. -``` - -For details, see [#6906](https://github.com/netblue30/firejail/issues/6906). - -## Current development version: 0.9.79 - -### --profile=filename|appname rework - -Issue [#6896](https://github.com/netblue30/firejail/issues/6896): Require a -full path or a relative path for the filename. - -```text - --profile=filename|appname - Load a custom security profile from filename, or use the name of - a specific application. - - If the command line option --profile is not provided, Firejail - will attempt to extract the appname from the target program file‐ - name. It will then search ~/.config/firejail directory for a - suitable profile, followed by a search in /etc/firejail/direc‐ - tory. - - Example: - $ firejail /usr/bin/firefox - Reading profile /home/netblue/.config/firejail/firefox.profile - Reading profile /etc/firejail/firefox.profile - Reading profile /etc/firejail/firefox-common.profile - [...] - - When using a filename, please include a full path or a relative - path. - - $ firejail --profile=./firefox.profile /usr/bin/firefox - Reading profile ./firefox.profile - Reading profile /etc/firejail/firefox.profile - Reading profile /etc/firejail/firefox-common.profile - [...] 
- - --profile=appname comes in handy when running appimages: - - $ firejail --appimage --profile=firefox firefox- - nightly-148.0.r20260103-x86_64.AppImage - Reading profile /home/netblue/.config/firejail/firefox.profile - Reading profile /etc/firejail/firefox.profile - Reading profile /etc/firejail/firefox-common.profile - [...] - - See man 5 firejail-profile for profile file syntax information. - For profile resolution details see https://github.com/net‐ - blue30/firejail/wiki/Creating-Profiles. -``` - -### --unhide-pid1 - -```text - --unhide-pid1 - Pid 1 is always present inside Firejail sandbox. By restricting - access to /proc kernel interface, general tools like ps are un‐ - able to view and access this process. --unhide-pid1 option dis‐ - ables this functionality. Example: - - $ firejail --name=test ### by default pid 1 is not visible - [...] - Child process initialized in 59.41 ms - $ ps a - PID TTY STAT TIME COMMAND - 4 ? S 0:00 /bin/bash - 5 ? R+ 0:00 ps a - $ exit - Parent is shutting down, bye… - - $ firejail --name=test --unhide-pid1 ### pid 1 is visible - [...] - Child process initialized in 58.29 ms - $ ps a - PID TTY STAT TIME COMMAND - 1 ? S 0:00 firejail --name=test --unhide-pid1 - 4 ? S 0:00 /bin/bash - 6 ? R+ 0:00 ps a - $ exit - Parent is shutting down, bye… -``` - -### --hostname-randomize - -```text - --hostname-randomize - Set sandbox hostname to a random value generated by firejail. - This is incompatible with --hostname. - - Example: - $ firejail --hostname-randomize /usr/bin/firefox - Note: Changing the hostname may cause breakage related to - networking (see #7048 - ) and may - cause X11 programs to crash on startup due to not being able to - authenticate to the X server (see #7062 - ). -``` +## Current development version: 0.9.81 ### Landlock support - ongoing/experimental 
@@ -523,32 +413,33 @@ Warning: multiple caps in /etc/firejail/transmission-daemon.profile Warning: multiple caps in /etc/firejail/trivalent.profile Stats: - profiles 1336 - include local profile 1335 (include profile-name.local) - include globals 1301 (include globals.local) - blacklist ~/.ssh 1195 (include disable-common.inc) - seccomp 1207 - capabilities 1329 - noexec 1208 (include disable-exec.inc) - noroot 1099 - memory-deny-write-execute 321 - restrict-namespaces 1045 - apparmor 860 - private-bin 814 - private-dev 1169 - private-etc 837 - private-cache 861 + profiles 1342 + include local profile 1341 (include profile-name.local) + include globals 1307 (include globals.local) + blacklist ~/.ssh 1201 (include disable-common.inc) + seccomp 1213 + capabilities 1335 + noexec 1214 (include disable-exec.inc) + noroot 1105 + memory-deny-write-execute 320 + restrict-namespaces 1048 + apparmor 869 + private-bin 817 + private-dev 1172 + private-etc 842 + private-cache 865 private-lib 86 - private-tmp 1030 - whitelist home directory 656 - whitelist var 969 (include whitelist-var-common.inc) - whitelist run/user 1299 (include whitelist-runuser-common.inc + private-tmp 1036 + whitelist home directory 662 + whitelist var 975 (include whitelist-var-common.inc) + whitelist run/user 1305 (include whitelist-runuser-common.inc or blacklist ${RUNUSER}) - whitelist usr/share 755 (include whitelist-usr-share-common.inc + whitelist usr/share 760 (include whitelist-usr-share-common.inc net none 452 - dbus-user none 761 - dbus-user filter 202 - dbus-system none 964 + dbus-user none 766 + dbus-user filter 206 + dbus-system none 970 dbus-system filter 13 + ```
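Review bot: In the README.md hunk at `@@ -346,119 +346,9`, the heading `## Latest released version: 0.9.80` is left with no body, followed immediately by `## Current development version: 0.9.81`. The deleted 0.9.79 text carried the user-facing caveats for the new options: `--profile=filename` now needs a full or relative path (#6896), `--unhide-pid1` turns off the default hiding of pid 1 in /proc, and `--hostname-randomize` is incompatible with `--hostname` and may break X11 authentication (#7062). If those options are part of 0.9.80, add one line under the release heading saying so and pointing to the release notes or `man firejail`, so that readers of the README can still find the behaviour change and the warnings.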
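Review bot: In the Stats hunk at `@@ -523,32 +413,33`, `memory-deny-write-execute` goes down from 321 to 320 while `profiles` goes up from 1336 to 1342 and every other hardening count rises or stays flat. Please confirm that one profile dropping this option is intentional and name the profile and the reason in the commit message, since a regenerated table makes a lost hardening setting easy to miss. Two smaller points: the hunk adds an empty `+` line just before the closing code fence, which looks accidental, and the `whitelist usr/share 760 (include whitelist-usr-share-common.inc` line still has no closing parenthesis, which could be fixed while this line is being touched.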