diff --git a/README.md b/README.md
index fde2d8664..736c1cf3f 100644
--- a/README.md
+++ b/README.md
@@ -267,64 +267,12 @@ See `man firecfg` for details.
 Note: Broken symlinks are ignored when searching for an executable in `$PATH`, so uninstalling without doing the above should not cause issues.
-## Latest released version: 0.9.72
+## Latest released version: 0.9.74
-## Current development version: 0.9.73
+## Current development version: 0.9.75
-### --keep-shell-rc
-```text
- --keep-shell-rc
- By default, when using a private home directory, firejail copies
- files from the system's user home template (/etc/skel) into it,
- which overrides attempts to whitelist the original files (such
- as ~/.bashrc and ~/.zshrc). This option disables this feature,
- and enables the user to whitelist the original files.
-```
-
-### private-etc rework
-
-```text
- --private-etc, --private-etc=file,directory,@group
- The files installed by --private-etc are copies of the original
- system files from /etc directory. By default, the command
- brings in a skeleton of files and directories used by most
- console tools:
-
- $ firejail --private-etc dig debian.org
-
- For X11/GTK/QT/Gnome/KDE programs add @x11 group as a
- parameter. Example:
-
- $ firejail --private-etc=@x11,gcrypt,python* gimp
-
- gcrypt and /etc/python* directories are not part of the generic
- @x11 group. File globbing is supported.
-
- For games, add @games group:
-
- $ firejail --private-etc=@games,@x11 warzone2100
-
- Sound and networking files are included automatically, unless
- --nosound or --net=none are specified. Files for encrypted
- TLS/SSL protocol are in @tls-ca group.
-
- $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
-
- Note: The easiest way to extract the list of /etc files accessed
- by your program is using strace utility:
-
- $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc
-```
-
-We keep the list of groups in
-[src/include/etc_groups.h](src/include/etc_groups.h).
-
-Discussion:
-
-* [private-etc rework](https://github.com/netblue30/firejail/discussions/5610)
-
-### Landlock support
+### Landlock support - ongoing/experimental
 * Added on #6078, which is based on #5315 from ChrysoliteAzalea/landlock
 * Compile-time detection based on linux/landlock.h - if the header is found,
@@ -384,33 +332,35 @@ No include .local found in /etc/firejail/noprofile.profile
 Warning: multiple caps in /etc/firejail/tidal-hifi.profile
 Warning: multiple caps in /etc/firejail/tqemu.profile
 Warning: multiple caps in /etc/firejail/transmission-daemon.profile
+Warning: cannot open youtube-music-desktop-app or /etc/firejail/youtube-music-desktop-app, while processing /etc/firejail/youtube-music-desktop-app.profile
+No include .local found in /etc/firejail/youtube-music-desktop-app.profile
 Stats:
- profiles 1305
- include local profile 1304 (include profile-name.local)
- include globals 1271 (include globals.local)
- blacklist ~/.ssh 1167 (include disable-common.inc)
- seccomp 1178
- capabilities 1298
- noexec 1178 (include disable-exec.inc)
- noroot 1077
- memory-deny-write-execute 309
- restrict-namespaces 1026
- apparmor 833
- private-bin 790
- private-dev 1140
- private-etc 811
+ profiles 1324
+ include local profile 1323 (include profile-name.local)
+ include globals 1290 (include globals.local)
+ blacklist ~/.ssh 1183 (include disable-common.inc)
+ seccomp 1195
+ capabilities 1317
+ noexec 1197 (include disable-exec.inc)
+ noroot 1092
+ memory-deny-write-execute 320
+ restrict-namespaces 1034
+ apparmor 850
+ private-bin 801
+ private-dev 1158
+ private-etc 824
 private-lib 85
- private-tmp 1004
- whitelist home directory 642
- whitelist var 950 (include whitelist-var-common.inc)
- whitelist run/user 1268 (include whitelist-runuser-common.inc
+ private-tmp 1020
+ whitelist home directory 654
+ whitelist var 965 (include whitelist-var-common.inc)
+ whitelist run/user 1287 (include whitelist-runuser-common.inc
 or blacklist ${RUNUSER})
- whitelist usr/share 732 (include whitelist-usr-share-common.inc
- net none 443
- dbus-user none 738
- dbus-user filter 192
- dbus-system none 939
+ whitelist usr/share 746 (include whitelist-usr-share-common.inc
+ net none 450
+ dbus-user none 754
+ dbus-user filter 196
+ dbus-system none 956
 dbus-system filter 13
 ```
diff --git a/RELNOTES b/RELNOTES
index 0806b8772..dc7857ec8 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,3 +1,7 @@
+firejail (0.9.74) baseline; urgency=low
+ * work in progress
+ -- netblue30 Mon, 24 Mar 2025 09:00:00 -0500
+
 firejail (0.9.74) baseline; urgency=low
 * security: fix sscanf rv checks (CodeQL) (#6184)
 * feature: private-etc rework: improve handling of /etc/resolv.conf and add
diff --git a/configure b/configure
index 90619385a..2aafe08c7 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for firejail 0.9.74.
+# Generated by GNU Autoconf 2.71 for firejail 0.9.75.
 #
 # Report bugs to .
 #
@@ -610,8 +610,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.74'
-PACKAGE_STRING='firejail 0.9.74'
+PACKAGE_VERSION='0.9.75'
+PACKAGE_STRING='firejail 0.9.75'
 PACKAGE_BUGREPORT='https://github.com/netblue30/firejail/issues'
 PACKAGE_URL='https://firejail.wordpress.com'
@@ -1327,7 +1327,7 @@ if test "$ac_init_help" = "long"; then
 # Omit some internal or obsolete options to make the list less imposing.
 # This message is too long to be a string in the A/UX 3.1 sh.
 cat <<_ACEOF
-\`configure' configures firejail 0.9.74 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.75 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1389,7 +1389,7 @@ fi
 if test -n "$ac_init_help"; then
 case $ac_init_help in
- short | recursive ) echo "Configuration of firejail 0.9.74:";;
+ short | recursive ) echo "Configuration of firejail 0.9.75:";;
 esac
 cat <<\_ACEOF
@@ -1516,7 +1516,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
 cat <<\_ACEOF
-firejail configure 0.9.74
+firejail configure 0.9.75
 generated by GNU Autoconf 2.71
 Copyright (C) 2021 Free Software Foundation, Inc.
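Review bot: The new top entry in RELNOTES carries the same version header as the entry directly below it, `firejail (0.9.74) baseline; urgency=low`, while configure.ac, configure and the README in this same commit move the development version to 0.9.75; the header of the "work in progress" entry should read `firejail (0.9.75) baseline; urgency=low`. Two consecutive entries with an identical version make it ambiguous which changes belong to the released 0.9.74 and which to the next cycle, and any packaging tooling that reads the top entry for the version will pick up 0.9.74 again. The hunk shows only the first three lines of the existing 0.9.74 entry, so the rest of that entry is outside my view.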
@@ -1625,7 +1625,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.74, which was
+It was created by firejail $as_me 0.9.75, which was
 generated by GNU Autoconf 2.71. Invocation command line was
 $ $0$ac_configure_args_raw
@@ -5093,7 +5093,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.74, which was
+This file was extended by firejail $as_me 0.9.75, which was
 generated by GNU Autoconf 2.71. Invocation command line was
 CONFIG_FILES = $CONFIG_FILES
@@ -5149,7 +5149,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-firejail config.status 0.9.74
+firejail config.status 0.9.75
 configured by $0, generated by GNU Autoconf 2.71,
 with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index d67d218ea..c8b568e09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 AC_PREREQ([2.68])
-AC_INIT([firejail], [0.9.74], [https://github.com/netblue30/firejail/issues],
+AC_INIT([firejail], [0.9.75], [https://github.com/netblue30/firejail/issues],
 [], [https://firejail.wordpress.com])
 AC_CONFIG_SRCDIR([src/firejail/main.c])