starting 0.9.53

README.md

@@ -96,157 +96,4 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 
 `````
-# Current development version: 0.9.51
+# Current development version: 0.9.53
-
-## Whitelisting, globbing etc.
-
-We deployed a whitelist for /var directory ("include /etc/firejail/whitelist-var-common.inc").
-It is currently done for 115 applications.
-
-We added globbing support for --private-bin and whitelisting support for /etc and /usr/share.
-
---private-lib was enhanced to autodetect GTK2, GTK3 and Qt4 libraries. In the next release we do a test run with this option enabled
-for the following applications: evince, galculator, gnome-calculator,
-    leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
-    atril, mate-color-select, tar, file, strings, gpicview,
-    eom, eog, gedit, pluma
-
-Just for fun, this is a private-bin/private-lib Firefox running on Debian 9:
-`````
-$ firejail --private-bin=firefox,firefox-esr,sh,which --private-lib=firefox-esr firefox
-`````
-
-
-## Profile build  tool
-`````
-$ firejail --build appname
-$ firejail --build=appname.profile appname
-`````
-The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
-
-Example:
-`````
-$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
-
-[...]
-
-############################################
-# /usr/bin/vlc profile
-############################################
-# Persistent global definitions
-# include /etc/firejail/globals.local
-
-### basic blacklisting
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
-
-### home directory whitelisting
-whitelist ~/Videos
-whitelist ~/.local/share/vlc
-whitelist ~/.config/vlc
-include /etc/firejail/whitelist-common.inc
-
-### filesystem
-private-tmp
-private-dev
-private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
-whitelist /var/lib/menu-xdg
-# private-bin vlc,
-
-### security filters
-caps.drop all
-nonewprivs
-seccomp
-# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
-# 76 syscalls total
-# Probably you will need to add more syscalls to seccomp.keep. Look for
-# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
-# running your sandbox.
-
-### network
-protocol unix,netlink,
-net none
-
-### environment
-shell none
-$
-`````
-
-## New command line and profile options
-`````
-      --writable-run-user
-              This    options    disables   the   default   blacklisting   of
-              run/user/$UID/systemd and /run/user/$UID/gnupg.
-
-              Example:
-              $ sudo firejail --writable-run-user
-
-       --rlimit-as=number
-              Set the maximum size of the process's virtual  memory  (address
-              space) in bytes.
-
-       --rlimit-cpu=number
-              Set  the  maximum limit, in seconds, for the amount of CPU time
-              each sandboxed process  can consume. When the limit is reached,
-              the processes are killed.
-
-              The  CPU  limit  is  a limit on CPU seconds rather than elapsed
-              time. CPU seconds is basically how many  seconds  the  CPU  has
-              been  in  use  and  does not necessarily directly relate to the
-              elapsed time. Linux kernel keeps track of CPU seconds for  each
-              process independently.
-
-       --timeout=hh:mm:ss
-              Kill  the sandbox automatically after the time has elapsed. The
-              time is specified in hours/minutes/seconds format.
-
-              $ firejail --timeout=01:30:00 firefox
-
-      --debug-private-lib
-              Debug messages for --private-lib option.
-
-       --netfilter=filename,arg1,arg2,arg3 ...
-              This  is  the  template  version of the previous command. $ARG1,
-              $ARG2, $ARG3 ... in the firewall script are replaced with  arg1,
-              arg2,  arg3  ...  passed on the command line. Up to 16 arguments
-              are supported.  Example:
-
-              $ firejail --net=eth0 --ip=192.168.1.105 \
-              --netfilter=/etc/firejail/tcpserver.net,5001 server-program
-
-       --netfilter.print=name|pid
-              Print  the  firewall installed in the sandbox specified by name
-              or PID. Example:
-
-              $ firejail --name=browser --net=eth0 --netfilter firefox &
-              $ firejail --netfilter.print=browser
-
-       --netfilter6.print=name|pid
-              Print the IPv6 firewall installed in the sandbox  specified  by
-              name or PID. Example:
-
-              $ firejail --name=browser --net=eth0 --netfilter firefox &
-              $ firejail --netfilter6.print=browser
-
-`````
-
-## New profiles:
-
-terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu,
-amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter,
-calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
-calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
-imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
-ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
-conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
-aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass,
-kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch),
-kdeinit4
-
-Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles,
-https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles.

RELNOTES

@@ -1,3 +1,7 @@
+firejail (0.9.52) baseline; urgency=low
+  * work in progress
+ -- netblue30 <netblue30@yahoo.com>  Tue, 12 Dec 2017 08:00:00 -0500
+
 firejail (0.9.52) baseline; urgency=low
   * modif: --allow-private-blacklists was deprecated; blacklisting,
     read-only, read-write, tmpfs and noexec are allowed in
@@ -43,7 +47,6 @@ firejail (0.9.52) baseline; urgency=low
       xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
       kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report
       cower (Arch), kdeinit4
-
  -- netblue30 <netblue30@yahoo.com>  Thu, 7 Dec 2017 08:00:00 -0500
 
 firejail (0.9.50~rc1) baseline; urgency=low

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.52.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.53.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.52'
+PACKAGE_VERSION='0.9.53'
-PACKAGE_STRING='firejail 0.9.52'
+PACKAGE_STRING='firejail 0.9.53'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.52 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.53 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1338,7 +1338,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.52:";;
+     short | recursive ) echo "Configuration of firejail 0.9.53:";;
    esac
   cat <<\_ACEOF
 
@@ -1446,7 +1446,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.52
+firejail configure 0.9.53
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.52, which was
+It was created by firejail $as_me 0.9.53, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.52, which was
+This file was extended by firejail $as_me 0.9.53, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4421,7 +4421,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.52
+firejail config.status 0.9.53
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.52, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.53, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])