github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6
firejail/RELNOTES
netblue30 01b741aa80 RELNOTES and some more testing
2026-02-25 15:14:15 -05:00

1634 lines
83 KiB
Text
Raw Blame History

firejail (0.9.79) baseline; urgency=low
* work in progress
* security: --profile=FILE with just a filename has security implications
and should be highly discouraged; a full or relative file path is required
for --profile=filename (#6896)
* security: updated the list of terminal emulators that can be used for
sandbox escape (cbf4308)
* feature: --debug-syscall-groups command (88a75a6 etc.)
* feature: hide/unhide PID 1 inside the sandbox, command and profile
option (#7046)
* feature: --keep-hostname command and profile option (#7048)
* feature: adding apparmor profiles for --nettrace command (c133313)
* feature: add support for the new XDG-compliant Firefox config
directory (#7040)
* compile time: compile fix for --enable-only-syscfg-profiles ./config
option (d1a58de)
* compile time: removed ./configure --disable-man option (a655b7d)
* compile time: removed ./configure --disable-usertmpfs option (b214d08)
* compile time: include architecture-specific headers (#7000)
* modif: reorganize & update syscall groups (#7024 etc.)
* modif: make Xephyr default for --x11 option - currently Xpra is not
available in Debian/Ubuntu and derivatives (cbb7a38)
* bugfix: /home/user is mounted with noexec when --private is used (#6921)
* bugfix: Void Linux/musl libc compile fixes (e602396, 0949685)
* bugfix: added link-local addresses to 'nolocal' firewall configs (#7054)
* bugfix: map sandbox hostname to ipv6 in /etc/hosts (#7077)
* docs: man: non-ASCII hyphens - copy pasting commands fails on command
line (#5903)
* docs: various other fixes and changes
* ci: gitlab: install missing git-buildpackage dependency (#7017)
* ci: gcov testing scripts update
* ci: update various automated tests
* ci: update and fixes for make test-compile
* profiles: yt-dlp: support deno JavaScript engine to fix YouTube (#6999)
* profiles: yt-dlp: support browser cookies for authenticated downloads
(#7030)
* profiles: add deno paths (#7032, 2ba2f2d)
* profiles: vesktop: fix screen sharing (#7043, b59005c)
* profiles: disable by default several systemd tools (ca934a2)
* profiles: fix allowing netcat in playonlinux and ssh profiles (#7059)
* new profiles: fragments (#7023, 97871d7, f712b9a)
* new profiles: srb2 (#6996, 9882aa0)
* new profiles: zen, zen-bin, zen-browser (#7029, 09e376d, fa6bfd7)
* cleanup various files (including RELNOTES) after release 0.9.78
-- netblue30 <netblue30@yahoo.com> Sat, 3 Jan 2026 11:00:00 -0500
firejail (0.9.78) baseline; urgency=low
* feature: add arg-max-count / arg-max-len to firejail.config (#4633 #6878)
* feature: add env-max-count / env-max-len to firejail.config (#3678 #6951)
* feature: add --xephyr-extra-params= command (#6952)
* feature: replace bubblewrap (bwrap) in the sandbox with a dummy program
(fbwrap) to work around issues with glycin 2.0.0 via gdk-pixbuf2 and add
--allow-bwrap command to force the use of the real bwrap (#6906 #7009)
* modif: firemon: improve debug message code (#6856)
* modif: rlimit: allow uppercase suffixes (#6890)
* modif: rlimit: use uppercase suffixes in the code/docs (#6891)
* modif: rlimit: improve error messages (#6893)
* modif: update and add syscalls for several architectures (#6956 #6961)
* modif: check for --version during early init (#6972)
* removal: --disable-globalcfg configure option (#6984)
* removal: overlayfs support/--overlay commands (#6994)
* removal: Intrusion Detection System (IDS)/fids (#6995)
* bugfix: remove /usr/share + "runner:root" CI workaround (#6844)
* bugfix: firemon: fix inconsistent debug message format (#6854)
* bugfix: fix potential infinite loop in checkcfg (-fanalyzer) (#6859)
* bugfix: fnettrace-icmp: fix uninitialized vars (cppcheck) (#6869)
* bugfix: firemon: avoid cmd double-free in procevent_monitor (#6792 #6846)
* bugfix: firemon: fix potential memory leak in procevent_monitor (#6872)
* bugfix: firecfg: fix parsing filenames with multiple ".desktop" (#6865
#6871)
* bugfix: fix French translation for ${PICTURES} macro (#6942)
* bugfix: add missing macros in profile.template (#6948)
* bugfix: check for --quiet/--debug earlier during init (#6969)
* bugfix: disable apparmor if --allow-debuggers (#6882)
* bugfix: firecfg: skip snap-packaged programs to avoid breaking them on
Ubuntu desktop (#7008)
* build: cppcheck: ignore src/lib/syscalls.c (#6868)
* build: cppcheck: use --check-level=exhaustive (#6877)
* build: add script to generate syscall headers (#6960 #6990)
* build: add sort-profiles target for sort.py (#7004)
* tests: rlimit: add missing tests for rlimit-as / rlimit-cpu (#6895)
* tests: man: fix timeout error (#6949)
* tests: man: disable test due to timeout (#6955)
* tests: fix test-appimage on Arch and Debian 13 (#7007)
* ci: allow new github domain for codeql download (#6845)
* ci: standardize "apt-get install" step name (#6862)
* ci: speed-up main build & add build-gcc (#6864)
* ci: cppcheck: upgrade ubuntu-22.04 to ubuntu-24.04 (#6874)
* ci: codespell: upgrade ubuntu-22.04 to ubuntu-24.04 (#6873)
* ci: codeql-cpp: print config.log if configure fails (#7003)
* docs: man: improve strace usage and add refs (#6851)
* docs: add debian/ubuntu links to README.md (#6850)
* docs: github: clarify how to attach logs (#6858)
* docs: rlimit: improve text and use base-2 units (#6894)
* docs: man: clarify what ipc-namespace affects (#6930)
* docs: improve build/install commands (#6962)
* docs: add distribution-specific build/install instructions (#6964)
* docs: clarify that only latest and dev versions are supported (#6965)
* docs: always use full path to program in examples (#6963)
* profiles: thunderbird: fix ignoring wruc (#6839 #6852)
* profiles: wine: disable noinput so gamepads work (#6866 #6867)
* profiles: qutebrowser: whitelist /usr/share/pdf.js (#6875)
* profiles: firefox-common: add a comment about mpris (#6876)
* profiles: qutebrowser: add comment about qute-pass support (#6879)
* profiles: add missing mailcap entries (#6883 #6884)
* profiles: organize blacklist sections as per profile.template (#6885)
* profiles: godot: allow ~/.local/share/Trash (#6904)
* profiles: wusc: add /usr/share/glycin-loaders (#6907)
* profiles: wusc: add /usr/share/gtk-4.0 (#6909)
* profiles: mullvad-browser: allow readlink and realpath (#6923)
* profiles: blink-common-hardened: disable noroot to fix saving files (#6920)
* profiles: steam: allow ~/.local/share/doublefine (#6937)
* profiles: wusc: add /usr/share/gtksourceview-5 (#6947)
* profiles: ssh: add `${RUNUSER}/openssh_agent` socket path (#6975)
* profiles: brave: add `org.mpris.MediaPlayer2.brave.*` (#6980)
* profiles: hashcat: fix runtime errors (#6364 #6888)
* new profile: ne (text editor) (ae22e5610)
* new profile: trivalent (#6900)
* new profile: openra (#7005)
* new profile: gzdoom, lzdoom, uzdoom (#7010)
* new profile: quakespasm (#7014)
-- netblue30 <netblue30@yahoo.com> Sat, 3 Jan 2026 11:00:00 -0500
firejail (0.9.76) baseline; urgency=low
* feature: use globbing in hardcoded numbered /dev paths (#2723 #6704)
* feature: add warn command (#6710)
* feature: use non-blocking flock calls (#6761)
* modif: block TPM devices & turn notpm command into keep-dev-tpm (#6698)
* modif: improve error messages in mountinfo.c (#6711)
* modif: use "Error:" in errExit message (#6716)
* modif: keep tss group if keep-dev-tpm is used (#6718)
* modif: keep /dev/tpmrm devices if keep-dev-tpm is used (#6719)
* modif: keep tcm/tcmrm devices if keep-dev-tpm is used (#6724)
* modif: improve "Failed mount" error messages in util.c (#6747)
* modif: improve fcopy error messages in check() (#6801)
* modif: fcopy: try normal case first instead of last in check() (#6804)
* modif: improve new network namespace error message (#6824)
* modif: improve error messages in sandbox.c/sbox.c (#6825)
* bugfix: fix flock debug messages going to stderr (#6712)
* bugfix: add missing selinux relabeling for /dev paths (#6734)
* bugfix: fix potential deadlock with flock + SIGTSTP (#6729 #6750)
* bugfix: fcopy: add /usr/share + "runner:root" exception to fix CI (#6797
#6803)
* bugfix: fcopy: allow /etc/resolv.conf owned by systemd-resolve (#4545
#6808)
* bugfix: fix "Not enforcing Landlock" message always being printed (#6806)
* bugfix: add NULL check for cmdline in find_child() (#6840)
* build: use TARNAME in SYSCONFDIR/VARDIR (#6713)
* build: add localstatedir and use in VARDIR (#6715)
* build: replace _SYSCONFDIR_ with @sysconfdir@ (#6737)
* ci: upgrade debian:buster to debian:bullseye (#6832)
* docs: improve URL formatting in man pages (#6706)
* docs: clarify --private bug in man pages (#6805)
* docs: fix man formatting of landlock.enforce (#6807)
* profiles: split commands that increase/reduce access (#6687)
* profiles: firefox: add comment about creating PWA shortcuts (#6689)
* profiles: add more xorg paths (#6708)
* profiles: fix include of deprecated disable-X11.inc (uppercase) (#6709)
* profiles: godot: remove noinput so gamepads work (#6707)
* profiles: remove mkdir ~/.pki (#6732)
* profiles: mpv: remove mkfile ~/.netrc (#6735)
* profiles: curl: allow ~/.netrc (#6736)
* profiles: discord-common: add env to private-bin (#6738)
* profiles: firecfg: disable checksum programs (#6755)
* profiles: rssguard: allow lua (#6758 #6759)
* profiles: wine: allow python to fix Epic Games Launcher (#6762 #6763)
* profiles: wusc: add /usr/share/xkeyboard-config-2 (#6773 #6775)
* profiles: chafa: quiet output (#6777)
* profiles: ripperx/sound-juicer: fix profile name typos (#6780)
* profiles: ani-cli: add mpv to private-etc for plugins access (#6779)
* profiles: use private-etc groups in more profiles (#6783)
* profiles: firecfg: disable foliate (#6784)
* profiles: finish converting private-opt to whitelist (#6785)
* profiles: replace hosts.conf with host.conf in private-etc (#6791)
* profiles: makedeb: allow dpkg (#6816)
* profiles: kate: fix network access (#6815 #6823)
* profiles: keepassxc: add x11 group to private-etc (#6827 #6828)
* profiles: allow org.kde.kwalletd6 for Plasma 6 systems (#6819)
* profiles: xreader: disable no3d to fix startup (#6829)
* profiles: firefox: add alternative tridactylrc path (#6720 #6721)
* new profile: ansel (#6751)
-- netblue30 <netblue30@yahoo.com> Wed, 30 Jul 2025 11:00:00 -0500
firejail (0.9.74) baseline; urgency=low
* security: fix sscanf rv checks (CodeQL) (#6184)
* feature: private-etc rework: improve handling of /etc/resolv.conf and add
private-etc groups (#6400 #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643
#5650 #5681 #5737 #5844 #5989 #6016 #6104 #5655 #6435 #6514 #6515)
* feature: Add "keep-shell-rc" command and option (#1127 #5634)
* feature: Print the argument when failing with "too long arguments" (#5677)
* feature: a random hostname is assigned to each sandbox unless
overwritten using --hostname command
* feature: add IPv6 support for --net.print option
* feature: QUIC (HTTP/3) support in --nettrace
* feature: add seccomp filters for --restrict-namespaces
* feature: stats support for --nettrace
* feature: add doas support in firecfg and jailcheck (#5899 #5900)
* feature: firecfg: add firecfg.d & add ignore command (#2097 #5245 #5876
#6153 #6268)
* feature: expand simple macros in more commands (--chroot= --netfilter=
--netfilter6= --trace=) (#6032 #6109)
* feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200
#6228 #6260 #6302 #6305)
* feature: add support for comm, coredump, and prctl procevents in firemon
(#6414 #6415)
* feature: add notpm command & keep tpm devices in private-dev (#6379 #6390)
* feature: fshaper.sh: support tc on NixOS (#6426 #6431)
* feature: add aarch64 syscalls (#5821 #6574)
* feature: add --disable-sandbox-check configure flag (#6592)
* feature: block /dev/ntsync & add keep-dev-ntsync command (#6655 #6660)
* modif: Stop forwarding own double-dash to the shell (#5599 #5600)
* modif: Prevent sandbox name (--name=) and host name (--hostname=)
from containing only digits (#5578 #5741)
* modif: Escape control characters of the command line (#5613)
* modif: Allow mostly only ASCII letters and digits for sandbox name
(--name=) and host name (--hostname=) (#5708 #5856)
* modif: make private-lib a configure-time option, disabled by default (see
--enable-private-lib) (b689b69f6 #5727 #5732)
* modif: Improve --version/--help & print version on startup (#5829 #6172)
* modif: improve errExit error messages (#5871)
* modif: drop deprecated 'shell' option references (#5894)
* modif: keep pipewire group unless nosound is used (#5992 #5993)
* modif: fcopy: use lstat when copying directory (#5378 #5957)
* modif: private-dev: keep /dev/kfd unless no3d is used (#6380)
* modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387)
* modif: clarify error messages in profile.c (#6605)
* modif: keep plugdev group unless nou2f is used (#6664)
* removal: firemon: remove --interface option (it duplicates the firejail
--net.print= option) (0e48f9933)
* removal: remove support for LTS and firetunnel (db09546f2)
* bugfix: fix --hostname and --hosts-file commands
* bugfix: fix examples in firejail-local AppArmor profile (#5717)
* bugfix: arp.c: ensure positive timeout on select(2) (#5806)
* bugfix: Wrong syscall names for s390_pci_mmio_read and s390_pci_mmio_write
(#5965 #5976)
* bugfix: firejail --ls reports wrong file sizes for large files (#5982
#6086)
* bugfix: fix startup race condition for /run/firejail directory (#6307)
* bugfix: fix various resource leaks (#6367)
* bugfix: profstats: fix restrict-namespaces max count (#6369)
* bugfix: remove --noautopulse from --help and zsh comp (#6401)
* bugfix: parse --debug before using it (#6579)
* bugfix: fix possible memory leak in fs_home.c (#6598)
* bugfix: do not interact with dbus directory if dbus proxy is disabled
(#6591)
* bugfix: firecfg: check full .desktop filename in check_profile() (#6674)
* build: auto-generate syntax files (#5627)
* build: mark all phony targets as such (#5637)
* build: mkdeb.sh: pass all arguments to ./configure (#5654)
* build: deb: enable apparmor by default & remove deb-apparmor (#5668)
* build: Fix whitespace and add .editorconfig (#5674)
* build: remove for loop initial declarations to fix building with old
compilers (#5778)
* build: enable compiler warnings by default (#5842)
* build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859)
* build: disable all built-in implicit make rules (#5864)
* build: organize and standardize make vars and targets (#5866)
* build: fix seccomp filters and man pages always being rebuilt when running
make (#5156 #5898)
* build: fix hardcoded make & remove unnecessary distclean targets (#5911)
* build: dist and asc improvements (#5916)
* build: fix some shellcheck issues & use config.sh in more scripts (#5927)
* build: firecfg.config sorting improvements (#5942)
* build: codespell improvements (#5955)
* build: add missing makefile dep & syntax improvements (#5956)
* build: sort.py: use case-sensitive sorting (#6070)
* build: mkrpm.sh: append instead of override configure args (#6126)
* build: use CPPFLAGS instead of INCLUDE in compile targets (#6159)
* build: use full paths on compile/link targets (#6158)
* build: automatically generate header dependencies (#6164)
* build: improve main clean target (#6186)
* build: mkrpm.sh improvements (#6196)
* build: move errExit macro into inline function (#6217)
* build: allow overriding certain tools & sync targets with CI (#6222)
* build: reduce hardcoding and inconsistencies & add installcheck target
(#6230 #6620)
* build: sort.py: filter empty and duplicate items (#6261)
* build: fix "warning: "_FORTIFY_SOURCE" redefined" (#6282 #6283)
* build: sort.py: add -h/-i/-n/-- options (#6290 #6339 #6562)
* build: add strip target and simplify install targets (#6342)
* build: remove clean dependency from cppcheck targets (#6343)
* build: allow overriding common tools (#6354)
* build: standardize install commands (#6366)
* build: improve reliability/portability of date command usage (#6403 #6404)
* build: sort.py: strip whitespace in profiles (#6556)
* build: sort.py: fix whitespace in entire profile (#6593)
* build: sort.py: quote diff lines (#6594)
* build: remove cppcheck-old target/job (#6676)
* ci: always update the package db before installing packages (#5742)
* ci: fix codeql unable to download its own bundle (#5783)
* ci: split configure/build/install commands on gitlab (#5784)
* ci: fix swapped name/email arguments in debian_ci (#5795)
* ci: formatting and misc improvements (#5802)
* ci: run for every branch instead of just master (#5815)
* ci: upgrade debian:stretch to debian:buster (#5818)
* ci: standardize apt-get update/install & misc improvements (#5857)
* ci: Update step-security/harden-runner and update allowed endpoints (#5953)
* ci: whitelist paths, reorganize workflows & speed-up tests (#5960 #6627)
* ci: fix dependabot duplicated workflow runs (#5984)
* ci: allow running workflows manually (#6026)
* ci: add timeout limits (#6178)
* ci: make dependabot updates monthly and bump PR limit (#6338)
* contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057
#6059)
* contrib/vim: match profile files more broadly (#5850)
* contrib/vim: add ftplugin file (based on cfg.vim) (#6680)
* test: split individual test groups in github workflows
* test: add chroot, appimage and network tests in github workflows
* docs: remove apparmor options in --help when building without apparmor
support (#5589)
* docs: fix typos (#5693)
* docs: markdown formatting and misc improvements (#5757)
* docs: add uninstall instructions to README.md (#5812)
* docs: add precedence info to manpage & fix noblacklist example (#6358
#6359)
* docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382)
* docs: man: format and sort some private- items (#6398)
* docs: man: improve blacklist/whitelist examples with spaces (#6425)
* docs: add build_issue.md issue template (#6423)
* docs: man: sort commands (firejail.1) (#6451)
* docs: man: fix bold in command TPs (#6472)
* docs: man: fix wrong escapes (#6474)
* docs: github: streamline environment in issue templates (#6471 #6607)
* docs: fix typos of --enable-selinux configure option (#6526)
* docs: clarify intro and build section in README (#6524)
* docs: clarify that other tools may not be in PPA (#6407)
* docs: use GitHub issues as the bug reporting address (#6525)
* docs: update distribution table & add note in SECURITY.md (#6624)
* docs: clarify unmaintained status of overlayfs in configure.ac (#6632)
* docs: improve whitelist and blacklist descriptions in man pages (#6622)
* docs: note that --build may generate a non-functional profile (#6653)
* legal: selinux.c: Split Copyright notice & use same license as upstream
(#5667)
* profiles: qutebrowser: fix links not opening in the existing instance
(#5601 #5618)
* profiles: clarify userns comments (#5686)
* profiles: bulk rename electron to electron-common (#5700)
* profiles: streamline seccomp socket comment (#5735)
* profiles: drop hostname option from all profiles (#5702)
* profiles: move read-only config entries to disable-common.inc (#5763)
* profiles: standardize on just "GTK" on comments (#5794)
* profiles: bleachbit: allow erasing Trash contents (#5337 #5902)
* profiles: improvements to profiles using private (#5946)
* profiles: standardize commented code and eol comments (#5987)
* profiles: disable-common: add more suid programs (#6049 #6051 #6052)
* profiles: replace private-opt with whitelist & document private-opt issues
(#6021)
* profiles: drop paths already in wusc (#6218)
* profiles: deny access to ~/.config/autostart (#6257)
* profiles: replace x11 socket blacklist with disable-X11.inc (#6286)
* profiles: sort blacklist sections (#6289)
* profiles: rename disable-X11.inc to disable-x11.inc (#6294)
* profiles: add allow-nodejs.inc to profile.template (#6298)
* profiles: add allow-php.inc to profile.template (#6299)
* profiles: clarify and add opengl-game to profile.template (#6300)
* profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309)
* profiles: libreoffice: support signing documents with GPG (#6352 #6353)
* profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
* profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6413 #6473)
* profiles: nextcloud: fix access to ~/Nextcloud (#5877 #6478)
* profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#5816 #6479)
* profiles: firecfg: disable text editors (#6002 #6477)
* profiles: browsers: centralize/sync/improve comments (#6486)
* profiles: keepassxc: add new socket location (#5447 #6391)
* profiles: signal-desktop: allow org.freedesktop.secrets (#6498)
* profiles: firefox-common: allow org.freedesktop.portal.Documents (#6444
#6499)
* profiles: keepassxc: allow access to ssh-agent socket (#3314 #6531)
* profiles: firecfg.config: disable dnsmasq (#6533)
* profiles: game-launchers: disable nou2f (#6534)
* profiles: anki: fix opening, allow media & add to firecfg (#6544 #6545)
* profiles: wget: allow ~/.local/share/wget (#6542)
* profiles: wget: unify wget2 into wget profile (#6551)
* profiles: tesseract: disable private-tmp to fix ocrmypdf (#6550 #6552)
* profiles: ensure allow-lua where mpv is allowed (#6555)
* profiles: video-players: add missing /usr/share paths (#6557)
* profiles: clamav: add /etc/clamav (#6565)
* profiles: lutris: add comment for gamescope workaround (#6192)
* profiles: disable-common: add bubblejail paths (#6571)
* profiles: fix misc in kmail/transmission-qt & add kontact.profile (#5905)
* profiles: misc changes and self-ref fixes in ghostwriter/peek (#5648)
* profiles: firecfg: fix sha384sum & add b2sum/cksum (#6578)
* profiles: refactor com.github.johnfactotum.Foliate into foliate.profile
(#6582)
* profiles: anki: fix dark mode detection & misc changes (#6581)
* profiles: tor: add memory-deny-write-execute (#6641)
* profiles: torbrowser-launcher: move path from dc to dp (#6640)
* profiles: ytmdesktop: add redirect & whitelist /opt/ytmdesktop (#6662
#6666)
* profiles: seahorse: add redirect org.gnome.seahorse.Application (#6658
#6673)
* profiles: godot: ignore noexec in home to fix addons (#6686)
* new profiles: qpdf and redirects (fix-qdf, qpdf, zlib-flate) (#5675)
* new profiles: parsecd (#5646 #5682)
* new profiles: lobster (#5706 #5847 #5885 #6155)
* new profiles: ani-cli (#5707 #5733 #5892 #5954)
* new profiles: discord redirects (DiscordPTB, discord-ptb) (#5729)
* new profiles: jami and postman (#5691)
* new profiles: mov-cli (#5710 #5884 #5924 #6304)
* new profiles: standard-notes (#5761)
* new profiles: url-eater (#5780)
* new profiles: fbreader redirect (FBReader) (d88c8d4391)
* new profiles: rssguard (#5881)
* new profiles: mullvad-browser (#5887)
* new profiles: sniffnet (#5920)
* new profiles: daisy (#5935)
* new profiles: reader (#5934)
* new profiles: journal-viewer (#5943)
* new profiles: clac (#5947)
* new profiles: blender redirect (blender-3.6) (#6013)
* new profiles: fluffychat (#6007)
* new profiles: lettura (#6027)
* new profiles: brz and bzr (Breezy) (#6028)
* new profiles: floorp (#6030 #6263 #6683)
* new profiles: tidal-hifi (#6008 #6009)
* new profiles: termshark (#6039)
* new profiles: tiny-rdm (#6083)
* new profiles: rawtherapee (#6180)
* new profiles: electron-cash (#6181)
* new profiles: gnome-boxes (#6226)
* new profiles: virt-manager (#6227)
* new profiles: ledger-live-desktop (#6219)
* new profiles: lz4 and redirects (#6241)
* new profiles: qt5ct (#6249)
* new profiles: qt6ct (#6250)
* new profiles: green-recoder (#6237)
* new profiles: bpftop (#6231)
* new profiles: erd (#6236)
* new profiles: lyriek (#6245)
* new profiles: statusof (#6253)
* new profiles: cloneit (#6232)
* new profiles: deadlink (#6233)
* new profiles: dexios (#6234)
* new profiles: koreader (#6243)
* new profiles: editorconfiger (#6235)
* new profiles: localsend_app (#6244)
* new profiles: rymdport (#6251)
* new profiles: textroom (#6254)
* new profiles: tvnamer (#6256)
* new profiles: mimetype (#6247)
* new profiles: session-desktop (#6259)
* new profiles: metadata-cleaner (#6246)
* new profiles: tqemu (#6255)
* new profiles: gh (GitHub CLI) (#6293)
* new profiles: axel (#6315)
* new profiles: several kids programs (alienblaster geki2 geki3 lbreakouthd
tuxtype typespeed) (4c5f55899)
* new profiles: loupe (#6327 #6333)
* new profiles: d-spy (#6328)
* new profiles: nhex (#6341)
* new profiles: armcord (#6365)
* new profiles: dtui (#6422)
* new profiles: singularity (Endgame: Singularity) (#6463)
* new profiles: prismlauncher (#6558)
* new profiles: irssi (#6549)
* new profiles: syncthing (#6536)
* new profiles: obsidian (#6314)
* new profiles: b3sum (blake3) (#6577)
* new profiles: aria2p/aria2rpc (#6583 #6609)
* new profiles: buku (#6584)
* new profiles: monero-wallet-cli (#6586)
* new profiles: tremc (#6590)
* new profiles: device-flasher.linux (CalyxOS) (#6616)
* new profiles: hledger/hledger-ui (#6585)
* new profiles: ncmpcpp (#6587)
* new profiles: pyradio (#6589)
* new profiles: vesktop (#6654)
* new profiles: nsxiv (#6588)
* new profiles: remmina-file-wrapper (#6669)
* new profiles: ouch (#6678)
* new profiles: xarchiver (#6679)
-- netblue30 <netblue30@yahoo.com> Mon, 24 Mar 2025 09:00:00 -0500
firejail (0.9.72) baseline; urgency=low
* feature: On failing to remount a fuse filesystem, give warning instead of
erroring out (#5240 #5242)
* feature: Update syscall tables and seccomp groups (#5188)
* feature: improve force-nonewprivs security guarantees (#5217 #5271)
* feature: add support for restricting the creation of Linux namespaces
(--restrict-namespaces, --restrict-namespaces=), implemented as a seccomp
filter for both 64 and 32 bit architectures (#4939 #5259)
* feature: add support for custom AppArmor profiles (--apparmor=) (#5274
#5316 #5317 #5475)
* feature: add support for ICMP in nettrace
* feature: add --dnstrace, --icmptrace, and --snitrace commands
* feature: Add basic gtksourceview language-spec (file type detection/syntax
highlighting for profiles) (#5502)
* feature: add restrict-namespaces to (almost) all applicable profiles (#5440
#5537)
* feature: add support for netlock in profile files
* modif: removed --cgroup= command (#5190 #5200)
* modif: set --shell=none as the default (#5190)
* modif: removed --shell= command (#5190 #5196 #5209)
* modif: disabled firetunnel by default in configure.ac (#5190)
* modif: disabled chroot by default in /etc/firejail/firejail.config (#5190)
* modif: disabled private-lib by default in /etc/firejail/firejail.config
(#5190 #5216)
* modif: disabled tracelog by default in /etc/firejail/firejail.config
(#5190)
* modif: removed grsecurity support
* modif: stop hiding blacklisted files in /etc by default and add a new
etc-hide-blacklisted option to firejail.config that enables the previous
behavior (disabled by default) (#5010 #5230 #5591 #5595)
* bugfix: Flood of seccomp audit log entries (#5207)
* bugfix: --netlock does not work (Error: no valid sandbox) (#5312)
* build: deduplicate configure-time vars into new config files (#5140 #5284)
* build: fix file mode of shell scripts (644 -> 755) (#5206)
* build: reduce autoconf input files from 32 to 2 (#5219)
* build: add dist build directory to .gitignore (#5248)
* build: add autoconf auto-generation comment to input files (#5251)
* build: Add files make uninstall forgot to remove (#5283)
* build: add and use TARNAME instead of NAME for paths (#5310)
* build: only install ids.config when --enable-ids is set (#5356 #5357)
* build: Remove deprecated syntax and modernize shell test scripts (#5370)
* build: Fix musl warnings (#5421 #5431)
* build: sort.py improvements (#5429)
* build: deduplicate makefiles (#5478)
* build: fix formatting and misc in configure (#5488)
* build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS (#5504)
* build: make shell commands more portable in firejail.vim (#5577)
* ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275)
* ci: ignore git-related paths and the project license (#5249)
* ci: Harden GitHub Actions (StepSecurity) (#5439)
* ci: sort and ignore more paths (#5481)
* ci: whitelist needed endpoints and block access to sudo (#5485)
* docs: fix typos (#5189 #5349)
* docs: mention risk of SUID binaries and also firejail-users(5) (#5288
#5290)
* docs: set vim filetype on man pages for syntax highlighting (#5296)
* docs: note that blacklist/whitelist follow symlinks (#5344)
* docs: Add IRC channel info to README.md (#5361)
* docs: man: Note that some commands can be disabled in firejail.config
(#5366)
* docs: Add gist note to bug_report.md (#5398)
* docs: clarify that --appimage should appear before --profile (#5402 #5451)
* docs: add more Firefox examples to the firejail-local AppArmor profile
(#5493)
* docs: Fix broken Restrict-DBus wiki link on profile.template (#5554)
* docs: Remove invalid --profile-path from --help (#5585 #5586)
* new profiles: gdu, makedeb, gtk-lbry-viewer, lbry-viewer, tuir, chafa,
* new profiles: godot3, cinelerra-gg, tesseract, avidemux3_qt5,
* new profiles: avidemux3_cli, avidemux3_jobs_qt5, ssmtp, chatterino,
* new profiles: linuxqq, qq, electron-hardened.inc.profile,
-- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500
firejail (0.9.70) baseline; urgency=low
* security: CVE-2022-31214 - root escalation in --join logic
Reported by Matthias Gerstner, working exploit code was provided to our
development team. In the same time frame, the problem was independently
reported by Birk Blechschmidt. Full working exploit code was also provided.
* feature: enable shell tab completion with --tab (#4936)
* feature: disable user profiles at compile time (#4990)
* feature: Allow resolution of .local names with avahi-daemon in the apparmor
profile (#5088)
* feature: always log seccomp errors (#5110)
* feature: firecfg --guide, guided user configuration (#5111)
* feature: --oom, kernel OutOfMemory-killer (#5122)
* modif: --ids feature needs to be enabled at compile time (#5155)
* modif: --nettrace only available to root user
* rework: whitelist restructuring (#4985)
* rework: firemon, speed up and lots of fixes
* bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
* bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
* bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
* bugfix: fix printing in evince (#5011)
* bugfix: gcov: fix gcov functions always declared as dummy (#5028)
* bugfix: Stop warning on safe supplementary group clean (#5114)
* build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
* build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
* ci: replace centos (EOL) with almalinux (#4912)
* ci: fix --version not printing compile-time features (#5147)
* ci: print version after install & fix apparmor support on build_apparmor
(#5148)
* docs: Refer to firejail.config in configuration files (#4916)
* docs: firejail.config: add warning about allow-tray (#4946)
* docs: mention that the protocol command accumulates (#5043)
* docs: mention inconsistent homedir bug involving --private=dir (#5052)
* docs: mention capabilities(7) on --caps (#5078)
* new profiles: onionshare, onionshare-cli, opera-developer, songrec
* new profiles: node-gyp, npx, semver, ping-hardened
* removed profiles: nvm
-- netblue30 <netblue30@yahoo.com> Thu, 9 Jun 2022 09:00:00 -0500
firejail (0.9.68) baseline; urgency=low
* security: on Ubuntu, the PPA is now recommended over the distro package
(see README.md) (#4748)
* security: bugfix: private-cwd leaks access to the entire filesystem
(#4780); reported by Hugo Osvaldo Barrera
* feature: remove (some) environment variables with auth-tokens (#4157)
* feature: ALLOW_TRAY condition (#4510 #4599)
* feature: add basic Firejail support to AppArmor base abstraction (#3226
#4628)
* feature: intrusion detection system (--ids-init, --ids-check)
* feature: deterministic shutdown command (--deterministic-exit-code,
--deterministic-shutdown) (#928 #3042 #4635)
* feature: noprinters command (#4607 #4827)
* feature: network monitor (--nettrace)
* feature: network locker (--netlock) (#4848)
* feature: whitelist-ro profile command (#4740)
* feature: disable pipewire with --nosound (#4855)
* feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
* feature: Allow apostrophe in whitelist and blacklist (#4614)
* feature: AppImage support in --build command (#4878)
* modifs: exit code: distinguish fatal signals by adding 128 (#4533)
* modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
* modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
* modifs: nogroups now stopped causing certain system groups to be dropped,
which are now controlled by the relevant "no" options instead (such as
nosound -> drop audio group), which fixes device access issues on systems
not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
* removal: --disable-whitelist at compile time
* removal: whitelist=yes/no in /etc/firejail/firejail.config
* bugfix: Fix sndio support (#4362 #4365)
* bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
* bugfix: --build clears the environment (#4460 #4467)
* bugfix: firejail hangs with net parameter (#3958 #4476)
* bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
* bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
* bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
* bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
* bugfix: Firejail rejects empty arguments (#4395)
* bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
* bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
* bugfix: private-etc does not work with symlinks (#4887)
* bugfix: Hardware key not detected on keepassxc (#4883)
* build: allow building with address sanitizer (#4594)
* build: Stop linking pthread (#4695)
* build: Configure cleanup and improvements (#4712)
* ci: add profile checks for sorting disable-programs.inc and
firecfg.config and for the required arguments in private-etc (#2739 #4643)
* ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
* docs: Add new command checklist to CONTRIBUTING.md (#4413)
* docs: Rework bug report issue template and add both a question and a
feature request template (#4479 #4515 #4561)
* docs: fix contradictory descriptions of machine-id ("preserves" vs
"spoofs") (#4689)
* docs: Document that private-bin and private-etc always accumulate (#4078)
* new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
* new includes: disable-proc.inc (#4521)
* removed includes: disable-passwordmgr.inc (#4454 #4461)
* new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
* new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
* new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
* new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
* new profiles: imv, retroarch, torbrowser, CachyBrowser,
* new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
* new profiles: Seafile, neovim, com.github.tchx84.Flatseal
-- netblue30 <netblue30@yahoo.com> Sun, 6 Feb 2022 09:00:00 -0500
firejail (0.9.66) baseline; urgency=low
* deprecated --audit options, replaced by jailcheck utility
* deprecated follow-symlink-as-user from firejail.config
* new firejail.config settings: private-bin, private-etc
* new firejail.config settings: private-opt, private-srv
* new firejail.config settings: whitelist-disable-topdir
* new firejail.config settings: seccomp-filter-add
* removed kcmp syscall from seccomp default filter
* rename --noautopulse to keep-config-pulse
* filtering environment variables
* zsh completion
* command line: --mkdir, --mkfile
* --protocol now accumulates
* Jolla/SailfishOS patches
* private-lib rework
* whitelist rework
* jailtest utility for testing running sandboxes
* capabilities list update
* faccessat2 syscall support
* --private-dev keeps /dev/input
* added --noinput to disable /dev/input
* add support for subdirs in --private-etc
* compile time: --enable-force-nonewprivs
* compile time: --disable-output
* compile time: --enable-lts
* subdirs support in private-etc
* input devices support in private-dev, --no-input
* support trailing comments on profile lines
* new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
* ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
* avidemux, calligragemini, vmware-player, vmware-workstation
* gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr
* PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum
* bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum
* sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway
* alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper,
* colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
* glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
* neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
* cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer
* links2, xlinks2, googler, ddgr, tin
-- netblue30 <netblue30@yahoo.com> Mon, 28 Jun 2021 09:00:00 -0500
firejail (0.9.64.4) baseline; urgency=low
* disabled overlayfs, pending multiple fixes (CVE-2021-26910)
-- netblue30 <netblue30@yahoo.com> Sun, 7 Feb 2021 09:00:00 -0500
firejail (0.9.64.2) baseline; urgency=low
* allow --tmpfs inside $HOME for unprivileged users
* --disable-usertmpfs compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* Setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
* added nolocal6.net IPv6 network filter
* new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
* new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
* new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
* new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi
* new profiles: guvcview, pkglog, kdiff3, CoyIM
-- netblue30 <netblue30@yahoo.com> Tue, 26 Jan 2021 09:00:00 -0500
firejail (0.9.64) baseline; urgency=low
* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
killing the process to returning EPERM to the caller. To get the
previous behaviour, use --seccomp-error-action=kill or
syscall:kill syntax when constructing filters, or override in
/etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
With this version nodbus is deprecated, in favor of dbus-user none and
dbus-system none and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
* new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
* new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
* new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
* new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
* new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
* new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
* new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
* new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
* new profiles: swell-foop, fdns, five-or-more, steam-runtime
* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
* new profiles: gapplication, openarena_ded, element-desktop, cawbird
* new profiles: freetube, strawberry, jitsi-meet-desktop
* new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
* new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
* new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
* new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
* new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
* new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
* new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
* new profiles: qrencode, ytmdesktop, twitch
* new profiles: xournalpp, chromium-freeworld, equalx
-- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 08:00:00 -0500
firejail (0.9.62) baseline; urgency=low
* added file-copy-limit in /etc/firejail/firejail.config
* profile templates (/usr/share/doc/firejail)
* allow-debuggers support in profiles
* several seccomp enhancements
* compiler flags autodetection
* move chroot entirely from path based to file descriptor based mounts
* whitelisting /usr/share in a large number of profiles
* new scripts in contrib: gdb-firejail.sh and sort.py
* enhancement: whitelist /usr/share in some profiles
* added signal mediation to apparmor profile
* new conditions: HAS_X11, HAS_NET
* new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
* new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
* new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
* new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
* new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
* new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
* new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
* new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
* new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
* new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
* new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
* new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
* new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
* new profiles: electron-mail, gist, gist-paste
-- netblue30 <netblue30@yahoo.com> Sat, 28 Dec 2019 08:00:00 -0500
firejail (0.9.60) baseline; urgency=low
* security bug reported by Austin Morton:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
* memory-deny-write-execute now also blocks memfd_create
* add private-cwd option to control working directory within jail
* blocking system D-Bus socket with --nodbus
* bringing back Centos 6 support
* drop support for flatpak/snap packages
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
-- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500
firejail (0.9.58,2) baseline; urgency=low
* cgroup flag in /etc/firejail/firejail.config file
* name-change flag in /etc/firejail.config file
* --name rework
* new profiles: klavaro, vscodium
* browser profiles fixes
* various other bugfixes
-- netblue30 <netblue30@yahoo.com> Fri, 8 Feb 2019 08:00:00 -0500
firejail (0.9.58) baseline; urgency=low
* --disable-mnt rework
* --net.print command
* GitLab CI/CD integration: disto specific builds
* profile parser enhancements and conditional handling support
for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F
* profile name support
* added explicit nonewprivs support to join option
* new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
* new profiles: devilspie, devilspie2, easystroke, github-desktop, min
* new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
* new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
* new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
* new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
* new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
* new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
* new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
* new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland
* new profiles: supertuxkart, ghostwriter, gajim-history-manager
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 26 Jan 2019 08:00:00 -0500
firejail (0.9.56) baseline; urgency=low
* modif: removed CFG_CHROOT_DESKTOP configuration option
* modif: removed compile time --enable-network=restricted
* modif: removed compile time --disable-bind
* modif: --net=none allowed even if networking was disabled at compile
time or at run time
* modif: allow system users to run the sandbox
* support wireless devices in --net option
* support tap devices in --net option (tunneling support)
* allow IP address configuration if the parent interface specified
by --net is not configured (--netmask)
* support for firetunnel utility
* disable U2F devices (--nou2f)
* add --private-cache to support private ~/.cache
* support full paths in private-lib
* globbing support in private-lib
* support for local user directories in firecfg (--bindir)
* new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
* new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
* new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
* new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
* new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
* new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
* new profiles: start-tor-browser.desktop
-- netblue30 <netblue30@yahoo.com> Tue, 18 Sep 2018 08:00:00 -0500
firejail (0.9.54) baseline; urgency=low
* modif: --force removed
* modif: --csh, --zsh removed
* modif: --debug-check-filename removed
* modif: --git-install and --git-uninstall removed
* modif: support for private-bin, private-lib and shell none has been
disabled while running AppImage archives in order to be able to use
our regular profile files with AppImages.
* modif: restrictions for /proc, /sys and /run/user directories
are moved from AppArmor profile into firejail executable
* modif: unifying Chromium and Firefox browsers profiles.
All users of Firefox-based browsers who use addons and plugins
that read/write from ${HOME} will need to uncomment the includes for
firefox-common-addons.inc in firefox-common.profile.
* modif: split disable-devel.inc into disable-devel and
disable-interpreters.inc
* Firejail user access database (/etc/firejail/firejail.users,
man firejail-users)
* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
* Spectre mitigation patch for gcc and clang compiler
* D-Bus handling (--nodbus)
* AppArmor support for overlayfs and chroot sandboxes
* AppArmor support for AppImages
* Enable AppArmor by default for a large number of programs
* firejail --apparmor.print option
* firemon --apparmor option
* apparmor yes/no flag in /etc/firejail/firejail.config
* seccomp syscall list update for glibc 2.26-10
* seccomp disassembler for --seccomp.print option
* seccomp machine code optimizer for default seccomp filters
* IPv6 DNS support
* whitelist support for overlay and chroot sandboxes
* private-dev support for overlay and chroot sandboxes
* private-tmp support for overlay and chroot sandboxes
* added sandbox name support in firemon
* firemon/prctl enhancements
* noblacklist support for /sys/module directory
* whitelist support for /sys/module directory
* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
* new profiles: discord-canary, pycharm-community, pycharm-professional,
* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
* new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
* new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
* new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
* new profiles: qmmp, sayonara
-- netblue30 <netblue30@yahoo.com> Wed, 16 May 2018 08:00:00 -0500
firejail (0.9.52) baseline; urgency=low
* modif: --allow-private-blacklists was deprecated; blacklisting,
read-only, read-write, tmpfs and noexec are allowed in
private home directories
* modif: remount-proc-sys deprecated from firejail.config
* modif: follow-symlink-private-bin deprecated from firejail.config
* modif: --profile-path was deprecated
* enhancement: support Firejail user config directory in firecfg
* enhancement: disable DBus activation in firecfg
* enhancement; enumerate root directories in apparmor profile
* enhancement: /etc and /usr/share whitelisting support
* enhancement: globbing support for --private-bin
* feature: systemd-resolved integration
* feature: whitelisting /var directory in most profiles
* feature: GTK2, GTK3 and Qt4 private-lib support
* feature: --debug-private-lib
* feature: test deployment of private-lib for the following
applications: evince, galculator, gnome-calculator,
leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
atril, mate-color-select, tar, file, strings, gpicview,
eom, eog, gedit, pluma
* feature: --writable-run-user
* feature: --rlimit-as
* feature: --rlimit-cpu
* feature: --timeout
* feature: profile build tool (--build)
* feature: --netfilter.print
* feature: --netfilter6.print
* feature: netfilter template support
* new profiles: upstreamed many profiles from the following sources:
https://github.com/chiraag-nataraj/firejail-profiles,
https://github.com/nyancat18/fe,
https://aur.archlinux.org/packages/firejail-profiles.
* new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
brackets, calligra, calligraauthor, calligraconverter, calligraflow,
calligraplan, calligraplanwork, calligrasheets, calligrastage,
calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report
cower (Arch), kdeinit4
-- netblue30 <netblue30@yahoo.com> Thu, 7 Dec 2017 08:00:00 -0500
firejail (0.9.50) baseline; urgency=low
* modif: --output split in two commands, --output and --output-stderr
* feature: per-profile disable-mnt (--disable-mnt)
* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
* feature: private /lib directory (--private-lib)
* feature: disable CDROM/DVD drive (--nodvd)
* feature: disable DVB devices (--notv)
* feature: --profile.print
* enhancement: print all seccomp filters under --debug
* enhancement: /proc/sys mounting
* enhancement: rework IP address assignment for --net options
* enhancement: support for newer Xpra versions (2.1+) -
set xpra-attach yes in /etc/firejail/firejail.config
* enhancement: all profiles use a standard layout style
* enhancement: create /usr/local for firecfg if the directory doesn't exist
* enhancement: allow full paths in --private-bin
* seccomp feature: --memory-deny-write-execute
* seccomp feature: seccomp post-exec
* seccomp feature: block secondary architecture (--seccomp.block_secondary)
* seccomp feature: seccomp syscall groups
* seccomp enhancement: print all seccomp filters under --debug
* seccomp enhancement: default seccomp list update
* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
* new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
* new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
* new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
* new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
* new profiles: sqlitebrowse, Yandex Browser, minetest
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 30 Sep 2017 08:00:00 -0500
firejail (0.9.50~rc1) baseline; urgency=low
* release pending!
* modif: --output split in two commands, --output and --output-stderr
* feature: per-profile disable-mnt (--disable-mnt)
* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
* feature: private /lib directory (--private-lib)
* feature: disable CDROM/DVD drive (--nodvd)
* feature: disable DVB devices (--notv)
* feature: --profile.print
* enhancement: print all seccomp filters under --debug
* enhancement: /proc/sys mounting
* enhancement: rework IP address assignment for --net options
* enhancement: support for newer Xpra versions (2.1+) -
set xpra-attach yes in /etc/firejail/firejail.config
* enhancement: all profiles use a standard layout style
* enhancement: create /usr/local for firecfg if the directory doesn't exist
* enhancement: allow full paths in --private-bin
* seccomp feature: --memory-deny-write-execute
* seccomp feature: seccomp post-exec
* seccomp feature: block secondary architecture (--seccomp.block_secondary)
* seccomp feature: seccomp syscall groups
* seccomp enhancement: print all seccomp filters under --debug
* seccomp enhancement: default seccomp list update
* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
* new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
* new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
* new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
* new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
* new profiles: sqlitebrowse, Yandex Browser, minetest
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500
firejail (0.9.48) baseline; urgency=low
* modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
please use ~/Downloads directory for saving files
* modifs: AppArmor made optional; a warning is printed on the screen
if the sandbox fails to load the AppArmor profile
* feature: --novideo
* feature: drop discretionary access control capabilities for
root sandboxes
* feature: added /etc/firejail/globals.local for global customizations
* feature: profile support in overlayfs mode
* new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 08:00:00 -0500
firejail (0.9.46) baseline; urgency=low
* security: split most of networking code in a separate executable
* security: split seccomp filter code configuration in a separate executable
* security: split file copying in private option in a separate executable
* feature: disable gnupg and systemd directories under /run/user
* feature: test coverage (gcov) support
* feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
* feature: private /opt directory (--private-opt, profile support)
* feature: private /srv directory (--private-srv, profile support)
* feature: spoof machine-id (--machine-id, profile support)
* feature: allow blacklists under --private (--allow-private-blacklist,
profile support)
* feature: user-defined /etc/hosts file (--hosts-file, profile support)
* feature: support for the real /var/log directory (--writable-var-log,
profile support)
* feature: config support for firejail prompt in terminals
* feature: AppImage type 2 support
* feature: pass command line arguments to appimages
* feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
* feature: added a number of Python scripts for handling sandboxes
* feature: allow local customization using .local files under /etc/firejail
* feature: follow-symlink-as-user runtime config option in
/etc/firejail/firejail.config
* feature: follow-symlink-private-bin option in /etc/firejail/firejail.config
* feature: xvfb X11 server support (--x11=xvfb)
* feature: allow /tmp directory in mkdir and mkfile profile commands
* feature: implemented --noblacklist command, profile support
* feature: config support to disable access to /mnt and /media (disable-mnt)
* feature: config support to disable join (join)
* feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
* feature: support overlay, overlay-named and overlay-tmpfs in profile files
* feature: allow PulseAudio sockets in --private-tmp
* feature: --fix-sound support in firecfg
* feature: added support for sandboxing Xpra, Xvfb and Xephyr in
independent sandboxes when started with firejail --x11
* feature: enable automatic X server sandboxing for --x11=xpra
and --x11=xephyr
* feature: support for Xpra extra params in firejail config file
* new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
* new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
* new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
* new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,
* new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,
* new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,
* new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
* new profiles: Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict,
* new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin,
* new profiles: mate-calc, mate-dictionary, mate-color-select, caja,
* new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes
* new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr
* new profiles: Blender, 2048-qt
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sun, 14 May 2017 08:00:00 -0500
firejail (0.9.44.10) baseline; urgency=low
* security: when using --x11=xorg and --net, incorrect processing of
the return code of /usr/bin/xauth could end up in starting the
sandbox without X11 security extension installed. Problem found/fixed
by Zack Weinberg
* bugfix: ~/.pki directory whitelisted and later blacklisted. This affects
most browsers, and disables the custom certificates installed by the user
* bugfix: firecfg config fix
* bugfix: gajim security profile fix
* bugfix: man page fix
* bugfix: force-nonewprivs fix for /etc/firejail/firejail.config
* bugfix: xephyr-extra-params fix for /etc/firejail/firejail.config
* bugfix: memory corruption in noblacklist processing
* bugfix: --quiet fix for Arch and Fedora systems
* bugfix: updated Keepass(x) profiles
* bugfix: firemon --nowrap problem
* bugfix: document firemon --nowrap in man page and in --help option
* bugfix: bash completion for --noblacklist command
* bugfix: vlc profile fix
* bugfix: fixed handling of .local profile files when the software is
installed in ~/.local directory
* bugfix: temporarily remove private-tmp from all profiles, until a fix for
.Xauthority file handling in KDE becomes available
* maintenance: --output cleanup
* maintenance: updated copyright statement in all files
-- netblue30 <netblue30@yahoo.com> Sat, 18 Mar 2017 10:00:00 -0500
firejail (0.9.44.8) baseline; urgency=low
* bugfix: fix broken PulseAudio support
-- netblue30 <netblue30@yahoo.com> Wed, 18 Jan 2017 10:00:00 -0500
firejail (0.9.44.6) baseline; urgency=low
* security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week,
new CVE code assigned after release: CVE-2017-5940
* security: major cleanup of file copying code
* security: tightening the rules for --chroot and --overlay features
* bugfix: ported Gentoo compile patch
* bugfix: Nvidia drivers bug in --private-dev
* bugfix: fix ASSERT_PERMS_FD macro
* feature: allow local customization using .local files under /etc/firejail
backported from our development branch
* feature: spoof machine-id backported from our development branch
-- netblue30 <netblue30@yahoo.com> Sun, 15 Jan 2017 10:00:00 -0500
firejail (0.9.44.4) baseline; urgency=low
* security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* security: disabled --allow-debuggers when running on kernel
versions prior to 4.8; a kernel bug in ptrace system call
allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
(CVE-2017-5206)
* security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
-- netblue30 <netblue30@yahoo.com> Sat, 7 Jan 2017 10:00:00 -0500
firejail (0.9.44.2) baseline; urgency=low
* security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
* security: TOCTOU exploit for --get and --put found by Daniel Hodson
* security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
* security: several security enhancements
* bugfix: crashing VLC by pressing Ctrl-O
* bugfix: use user configured icons in KDE
* bugfix: mkdir and mkfile are not applied to private directories
* bugfix: cannot open files on Deluge running under KDE
* bugfix: --private=dir where dir is the user home directory
* bugfix: cannot start Vivaldi browser
* bugfix: cannot start mupdf
* bugfix: ssh profile problems
* bugfix: --quiet
* bugfix: quiet in git profile
* bugfix: memory corruption
-- netblue30 <netblue30@yahoo.com> Fri, 2 Dec 2016 08:00:00 -0500
firejail (0.9.44) baseline; urgency=low
* CVE-2016-9016 submitted by Aleksey Manevich
* modifs: removed man firejail-config
* modifs: --private-tmp whitelists /tmp/.X11-unix directory
* modifs: Nvidia drivers added to --private-dev
* modifs: /srv supported by --whitelist
* feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
* feature: support starting/joining sandbox is a single command
(--join-or-start)
* feature: X11 detection support for --audit
* feature: assign a name to the interface connected to the bridge
(--veth-name)
* feature: all user home directories are visible (--allusers)
* feature: add files to sandbox container (--put)
* feature: blocking x11 (--x11=block)
* feature: X11 security extension (--x11=xorg)
* feature: disable 3D hardware acceleration (--no3d)
* feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* feature: move files in sandbox (--put)
* feature: accept wildcard patterns in user name field of restricted
shell login feature
* new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
* new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* new profiles: Flowblade, Eye of GNOME (eog), Evolution
* bugfixes
-- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500
firejail (0.9.42) baseline; urgency=low
* security: --whitelist deleted files, submitted by Vasya Novikov
* security: disable x32 ABI in seccomp, submitted by Jann Horn
* security: tighten --chroot, submitted by Jann Horn
* security: terminal sandbox escape, submitted by Stephan Sokolow
* security: several TOCTOU fixes submitted by Aleksey Manevich
* modifs: bringing back --private-home option
* modifs: deprecated --user option, please use "sudo -u username firejail"
* modifs: allow symlinks in home directory for --whitelist option
* modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
* modifs: recursive mkdir
* modifs: include /dev/snd in --private-dev
* modifs: seccomp filter update
* modifs: release archives moved to .xz format
* feature: AppImage support (--appimage)
* feature: AppArmor support (--apparmor)
* feature: Ubuntu snap support (/etc/firejail/snap.profile)
* feature: Sandbox auditing support (--audit)
* feature: remove environment variable (--rmenv)
* feature: noexec support (--noexec)
* feature: clean local overlay storage directory (--overlay-clean)
* feature: store and reuse overlay (--overlay-named)
* feature: allow debugging inside the sandbox with gdb and strace
(--allow-debuggers)
* feature: mkfile profile command
* feature: quiet profile command
* feature: x11 profile command
* feature: option to fix desktop files (firecfg --fix)
* compile time: Busybox support (--enable-busybox-workaround)
* compile time: disable overlayfs (--disable-overlayfs)
* compile time: disable whitelisting (--disable-whitelist)
* compile time: disable global config (--disable-globalcfg)
* run time: enable/disable overlayfs (overlayfs yes/no)
* run time: enable/disable quiet as default (quiet-by-default yes/no)
* run time: user-defined network filter (netfilter-default)
* run time: enable/disable whitelisting (whitelist yes/no)
* run time: enable/disable remounting of /proc and /sys
(remount-proc-sys yes/no)
* run time: enable/disable chroot desktop features (chroot-desktop yes/no)
* profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
* profiles: pix, audacity, xz, xzdec, gzip, cpio, less
* profiles: Atom Beta, Atom, jitsi, eom, uudeview
* profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
* profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
* bugfixes
-- netblue30 <netblue30@yahoo.com> Thu, 8 Sept 2016 08:00:00 -0500
firejail (0.9.40) baseline; urgency=low
* added --nice option
* added --x11 option
* added --x11=xpra option
* added --x11=xephyr option
* added --cpu.print option
* added filetransfer options --ls and --get
* added --writable-etc and --writable-var options
* added --read-only option
* added mkdir, ipc-namespace, and nosound profile commands
* added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
* --version also prints compile options
* --output option also redirects stderr
* added compile-time option to restrict --net= to root only
* run time config support, man firejail-config
* added firecfg utility
* AppArmor fixes
* default seccomp filter update
* disable STUN/WebRTC in default netfilter configuration
* new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
* new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
* new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
* new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
* new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
* new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
* new profiles: generic Ubuntu snap application profile, xplayer
* new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
* new profiles: Brave, Gitter
* generic.profile renamed default.profile
* build rpm packages using "make rpms"
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sun, 29 May 2016 08:00:00 -0500
firejail (0.9.38.10) baseline; urgency=low
* security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
new CVE code assigned after release: CVE-2017-5940
* security: tightening the rules for --chroot
* bugfix: ported Gentoo compile patch
* bugfix: fix ASSERT_PERMS_FD macro
-- netblue30 <netblue30@yahoo.com> Sun, 15 Jan 2017 10:00:00 -0500
firejail (0.9.38.8) baseline; urgency=low
* security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
-- netblue30 <netblue30@yahoo.com> Sat, 7 Jan 2017 10:00:00 -0500
firejail (0.9.38.6) baseline; urgency=low
* security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
* bugfix: crashing VLC by pressing Ctrl-O
-- netblue30 <netblue30@yahoo.com> Fri, 16 Dec 2016 10:00:00 -0500
firejail (0.9.38.4) baseline; urgency=low
* CVE-2016-7545 submitted by Aleksey Manevich
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 10 Oct 2016 10:00:00 -0500
firejail (0.9.38.2) baseline; urgency=low
* security: --whitelist deleted files, submitted by Vasya Novikov
* security: disable x32 ABI, submitted by Jann Horn
* security: tighten --chroot, submitted by Jann Horn
* security: terminal sandbox escape, submitted by Stephan Sokolow
* feature: clean local overlay storage directory (--overlay-clean)
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 23 Aug 2016 10:00:00 -0500
firejail (0.9.38) baseline; urgency=low
* IPv6 support (--ip6 and --netfilter6)
* --join command enhancement (--join-network, --join-filesystem)
* added --user command
* added --disable-network and --disable-userns compile time flags
* Centos 6 support
* symlink invocation
* added KMail, Seamonkey, Telegram, Mathematica, uGet,
* and mupen64plus profiles
* --chroot in user mode allowed only if seccomp support is available
* in current Linux kernel (CVE-2016-10123)
* deprecated --private-home feature
* the first protocol list installed takes precedence
* --tmpfs option allowed only running as root (CVE-2016-10117)
* added --private-tmp option
* weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500
firejail (0.9.36) baseline; urgency=low
* added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
parole and rtorrent profiles
* Google Chrome profile rework
* added google-chrome-stable profile
* added google-chrome-beta profile
* added google-chrome-unstable profile
* Opera profile rework
* added opera-beta profile
* added --noblacklist option
* added --profile-path option
* added --force option
* whitelist command enhancements
* prevent user name enumeration
* added /etc/firejail/nolocal.net network filter
* added /etc/firejail/webserver.net network filter
* blacklisting firejail configuration by default
* allow default gateway configuration for --interface option
* --debug enhancements: --debug-check-filenames, --debug-blacklists,
--debug-whitelists
* filesystem log
* libtrace enhancements, tracing opendir call
* added --tracelog option
* added "name" command to profile files
* added "hostname" command to profile files
* added automated feature testing framework
* Debian reproducible build
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sun, 27 Dec 2015 09:00:00 -0500
firejail (0.9.34) baseline; urgency=low
* added --ignore option
* added --protocol option
* support dual i386/amd64 seccomp filters
* added Google Chrome profile
* added Steam, Skype, Wine and Conkeror profiles
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 7 Nov 2015 08:00:00 -0500
firejail (0.9.32) baseline; urgency=low
* added --interface option
* added --mtu option
* added --private-bin option
* added --nosound option
* added --hostname option
* added --quiet option
* added seccomp errno support
* added FBReader default profile
* added Spotify default profile
* lots of default security profile changes
* fixed a security problem on multi-user systems
* bugfixes
-- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2015 08:00:00 -0500
firejail (0.9.30) baseline; urgency=low
* added a disable-history.inc profile as a result of Firefox PDF.js exploit;
disable-history.inc included in all default profiles
* Firefox PDF.js exploit (CVE-2015-4495) fixes
* added --private-etc option
* added --env option
* added --whitelist option
* support ${HOME} token in include directive in profile files
* --private.keep is transitioned to --private-home
* support ~ and blanks in blacklist option
* support "net none" command in profile files
* using /etc/firejail/generic.profile by default for user sessions
* using /etc/firejail/server.profile by default for root sessions
* added build --enable-fatal-warnings configure option
* added persistence to --overlay option
* added --overlay-tmpfs option
* make install-strip implemented, make install renamed
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 14 Sept 2015 08:00:00 -0500
firejail (0.9.28) baseline; urgency=low
* network scanning, --scan option
* interface MAC address support, --mac option
* IP address range, --iprange option
* traffic shaping, --bandwidth option
* reworked printing of network status at startup
* man pages rework
* added firejail-login man page
* added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
profiles
* added an /etc/firejail/disable-common.inc file to hold common directory
blacklists
* blacklist Opera and Chrome/Chromium config directories in profile files
* support noroot option for profile files
* enabled noroot in default profile files
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 1 Aug 2015 08:00:00 -0500
firejail (0.9.26) baseline; urgency=low
* private dev directory
* private.keep option for whitelisting home files in a new private directory
* user namespaces support, noroot option
* added Deluge and qBittorent profiles
* bugfixes
-- netblue30 <netblue30@yahoo.com> Thu, 30 Apr 2015 08:00:00 -0500
firejail (0.9.24) baseline; urgency=low
* whitelist and blacklist seccomp filters
* doubledash option
* --shell=none support
* netfilter file support in profile files
* dns server support in profile files
* added --dns.print option
* added default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem.
* added --caps.drop=all in default profiles
* new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
* clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
* Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
* two build patches from Reiner Herman (tickets 11, 12)
* man page patch from Reiner Herman (ticket 13)
* output patch (ticket 15) from sshirokov
-- netblue30 <netblue30@yahoo.com> Sun, 5 Apr 2015 08:00:00 -0500
firejail (0.9.22) baseline; urgency=low
* Replaced --noip option with --ip=none
* Container stdout logging and log rotation
* Added process_vm_readv, process_vm_writev and mknod to
* default seccomp blacklist
* Added CAP_MKNOD to default caps blacklist
* Blacklist and whitelist custom Linux capabilities filters
* macvlan device driver support for --net option
* DNS server support, --dns option
* Netfilter support
* Monitor network statistics, --netstats option
* Added profile for Mozilla Thunderbird/Icedove
* - --overlay support for Linux kernels 3.18+
* Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
* Bugfix: check uid/gid for cgroup
-- netblue30 <netblue30@yahoo.com> Mon, 9 Mar 2015 09:00:00 -0500
firejail (0.9.20) baseline; urgency=low
* utmp, btmp and wtmp enhancements
* create empty /var/log/wtmp and /var/log/btmp files in sandbox
* generate a new /var/run/utmp file in sandbox
* CPU affinity, --cpu option
* Linux control groups support, --cgroup option
* Opera web browser support
* VLC support
* Added "empty" attribute to seccomp command to remove the default
* syscall list form seccomp blacklist
* Added --nogroups option to disable supplementary groups for regular
* users. root user always runs without supplementary groups.
* firemon enhancements
* display the command that started the sandbox
* added --caps option to display capabilities for all sandboxes
* added --cgroup option to display the control groups for all sandboxes
* added --cpu option to display CPU affinity for all sandboxes
* added --seccomp option to display seccomp setting for all sandboxes
* New compile time options: --disable-chroot, --disable-bind
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 02 Feb 2015 08:00:00 -0500
firejail (0.9.18) baseline; urgency=low
* Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
* Support for tracing setreuid, setregid, setresuid, setresguid syscalls
* Added profiles for transmission-gtk and transmission-qt
* bugfixes
-- netblue30 <netblue30@yahoo.com> Fri, 25 Dec 2014 10:00:00 -0500
firejail (0.9.16) baseline; urgency=low
* Configurable private home directory
* Configurable default user shell
* Software configuration support for --docdir and DESTDIR
* Profile file support for include, caps, seccomp and private keywords
* Dropbox profile file
* Linux capabilities and seccomp filters enabled by default for Firefox,
Midori, Evince and Dropbox
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 4 Nov 2014 10:00:00 -0500
firejail (0.9.14) baseline; urgency=low
* Linux capabilities and seccomp filters are automatically enabled in
chroot mode (--chroot option) if the sandbox is started as regular user
* Added support for user defined seccomp blacklists
* Added syscall trace support
* Added --tmpfs option
* Added --balcklist option
* Added --read-only option
* Added --bind option
* Logging enhancements
* --overlay option was reactivated
* Added firemon support to print the ARP table for each sandbox
* Added firemon support to print the route table for each sandbox
* Added firemon support to print interface information for each sandbox
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 15 Oct 2014 10:00:00 -0500
firejail (0.9.12.2) baseline; urgency=low
* Fix for pulseaudio problems
* --overlay option was temporarily disabled in this build
-- netblue30 <netblue30@yahoo.com> Mon, 29 Sept 2014 07:00:00 -0500
firejail (0.9.12.1) baseline; urgency=low
* Fix for pulseaudio problems
* --overlay option was temporarily disabled in this build
-- netblue30 <netblue30@yahoo.com> Mon, 22 Sept 2014 09:00:00 -0500
firejail (0.9.12) baseline; urgency=low
* Added capabilities support
* Added support for CentOS 7
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 15 Sept 2014 10:00:00 -0500
firejail (0.9.10) baseline; urgency=low
* Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot
* Fixed --top option CPU utilization calculation
* Implemented --tree option in firejail and firemon
* Implemented --join=name option
* Implemented --shutdown option
* Preserve the current working directory if possible
* Cppcheck and clang errors cleanup
* Added a Chromium web browser profile
-- netblue30 <netblue30@yahoo.com> Thu, 28 Aug 2014 07:00:00 -0500
firejail (0.9.8.1) baseline; urgency=low
* FIxed a number of bugs introduced in 0.9.8
-- netblue30 <netblue30@yahoo.com> Fri, 25 Jul 2014 07:25:00 -0500
firejail (0.9.8) baseline; urgency=low
* Implemented nowrap mode for firejail --list command option
* Added --top option in both firejail and firemon
* seccomp filter support
* Added pid support for firemon
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 24 Jul 2014 08:51:00 -0500
firejail (0.9.6) baseline; urgency=low
* Mounting tmpfs on top of /var/log, required by several server programs
* Server fixes for /var/lib and /var/cache
* Private mode fixes
* csh and zsh default shell support
* Chroot mode fixes
* Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd,
-- netblue30 <netblue30@yahoo.com> Sat, 7 Jun 2014 09:00:00 -0500
firejail (0.9.4) baseline; urgency=low
* Fixed resolv.conf on Ubuntu systems using DHCP
* Fixed resolv.conf on Debian systems using resolvconf package
* Fixed /var/lock directory
* Fixed /var/tmp directory
* Fixed symbolic links in profile files
* Added profiles for evince, midori
-- netblue30 <netblue30@yahoo.com> Sun, 4 May 2014 08:00:00 -0500
firejail (0.9.2) baseline; urgency=low
* Checking IP address passed with --ip option using ARP; exit if the address
is already present
* Using a lock file during ARP address assignment in order to removed a race
condition.
* Several fixes to --private option; it also mounts a tmpfs filesystem on top
of /tmp
* Added user access check for profile file
* Added --defaultgw option
* Added support of --noip option; it is necessary for DHCP setups
* Added syslog support
* Added support for "tmpfs" and "read-only" profile commands
* Added an expect-based testing framework for the project
* Added bash completion support
* Added support for multiple networks
-- netblue30 <netblue30@yahoo.com> Fri, 25 Apr 2014 08:00:00 -0500
firejail (0.9) baseline; urgency=low
* First beta version
-- netblue30 <netblue30@yahoo.com> Sat, 12 Apr 2014 09:00:00 -0500
Reference in a new issue View git blame Copy permalink