mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
312 lines
11 KiB
Text
312 lines
11 KiB
Text
Firejail is a SUID sandbox program that reduces the risk of security
|
|
breaches by restricting the running environment of untrusted applications
|
|
using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
|
|
Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
|
|
VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
|
|
DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
|
|
Pidgin, Quassel and XChat.
|
|
|
|
Firejail also expands the restricted shell facility found in bash by adding
|
|
Linux namespace support. It supports sandboxing specific users upon login.
|
|
|
|
Download: http://sourceforge.net/projects/firejail/files/
|
|
Build and install: ./configure && make && sudo make install
|
|
Documentation and support: https://firejail.wordpress.com/
|
|
Development: https://github.com/netblue30/firejail
|
|
License: GPL v2
|
|
|
|
Firejail Authors:
|
|
|
|
netblue30 (netblue30@yahoo.com)
|
|
Reiner Herrmann (https://github.com/reinerh)
|
|
- a number of build patches
|
|
- man page fixes
|
|
- Debian and Ubuntu integration
|
|
- clang-analyzer fixes
|
|
- Debian reproducible build
|
|
- unit testing framework
|
|
- moved build to .xz
|
|
- detached signatures for source archive
|
|
- recursive mkdir
|
|
Aleksey Manevich (https://github.com/manevich)
|
|
- several profile fixes
|
|
- fix problem with relative path in storage_find function
|
|
- fix build for systems without bash
|
|
- fix double quotes/single quotes problem
|
|
- big rework of argument processing subsystem
|
|
- --join fixes
|
|
- spliting up cmdline.c
|
|
- Busybox support
|
|
- X11 support rewrite
|
|
- gether shell selection code in one place
|
|
- fixed several TOCTOU security problems
|
|
- added --fix option to firecfg utility
|
|
- read_pid fix
|
|
- added --x11=block options
|
|
- x11 xpra, xphyr, none profile commands
|
|
- added --join-or-start command
|
|
- CVE-2016-7545
|
|
Fred-Barclay (https://github.com/Fred-Barclay)
|
|
- added Vivaldi, Atril profiles
|
|
- added PaleMoon profile
|
|
- split Icedove and Thunderbird profiles
|
|
- added 0ad profile
|
|
- fixed version for .deb packages
|
|
- added Warzone2100 profile
|
|
- blacklisted VeraCrypt
|
|
- added Gpredict profile
|
|
- added Aweather, Stellarium profiles
|
|
- fixed HexChat and Atril profiles
|
|
- fixed disable-common.inc for mate-terminal
|
|
- blacklisted escape-happy terminals in disable-common.inc
|
|
- blacklisted g++
|
|
- added xplayer, xreader, and xviewer profiles
|
|
- added Brave profile
|
|
- added Gitter profile
|
|
- various organising
|
|
- added LibreOffice profile
|
|
- added pix profile
|
|
- added audacity profile
|
|
- fixed Telegram and qtox profiles
|
|
- added Atom Beta and Atom profiles
|
|
- tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles.
|
|
- several private-bin conversions
|
|
- added jitsi profile
|
|
- pidgin private-bin conversion
|
|
- added eom profile
|
|
- added gnome-chess profile
|
|
- added DOSBox profile
|
|
- evince profile enhancement
|
|
Mike Frysinger (vapier@gentoo.org)
|
|
- Gentoo compile patch
|
|
valoq (https://github.com/valoq)
|
|
- LibreOffice profile fixes
|
|
- cherrytree profile fixes
|
|
- added support for /srv in --whitelist feature
|
|
- Eye of GNOME and Evolution profiles
|
|
Rafael Cavalcanti (https://github.com/rccavalcanti)
|
|
- chromium profile fixes for Arch Linux
|
|
Deelvesh Bunjun (https://github.com/DeelveshBunjun)
|
|
- added xpdf profile
|
|
vismir2 (https://github.com/vismir2)
|
|
- claws-mail, mutt, git, emacs, vim profiles
|
|
Dara Adib (https://github.com/daradib)
|
|
- ssh profile fix
|
|
- evince profile fix
|
|
vismir2 (https://github.com/vismir2)
|
|
- feh, ranger, 7z, keepass, keepassx and zathura profiles
|
|
- lots of profile fixes
|
|
graywolf (https://github.com/graywolf)
|
|
- spelling fix
|
|
Tomasz Jan Góralczyk (https://github.com/tjg)
|
|
- fixed Steam profile
|
|
pwnage-pineapple (https://github.com/pwnage-pineapple)
|
|
- update Okular profile
|
|
Sergey Alirzaev (https://github.com/l29ah)
|
|
- firejail.h enum fix
|
|
greigdp (https://github.com/greigdp)
|
|
- Gajim IM client profile
|
|
- fix Slack profile
|
|
Icaro Perseo (https://github.com/icaroperseo)
|
|
- Icecat profile
|
|
- several profile fixes
|
|
hamzadis (https://github.com/hamzadis)
|
|
- added --overlay-named=name and --overlay-path=path
|
|
Gaman Gabriel (https://github.com/stelariusinfinitek)
|
|
- inox profile
|
|
greigdp (https://github.com/greigdp)
|
|
- fixed spotify profile
|
|
- added Slack profile
|
|
Laurent Declercq (https://github.com/nuxwin)
|
|
- fixed test for shell interpreter in chroots
|
|
Franco (nextime) Lanza (https://github.com/nextime)
|
|
- added --private-template/--private-home
|
|
xee5ch (https://github.com/xee5ch)
|
|
- skypeforlinux profile
|
|
Peter Hogg (https://github.com/pigmonkey)
|
|
- WeeChat profile
|
|
- rtorrent profile
|
|
- bitlbee profile fixes
|
|
Thomas Jarosch (https://github.com/thomasjfox)
|
|
- disable keepassx in disable-passwdmgr.inc
|
|
- added uudeview profile
|
|
- added tar (gtar), unzip and unrar profile
|
|
- added file profile
|
|
- improved profile list
|
|
- fixed small variable glitch in stat64() / lstat64() (libtracelog)
|
|
- added lstat() / lstat64() support to libtrace
|
|
- include mkuid.sh in make dist
|
|
Niklas Haas (https://github.com/haasn)
|
|
- blacklisting for keybase.io's client
|
|
Jaykishan Mutkawoa (https://github.com/jmutkawoa)
|
|
- cpio profile
|
|
Paupiah Yash (https://github.com/CaffeinatedStud)
|
|
- gzip profile
|
|
Akhil Hans Maulloo (https://github.com/kouul)
|
|
- xz profile
|
|
Rahul Golam (https://github.com/technoLord)
|
|
- strings profile
|
|
geg2048 (https://github.com/geg2048)
|
|
- kwallet profile fixes
|
|
Simon Peter (https://github.com/probonopd)
|
|
- set $APPIMAGE and $APPDIR environment variables
|
|
maces (https://github.com/maces)
|
|
- Franz messenger profile
|
|
KellerFuchs (https://github.com/KellerFuchs)
|
|
- nonewpriv support, extended profiles for this feature
|
|
- make `restricted-network` prevent use of netfilter
|
|
- disable-common.inc additions
|
|
ValdikSS (https://github.com/ValdikSS)
|
|
- Psi+, Corebird, Konversation profiles
|
|
- various profile fixes
|
|
avoidr (https://github.com/avoidr)
|
|
- whitelist fix
|
|
- recently-used.xbel fix
|
|
- added parole profile
|
|
- blacklist ncat
|
|
- hostname support in profile file
|
|
- Google Chrome profile rework
|
|
- added cmus profile
|
|
- man page fixes
|
|
- add net iface support in profile files
|
|
- paths fix
|
|
- lots of profile fixes
|
|
- added mcabber profile
|
|
- fixed mpv profile
|
|
- various other fixes
|
|
Ruan (https://github.com/ruany)
|
|
- fixed hexchat profile
|
|
Vasya Novikov (https://github.com/vn971)
|
|
- Wesnoth profile
|
|
- Hedegewars profile
|
|
- manpage fixes
|
|
- fixed firecfg clean/clear issue
|
|
- found the ugliest bug so far
|
|
curiosity-seeker (https://github.com/curiosity-seeker)
|
|
- tightening unbound and dnscrypt-proxy profiles
|
|
- dnsmasq profile
|
|
- okular and gwenview profiles
|
|
- cherrytree profile fixes
|
|
- added quiterss profile
|
|
Matthew Gyurgyik (https://github.com/pyther)
|
|
- rpm spec and several fixes
|
|
Joan Figueras (https://github.com/figue)
|
|
- added abrowser profile
|
|
- added Google-Play-Music-Desktop-Player
|
|
- added cyberfox profile
|
|
Petter Reinholdtsen (pere@hungry.com)
|
|
- Opera profile patch
|
|
n1trux (https://github.com/n1trux)
|
|
- fix flashpeak-slimjet profile typos
|
|
Felipe Barriga Richards (https://github.com/fbarriga)
|
|
- --private-etc fix
|
|
Alexander Stein (https://github.com/ajstein)
|
|
- added profile for qutebrowser
|
|
Benjamin Kampmann (https://github.com/ligthyear)
|
|
- Forward exit code from child process
|
|
dshmgh (https://github.com/dshmgh)
|
|
- overlayfs fix for systems with /home mounted on a separate partition
|
|
yumkam (https://github.com/yumkam)
|
|
- add compile-time option to restrict --net= to root only
|
|
- man page fixes
|
|
mahdi1234 (https://github.com/mahdi1234)
|
|
- cherrytree profile
|
|
- Seamonkey profiles
|
|
jrabe (https://github.com/jrabe)
|
|
- disallow access to kdbx files
|
|
- Epiphany profile
|
|
- Polari profile
|
|
- qTox profile
|
|
- X11 fixes
|
|
jgriffiths (https://github.com/jgriffiths)
|
|
- make rpm packages support
|
|
Tom Mellor (https://github.com/kalegrill)
|
|
- mupen64plus profile
|
|
Martin Carpenter (https://github.com/mcarpenter)
|
|
- security audit and bug fixes
|
|
- Centos 6.x support
|
|
pszxzsd (https://github.com/pszxzsd)
|
|
-uGet profile
|
|
Rahiel Kasim (https://github.com/rahiel)
|
|
- Mathematica profile
|
|
- whitelisted Dropbox profile
|
|
- whitelisted keysnail config for firefox
|
|
creideiki (https://github.com/creideiki)
|
|
- make the sandbox process reap all children
|
|
sinkuu (https://github.com/sinkuu)
|
|
- blacklisting kwalletd
|
|
- fix symlink invocation for programs placing symlinks in $PATH
|
|
Bader Zaidan (https://github.com/BaderSZ)
|
|
- Telegram profile
|
|
Holger Heinz (https://github.com/hheinz)
|
|
- manpage work
|
|
Andrey Alekseenko (https://github.com/al42and)
|
|
- fixing lintian warnings
|
|
- fixed Skype profile
|
|
Ivan Kozik (https://github.com/ivan)
|
|
- speed up sandbox exit
|
|
Christian Stadelmann (https://github.com/genodeftest)
|
|
- profile fixes
|
|
pirate486743186 (https://github.com/pirate486743186)
|
|
- KMail profile
|
|
Kaan Genç (https://github.com/SeriousBug)
|
|
- dynamic allocation of noblacklist buffer
|
|
Veeti Paananen (https://github.com/veeti)
|
|
- fixed Spotify profile
|
|
rogshdo (https://github.com/rogshdo)
|
|
- BitlBee profile
|
|
Bruno Nova (https://github.com/brunonova)
|
|
- whitelist fix
|
|
- bash arguments fix
|
|
Matt Parnell (https://github.com/ilikenwf)
|
|
- whitelisting for core firefox related functionality
|
|
Ondra Nekola (https://github.com/satai)
|
|
- allow firefox theming with non-global themes
|
|
emacsomancer (https://github.com/emacsomancer)
|
|
- added profile for Conkeror browser
|
|
Daan Bakker (https://github.com/dbakker)
|
|
- protect shell startup files
|
|
Duncan Overbruck (https://github.com/Duncaen)
|
|
- musl libc fix
|
|
- utmp fix
|
|
andrew160 (https://github.com/andrew160)
|
|
- profile and man pages fixes
|
|
Loïc Damien (https://github.com/dzamlo)
|
|
- small fixes
|
|
greigdp (https://github.com/greigdp)
|
|
- add Spotify profile
|
|
Mattias Wadman (https://github.com/wader)
|
|
- seccomp errno filter support
|
|
Peter Millerchip (https://github.com/pmillerchip)
|
|
- memory allocation fix
|
|
- --private.keep to --private-home transition
|
|
- support for files and directories starting with ~ in blacklist option
|
|
- support for files and directories with spaces in blacklist option
|
|
- lots of other fixes
|
|
sarneaud (https://github.com/sarneaud)
|
|
- rewrite globbing code to fix various minor issues
|
|
- added noblacklist command for profile files
|
|
- various enhancements and bug fixes
|
|
Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
|
|
- user namespace implementation
|
|
sshirokov (http://sourceforge.net/u/yshirokov/profile/)
|
|
- Patch to output "Reading profile" to stderr instead of stdout
|
|
G4JC (http://sourceforge.net/u/gaming4jc/profile/)
|
|
- ARM support
|
|
- profile fixes
|
|
dewbasaur (https://github.com/dewbasaur)
|
|
- block access to history files
|
|
- Firefox PDF.js exploit (CVE-2015-4495) fixes
|
|
- Steam profile
|
|
Michael Haas (https://github.com/mhaas)
|
|
- bugfixes
|
|
mjudtmann (https://github.com/mjudtmann)
|
|
- lock firejail configuration in disable-mgmt.inc
|
|
iiotx (https://github.com/iiotx)
|
|
- use generic.profile by default
|
|
pstn (https://github.com/pstn)
|
|
- added install-strip, make install without strip
|
|
Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
|
|
- src/lib/libnetlink.c extracted from iproute2 software package
|
|
|
|
Copyright (C) 2014-2016 Firejail Authors
|