From 32254c20905a3eb5b279a4d327bc3fb789d77ce7 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 13 May 2017 09:51:21 -0400
Subject: [PATCH] 0.9.47 development
---
README.md | 158 +--------------------------------------------------
configure | 18 +++---
configure.ac | 2 +-
3 files changed, 12 insertions(+), 166 deletions(-)
diff --git a/README.md b/README.md
index fdcca9e6e76..4aa2e66b368 100644
--- a/README.md
+++ b/README.md
@@ -62,161 +62,7 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ````` -# Current development version: 0.9.45 -````` - -````` -## Desktop integration - -All --fix functionality is done by default in firecfg, --fix option was removed. Clicking on a program -in desktop manager menu should start the program automatically in a sandbox if a profile -is available in /etc/firejail. We cover about 300 different applications in this moment on all major desktop managers. - -Symlinks for the common file managers are installed in /usr/local/bin by firecfg. -File managers are usually started by default at login time, and will be sandboxed. -Clicking on a file in the file manager will start the corresponding program in the same sandbox as the file manager. -For example, clicking on a video file will start a sandboxed VLC running the video. -We support in this moment XFCE, LXDE, MATE, Cinnamon and KDE. - -## AppImage - -Added AppImage type 2 support, and support for passing command line arguments to appimages. -````` - -````` -## X11 sandboxing support -In this release we add support for Xvfb (X virtual framebuffer), an in-memory X display server. -Xvfb allows the user to run graphical applications without a display (e.g., browser tests on a CI server) -while also having the ability to take screenshots. - - - --x11=xvfb - Start Xvfb X11 server and attach the sandbox to this server. - Xvfb, short for X virtual framebuffer, performs all graphical - operations in memory without showing any screen output. Xvfb is - mainly used for remote access and software testing on headless - servers. +# Current development version: 0.9.47 - On Debian platforms Xvfb is installed with the command sudo apt- - get install xvfb. This feature is not available when running as - root. 
+Upcoming release 0.9.46 was moved on 0.9.46-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.46-bugfixes - Example: remote VNC access - - On the server we start a sandbox using Xvfb and openbox window - manager. The default size of Xvfb screen is 800x600 - it can be - changed in /etc/firejail/firejail.config (xvfb-screen). Some - sort of networking (--net) is required in order to isolate the - abstract sockets used by other X servers. - - $ firejail --net=none --x11=xvfb openbox - - *** Attaching to Xvfb display 792 *** - - Reading profile /etc/firejail/openbox.profile - Reading profile /etc/firejail/disable-common.inc - Reading profile /etc/firejail/disable-common.local - Parent pid 5400, child pid 5401 - - On the server we also start a VNC server and attach it to the - display handled by our Xvfb server (792). - - $ x11vnc -display :792 - - On the client machine we start a VNC viewer and use it to con‐ - nect to our server: - - $ vncviewer - - -## New command line options -````` - --private-opt=file,directory - Build a new /opt in a temporary filesystem, and copy the files - and directories in the list. If no listed file is found, /opt - directory will be empty. All modifications are discarded when - the sandbox is closed. - - Example: - $ firejail --private-opt=firefox /opt/firefox/firefox - - --private-srv=file,directory - Build a new /srv in a temporary filesystem, and copy the files - and directories in the list. If no listed file is found, /srv - directory will be empty. All modifications are discarded when - the sandbox is closed. - - Example: - # firejail --private-srv=www /etc/init.d/apache2 start - - --machine-id - Spoof id number in /etc/machine-id file - a new random id is - generated inside the sandbox. - - Example: - $ firejail --machine-id - - --allow-private-blacklist - Allow blacklisting files in private home directory. By default - these blacklists are disabled. 
- - Example: - $ firejail --allow-private-blacklist --private=~/priv-dir - --blacklist=~/.mozilla - - --hosts-file=file - Use file as /etc/hosts. - - Example: - $ firejail --hosts-file=~/myhosts firefox - - --writable-var-log - Use the real /var/log directory, not a clone. By default, a - tmpfs is mounted on top of /var/log directory, and a skeleton - filesystem is created based on the original /var/log. - - Example: - $ sudo firejail --writable-var-log - - --git-install - Download, compile and install mainline git version of Firejail - from the official repository on GitHub. The software is - installed in /usr/local/bin, and takes precedence over the (old) - version installed in /usr/bin. If for any reason the new version - doesn't work, the user can uninstall it using --git-uninstall - command and revert to the old version. - - Prerequisites: git and compile support are required for this com‐ - mand to work. On Debian/Ubuntu systems this support is installed - using "sudo apt-get install build-essential git". - - Example: - - $ firejail --git-install - - --git-uninstall - Remove the Firejail version previously installed in - /usr/local/bin using --git-install command. - - Example: - - $ firejail --git-uninstall - - - --nowhitelist=dirname_or_filename - Disable whitelist for this directory or file. 
- -````` -## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, -amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit, -gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, -goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, -simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, -xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, -PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, -Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file, -Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, -Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM, Dia, FontForge, Geany, Hugin, -mate-calc, mate-dictionary, mate-color-select, caja, galculator, Nemo, gnome-font-viewer, gucharmap, -knotes, clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr, Blender, 2048-qt diff --git a/configure b/configure index 44de314fece..4e28ac15319 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.46~rc1. +# Generated by GNU Autoconf 2.69 for firejail 0.9.47. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.46~rc1' -PACKAGE_STRING='firejail 0.9.46~rc1' +PACKAGE_VERSION='0.9.47' +PACKAGE_STRING='firejail 0.9.47' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' 
@@ -1265,7 +1265,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.46~rc1 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.47 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1326,7 +1326,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.46~rc1:";; + short | recursive ) echo "Configuration of firejail 0.9.47:";; esac cat <<\_ACEOF @@ -1434,7 +1434,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.46~rc1 +firejail configure 0.9.47 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1736,7 +1736,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.46~rc1, which was +It was created by firejail $as_me 0.9.47, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4355,7 +4355,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.46~rc1, which was +This file was extended by firejail $as_me 0.9.47, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4409,7 +4409,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.46~rc1 +firejail config.status 0.9.47 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
diff --git a/configure.ac b/configure.ac
index c6048ca61e0..594a7abf884 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.46~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.47, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])