Tags: topimiettinen/firejail

0.9.48

Version 0.9.48

  * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
    please use ~/Downloads directory for saving files
  * modifs: AppArmor made optional; a warning is printed on the screen
    if the sandbox fails to load the AppArmor profile
  * feature: --novideo
  * feature: drop discretionary access control capabilities for
    root sandboxes
  * feature: added /etc/firejail/globals.local for global customizations
  * feature: profile support in overlayfs mode
  * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
  * bugfixes

0.9.46

Version 0.9.46

  * security: split most of networking code in a separate executable
  * security: split seccomp filter code configuration in a separate executable
  * security: split file copying in private option in a separate executable
  * feature: disable gnupg and systemd directories under /run/user
  * feature: test coverage (gcov) support
  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
  * feature: spoof machine-id (--machine-id, profile support)
  * feature: allow blacklists under --private (--allow-private-blacklist,
    profile support)
  * feature: user-defined /etc/hosts file (--hosts-file, profile support)
  * feature: support for the real /var/log directory (--writable-var-log,
    profile support)
  * feature: config support for firejail prompt in terminals
  * feature: AppImage type 2 support
  * feature: pass command line arguments to appimages
  * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
  * feature: added a number of Python scripts for handling sandboxes
  * feature: allow local customization using .local files under /etc/firejail
  * feature: follow-symlink-as-user runtime config option in
    /etc/firejail/firejail.config
  * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config
  * feature: xvfb X11 server support (--x11=xvfb)
  * feature: allow /tmp directory in mkdir and mkfile profile commands
  * feature: implemented --noblacklist command, profile support
  * feature: config support to disable access to /mnt and /media (disable-mnt)
  * feature: config support to disable join (join)
  * feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
  * feature: support overlay, overlay-named and overlay-tmpfs in profile files
  * feature: allow PulseAudio sockets in --private-tmp
  * feature: --fix-sound support in firecfg
  * feature: added support for sandboxing Xpra, Xvfb and Xephyr in
    independent sandboxes when started with firejail --x11
  * feature: enable automatic X server sandboxing for --x11=xpra
    and --x11=xephyr
  * feature: support for Xpra extra params in firejail config file
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
  * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
  * new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
  * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,
  * new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,
  * new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,
  * new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
  * new profiles: Orage Globaltime, Orage Calendar, xfce4-notes, xfce4-dict,
  * new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin,
  * new profiles: mate-calc, mate-dictionary, mate-color-select, caja,
  * new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes
  * new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr
  * new profiles: Blender, 2048-qt
  * bugfixes

0.9.46-rc1

Version 0.9.46~rc1

  * development version, work in progress
  * security: split most of networking code in a separate executable
  * security: split seccomp filter code configuration in a separate executable
  * security: split file copying in private option in a separate executable
  * feature: disable gnupg and systemd directories under /run/user
  * feature: test coverage (gcov) support
  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
  * feature: spoof machine-id (--machine-id, profile support)
  * feature: allow blacklists under --private (--allow-private-blacklist,
    profile support)
  * feature: user-defined /etc/hosts file (--hosts-file, profile support)
  * feature: support for the real /var/log directory (--writable-var-log,
    profile support)
  * feature: config support for firejail prompt in terminals
  * feature: AppImage type 2 support
  * feature: pass command line arguments to appimages
  * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
  * feature: added a number of Python scripts for handling sandboxes
  * feature: allow local customization using .local files under /etc/firejail
  * feature: follow-symlink-as-user runtime config option in
    /etc/firejail/firejail.config
  * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config
  * feature: xvfb X11 server support (--x11=xvfb)
  * feature: allow /tmp directory in mkdir and mkfile profile commands
  * feature: implemented --noblacklist command, profile support
  * feature: config support to disable access to /mnt and /media (disable-mnt)
  * feature: config support to disable join (join)
  * feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
  * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
  * new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
  * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa
  * new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView
  * bugfixes

0.9.44.10

Version 0.9.44.10

  * security: when using --x11=xorg and --net, incorrect processing of
    the return code of /usr/bin/xauth could end up in starting the
    sandbox without X11 security extension installed. Problem found/fixed
    by Zack Weinberg
  * bugfix: ~/.pki directory whitelisted and later blacklisted. This affects
    most browsers, and disables the custom certificates installed by the user
  * bugfix: firecfg config fix
  * bugfix: gajim security profile fix
  * bugfix: man page fix
  * bugfix: force-nonewprivs fix for /etc/firejail/firejail.config
  * bugfix: xephyr-extra-params fix for /etc/firejail/firejail.config
  * bugfix: memory corruption in noblacklist processing
  * bugfix: --quiet fix for Arch and Fedora systems
  * bugfix: updated Keepass(x) profiles
  * bugfix: firemon --nowrap problem
  * bugfix: document firemon --nowrap in man page and in --help option
  * bugfix: bash completion for --noblacklist command
  * bugfix: vlc profile fix
  * bugfix: fixed handling of .local profile files when the software is
    installed in ~/.local directory
  * bugfix: temporarily remove private-tmp from all profiles, until a fix for
    .Xauthority file handling in KDE becomes available
  * maintenance: --output cleanup
  * maintenance: updated copyright statement in all files

0.9.44.8

Version 0.9.44.8

  * bugfix: fix broken PulseAudio support

0.9.44.6

Version 0.9.44.6

  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * security: major cleanup of file copying code
  * security: tightening the rules for --chroot and --overlay features
  * bugfix: ported Gentoo compile patch
  * bugfix: Nvidia drivers bug in --private-dev
  * bugfix: fix ASSERT_PERMS_FD macro
  * feature: allow local customization using .local files under /etc/firejail
    backported from our development branch
  * feature: spoof machine-id backported from our development branch

0.9.38.10

Version 0.9.38.10

  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * security: tightening the rules for --chroot
  * bugfix: ported Gentoo compile patch
  * bugfix: fix ASSERT_PERMS_FD macro

0.9.44.4

Version 0.9.44.4

0.9.38.8

Version 0.9.38.8

0.9.44.2

Version 0.9.44.2