firejail (0.9.54~rc1) baseline; urgency=low
* work in progress
* modif: --force removed
* modif: --csh, --zsh removed
* modif: --debug-check-filename removed
* modif: --git-install and --git-uninstall removed
* modif: support for private-bin, private-lib and shell none has been
disabled while running AppImage archives in order to be able to use
our regular profile files with AppImages.
* modif: restrictions for /proc, /sys and /run/user directories
are moved from AppArmor profile into firejail executable
* modif: unifying Chromium and Firefox browser profiles.
All users of Firefox-based browsers who use addons and plugins
that read/write from ${HOME} will need to uncomment the includes for
firefox-common-addons.inc in firefox-common.profile.
* modif: split disable-devel.inc into disable-devel and
disable-interpreters.inc
* Firejail user access database (/etc/firejail/firejail.users,
man firejail-users)
* add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
* Spectre mitigation patch for gcc and clang compiler
* D-Bus handling (--nodbus)
* AppArmor support for overlayfs and chroot sandboxes
* AppArmor support for AppImages
* Enable AppArmor by default for a large number of programs
* firejail --apparmor.print option
* firemon --apparmor option
* apparmor yes/no flag in /etc/firejail/firejail.config
* seccomp syscall list update for glibc 2.26-10
* seccomp disassembler for --seccomp.print option
* seccomp machine code optimizer for default seccomp filters
* IPv6 DNS support
* whitelist support for overlay and chroot sandboxes
* private-dev support for overlay and chroot sandboxes
* private-tmp support for overlay and chroot sandboxes
* added sandbox name support in firemon
* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
* new profiles: discord-canary, pycharm-community, pycharm-professional,
* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
* new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
* new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
* new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind
-- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500
firejail (0.9.52) baseline; urgency=low
* modif: --allow-private-blacklists was deprecated; blacklisting,
read-only, read-write, tmpfs and noexec are allowed in
private home directories
* modif: remount-proc-sys deprecated from firejail.config
* modif: follow-symlink-private-bin deprecated from firejail.config
* modif: --profile-path was deprecated
* enhancement: support Firejail user config directory in firecfg
* enhancement: disable DBus activation in firecfg
* enhancement: enumerate root directories in apparmor profile
* enhancement: /etc and /usr/share whitelisting support
* enhancement: globbing support for --private-bin
* feature: systemd-resolved integration
* feature: whitelisting /var directory in most profiles
* feature: GTK2, GTK3 and Qt4 private-lib support
* feature: --debug-private-lib
* feature: test deployment of private-lib for the following
applications: evince, galculator, gnome-calculator,
leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
atril, mate-color-select, tar, file, strings, gpicview,
eom, eog, gedit, pluma
* feature: --writable-run-user
* feature: --rlimit-as
* feature: --rlimit-cpu
* feature: --timeout
* feature: profile build tool (--build)
* feature: --netfilter.print
* feature: --netfilter6.print
* feature: netfilter template support
* new profiles: upstreamed many profiles from the following sources:
https://github.com/chiraag-nataraj/firejail-profiles,
https://github.com/nyancat18/fe,
https://aur.archlinux.org/packages/firejail-profiles.
* new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
brackets, calligra, calligraauthor, calligraconverter, calligraflow,
calligraplan, calligraplanwork, calligrasheets, calligrastage,
calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
google-earth, imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report,
cower (Arch), kdeinit4
-- netblue30 <netblue30@yahoo.com> Thu, 7 Dec 2017 08:00:00 -0500
firejail (0.9.50) baseline; urgency=low
* modif: --output split in two commands, --output and --output-stderr
* feature: per-profile disable-mnt (--disable-mnt)
* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
* feature: private /lib directory (--private-lib)
* feature: disable CDROM/DVD drive (--nodvd)
* feature: disable DVB devices (--notv)
* feature: --profile.print
* enhancement: print all seccomp filters under --debug
* enhancement: /proc/sys mounting
* enhancement: rework IP address assignment for --net options
* enhancement: support for newer Xpra versions (2.1+) -
set xpra-attach yes in /etc/firejail/firejail.config
* enhancement: all profiles use a standard layout style
* enhancement: create /usr/local for firecfg if the directory doesn't exist
* enhancement: allow full paths in --private-bin
* seccomp feature: --memory-deny-write-execute
* seccomp feature: seccomp post-exec
* seccomp feature: block secondary architecture (--seccomp.block_secondary)
* seccomp feature: seccomp syscall groups
* seccomp enhancement: print all seccomp filters under --debug
* seccomp enhancement: default seccomp list update
* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
* new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
* new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
* new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
* new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
* new profiles: sqlitebrowse, Yandex Browser, minetest
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 30 Sep 2017 08:00:00 -0500
firejail (0.9.50~rc1) baseline; urgency=low
* release pending!
* modif: --output split in two commands, --output and --output-stderr
* feature: per-profile disable-mnt (--disable-mnt)
* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
* feature: private /lib directory (--private-lib)
* feature: disable CDROM/DVD drive (--nodvd)
* feature: disable DVB devices (--notv)
* feature: --profile.print
* enhancement: print all seccomp filters under --debug
* enhancement: /proc/sys mounting
* enhancement: rework IP address assignment for --net options
* enhancement: support for newer Xpra versions (2.1+) -
set xpra-attach yes in /etc/firejail/firejail.config
* enhancement: all profiles use a standard layout style
* enhancement: create /usr/local for firecfg if the directory doesn't exist
* enhancement: allow full paths in --private-bin
* seccomp feature: --memory-deny-write-execute
* seccomp feature: seccomp post-exec
* seccomp feature: block secondary architecture (--seccomp.block_secondary)
* seccomp feature: seccomp syscall groups
* seccomp enhancement: print all seccomp filters under --debug
* seccomp enhancement: default seccomp list update
* new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
* new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
* new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
* new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
* new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
* new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
* new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
* new profiles: sqlitebrowse, Yandex Browser, minetest
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500
firejail (0.9.48) baseline; urgency=low
* modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
please use ~/Downloads directory for saving files
* modifs: AppArmor made optional; a warning is printed on the screen
if the sandbox fails to load the AppArmor profile
* feature: --novideo
* feature: drop discretionary access control capabilities for
root sandboxes
* feature: added /etc/firejail/globals.local for global customizations
* feature: profile support in overlayfs mode
* new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 08:00:00 -0500
firejail (0.9.46) baseline; urgency=low
* security: split most of networking code in a separate executable
* security: split seccomp filter code configuration in a separate executable
* security: split file copying in private option in a separate executable
* feature: disable gnupg and systemd directories under /run/user
* feature: test coverage (gcov) support
* feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
* feature: private /opt directory (--private-opt, profile support)
* feature: private /srv directory (--private-srv, profile support)
* feature: spoof machine-id (--machine-id, profile support)
* feature: allow blacklists under --private (--allow-private-blacklist,
profile support)
* feature: user-defined /etc/hosts file (--hosts-file, profile support)
* feature: support for the real /var/log directory (--writable-var-log,
profile support)
* feature: config support for firejail prompt in terminals
* feature: AppImage type 2 support
* feature: pass command line arguments to appimages
* feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
* feature: added a number of Python scripts for handling sandboxes
* feature: allow local customization using .local files under /etc/firejail
* feature: follow-symlink-as-user runtime config option in
/etc/firejail/firejail.config
* feature: follow-symlink-private-bin option in /etc/firejail/firejail.config
* feature: xvfb X11 server support (--x11=xvfb)
* feature: allow /tmp directory in mkdir and mkfile profile commands
* feature: implemented --noblacklist command, profile support
* feature: config support to disable access to /mnt and /media (disable-mnt)
* feature: config support to disable join (join)
* feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
* feature: support overlay, overlay-named and overlay-tmpfs in profile files
* feature: allow PulseAudio sockets in --private-tmp
* feature: --fix-sound support in firecfg
* feature: added support for sandboxing Xpra, Xvfb and Xephyr in
independent sandboxes when started with firejail --x11
* feature: enable automatic X server sandboxing for --x11=xpra
and --x11=xephyr
* feature: support for Xpra extra params in firejail config file
* new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
* new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
* new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
* new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
* new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,
* new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,
* new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,
* new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
* new profiles: Orage Globaltime, Orage Calendar, xfce4-notes, xfce4-dict,
* new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin,
* new profiles: mate-calc, mate-dictionary, mate-color-select, caja,
* new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes
* new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr
* new profiles: Blender, 2048-qt
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sun, 14 May 2017 08:00:00 -0500
firejail (0.9.44.10) baseline; urgency=low
* security: when using --x11=xorg and --net, incorrect processing of
the return code of /usr/bin/xauth could end up in starting the
sandbox without X11 security extension installed. Problem found/fixed
by Zack Weinberg
* bugfix: ~/.pki directory whitelisted and later blacklisted. This affects
most browsers, and disables the custom certificates installed by the user
* bugfix: firecfg config fix
* bugfix: gajim security profile fix
* bugfix: man page fix
* bugfix: force-nonewprivs fix for /etc/firejail/firejail.config
* bugfix: xephyr-extra-params fix for /etc/firejail/firejail.config
* bugfix: memory corruption in noblacklist processing
* bugfix: --quiet fix for Arch and Fedora systems
* bugfix: updated Keepass(x) profiles
* bugfix: firemon --nowrap problem
* bugfix: document firemon --nowrap in man page and in --help option
* bugfix: bash completion for --noblacklist command
* bugfix: vlc profile fix
* bugfix: fixed handling of .local profile files when the software is
installed in ~/.local directory
* bugfix: temporarily remove private-tmp from all profiles, until a fix for
.Xauthority file handling in KDE becomes available
* maintenance: --output cleanup
* maintenance: updated copyright statement in all files
-- netblue30 <netblue30@yahoo.com> Sat, 18 Mar 2017 10:00:00 -0500
firejail (0.9.44.8) baseline; urgency=low
* bugfix: fix broken PulseAudio support
-- netblue30 <netblue30@yahoo.com> Wed, 18 Jan 2017 10:00:00 -0500
firejail (0.9.44.6) baseline; urgency=low
* security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week,
new CVE code assigned after release: CVE-2017-5940
* security: major cleanup of file copying code
* security: tightening the rules for --chroot and --overlay features
* bugfix: ported Gentoo compile patch
* bugfix: Nvidia drivers bug in --private-dev
* bugfix: fix ASSERT_PERMS_FD macro
* feature: allow local customization using .local files under /etc/firejail
backported from our development branch
* feature: spoof machine-id backported from our development branch
-- netblue30 <netblue30@yahoo.com> Sun, 15 Jan 2017 10:00:00 -0500
firejail (0.9.44.4) baseline; urgency=low
* security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* security: disabled --allow-debuggers when running on kernel
versions prior to 4.8; a kernel bug in ptrace system call
allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
(CVE-2017-5206)
* security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
-- netblue30 <netblue30@yahoo.com> Sat, 7 Jan 2017 10:00:00 -0500
firejail (0.9.44.2) baseline; urgency=low
* security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
* security: TOCTOU exploit for --get and --put found by Daniel Hodson
* security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
* security: several security enhancements
* bugfix: crashing VLC by pressing Ctrl-O
* bugfix: use user configured icons in KDE
* bugfix: mkdir and mkfile are not applied to private directories
* bugfix: cannot open files on Deluge running under KDE
* bugfix: --private=dir where dir is the user home directory
* bugfix: cannot start Vivaldi browser
* bugfix: cannot start mupdf
* bugfix: ssh profile problems
* bugfix: --quiet
* bugfix: quiet in git profile
* bugfix: memory corruption
-- netblue30 <netblue30@yahoo.com> Fri, 2 Dec 2016 08:00:00 -0500
firejail (0.9.44) baseline; urgency=low
* CVE-2016-9016 submitted by Aleksey Manevich
* modifs: removed man firejail-config
* modifs: --private-tmp whitelists /tmp/.X11-unix directory
* modifs: Nvidia drivers added to --private-dev
* modifs: /srv supported by --whitelist
* feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
* feature: support starting/joining sandbox in a single command
(--join-or-start)
* feature: X11 detection support for --audit
* feature: assign a name to the interface connected to the bridge
(--veth-name)
* feature: all user home directories are visible (--allusers)
* feature: add files to sandbox container (--put)
* feature: blocking x11 (--x11=block)
* feature: X11 security extension (--x11=xorg)
* feature: disable 3D hardware acceleration (--no3d)
* feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* feature: move files in sandbox (--put)
* feature: accept wildcard patterns in user name field of restricted
shell login feature
* new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
* new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* new profiles: Flowblade, Eye of GNOME (eog), Evolution
* bugfixes
-- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500
firejail (0.9.42) baseline; urgency=low
* security: --whitelist deleted files, submitted by Vasya Novikov
* security: disable x32 ABI in seccomp, submitted by Jann Horn
* security: tighten --chroot, submitted by Jann Horn
* security: terminal sandbox escape, submitted by Stephan Sokolow
* security: several TOCTOU fixes submitted by Aleksey Manevich
* modifs: bringing back --private-home option
* modifs: deprecated --user option, please use "sudo -u username firejail"
* modifs: allow symlinks in home directory for --whitelist option
* modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
* modifs: recursive mkdir
* modifs: include /dev/snd in --private-dev
* modifs: seccomp filter update
* modifs: release archives moved to .xz format
* feature: AppImage support (--appimage)
* feature: AppArmor support (--apparmor)
* feature: Ubuntu snap support (/etc/firejail/snap.profile)
* feature: Sandbox auditing support (--audit)
* feature: remove environment variable (--rmenv)
* feature: noexec support (--noexec)
* feature: clean local overlay storage directory (--overlay-clean)
* feature: store and reuse overlay (--overlay-named)
* feature: allow debugging inside the sandbox with gdb and strace
(--allow-debuggers)
* feature: mkfile profile command
* feature: quiet profile command
* feature: x11 profile command
* feature: option to fix desktop files (firecfg --fix)
* compile time: Busybox support (--enable-busybox-workaround)
* compile time: disable overlayfs (--disable-overlayfs)
* compile time: disable whitelisting (--disable-whitelist)
* compile time: disable global config (--disable-globalcfg)
* run time: enable/disable overlayfs (overlayfs yes/no)
* run time: enable/disable quiet as default (quiet-by-default yes/no)
* run time: user-defined network filter (netfilter-default)
* run time: enable/disable whitelisting (whitelist yes/no)
* run time: enable/disable remounting of /proc and /sys
(remount-proc-sys yes/no)
* run time: enable/disable chroot desktop features (chroot-desktop yes/no)
* profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
* profiles: pix, audacity, xz, xzdec, gzip, cpio, less
* profiles: Atom Beta, Atom, jitsi, eom, uudeview
* profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
* profiles: inox, Slack, gnome-chess, Gajim IM client, DOSBox
* bugfixes
-- netblue30 <netblue30@yahoo.com> Thu, 8 Sept 2016 08:00:00 -0500
firejail (0.9.40) baseline; urgency=low
* added --nice option
* added --x11 option
* added --x11=xpra option
* added --x11=xephyr option
* added --cpu.print option
* added filetransfer options --ls and --get
* added --writable-etc and --writable-var options
* added --read-only option
* added mkdir, ipc-namespace, and nosound profile commands
* added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
* --version also prints compile options
* --output option also redirects stderr
* added compile-time option to restrict --net= to root only
* run time config support, man firejail-config
* added firecfg utility
* AppArmor fixes
* default seccomp filter update
* disable STUN/WebRTC in default netfilter configuration
* new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
* new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
* new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
* new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
* new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
* new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
* new profiles: generic Ubuntu snap application profile, xplayer
* new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
* new profiles: Brave, Gitter
* generic.profile renamed default.profile
* build rpm packages using "make rpms"
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sun, 29 May 2016 08:00:00 -0500
firejail (0.9.38.10) baseline; urgency=low
* security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
new CVE code assigned after release: CVE-2017-5940
* security: tightening the rules for --chroot
* bugfix: ported Gentoo compile patch
* bugfix: fix ASSERT_PERMS_FD macro
-- netblue30 <netblue30@yahoo.com> Sun, 15 Jan 2017 10:00:00 -0500
firejail (0.9.38.8) baseline; urgency=low
* security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
-- netblue30 <netblue30@yahoo.com> Sat, 7 Jan 2017 10:00:00 -0500
firejail (0.9.38.6) baseline; urgency=low
* security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
* bugfix: crashing VLC by pressing Ctrl-O
-- netblue30 <netblue30@yahoo.com> Fri, 16 Dec 2016 10:00:00 -0500
firejail (0.9.38.4) baseline; urgency=low
* CVE-2016-7545 submitted by Aleksey Manevich
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 10 Oct 2016 10:00:00 -0500
firejail (0.9.38.2) baseline; urgency=low
* security: --whitelist deleted files, submitted by Vasya Novikov
* security: disable x32 ABI, submitted by Jann Horn
* security: tighten --chroot, submitted by Jann Horn
* security: terminal sandbox escape, submitted by Stephan Sokolow
* feature: clean local overlay storage directory (--overlay-clean)
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 23 Aug 2016 10:00:00 -0500
firejail (0.9.38) baseline; urgency=low
* IPv6 support (--ip6 and --netfilter6)
* --join command enhancement (--join-network, --join-filesystem)
* added --user command
* added --disable-network and --disable-userns compile time flags
* Centos 6 support
* symlink invocation
* added KMail, Seamonkey, Telegram, Mathematica, uGet,
and mupen64plus profiles
* --chroot in user mode allowed only if seccomp support is available
in current Linux kernel (CVE-2016-10123)
* deprecated --private-home feature
* the first protocol list installed takes precedence
* --tmpfs option allowed only running as root (CVE-2016-10117)
* added --private-tmp option
* weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500
firejail (0.9.36) baseline; urgency=low
* added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
parole and rtorrent profiles
* Google Chrome profile rework
* added google-chrome-stable profile
* added google-chrome-beta profile
* added google-chrome-unstable profile
* Opera profile rework
* added opera-beta profile
* added --noblacklist option
* added --profile-path option
* added --force option
* whitelist command enhancements
* prevent user name enumeration
* added /etc/firejail/nolocal.net network filter
* added /etc/firejail/webserver.net network filter
* blacklisting firejail configuration by default
* allow default gateway configuration for --interface option
* --debug enhancements: --debug-check-filenames, --debug-blacklists,
--debug-whitelists
* filesystem log
* libtrace enhancements, tracing opendir call
* added --tracelog option
* added "name" command to profile files
* added "hostname" command to profile files
* added automated feature testing framework
* Debian reproducible build
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sun, 27 Dec 2015 09:00:00 -0500
firejail (0.9.34) baseline; urgency=low
* added --ignore option
* added --protocol option
* support dual i386/amd64 seccomp filters
* added Google Chrome profile
* added Steam, Skype, Wine and Conkeror profiles
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 7 Nov 2015 08:00:00 -0500
firejail (0.9.32) baseline; urgency=low
* added --interface option
* added --mtu option
* added --private-bin option
* added --nosound option
* added --hostname option
* added --quiet option
* added seccomp errno support
* added FBReader default profile
* added Spotify default profile
* lots of default security profile changes
* fixed a security problem on multi-user systems
* bugfixes
-- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2015 08:00:00 -0500
firejail (0.9.30) baseline; urgency=low
* added a disable-history.inc profile as a result of Firefox PDF.js exploit;
disable-history.inc included in all default profiles
* Firefox PDF.js exploit (CVE-2015-4495) fixes
* added --private-etc option
* added --env option
* added --whitelist option
* support ${HOME} token in include directive in profile files
* --private.keep is transitioned to --private-home
* support ~ and blanks in blacklist option
* support "net none" command in profile files
* using /etc/firejail/generic.profile by default for user sessions
* using /etc/firejail/server.profile by default for root sessions
* added build --enable-fatal-warnings configure option
* added persistence to --overlay option
* added --overlay-tmpfs option
* make install-strip implemented, make install renamed
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 14 Sept 2015 08:00:00 -0500
firejail (0.9.28) baseline; urgency=low
* network scanning, --scan option
* interface MAC address support, --mac option
* IP address range, --iprange option
* traffic shaping, --bandwidth option
* reworked printing of network status at startup
* man pages rework
* added firejail-login man page
* added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
profiles
* added an /etc/firejail/disable-common.inc file to hold common directory
blacklists
* blacklist Opera and Chrome/Chromium config directories in profile files
* support noroot option for profile files
* enabled noroot in default profile files
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 1 Aug 2015 08:00:00 -0500
firejail (0.9.26) baseline; urgency=low
* private dev directory
* private.keep option for whitelisting home files in a new private directory
* user namespaces support, noroot option
* added Deluge and qBittorrent profiles
* bugfixes
-- netblue30 <netblue30@yahoo.com> Thu, 30 Apr 2015 08:00:00 -0500
firejail (0.9.24) baseline; urgency=low
* whitelist and blacklist seccomp filters
* doubledash option
* --shell=none support
* netfilter file support in profile files
* dns server support in profile files
* added --dns.print option
* added default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem.
* added --caps.drop=all in default profiles
* new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp,
clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
* Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
* two build patches from Reiner Herman (tickets 11, 12)
* man page patch from Reiner Herman (ticket 13)
* output patch (ticket 15) from sshirokov
-- netblue30 <netblue30@yahoo.com> Sun, 5 Apr 2015 08:00:00 -0500
firejail (0.9.22) baseline; urgency=low
* Replaced --noip option with --ip=none
* Container stdout logging and log rotation
* Added process_vm_readv, process_vm_writev and mknod to
default seccomp blacklist
* Added CAP_MKNOD to default caps blacklist
* Blacklist and whitelist custom Linux capabilities filters
* macvlan device driver support for --net option
* DNS server support, --dns option
* Netfilter support
* Monitor network statistics, --netstats option
* Added profile for Mozilla Thunderbird/Icedove
* --overlay support for Linux kernels 3.18+
* Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
* Bugfix: check uid/gid for cgroup
-- netblue30 <netblue30@yahoo.com> Mon, 9 Mar 2015 09:00:00 -0500
firejail (0.9.20) baseline; urgency=low
* utmp, btmp and wtmp enhancements
* create empty /var/log/wtmp and /var/log/btmp files in sandbox
* generate a new /var/run/utmp file in sandbox
* CPU affinity, --cpu option
* Linux control groups support, --cgroup option
* Opera web browser support
* VLC support
* Added "empty" attribute to seccomp command to remove the default
syscall list from seccomp blacklist
* Added --nogroups option to disable supplementary groups for regular
users. root user always runs without supplementary groups.
* firemon enhancements
* display the command that started the sandbox
* added --caps option to display capabilities for all sandboxes
* added --cgroup option to display the control groups for all sandboxes
* added --cpu option to display CPU affinity for all sandboxes
* added --seccomp option to display seccomp setting for all sandboxes
* New compile time options: --disable-chroot, --disable-bind
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 02 Feb 2015 08:00:00 -0500
firejail (0.9.18) baseline; urgency=low
* Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
* Support for tracing setreuid, setregid, setresuid, setresgid syscalls
* Added profiles for transmission-gtk and transmission-qt
* bugfixes
-- netblue30 <netblue30@yahoo.com> Fri, 25 Dec 2014 10:00:00 -0500
firejail (0.9.16) baseline; urgency=low
* Configurable private home directory
* Configurable default user shell
* Software configuration support for --docdir and DESTDIR
* Profile file support for include, caps, seccomp and private keywords
* Dropbox profile file
* Linux capabilities and seccomp filters enabled by default for Firefox,
Midori, Evince and Dropbox
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 4 Nov 2014 10:00:00 -0500
firejail (0.9.14) baseline; urgency=low
* Linux capabilities and seccomp filters are automatically enabled in
chroot mode (--chroot option) if the sandbox is started as regular user
* Added support for user defined seccomp blacklists
* Added syscall trace support
* Added --tmpfs option
* Added --blacklist option
* Added --read-only option
* Added --bind option
* Logging enhancements
* --overlay option was reactivated
* Added firemon support to print the ARP table for each sandbox
* Added firemon support to print the route table for each sandbox
* Added firemon support to print interface information for each sandbox
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 15 Oct 2014 10:00:00 -0500
firejail (0.9.12.2) baseline; urgency=low
* Fix for pulseaudio problems
* --overlay option was temporarily disabled in this build
-- netblue30 <netblue30@yahoo.com> Mon, 29 Sept 2014 07:00:00 -0500
firejail (0.9.12.1) baseline; urgency=low
* Fix for pulseaudio problems
* --overlay option was temporarily disabled in this build
-- netblue30 <netblue30@yahoo.com> Mon, 22 Sept 2014 09:00:00 -0500
firejail (0.9.12) baseline; urgency=low
* Added capabilities support
* Added support for CentOS 7
* bugfixes
-- netblue30 <netblue30@yahoo.com> Mon, 15 Sept 2014 10:00:00 -0500
firejail (0.9.10) baseline; urgency=low
* Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot
* Fixed --top option CPU utilization calculation
* Implemented --tree option in firejail and firemon
* Implemented --join=name option
* Implemented --shutdown option
* Preserve the current working directory if possible
* Cppcheck and clang errors cleanup
* Added a Chromium web browser profile
-- netblue30 <netblue30@yahoo.com> Thu, 28 Aug 2014 07:00:00 -0500
firejail (0.9.8.1) baseline; urgency=low
* Fixed a number of bugs introduced in 0.9.8
-- netblue30 <netblue30@yahoo.com> Fri, 25 Jul 2014 07:25:00 -0500
firejail (0.9.8) baseline; urgency=low
* Implemented nowrap mode for firejail --list command option
* Added --top option in both firejail and firemon
* seccomp filter support
* Added pid support for firemon
* bugfixes
-- netblue30 <netblue30@yahoo.com> Tue, 24 Jul 2014 08:51:00 -0500
firejail (0.9.6) baseline; urgency=low
* Mounting tmpfs on top of /var/log, required by several server programs
* Server fixes for /var/lib and /var/cache
* Private mode fixes
* csh and zsh default shell support
* Chroot mode fixes
* Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd,
-- netblue30 <netblue30@yahoo.com> Sat, 7 Jun 2014 09:00:00 -0500
firejail (0.9.4) baseline; urgency=low
* Fixed resolv.conf on Ubuntu systems using DHCP
* Fixed resolv.conf on Debian systems using resolvconf package
* Fixed /var/lock directory
* Fixed /var/tmp directory
* Fixed symbolic links in profile files
* Added profiles for evince, midori
-- netblue30 <netblue30@yahoo.com> Sun, 4 May 2014 08:00:00 -0500
firejail (0.9.2) baseline; urgency=low
* Checking IP address passed with --ip option using ARP; exit if the address
is already present
* Using a lock file during ARP address assignment in order to remove a race
condition.
* Several fixes to --private option; it also mounts a tmpfs filesystem on top
of /tmp
* Added user access check for profile file
* Added --defaultgw option
* Added support of --noip option; it is necessary for DHCP setups
* Added syslog support
* Added support for "tmpfs" and "read-only" profile commands
* Added an expect-based testing framework for the project
* Added bash completion support
* Added support for multiple networks
-- netblue30 <netblue30@yahoo.com> Fri, 25 Apr 2014 08:00:00 -0500
firejail (0.9) baseline; urgency=low
* First beta version
-- netblue30 <netblue30@yahoo.com> Sat, 12 Apr 2014 09:00:00 -0500