baserev update by copy to link target

• Files Changed
• Browse Source

- Use sysuser-tools to generate firejail group

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- update to version 0.9.72:
  * modif: move hardcoded apps recognized by default in uiapps file
  * modif: remove sandbox edit dialog and replace it with uiapps file
  * feature: added uiapps file for default and user apps configuration
  * feature: added a system network monitor in sandbox stats
  * feature: added apparmor support in firejail-ui
  * feature: added bluetooth support in firejail-ui
  * feature: print final sandbox configuration in firejail-ui
  * bugfixes

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- remove patches fix-internet-access.patch and fix-CVE-2022-31214.patch
  as they are integrated upstream
- update to version 0.9.70:
 - security: CVE-2022-31214 - root escalation in --join logic
 - Reported by Matthias Gerstner, working exploit code was provided to our
 - development team. In the same time frame, the problem was independently
 - reported by Birk Blechschmidt. Full working exploit code was also provided.
 - feature: enable shell tab completion with --tab (#4936)
 - feature: disable user profiles at compile time (#4990)
 - feature: Allow resolution of .local names with avahi-daemon in the apparmor
 - profile (#5088)
 - feature: always log seccomp errors (#5110)
 - feature: firecfg --guide, guided user configuration (#5111)
 - feature: --oom, kernel OutOfMemory-killer (#5122)
 - modif: --ids feature needs to be enabled at compile time (#5155)
 - modif: --nettrace only available to root user
 - rework: whitelist restructuring (#4985)
 - rework: firemon, speed up and lots of fixes
 - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
 - bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
 - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
 - bugfix: fix printing in evince (#5011)
 - bugfix: gcov: fix gcov functions always declared as dummy (#5028)
 - bugfix: Stop warning on safe supplementary group clean (#5114)
 - build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
 - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
 - ci: replace centos (EOL) with almalinux (#4912)
 - ci: fix --version not printing compile-time features (#5147)
 - ci: print version after install & fix apparmor support on build_apparmor
 - (#5148)

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- fix bsc#1199148 CVE-2022-31214 by adding patch fix-CVE-2022-31214.patch
  using commits from upstream.

• Files Changed
• Browse Source

- add fix-internet-access.patch to fix boo#1196542

• Files Changed
• Browse Source

add apparmor directories to file list
Failed in the Request to Factory

• Files Changed
• Browse Source

- update to firejail 0.9.68:
 - security: on Ubuntu, the PPA is now recommended over the distro package
 - (see README.md) (#4748)
 - security: bugfix: private-cwd leaks access to the entire filesystem
 - (#4780); reported by Hugo Osvaldo Barrera
 - feature: remove (some) environment variables with auth-tokens (#4157)
 - feature: ALLOW_TRAY condition (#4510 #4599)
 - feature: add basic Firejail support to AppArmor base abstraction (#3226
 - #4628)
 - feature: intrusion detection system (--ids-init, --ids-check)
 - feature: deterministic shutdown command (--deterministic-exit-code,
 - --deterministic-shutdown) (#928 #3042 #4635)
 - feature: noprinters command (#4607 #4827)
 - feature: network monitor (--nettrace)
 - feature: network locker (--netlock) (#4848)
 - feature: whitelist-ro profile command (#4740)
 - feature: disable pipewire with --nosound (#4855)
 - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
 - feature: Allow apostrophe in whitelist and blacklist (#4614)
 - feature: AppImage support in --build command (#4878)
 - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
 - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
 - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
 - modifs: nogroups now stopped causing certain system groups to be dropped,
 - which are now controlled by the relevant "no" options instead (such as
 - nosound -> drop audio group), which fixes device access issues on systems
 - not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
 - removal: --disable-whitelist at compile time
 - removal: whitelist=yes/no in /etc/firejail/firejail.config
 - bugfix: Fix sndio support (#4362 #4365)

• Files Changed
• Browse Source

fix Factory (clean) staging

• Files Changed
• Browse Source

firejail 0.9.66

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- Update to 0.9.64.4:
  * disabled overlayfs, pending multiple fixes
  * fixed launch firefox for open url in telegram-desktop.profile

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- Update to 0.9.64.2:
  * allow --tmpfs inside $HOME for unprivileged users
  * --disable-usertmpfs compile time option
  * allow AF_BLUETOOTH via --protocol=bluetooth
  * setup guide for new users: contrib/firejail-welcome.sh
  * implement netns in profiles
  * added nolocal6.net IPv6 network filter
  * new profiles: spectacle, chromium-browser-privacy,
    gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer,
    gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu,
    authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg,
    mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

fix file

• Files Changed
• Browse Source

- packaging fixes

• Files Changed
• Browse Source