Name: firejail Version: 0.9.70 Release: 1%{?dist} Summary: Linux namespaces sandbox program License: GPLv2 Group: Development/Tools URL: https://firejail.wordpress.com Source0: https://downloads.sourceforge.net/project/%{name}/%{name}/%{name}-%{version}.tar.xz BuildRequires: gcc BuildRequires: make %description Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. %prep %autosetup -p 1 %build %configure --disable-apparmor %if 0%{?fedora} >= 30 #-fcf-protection (Fedora) and -mindirect-branch=thunk (Firejail) are incompatible #http://gcc.1065356.n8.nabble.com/Bug-target-87412-New-fcf-protection-and-mindirect-branch-thunk-are-incompatible-on-x86-64-td1515745.html CFLAGS=${CFLAGS%"-fcf-protection"} %make_build %else %make_build %endif %install %make_install %post chmod u+s %{_bindir}/firejail %files %doc %license %attr(0755, -, -) %{_bindir}/firejail %{_bindir}/firemon %{_bindir}/firecfg %{_bindir}/jailcheck %{_libdir}/firejail/fbuilder %{_libdir}/firejail/fcopy %{_libdir}/firejail/firejail-welcome.sh %{_libdir}/firejail/fix_private-bin.py* %{_libdir}/firejail/fj-mkdeb.py* %{_libdir}/firejail/fjclip.py* %{_libdir}/firejail/fjdisplay.py* %{_libdir}/firejail/fjresize.py* %{_libdir}/firejail/fids %{_libdir}/firejail/fldd %{_libdir}/firejail/fnet %{_libdir}/firejail/fnetfilter %{_libdir}/firejail/fnettrace %{_libdir}/firejail/fnettrace-dns %{_libdir}/firejail/fnettrace-sni %{_libdir}/firejail/ftee %{_libdir}/firejail/fsec-optimize %{_libdir}/firejail/fsec-print %{_libdir}/firejail/fseccomp %{_libdir}/firejail/fshaper.sh %{_libdir}/firejail/fzenity %{_libdir}/firejail/gdb-firejail.sh %{_libdir}/firejail/jail_prober.py %{_libdir}/firejail/libpostexecseccomp.so %{_libdir}/firejail/libtrace.so %{_libdir}/firejail/libtracelog.so %{_libdir}/firejail/profstats %{_libdir}/firejail/seccomp* %{_libdir}/firejail/sort.py* %{_libdir}/firejail/static-ip-map %{_libdir}/firejail/syscalls.sh %{_libdir}/firejail/update_deb.sh %{_datadir}/bash-completion/completions/firejail %{_datadir}/bash-completion/completions/firemon %{_datadir}/bash-completion/completions/firecfg %{_datadir}/zsh/site-functions/_firejail %{_datadir}/vim/vimfiles/ftdetect/firejail.vim %{_datadir}/vim/vimfiles/syntax/firejail.vim %{_docdir}/firejail %{_mandir}/man1/firejail.1.gz %{_mandir}/man1/firemon.1.gz %{_mandir}/man1/firecfg.1.gz %{_mandir}/man1/jailcheck.1.gz %{_mandir}/man5/firejail-login.5.gz %{_mandir}/man5/firejail-profile.5.gz %{_mandir}/man5/firejail-users.5.gz %config(noreplace) %{_sysconfdir}/firejail %changelog * Sun Aug 21 2022 Brandon Nielsen 0.9.70-1 - Update to 0.9.70 * Thu Sep 9 2021 Brandon Nielsen 0.9.66-1 - Update to 0.9.66 * Fri Mar 19 2021 Brandon Nielsen 0.9.64.4-1 - Update to 0.9.64.4 - Explicitly require make * Fri Oct 02 2020 Brandon Nielsen 0.9.62.4-1 - Update to 0.9.62.4 * Fri Jan 17 2020 Brandon Nielsen 0.9.62-1 - Update to 0.9.62 - Add missing %{?dist} tag * Tue May 28 2019 Brandon Nielsen 0.9.60-1 - Update to 0.9.60 * Tue May 28 2019 Brandon Nielsen 0.9.58.2-3 - Simplify removal of -fcf-protection from CFLAGS - Remove unecessary prefix definition * Mon Mar 25 2019 Brandon Nielsen 0.9.58.2-2 - Correct license - Don't use incompatible -fcf-protection and -mindirect-branch=thunk on FC30+ * Mon Mar 25 2019 Brandon Nielsen 0.9.58.2-1 - Update to 0.9.58.2 * Wed Oct 10 2018 Brandon Nielsen 0.9.56-1 - Update to 0.9.56 - Explicitly require GCC - Patch to explicitly specify python versions where appropriate * Fri Dec 22 2017 Brandon Nielsen 0.9.52-1 - Update to 0.9.52 - Change back to SourceForge - Correct license to GPLv2 * Tue Sep 26 2017 Brandon Nielsen 0.9.50-1 - Update to 0.9.50 - Change to GitHub link * Fri Jun 23 2017 Brandon Nielsen 0.9.48-1 - Update to 0.9.48 * Fri Mar 31 2017 Brandon Nielsen 0.9.44.10-1 - Update to 0.9.44.10 * Tue Nov 1 2016 Brandon Nielsen 0.9.44.4-1 - 0.9.44.4 release * Tue Nov 1 2016 Brandon Nielsen 0.9.44-2 - Set attributes on the binary for use as user * Tue Nov 1 2016 Brandon Nielsen 0.9.44-1 - 0.9.44 release * Fri Jan 29 2016 heiko 0.9.38-1 - specfile cleanup - use pkgconfig whereever possible - update to latest git snapshot * Mon Sep 14 2015 netblue30 0.9.30-1 - added a disable-history.inc profile as a result of Firefox PDF.js exploit; disable-history.inc included in all default profiles - Firefox PDF.js exploit (CVE-2015-4495) fixes - added --private-etc option - added --env option - added --whitelist option - support ${HOME} token in include directive in profile files - --private.keep is transitioned to --private-home - support ~ and blanks in blacklist option - support "net none" command in profile files - using /etc/firejail/generic.profile by default for user sessions - using /etc/firejail/server.profile by default for root sessions - added build --enable-fatal-warnings configure option - added persistence to --overlay option - added --overlay-tmpfs option - make install-strip implemented, make install renamed - bugfixes * Sat Aug 1 2015 netblue30 0.9.28-1 - network scanning, --scan option - interface MAC address support, --mac option - IP address range, --iprange option - traffic shaping, --bandwidth option - reworked printing of network status at startup - man pages rework - added firejail-login man page - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default profiles - added an /etc/firejail/disable-common.inc file to hold common directory blacklists - blacklist Opera and Chrome/Chromium config directories in profile files - support noroot option for profile files - enabled noroot in default profile files - bugfixes * Thu Apr 30 2015 netblue30 0.9.26-1 - private dev directory - private.keep option for whitelisting home files in a new private directory - user namespaces support, noroot option - added Deluge and qBittorent profiles - bugfixes * Sun Apr 5 2015 netblue30 0.9.24-1 - whitelist and blacklist seccomp filters - doubledash option - --shell=none support - netfilter file support in profile files - dns server support in profile files - added --dns.print option - added default profiles for Audoacious, Clementine, Rhythmbox and Totem. - added --caps.drop=all in default profiles - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp - clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids - two build patches from Reiner Herman (tickets 11, 12) - man page patch from Reiner Herman (ticket 13) - output patch (ticket 15) from sshirokov * Mon Mar 9 2015 netblue30 0.9.22-1 - Replaced --noip option with --ip=none - Container stdout logging and log rotation - Added process_vm_readv, process_vm_writev and mknod to default seccomp blacklist - Added CAP_MKNOD to default caps blacklist - Blacklist and whitelist custom Linux capabilities filters - macvlan device driver support for --net option - DNS server support, --dns option - Netfilter support - Monitor network statistics, --netstats option - Added profile for Mozilla Thunderbird/Icedove - --overlay support for Linux kernels 3.18+ - Bugfix: preserve .Xauthority file in private mode (test with ssh -X) - Bugfix: check uid/gid for cgroup * Fri Feb 6 2015 netblue30 0.9.20-1 - utmp, btmp and wtmp enhancements - create empty /var/log/wtmp and /var/log/btmp files in sandbox - generate a new /var/run/utmp file in sandbox - CPU affinity, --cpu option - Linux control groups support, --cgroup option - Opera web browser support - VLC support - Added "empty" attribute to seccomp command to remove the default - syscall list form seccomp blacklist - Added --nogroups option to disable supplementary groups for regular - users. root user always runs without supplementary groups. - firemon enhancements - display the command that started the sandbox - added --caps option to display capabilities for all sandboxes - added --cgroup option to display the control groups for all sandboxes - added --cpu option to display CPU affinity for all sandboxes - added --seccomp option to display seccomp setting for all sandboxes - New compile time options: --disable-chroot, --disable-bind - bugfixes * Sat Dec 27 2014 netblue30 0.9.18-1 - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls - Support for tracing setreuid, setregid, setresuid, setresguid syscalls - Added profiles for transmission-gtk and transmission-qt - bugfixes * Tue Nov 4 2014 netblue30 0.9.16-1 - Configurable private home directory - Configurable default user shell - Software configuration support for --docdir and DESTDIR - Profile file support for include, caps, seccomp and private keywords - Dropbox profile file - Linux capabilities and seccomp filters enabled by default for Firefox, Midori, Evince and Dropbox - bugfixes * Wed Oct 8 2014 netblue30 0.9.14-1 - Linux capabilities and seccomp filters are automatically enabled in chroot mode (--chroot option) if the sandbox is started as regular user - Added support for user defined seccomp blacklists - Added syscall trace support - Added --tmpfs option - Added --balcklist option - Added --read-only option - Added --bind option - Logging enhancements - --overlay option was reactivated - Added firemon support to print the ARP table for each sandbox - Added firemon support to print the route table for each sandbox - Added firemon support to print interface information for each sandbox - bugfixes * Tue Sep 16 2014 netblue30 0.9.12-1 - Added capabilities support - Added support for CentOS 7 - bugfixes