Name:		firejail
Version:	0.9.72
Release:	2%{?dist}
Summary:	Linux namespaces sandbox program
License:	GPL-2.0-or-later
Group:		Development/Tools
URL:		https://firejail.wordpress.com
Source0:	https://downloads.sourceforge.net/project/%{name}/%{name}/%{name}-%{version}.tar.xz
BuildRequires:	gcc
BuildRequires:	make

%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.

%prep
%autosetup -p 1

%build
%configure --disable-apparmor

%if 0%{?fedora} >= 30
# -fcf-protection (Fedora) and -mindirect-branch=thunk (Firejail) are incompatible:
# http://gcc.1065356.n8.nabble.com/Bug-target-87412-New-fcf-protection-and-mindirect-branch-thunk-are-incompatible-on-x86-64-td1515745.html
# The suffix strip below only removes the flag when it is the last word in CFLAGS.
CFLAGS=${CFLAGS%"-fcf-protection"} %make_build
%else
%make_build
%endif

%install
%make_install

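%post
# firejail is a SUID program. The files list ships it as 0755 and the bit is
# set here, so "rpm -V" reports a mode difference on this file.
chmod u+s %{_bindir}/firejail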

%files
%doc
%license
%attr(0755, -, -) %{_bindir}/firejail
%{_bindir}/firemon
%{_bindir}/firecfg
%{_bindir}/jailcheck
%{_libdir}/firejail/fbuilder
%{_libdir}/firejail/fcopy
%{_libdir}/firejail/firejail-welcome.sh
%{_libdir}/firejail/fix_private-bin.py*
%{_libdir}/firejail/fj-mkdeb.py*
%{_libdir}/firejail/fjclip.py*
%{_libdir}/firejail/fjdisplay.py*
%{_libdir}/firejail/fjresize.py*
%{_libdir}/firejail/fids
%{_libdir}/firejail/fldd
%{_libdir}/firejail/fnet
%{_libdir}/firejail/fnetfilter
%{_libdir}/firejail/fnettrace
%{_libdir}/firejail/fnettrace-icmp
%{_libdir}/firejail/fnettrace-dns
%{_libdir}/firejail/fnettrace-sni
%{_libdir}/firejail/ftee
%{_libdir}/firejail/fsec-optimize
%{_libdir}/firejail/fsec-print
%{_libdir}/firejail/fseccomp
%{_libdir}/firejail/fshaper.sh
%{_libdir}/firejail/fzenity
%{_libdir}/firejail/gdb-firejail.sh
%{_libdir}/firejail/jail_prober.py
%{_libdir}/firejail/libpostexecseccomp.so
%{_libdir}/firejail/libtrace.so
%{_libdir}/firejail/libtracelog.so
%{_libdir}/firejail/profstats
%{_libdir}/firejail/seccomp*
%{_libdir}/firejail/sort.py*
%{_libdir}/firejail/static-ip-map
%{_libdir}/firejail/syscalls.sh
%{_libdir}/firejail/update_deb.sh
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firemon
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/gtksourceview-5/language-specs/firejail-profile.lang
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%{_datadir}/zsh/site-functions/_firejail
%{_docdir}/firejail
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/jailcheck.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%config(noreplace) %{_sysconfdir}/firejail

%changelog
* Fri Sep 15 2023 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.72-2
- Change to SPDX license identifier

* Mon Jan 30 2023 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.72-1
- Update to 0.9.72
- Include fnettrace-icmp
- Include firejail-profile.lang gtksourceview lang file

* Sun Aug 21 2022 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.70-1
- Update to 0.9.70

* Thu Sep 9 2021 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.66-1
- Update to 0.9.66

* Fri Mar 19 2021 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.64.4-1
- Update to 0.9.64.4
- Explicitly require make

* Fri Oct 02 2020 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.62.4-1
- Update to 0.9.62.4

* Fri Jan 17 2020 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.62-1
- Update to 0.9.62
- Add missing %%{?dist} tag

* Tue May 28 2019 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.60-1
- Update to 0.9.60

* Tue May 28 2019 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.58.2-3
- Simplify removal of -fcf-protection from CFLAGS
- Remove unnecessary prefix definition

* Mon Mar 25 2019 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.58.2-2
- Correct license
- Don't use incompatible -fcf-protection and -mindirect-branch=thunk on FC30+

* Mon Mar 25 2019 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.58.2-1
- Update to 0.9.58.2

* Wed Oct 10 2018 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.56-1
- Update to 0.9.56
- Explicitly require GCC
- Patch to explicitly specify python versions where appropriate

* Fri Dec 22 2017 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.52-1
- Update to 0.9.52
- Change back to SourceForge
- Correct license to GPLv2

* Tue Sep 26 2017 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.50-1
- Update to 0.9.50
- Change to GitHub link

* Fri Jun 23 2017 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.48-1
- Update to 0.9.48

* Fri Mar 31 2017 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.44.10-1
- Update to 0.9.44.10

* Tue Nov 1 2016 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.44.4-1
- 0.9.44.4 release

* Tue Nov 1 2016 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.44-2
- Set attributes on the binary for use as user

* Tue Nov 1 2016 Brandon Nielsen <nielsenb@jetfuse.net> 0.9.44-1
- 0.9.44 release

* Fri Jan 29 2016 heiko <h.adams@gmail.com> 0.9.38-1
- specfile cleanup
- use pkgconfig wherever possible
- update to latest git snapshot

* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
 - added a disable-history.inc profile as a result of Firefox PDF.js exploit;
   disable-history.inc included in all default profiles
 - Firefox PDF.js exploit (CVE-2015-4495) fixes
 - added --private-etc option
 - added --env option
 - added --whitelist option
 - support ${HOME} token in include directive in profile files
 - --private.keep is transitioned to --private-home
 - support ~ and blanks in blacklist option
 - support "net none" command in profile files
 - using /etc/firejail/generic.profile by default for user sessions
 - using /etc/firejail/server.profile by default for root sessions
 - added build --enable-fatal-warnings configure option
 - added persistence to --overlay option
 - added --overlay-tmpfs option
 - make install-strip implemented, make install renamed
 - bugfixes

* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
 - network scanning, --scan option
 - interface MAC address support, --mac option
 - IP address range, --iprange option
 - traffic shaping, --bandwidth option
 - reworked printing of network status at startup
 - man pages rework
 - added firejail-login man page
 - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
   profiles
 - added an /etc/firejail/disable-common.inc file to hold common directory
   blacklists
 - blacklist Opera and Chrome/Chromium config directories in profile files
 - support noroot option for profile files
 - enabled noroot in default profile files
 - bugfixes

* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
 - private dev directory
 - private.keep option for whitelisting home files in a new private directory
 - user namespaces support, noroot option
 - added Deluge and qBittorrent profiles
 - bugfixes

* Sun Apr 5 2015  netblue30 <netblue30@yahoo.com> 0.9.24-1
 - whitelist and blacklist seccomp filters
 - doubledash option
 - --shell=none support
 - netfilter file support in profile files
 - dns server support in profile files
 - added --dns.print option
 - added default profiles for Audacious, Clementine, Rhythmbox and Totem.
 - added --caps.drop=all in default profiles
 - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp,
   clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
 - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
 - two build patches from Reiner Herman (tickets 11, 12)
 - man page patch from Reiner Herman (ticket 13)
 - output patch (ticket 15) from sshirokov

* Mon Mar 9 2015  netblue30 <netblue30@yahoo.com> 0.9.22-1
 - Replaced --noip option with --ip=none
 - Container stdout logging and log rotation
 - Added process_vm_readv, process_vm_writev and mknod to
     default seccomp blacklist
 - Added CAP_MKNOD to default caps blacklist
 - Blacklist and whitelist custom Linux capabilities filters
 - macvlan device driver support for --net option
 - DNS server support, --dns option
 - Netfilter support
 - Monitor network statistics, --netstats option
 - Added profile for Mozilla Thunderbird/Icedove
 - --overlay support for Linux kernels 3.18+
 - Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
 - Bugfix: check uid/gid for cgroup

* Fri Feb 6 2015   netblue30 <netblue30@yahoo.com> 0.9.20-1
 - utmp, btmp and wtmp enhancements
 -    create empty /var/log/wtmp and /var/log/btmp files in sandbox
 -    generate a new /var/run/utmp file in sandbox
 - CPU affinity, --cpu option
 - Linux control groups support, --cgroup option
 - Opera web browser support
 - VLC support
 - Added "empty" attribute to seccomp command to remove the default
   syscall list from seccomp blacklist
 - Added --nogroups option to disable supplementary groups for regular
   users. root user always runs without supplementary groups.
 - firemon enhancements
 -   display the command that started the sandbox
 -   added --caps option to display capabilities for all sandboxes
 -   added --cgroup option to display the control groups for all sandboxes
 -   added --cpu option to display CPU affinity for all sandboxes
 -   added --seccomp option to display seccomp setting for all sandboxes
 - New compile time options: --disable-chroot, --disable-bind
 - bugfixes

* Sat Dec 27 2014  netblue30 <netblue30@yahoo.com> 0.9.18-1
 - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
 - Support for tracing setreuid, setregid, setresuid, setresgid syscalls
 - Added profiles for transmission-gtk and transmission-qt
 - bugfixes

* Tue Nov 4 2014  netblue30 <netblue30@yahoo.com> 0.9.16-1
 - Configurable private home directory
 - Configurable default user shell
 - Software configuration support for --docdir and DESTDIR
 - Profile file support for include, caps, seccomp and private keywords
 - Dropbox profile file
 - Linux capabilities and seccomp filters enabled by default for Firefox,
  Midori, Evince and Dropbox
 - bugfixes

* Wed Oct 8 2014  netblue30 <netblue30@yahoo.com> 0.9.14-1
 - Linux capabilities and seccomp filters are automatically enabled in
   chroot mode (--chroot option) if the sandbox is started as regular
   user
 - Added support for user defined seccomp blacklists
 - Added syscall trace support
 - Added --tmpfs option
 - Added --blacklist option
 - Added --read-only option
 - Added --bind option
 - Logging enhancements
 - --overlay option was reactivated
 - Added firemon support to print the ARP table for each sandbox
 - Added firemon support to print the route table for each sandbox
 - Added firemon support to print interface information for each sandbox
 - bugfixes

* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
 - Added capabilities support
 - Added support for CentOS 7
 - bugfixes