firejail-zsh-completion-0.9.70-bp155.2.7

Name: firejail-zsh-completion
Version: 0.9.70
Release: bp155.2.7
Summary: Firejail zsh completion
Description: Optional dependency offering zsh completion for firejail
Build host: old-cirrus2
Distribution: SUSE Linux Enterprise 15 SP5
Vendor: openSUSE
License: GPL-2.0-only
Packager: https://bugs.opensuse.org
Group: System/Shells
URL: https://firejail.wordpress.com
OS/Arch: linux x86_64
Source RPM: firejail-0.9.70-bp155.2.7.src.rpm
Provides: firejail-zsh-completion, firejail-zsh-completion(x86-64)
Requires: firejail, rpmlib(CompressedFileNames), rpmlib(FileDigests), rpmlib(PayloadFilesHavePrefix), rpmlib(PayloadIsXz), zsh

Changelog authors, in the order stored in the package header: Sebastian Wagner, Sebastian Wagner, Sebastian Wagner, Sebastian Wagner, Andreas Stieger, Илья Индиго, Илья Индиго, Sebastian Wagner, Sebastian Wagner, Christian Boltz, Paolo Stivanin, Paolo Stivanin, Sebastian Wagner, Michael Vetter, Marcus Rueckert, Sebastian Wagner, info@paolostivanin.com, Sebastian Wagner, Markos Chandras, Markos Chandras, sebix+novell.com@sebix.at, avindra@opensuse.org, aavindraa@gmail.com, tiwai@suse.de, tiwai@suse.de, tiwai@suse.de, tiwai@suse.de, tiwai@suse.de, tiwai@suse.de, tiwai@suse.de

Changelog:

- remove patches fix-internet-access.patch
  and fix-CVE-2022-31214.patch as they are integrated upstream
- update to version 0.9.70:
  - security: CVE-2022-31214 - root escalation in --join logic
    Reported by Matthias Gerstner, working exploit code was provided to our
    development team. In the same time frame, the problem was independently
    reported by Birk Blechschmidt. Full working exploit code was also provided.
  - feature: enable shell tab completion with --tab (#4936)
  - feature: disable user profiles at compile time (#4990)
  - feature: Allow resolution of .local names with avahi-daemon in the apparmor
    profile (#5088)
  - feature: always log seccomp errors (#5110)
  - feature: firecfg --guide, guided user configuration (#5111)
  - feature: --oom, kernel OutOfMemory-killer (#5122)
  - modif: --ids feature needs to be enabled at compile time (#5155)
  - modif: --nettrace only available to root user
  - rework: whitelist restructuring (#4985)
  - rework: firemon, speed up and lots of fixes
  - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
  - bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
  - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
  - bugfix: fix printing in evince (#5011)
  - bugfix: gcov: fix gcov functions always declared as dummy (#5028)
  - bugfix: Stop warning on safe supplementary group clean (#5114)
  - build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
  - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154)
  - ci: replace centos (EOL) with almalinux (#4912)
  - ci: fix --version not printing compile-time features (#5147)
  - ci: print version after install & fix apparmor support on build_apparmor
    (#5148)
  - docs: Refer to firejail.config in configuration files (#4916)
  - docs: firejail.config: add warning about allow-tray (#4946)
  - docs: mention that the protocol command accumulates (#5043)
  - docs: mention inconsistent homedir bug involving --private=dir (#5052)
  - docs: mention capabilities(7) on --caps (#5078)
  - new profiles: onionshare,
    onionshare-cli, opera-developer, songrec
  - new profiles: node-gyp, npx, semver, ping-hardened
  - removed profiles: nvm

- fix bsc#1199148 CVE-2022-31214 by adding patch fix-CVE-2022-31214.patch
  using commits from upstream.

- add fix-internet-access.patch to fix boo#1196542

- update to firejail 0.9.68:
  - security: on Ubuntu, the PPA is now recommended over the distro package
    (see README.md) (#4748)
  - security: bugfix: private-cwd leaks access to the entire filesystem
    (#4780); reported by Hugo Osvaldo Barrera
  - feature: remove (some) environment variables with auth-tokens (#4157)
  - feature: ALLOW_TRAY condition (#4510 #4599)
  - feature: add basic Firejail support to AppArmor base abstraction (#3226
    #4628)
  - feature: intrusion detection system (--ids-init, --ids-check)
  - feature: deterministic shutdown command (--deterministic-exit-code,
    --deterministic-shutdown) (#928 #3042 #4635)
  - feature: noprinters command (#4607 #4827)
  - feature: network monitor (--nettrace)
  - feature: network locker (--netlock) (#4848)
  - feature: whitelist-ro profile command (#4740)
  - feature: disable pipewire with --nosound (#4855)
  - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
  - feature: Allow apostrophe in whitelist and blacklist (#4614)
  - feature: AppImage support in --build command (#4878)
  - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
  - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
  - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
  - modifs: nogroups now stopped causing certain system groups to be dropped,
    which are now controlled by the relevant "no" options instead (such as
    nosound -> drop audio group), which fixes device access issues on systems
    not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
  - removal: --disable-whitelist at compile time
  - removal: whitelist=yes/no in /etc/firejail/firejail.config
  - bugfix: Fix sndio support (#4362 #4365)
  - bugfix: Error mounting tmpfs
    (MS_REMOUNT flag not being cleared) (#4387)
  - bugfix: --build clears the environment (#4460 #4467)
  - bugfix: firejail hangs with net parameter (#3958 #4476)
  - bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
  - bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
  - bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
  - bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
  - bugfix: Firejail rejects empty arguments (#4395)
  - bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
  - bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
  - bugfix: private-etc does not work with symlinks (#4887)
  - bugfix: Hardware key not detected on keepassxc (#4883)
  - build: allow building with address sanitizer (#4594)
  - build: Stop linking pthread (#4695)
  - build: Configure cleanup and improvements (#4712)
  - ci: add profile checks for sorting disable-programs.inc and
    firecfg.config and for the required arguments in private-etc (#2739 #4643)
  - ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
  - docs: Add new command checklist to CONTRIBUTING.md (#4413)
  - docs: Rework bug report issue template and add both a question and a
    feature request template (#4479 #4515 #4561)
  - docs: fix contradictory descriptions of machine-id ("preserves" vs
    "spoofs") (#4689)
  - docs: Document that private-bin and private-etc always accumulate (#4078)
  - new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
  - new includes: disable-proc.inc (#4521)
  - removed includes: disable-passwordmgr.inc (#4454 #4461)
  - new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
  - new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
  - new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
  - new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
  - new profiles: imv, retroarch, torbrowser, CachyBrowser,
  - new profiles: notable, RPCS3, wget2,
    raincat, conitop, 1passwd,
  - new profiles: Seafile, neovim, com.github.tchx84.Flatseal

- firejail 0.9.66:
  * deprecated --audit options, replaced by jailcheck utility
  * deprecated follow-symlink-as-user from firejail.config
  * new firejail.config settings: private-bin, private-etc
  * new firejail.config settings: private-opt, private-srv
  * new firejail.config settings: whitelist-disable-topdir
  * new firejail.config settings: seccomp-filter-add
  * removed kcmp syscall from seccomp default filter
  * rename --noautopulse to keep-config-pulse
  * filtering environment variables
  * zsh completion
  * command line: --mkdir, --mkfile
  * --protocol now accumulates
  * jailtest utility for testing running sandboxes
  * faccessat2 syscall support
  * --private-dev keeps /dev/input
  * added --noinput to disable /dev/input
  * add support for subdirs in --private-etc
  * subdirs support in private-etc
  * input devices support in private-dev, --no-input
  * support trailing comments on profile lines
  * many new profiles
- split shell completion into standard subpackages

- Update to 0.9.64.4:
  * disabled overlayfs, pending multiple fixes
  * fixed launch firefox for open url in telegram-desktop.profile

- Update to 0.9.64.2:
  * allow --tmpfs inside $HOME for unprivileged users
  * --disable-usertmpfs compile time option
  * allow AF_BLUETOOTH via --protocol=bluetooth
  * setup guide for new users: contrib/firejail-welcome.sh
  * implement netns in profiles
  * added nolocal6.net IPv6 network filter
  * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.

- packaging fixes

- Update to version 0.9.64:
  * replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from killing the
    process to returning EPERM to the caller.
    To get the previous behaviour, use --seccomp-error-action=kill or
    syscall:kill syntax when constructing filters, or override in
    /etc/firejail/firejail.config file.
  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be
    installed, if not D-Bus access will be allowed. With this version nodbus
    is deprecated, in favor of dbus-user none and dbus-system none and will
    be removed in a future version.
  * DHCP client support
  * firecfg only fix desktop-files if started with sudo
  * SELinux labeling support
  * custom 32-bit seccomp filter support
  * restrict ${RUNUSER} in several profiles
  * blacklist shells such as bash in several profiles
  * whitelist globbing
  * mkdir and mkfile support for /run/user directory
  * support ignore for include
  * --include on the command line
  * splitting up media players whitelists in whitelist-players.inc
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
  * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
  * new profiles: presentations18, presentations18free, textmaker18, teams
  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
  * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
  * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
  * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
  * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
  * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
  * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
  * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
  * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
  * new profiles:
    seahorse-adventures, wordwarvi, xbill, gnome-klotski
  * new profiles: swell-foop, fdns, five-or-more, steam-runtime
  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
  * new profiles: gapplication, openarena_ded, element-desktop, cawbird
  * new profiles: freetube, strawberry, jitsi-meet-desktop
  * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
  * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
  * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
  * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
  * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
  * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
  * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
  * new profiles: qrencode, ytmdesktop, twitch
  * new profiles: xournalpp, chromium-freeworld, equalx
- remove firejail-0.9.62-fix-usr-etc.patch, included upstream
- remove firejail-apparmor-3.0.diff, included upstream

- Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with
  AppArmor 3.0 (add missing include )

- Update to 0.9.62.4
  * fix AppArmor broken in the previous release
  * miscellaneous fixes

- Update to 0.9.62.2
  * fix CVE-2020-17367
  * fix CVE-2020-17368
  * additional hardening and bug fixes
- Remove fix-CVE-2020-17368.patch
- Remove fix-CVE-2020-17367.patch

- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix
  CVE-2020-17367 and CVE-2020-17368 and boo#1174986

- Add firejail-0.9.62-fix-usr-etc.patch: Check /usr/etc not just /etc
- Replace python interpreter line in sort.py

- update to version 0.9.62
  * added file-copy-limit in /etc/firejail/firejail.config
  * profile templates (/usr/share/doc/firejail)
  * allow-debuggers support in profiles
  * several seccomp enhancements
  * compiler flags autodetection
  * move chroot entirely from path
    based to file descriptor based mounts
  * whitelisting /usr/share in a large number of profiles
  * new scripts in contrib: gdb-firejail.sh and sort.py
  * enhancement: whitelist /usr/share in some profiles
  * added signal mediation to apparmor profile
  * new conditions: HAS_X11, HAS_NET
  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
  * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
  * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
  * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
  * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
  * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
  * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
  * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
  * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
  * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
  * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
  * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
  * new profiles: electron-mail, gist, gist-paste

- update to version 0.9.60:
  * security bug reported by Austin Morton:
    Seccomp filters are copied into /run/firejail/mnt, and are writable
    within the jail. A malicious process can modify files from inside the
    jail. Processes that are later joined to the jail will not have seccomp
    filters applied.
    CVE-2019-12589 boo#1137139
  * memory-deny-write-execute now also blocks memfd_create
  * add private-cwd option to control working directory within jail
  * blocking system D-Bus socket with --nodbus
  * bringing back Centos 6 support
  * drop support for flatpak/snap packages
  * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
  * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
  * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
  * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
  * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
  * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
  * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
  * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
  * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
  * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
  * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
  * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata

- update to version 0.9.58:
  * --disable-mnt rework
  * --net.print command
  * GitLab CI/CD integration: distro specific builds
  * profile parser enhancements and conditional handling support for
    HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F
  * profile name support
  * added explicit nonewprivs support to join option
  * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
  * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
  * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
  * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
  * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
  * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
  * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
  * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
  * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
  * new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland
  * new profiles: supertuxkart, ghostwriter, gajim-history-manager
  * bugfixes

- update to version 0.9.56:
  * modif: removed CFG_CHROOT_DESKTOP configuration option
  * modif: removed compile time --enable-network=restricted
  * modif: removed compile time --disable-bind
  * modif: --net=none allowed even if networking was disabled at compile
    time or at run time
  * modif: allow system users to run the sandbox
  * support wireless devices in --net option
  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified
    by --net is not configured (--netmask)
  * support for firetunnel utility
  * disable U2F devices (--nou2f)
  * add --private-cache to support private ~/.cache
  * support full paths in private-lib
  * globbing support in private-lib
  * support for local user directories in firecfg (--bindir)
  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
  * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
  * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
  * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
  * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
  * new profiles: start-tor-browser.desktop

- Drop ldconfig calls since firejail libraries are installed in their
  own subdirectory which is not scanned by ldconfig.

- Remove the rpmlintrc file since the warnings are no longer relevant.

- Changed the
  permissions of the firejail executable to 4750. Setuid mode is used,
  but only allowed for users in the newly created group 'firejail'
  (boo#1059013).
- Update to version 0.9.54:
  * modif: --force removed
  * modif: --csh, --zsh removed
  * modif: --debug-check-filename removed
  * modif: --git-install and --git-uninstall removed
  * modif: support for private-bin, private-lib and shell none has been
    disabled while running AppImage archives in order to be able to use
    our regular profile files with AppImages.
  * modif: restrictions for /proc, /sys and /run/user directories
    are moved from AppArmor profile into firejail executable
  * modif: unifying Chromium and Firefox browsers profiles.
    All users of Firefox-based browsers who use addons and plugins
    that read/write from ${HOME} will need to uncomment the includes for
    firefox-common-addons.inc in firefox-common.profile.
  * modif: split disable-devel.inc into disable-devel and
    disable-interpreters.inc
  * Firejail user access database (/etc/firejail/firejail.users,
    man firejail-users)
  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
  * Spectre mitigation patch for gcc and clang compiler
  * D-Bus handling (--nodbus)
  * AppArmor support for overlayfs and chroot sandboxes
  * AppArmor support for AppImages
  * Enable AppArmor by default for a large number of programs
  * firejail --apparmor.print option
  * firemon --apparmor option
  * apparmor yes/no flag in /etc/firejail/firejail.config
  * seccomp syscall list update for glibc 2.26-10
  * seccomp disassembler for --seccomp.print option
  * seccomp machine code optimizer for default seccomp filters
  * IPv6 DNS support
  * whitelist support for overlay and chroot sandboxes
  * private-dev support for overlay and chroot sandboxes
  * private-tmp support for overlay and chroot sandboxes
  * added sandbox name support in firemon
  * firemon/prctl enhancements
  * noblacklist support for /sys/module directory
  * whitelist support for /sys/module directory
  * new profiles: basilisk, Tor Browser
    language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
  * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
  * new profiles: qmmp, sayonara

- Update to version 0.9.52:
  * New features
    + systemd-resolved integration
    + whitelisted /var in most profiles
    + GTK2, GTK3 and Qt4 private-lib support
    + --debug-private-lib
    + test deployment of private-lib for the some apps: evince, galculator, gnome-calculator, leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu, atril, mate-color-select, tar, file, strings, gpicview, eom, eog, gedit, pluma
    + netfilter template support
    + various new arguments
      * --writable-run-user
      * --rlimit-as
      * --rlimit-cpu
      * --timeout
      * --build (profile build tool)
      * --netfilter.print
      * --netfilter6.print
  * deprecations in modif
    + --allow-private-blacklists (blacklisting, read-only, read-write, tmpfs and noexec are allowed in private home directories)
    + remount-proc-sys (firejail.config)
    + follow-symlink-private-bin (firejail.config)
    + --profile-path
  * enhancements
    + support Firejail user config directory in firecfg
    + disable DBus activation in firecfg
    + enumerate root directories in apparmor profile
    + /etc and /usr/share whitelisting support
    + globbing support for --private-bin
  * new profiles: upstreamed profiles from 3 sources:
    + https://github.com/chiraag-nataraj/firejail-profiles
    + https://github.com/nyancat18/fe
    + https://aur.archlinux.org/packages/firejail-profiles
  * new profiles: terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,imagej, karbon, 1kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish, cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass, kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report cower (Arch), kdeinit4
- Add full link to source tarball from sourceforge
- Add asc file

- Update to version 0.9.50:
  * New features:
    - per-profile disable-mnt (--disable-mnt)
    - per-profile support to set X11 Xephyr screen size (--xephyr-screen)
    - private /lib directory (--private-lib)
    - disable CDROM/DVD drive (--nodvd)
    - disable DVB devices (--notv)
    - --profile.print
  * modif: --output split in two commands, --output and --output-stderr
  * set xpra-attach yes in /etc/firejail/firejail.config
  * Enhancements:
    - print all seccomp filters under --debug
    - /proc/sys mounting
    - rework IP address assignment for --net options
    - support for newer Xpra versions (2.1+)
    - all profiles use a standard layout style
    - create /usr/local for firecfg if the directory doesn't exist
    - allow full paths in --private-bin
  * New seccomp features:
    - --memory-deny-write-execute
    - seccomp post-exec
    - block secondary architecture (--seccomp.block_secondary)
    - seccomp syscall groups
    - print all seccomp filters under --debug
    - default seccomp list update
  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, IntelliJ IDEA, Android Studio, electron, riot-web, Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus,
    Simutrans, SuperTux telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img, soundconverter truecraft, gnome-twitch, tuxguitar, musescore, neverball sqlitebrowse, Yandex Browser, minetest

- Update to version 0.9.48:
  * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
    please use ~/Downloads directory for saving files
  * modifs: AppArmor made optional; a warning is printed on the screen
    if the sandbox fails to load the AppArmor profile
  * feature: --novideo
  * feature: drop discretionary access control capabilities for
    root sandboxes
  * feature: added /etc/firejail/globals.local for global customizations
  * feature: profile support in overlayfs mode
  * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
  * bugfixes

- Update to version 0.9.44.4:
  * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * disabled --allow-debuggers when running on kernel versions prior
    to 4.8; a kernel bug in ptrace system call allows a full bypass
    of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  * root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
  * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * major cleanup of file copying code
  * tightening the rules for --chroot and --overlay features
  * ported Gentoo compile patch
  * Nvidia drivers bug in --private-dev
  * fix ASSERT_PERMS_FD macro
  * allow local customization using .local files under /etc/firejail
    backported from our development branch
  * spoof machine-id backported from our development branch
- Remove obsoleted patches:
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch

- Update to version 0.9.44.2:
  Security fixes:
  * overwrite /etc/resolv.conf found by Martin Carpenter
  * TOCTOU exploit for --get and --put found by Daniel Hodson
  * invalid environment exploit found by Martin Carpenter
  * several security enhancements
  Bugfixes:
  * crashing VLC by pressing Ctrl-O
  * use user
    configured icons in KDE
  * mkdir and mkfile are not applied to private directories
  * cannot open files on Deluge running under KDE
  * --private=dir where dir is the user home directory
  * cannot start Vivaldi browser
  * cannot start mupdf
  * ssh profile problems
  * --quiet
  * quiet in git profile
  * memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch

- Update to version 0.9.44:
  * CVE-2016-7545 submitted by Aleksey Manevich
  Modifications:
  * removed man firejail-config
  * --private-tmp whitelists /tmp/.X11-unix directory
  * Nvidia drivers added to --private-dev
  * /srv supported by --whitelist
  New features:
  * allow user access to /sys/fs (--noblacklist=/sys/fs)
  * support starting/joining sandbox in a single command (--join-or-start)
  * X11 detection support for --audit
  * assign a name to the interface connected to the bridge (--veth-name)
  * all user home directories are visible (--allusers)
  * add files to sandbox container (--put)
  * blocking x11 (--x11=block)
  * X11 security extension (--x11=xorg)
  * disable 3D hardware acceleration (--no3d)
  * x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
  * move files in sandbox (--put)
  * accept wildcard patterns in user name field of restricted shell
    login feature
  New profiles:
  * qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
  * feh, ranger, zathura, 7z, keepass, keepassx,
  * claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
  * Flowblade, Eye of GNOME (eog), Evolution

- Update to version 0.9.42:
  Security fixes:
  * --whitelist deleted files
  * disable x32 ABI in seccomp
  * tighten --chroot
  * terminal sandbox escape
  * several TOCTOU fixes
  Behavior changes:
  * bringing back --private-home option
  * deprecated --user option, please use "sudo -u username firejail"
  * allow symlinks in home directory for --whitelist option
  * Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
  * recursive mkdir
  * include /dev/snd in --private-dev
  * seccomp filter update
  * release archives moved to .xz format
  New features:
  * AppImage support (--appimage)
  * AppArmor support (--apparmor)
  * Ubuntu snap support (/etc/firejail/snap.profile)
  * Sandbox auditing support (--audit)
  * remove environment variable (--rmenv)
  * noexec support (--noexec)
  * clean local overlay storage directory (--overlay-clean)
  * store and reuse overlay (--overlay-named)
  * allow debugging inside the sandbox with gdb and strace
    (--allow-debuggers)
  * mkfile profile command
  * quiet profile command
  * x11 profile command
  * option to fix desktop files (firecfg --fix)
  Build options:
  * Busybox support (--enable-busybox-workaround)
  * disable overlayfs (--disable-overlayfs)
  * disable whitelisting (--disable-whitelist)
  * disable global config (--disable-globalcfg)
  Runtime options:
  * enable/disable overlayfs (overlayfs yes/no)
  * enable/disable quiet as default (quiet-by-default yes/no)
  * user-defined network filter (netfilter-default)
  * enable/disable whitelisting (whitelist yes/no)
  * enable/disable remounting of /proc and /sys
    (remount-proc-sys yes/no)
  * enable/disable chroot desktop features (chroot-desktop yes/no)
  New/updated profiles:
  * Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * pix, audacity, xz, xzdec, gzip, cpio, less
  * Atom Beta, Atom, jitsi, eom, uudeview
  * tar (gtar), unzip, unrar, file, skypeforlinux,
  * inox, Slack, gnome-chess.
    Gajim IM client, DOSBox
- Enable apparmor support

- Update to version 0.9.40:
  * Added firecfg utility
  * New options: -nice, -cpu.print, -writable-etc, -writable-var,
    -read-only
  * X11 support: -x11 option (-x11=xpra, -x11=xephr)
  * Filetransfer options: --ls and --get
  * Added mkdir, ipc-namespace, and nosound profile commands
  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
  * Run time config support, man firejail-config
  * AppArmor fixes
  * Default seccomp filter update
  * Disable STUN/WebRTC in default netfilter configuration
  * Lots of new profiles

- initial package: 0.9.38

File base names: firejail-base, firejail-zsh-completion, COPYING, zsh, site-functions, _firejail
Directories: /etc/apparmor.d/abstractions/base.d/, /usr/share/licenses/, /usr/share/licenses/firejail-zsh-completion/, /usr/share/, /usr/share/zsh/, /usr/share/zsh/site-functions/
Build flags: -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
Build source: obs://build.opensuse.org/openSUSE:Backports:SLE-15-SP5/standard/30044224b06664103fb7ef4cdb64d0a9-firejail
Payload: cpio, xz (level 5)
Platform: x86_64-suse-linux
Rich dependency: (firejail and zsh)