firejail-zsh-completion-0.9.70-bp154.2.3.1 4>$  Apb!!M@eeeQgoIW2o5MC1To.B%q? ^wmXd ztjl7U^d= EYxioxfVLmQe;jt-Qbi Fu& BfydxAu|5&+TNz߇ W*P@vaYxZkz?ʆXmr,huIz֏YlHY6p ﰙ0Ƅ>6d673624379bfdff651ffb3674f9f6926f7ff81b273e324725534064781bec008a9d44a345d67006964b0ddc8402cf8babe4d3ecb!!M@eeefv] @4+u*lZ݈+fū>_]le~[+9.aCIL 5s2A[]!RY9>о7]e~.q)@LVE2fe0!mm sxQrs#ASA0sh pJtr\Y'gyy2;ks:~TZzfoXo:ZZo:okoڃ\XKAE-6Ll$e %>p>?d! - E  0 < H ` & ,Db(89:F[GpHIXY\]^;bcd+e0f3l5uHv`zuCfirejail-zsh-completion0.9.70bp154.2.3.1Firejail zsh completionOptional dependency offering zsh completion for firejailbs390zl24SUSE Linux Enterprise 15openSUSEGPL-2.0-onlyhttp://bugs.opensuse.orgSystem/Shellshttps://firejail.wordpress.comlinuxs390xF8A큤AA큤bbbZbbb75baeda48383f6cdbbccd190761b36d5a16e8ea6eb6ecac7bac5e5f93d44c95d8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643c1171a5186490599d8ae2b84d2f944db9b8eb65e132aa8189eebc7274868154arootrootrootrootrootrootrootrootrootrootrootrootfirejail-0.9.70-bp154.2.3.1.src.rpmfirejail-zsh-completionfirejail-zsh-completion(s390-64)    firejailrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)zsh0.9.703.0.4-14.6.0-14.0-15.2-14.14.3bx@a@``@`@__@_@_=@_5+@_.^l@^B@\@\T4[.[@[\[~Z1@YY@X|Xn5@X@WSWXW;Sebastian Wagner Sebastian Wagner Andreas Stieger Илья Индиго Илья Индиго Sebastian Wagner Sebastian Wagner Christian Boltz Paolo Stivanin Paolo Stivanin Sebastian Wagner Michael Vetter Marcus Rueckert Sebastian Wagner info@paolostivanin.comSebastian Wagner Markos Chandras Markos Chandras sebix+novell.com@sebix.atavindra@opensuse.orgaavindraa@gmail.comtiwai@suse.detiwai@suse.detiwai@suse.detiwai@suse.detiwai@suse.detiwai@suse.detiwai@suse.de- update to version 0.9.70: - fix bsc#1199148 CVE-2022-31214 - security: CVE-2022-31214 - root escalation in --join logic - Reported by Matthias Gerstner, working exploit code was provided to our - development team. In the same time frame, the problem was independently - reported by Birk Blechschmidt. Full working exploit code was also provided. - feature: enable shell tab completion with --tab (#4936) - feature: disable user profiles at compile time (#4990) - feature: Allow resolution of .local names with avahi-daemon in the apparmor - profile (#5088) - feature: always log seccomp errors (#5110) - feature: firecfg --guide, guided user configuration (#5111) - feature: --oom, kernel OutOfMemory-killer (#5122) - modif: --ids feature needs to be enabled at compile time (#5155) - modif: --nettrace only available to root user - rework: whitelist restructuring (#4985) - rework: firemon, speed up and lots of fixes - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) - bugfix: nogroups + wrc prints confusing messages (#4930 #4933) - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954) - bugfix: fix printing in evince (#5011) - bugfix: gcov: fix gcov functions always declared as dummy (#5028) - bugfix: Stop warning on safe supplementary group clean (#5114) - build: remove ultimately unused INSTALL and RANLIB check macros (#5133) - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154) - ci: replace centos (EOL) with almalinux (#4912) - ci: fix --version not printing compile-time features (#5147) - ci: print version after install & fix apparmor support on build_apparmor - (#5148) - docs: Refer to firejail.config in configuration files (#4916) - docs: firejail.config: add warning about allow-tray (#4946) - docs: mention that the protocol command accumulates (#5043) - docs: mention inconsistent homedir bug involving --private=dir (#5052) - docs: mention capabilities(7) on --caps (#5078) - new profiles: onionshare, onionshare-cli, opera-developer, songrec - new profiles: node-gyp, npx, semver, ping-hardened - removed profiles: nvm- update to firejail 0.9.68: - security: on Ubuntu, the PPA is now recommended over the distro package - (see README.md) (#4748) - security: bugfix: private-cwd leaks access to the entire filesystem - (#4780); reported by Hugo Osvaldo Barrera - feature: remove (some) environment variables with auth-tokens (#4157) - feature: ALLOW_TRAY condition (#4510 #4599) - feature: add basic Firejail support to AppArmor base abstraction (#3226 - #4628) - feature: intrusion detection system (--ids-init, --ids-check) - feature: deterministic shutdown command (--deterministic-exit-code, - --deterministic-shutdown) (#928 #3042 #4635) - feature: noprinters command (#4607 #4827) - feature: network monitor (--nettrace) - feature: network locker (--netlock) (#4848) - feature: whitelist-ro profile command (#4740) - feature: disable pipewire with --nosound (#4855) - feature: Unset TMP if it doesn't exist inside of sandbox (#4151) - feature: Allow apostrophe in whitelist and blacklist (#4614) - feature: AppImage support in --build command (#4878) - modifs: exit code: distinguish fatal signals by adding 128 (#4533) - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669) - modifs: close file descriptors greater than 2 (--keep-fd) (#4845) - modifs: nogroups now stopped causing certain system groups to be dropped, - which are now controlled by the relevant "no" options instead (such as - nosound -> drop audio group), which fixes device access issues on systems - not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851) - removal: --disable-whitelist at compile time - removal: whitelist=yes/no in /etc/firejail/firejail.config - bugfix: Fix sndio support (#4362 #4365) - bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387) - bugfix: --build clears the environment (#4460 #4467) - bugfix: firejail hangs with net parameter (#3958 #4476) - bugfix: Firejail does not work with a custom hosts file (#2758 #4560) - bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586) - bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606) - bugfix: firejail symlinks are not skipped with private-bin + globs (#4626) - bugfix: Firejail rejects empty arguments (#4395) - bugfix: firecfg does not work with symlinks (discord.desktop) (#4235) - bugfix: Seccomp list output goes to stdout instead of stderr (#4328) - bugfix: private-etc does not work with symlinks (#4887) - bugfix: Hardware key not detected on keepassxc (#4883) - build: allow building with address sanitizer (#4594) - build: Stop linking pthread (#4695) - build: Configure cleanup and improvements (#4712) - ci: add profile checks for sorting disable-programs.inc and - firecfg.config and for the required arguments in private-etc (#2739 #4643) - ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774) - docs: Add new command checklist to CONTRIBUTING.md (#4413) - docs: Rework bug report issue template and add both a question and a - feature request template (#4479 #4515 #4561) - docs: fix contradictory descriptions of machine-id ("preserves" vs - "spoofs") (#4689) - docs: Document that private-bin and private-etc always accumulate (#4078) - new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462) - new includes: disable-proc.inc (#4521) - removed includes: disable-passwordmgr.inc (#4454 #4461) - new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim - new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl - new profiles: yt-dlp, goldendict, goldendict, bundle, cmake - new profiles: make, meson, pip, codium, telnet, ftp, OpenStego - new profiles: imv, retroarch, torbrowser, CachyBrowser, - new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd, - new profiles: Seafile, neovim, com.github.tchx84.Flatseal- firejail 0.9.66: * deprecated --audit options, relpaced by jailcheck utility * deprecated follow-symlink-as-user from firejail.config * new firejail.config settings: private-bin, private-etc * new firejail.config settings: private-opt, private-srv * new firejail.config settings: whitelist-disable-topdir * new firejail.config settings: seccomp-filter-add * removed kcmp syscall from seccomp default filter * rename --noautopulse to keep-config-pulse * filtering environment variables * zsh completion * command line: --mkdir, --mkfile * --protocol now accumulates * jailtest utility for testing running sandboxes * faccessat2 syscall support * --private-dev keeps /dev/input * added --noinput to disable /dev/input * add support for subdirs in --private-etc * subdirs support in private-etc * input devices support in private-dev, --no-input * support trailing comments on profile lines * many new profiles - split shell completion into standard subpackages- Update to 0.9.64.4: * disabled overlayfs, pending multiple fixes * fixed launch firefox for open url in telegram-desktop.profile- Update to 0.9.64.2: * allow --tmpfs inside $HOME for unprivileged users * --disable-usertmpfs compile time option * allow AF_BLUETOOTH via --protocol=bluetooth * setup guide for new users: contrib/firejail-welcome.sh * implement netns in profiles * added nolocal6.net IPv6 network filter * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.- packaging fixes- Update to version 0.9.64: * replaced --nowrap option with --wrap in firemon * The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use --seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file. * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version. * DHCP client support * firecfg only fix dektop-files if started with sudo * SELinux labeling support * custom 32-bit seccomp filter support * restrict ${RUNUSER} in several profiles * blacklist shells such as bash in several profiles * whitelist globbing * mkdir and mkfile support for /run/user directory * support ignore for include * --include on the command line * splitting up media players whitelists in whitelist-players.inc * new condition: HAS_NOSOUND * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool * new profiles: desktopeditors, impressive, planmaker18, planmaker18free * new profiles: presentations18, presentations18free, textmaker18, teams * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski * new profiles: swell-foop, fdns, five-or-more, steam-runtime * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper * new profiles: gapplication, openarena_ded, element-desktop, cawbird * new profiles: freetube, strawberry, jitsi-meet-desktop * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send * new profiles: qrencode, ytmdesktop, twitch * new profiles: xournalpp, chromium-freeworld, equalx - remove firejail-0.9.62-fix-usr-etc.patch, included upstream - remove firejail-apparmor-3.0.diff, included upstream- Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with AppArmor 3.0 (add missing include )- Update to 0.9.62.4 * fix AppArmor broken in the previous release * miscellaneous fixes- Update to 0.9.62.2 * fix CVE-2020-17367 * fix CVE-2020-17368 * additional hardening and bug fixes - Remove fix-CVE-2020-17368.patch - Remove fix-CVE-2020-17367.patch- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986- Add firejail-0.9.62-fix-usr-etc.patch: Check /usr/etc not just /etc - Replace python interpreter line in sort.py- update to version 0.9.62 * added file-copy-limit in /etc/firejail/firejail.config * profile templates (/usr/share/doc/firejail) * allow-debuggers support in profiles * several seccomp enhancements * compiler flags autodetection * move chroot entirely from path based to file descriptor based mounts * whitelisting /usr/share in a large number of profiles * new scripts in conrib: gdb-firejail.sh and sort.py * enhancement: whitelist /usr/share in some profiles * added signal mediation to apparmor profile * new conditions: HAS_X11, HAS_NET * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123 * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123 * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird, * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc * new profiles: electron-mail, gist, gist-paste- update to version 0.9.60: * security bug reported by Austin Morton: Seccomp filters are copied into /run/firejail/mnt, and are writable within the jail. A malicious process can modify files from inside the jail. Processes that are later joined to the jail will not have seccomp filters applied. CVE-2019-12589 boo#1137139 * memory-deny-write-execute now also blocks memfd_create * add private-cwd option to control working directory within jail * blocking system D-Bus socket with --nodbus * bringing back Centos 6 support * drop support for flatpak/snap packages * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool * new profiles: netactview, redshift, devhelp, assogiate, subdownloader * new profiles: font-manager, exfalso, gconf-editor, dconf-editor * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata- update to version 0.9.58: * --disable-mnt rework * --net.print command * GitLab CI/CD integration: disto specific builds * profile parser enhancements and conditional handling support for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F * profile name support * added explicit nonewprivs support to join option * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms * new profiles: devilspie, devilspie2, easystroke, github-desktop, min * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley * new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland * new profiles: supertuxkart, ghostwriter, gajim-history-manager * bugfixes- update to version 0.9.56: * modif: removed CFG_CHROOT_DESKTOP configuration option * modif: removed compile time --enable-network=restricted * modif: removed compile time --disable-bind * modif: --net=none allowed even if networking was disabled at compile time or at run time * modif: allow system users to run the sandbox * support wireless devices in --net option * support tap devices in --net option (tunneling support) * allow IP address configuration if the parent interface specified by --net is not configured (--netmask) * support for firetunnel utility * disable U2F devices (--nou2f) * add --private-cache to support private ~/.cache * support full paths in private-lib * globbing support in private-lib * support for local user directories in firecfg (--bindir) * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint, * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd, * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois, * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3 * new profiles: start-tor-browser.desktop- Drop ldconfig calls since firejail libraries are installed in their own subdirectory which is not scanned by ldconfig.- Remove the rpmlintrc file since the warnings are no longer relevant.- Changed the permissions of the firejail executable to 4750. Setuid mode is used, but only allowed for users in the newly created group 'firejail' (boo#1059013). - Update to version 0.9.54: * modif: --force removed * modif: --csh, --zsh removed * modif: --debug-check-filename removed * modif: --git-install and --git-uninstall removed * modif: support for private-bin, private-lib and shell none has been disabled while running AppImage archives in order to be able to use our regular profile files with AppImages. * modif: restrictions for /proc, /sys and /run/user directories are moved from AppArmor profile into firejail executable * modif: unifying Chromium and Firefox browsers profiles. All users of Firefox-based browsers who use addons and plugins that read/write from ${HOME} will need to uncomment the includes for firefox-common-addons.inc in firefox-common.profile. * modif: split disable-devel.inc into disable-devel and disable-interpreters.inc * Firejail user access database (/etc/firejail/firejail.users, man firejail-users) * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) * Spectre mitigation patch for gcc and clang compiler * D-Bus handling (--nodbus) * AppArmor support for overlayfs and chroot sandboxes * AppArmor support for AppImages * Enable AppArmor by default for a large number of programs * firejail --apparmor.print option * firemon --apparmor option * apparmor yes/no flag in /etc/firejail/firejail.config * seccomp syscall list update for glibc 2.26-10 * seccomp disassembler for --seccomp.print option * seccomp machine code optimizer for default seccomp filters * IPv6 DNS support * whitelist support for overlay and chroot sandboxes * private-dev support for overlay and chroot sandboxes * private-tmp support for overlay and chroot sandboxes * added sandbox name support in firemon * firemon/prctl enhancements * noblacklist support for /sys/module directory * whitelist support for /sys/module directory * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, * new profiles: discord-canary, pycharm-community, pycharm-professional, * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes, * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud, * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2, * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack, * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion, * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind, * new profiles: qmmp, sayonara- Update to version 0.9.52: * New features + systemd-resolved integration + whitelisted /var in most profiles + GTK2, GTK3 and Qt4 private-lib support + --debug-private-lib + test deployment of private-lib for the some apps: evince, galculator, gnome-calculator, leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu, atril, mate-color-select, tar, file, strings, gpicview, eom, eog, gedit, pluma + netfilter template support + various new arguments * --writable-run-user * --rlimit-as * --rlimit-cpu * --timeout * --build (profile build tool) * --netfilter.print * --netfilter6.print * deprecations in modif + --allow-private-blacklists (blacklisting, read-only, read-write, tmpfs and noexec are allowed in private home directories + remount-proc-sys (firejail.config) + follow-symlink-private-bin (firejail.config) + --profile-path * enhancements + support Firejail user config directory in firecfg + disable DBus activation in firecfg + enumerate root directories in apparmor profile + /etc and /usr/share whitelisting support + globbing support for --private-bin * new profiles: upstreamed profiles from 3 sources: + https://github.com/chiraag-nataraj/firejail-profiles + https://github.com/nyancat18/fe + https://aur.archlinux.org/packages/firejail-profiles * new profiles: terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,imagej, karbon, 1kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish, cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass, kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report cower (Arch), kdeinit4 - Add full link to source tarball from sourceforge - Add asc file- Update to version 0.9.50: * New features: - per-profile disable-mnt (--disable-mnt) - per-profile support to set X11 Xephyr screen size (--xephyr-screen) - private /lib directory (--private-lib) - disable CDROM/DVD drive (--nodvd) - disable DVB devices (--notv) - --profile.print * modif: --output split in two commands, --output and --output-stderr * set xpra-attach yes in /etc/firejail/firejail.config * Enhancements: - print all seccomp filters under --debug - /proc/sys mounting - rework IP address assingment for --net options - support for newer Xpra versions (2.1+) - - all profiles use a standard layout style - create /usr/local for firecfg if the directory doesn't exist - allow full paths in --private-bin * New seccomp features: - --memory-deny-write-execute - seccomp post-exec - block secondary architecture (--seccomp.block_secondary) - seccomp syscall groups - print all seccomp filters under --debug - default seccomp list update * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, IntelliJ IDEA, Android Studio, electron, riot-web, Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img, soundconverter truecraft, gnome-twitch, tuxguitar, musescore, neverball sqlitebrowse, Yandex Browser, minetest- Update to version 0.9.48: * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent; please use ~/Downloads directory for saving files * modifs: AppArmor made optional; a warning is printed on the screen if the sandbox fails to load the AppArmor profile * feature: --novideo * feature: drop discretionary access control capabilities for root sandboxes * feature: added /etc/firejail/globals.local for global customizations * feature: profile support in overlayfs mode * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake * bugfixes- Update to version 0.9.44.4: * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) * disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206) * root exploit found by Sebastian Krahmer (CVE-2017-5180) - Update to version 0.9.44.6: * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week * major cleanup of file copying code * tightening the rules for --chroot and --overlay features * ported Gentoo compile patch * Nvidia drivers bug in --private-dev * fix ASSERT_PERMS_FD macro * allow local customization using .local files under /etc/firejail backported from our development branch * spoof machine-id backported from our development branch - Remove obsoleted patches: firejail-CVE-2017-5180-fix1.patch firejail-CVE-2017-5180-fix2.patch- Update to version 0.9.44.2: Security fixes: * overwrite /etc/resolv.conf found by Martin Carpenter * TOCTOU exploit for –get and –put found by Daniel Hodson * invalid environment exploit found by Martin Carpenter * several security enhancements Bugfixes: * crashing VLC by pressing Ctrl-O * use user configured icons in KDE * mkdir and mkfile are not applied to private directories * cannot open files on Deluge running under KDE * –private=dir where dir is the user home directory * cannot start Vivaldi browser * cannot start mupdf * ssh profile problems * –quiet * quiet in git profile * memory corruption - Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259): firejail-CVE-2017-5180-fix1.patch firejail-CVE-2017-5180-fix2.patch- Update to version 0.9.44: * CVE-2016-7545 submitted by Aleksey Manevich Modifications: * removed man firejail-config * –private-tmp whitelists /tmp/.X11-unix directory * Nvidia drivers added to –private-dev * /srv supported by –whitelist New features: * allow user access to /sys/fs (–noblacklist=/sys/fs) * support starting/joining sandbox is a single command (–join-or-start) * X11 detection support for –audit * assign a name to the interface connected to the bridge (–veth-name) * all user home directories are visible (–allusers) * add files to sandbox container (–put) * blocking x11 (–x11=block) * X11 security extension (–x11=xorg) * disable 3D hardware acceleration (–no3d) * x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * move files in sandbox (–put) * accept wildcard patterns in user name field of restricted shell login feature New profiles: * qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * feh, ranger, zathura, 7z, keepass, keepassx, * claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot * Flowblade, Eye of GNOME (eog), Evolution- Update to version 0.9.42: Security fixes: * –whitelist deleted files * disable x32 ABI in seccomp * tighten –chroot * terminal sandbox escape * several TOCTOU fixes Behavior changes: * bringing back –private-home option * deprecated –user option, please use “sudo -u username firejail” * allow symlinks in home directory for –whitelist option * Firejail prompt is enabled by env variable FIREJAIL_PROMPT=”yes” * recursive mkdir * include /dev/snd in –private-dev * seccomp filter update * release archives moved to .xz format New features: * AppImage support (–appimage) * AppArmor support (–apparmor) * Ubuntu snap support (/etc/firejail/snap.profile) * Sandbox auditing support (–audit) * remove environment variable (–rmenv) * noexec support (–noexec) * clean local overlay storage directory (–overlay-clean) * store and reuse overlay (–overlay-named) * allow debugging inside the sandbox with gdb and strace (–allow-debuggers) * mkfile profile command * quiet profile command * x11 profile command * option to fix desktop files (firecfg –fix) Build options: * Busybox support (–enable-busybox-workaround) * disable overlayfs (–disable-overlayfs) * disable whitlisting (–disable-whitelist) * disable global config (–disable-globalcfg) Runtime options: * enable/disable overlayfs (overlayfs yes/no) * enable/disable quiet as default (quiet-by-default yes/no) * user-defined network filter (netfilter-default) * enable/disable whitelisting (whitelist yes/no) * enable/disable remounting of /proc and /sys (remount-proc-sys yes/no) * enable/disable chroot desktop features (chroot-desktop yes/no) New/updated profiels: * Gitter, gThumb, mpv, Franz messenger, LibreOffice * pix, audacity, xz, xzdec, gzip, cpio, less * Atom Beta, Atom, jitsi, eom, uudeview * tar (gtar), unzip, unrar, file, skypeforlinux, * inox, Slack, gnome-chess. Gajim IM client, DOSBox - Enable apparmor support- Update to version 0.9.40: * Added firecfg utility * New options: -nice, -cpu.print, -writable-etc, -writable-var, - read-only * X11 support: -x11 option (-x11=xpra, -x11=xephr) * Filetransfer options: –ls and –get * Added mkdir, ipc-namespace, and nosound profile commands * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands * Run time config support, man firejail-config * AppArmor fixes * Default seccomp filter update * Disable STUN/WebRTC in default netfilter configuration * Lots of new profiles- initial package: 0.9.38s390zl24 16555388790.9.70-bp154.2.3.10.9.70-bp154.2.3.1firejail-basefirejail-zsh-completionCOPYINGzshsite-functions_firejail/etc/apparmor.d/abstractions/base.d//usr/share/licenses//usr/share/licenses/firejail-zsh-completion//usr/share//usr/share/zsh//usr/share/zsh/site-functions/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protectionobs://build.opensuse.org/openSUSE:Maintenance:17525/openSUSE_Backports_SLE-15-SP4_Update/13701da324d2f631c933cc90f4ea9054-firejail.openSUSE_Backports_SLE-15-SP4_Updatecpioxz5s390x-suse-linuxASCII textdirectorysԵS_͡)(firejail and zsh)utf-842d5b2c7a4ef6ebbcb2382461119a9d026886785bcdcadf03d3119cf1d202191? 7zXZ !t/+h] crv(vX0T& $jEcqA%>B9,!koM gť[R'-k&Jjwc1 U G-Ub8pSS79nH0+5b+gC 4_ib`@fA+!G?!D[h$BSZ/7WY1f,rQA_Uz=d.S28qGk#J(kMW5|V?;e980J}kT`u46I9Ls>c_۽pġmy}4~NnոxiIM U>6Buu33 l;x•ok/-KbBb%db2%EFb^+.a`m?O84sM]YdY\*dśGb\Lk{FeW0l4Yo`QLLEcy'k:/:I2x mTnV2$5tJ%bAbuɉ΂PCϹ'C;]65u2>c4?\Dy6m  ㇄SQŌ %#DWF>* ŀ M_ѐd&26GXpH b9XrQ FL!gfdhgO._K-X55:AȒ3NAvLƧb~)C(ݥqֻ)tcGC:bs\ʺihON'N9fGsCJ/Bِx~]@ D |!OMt1kqlr$UmNő|c~9n* H)bp >09u?Ď"=n+ug"q@G>Gԁ@`A׹l{&¬dF̴^#iԺ=9Y)ݪ#?8 sKTNWMHeY(w_ ܊,ws욝ݏȭxTÂ!g;[TNd? s\89o"qrWe v^G{H$Ԏ@mժMCY !%A<z\5AD;TpJ u!էw|W}^b(c -E+Yld8u$@w0Ք#9{;Ki=sfE~}*Y`A5\>vJB]b=Y]6nwٹzK 0qQh9 PrYjIm8Fz#yfٝ)eG?F9dU򭦋i"q->y_R<S}k+2}zӜFM] X6m5[@1DKG+DDEՁen/E&< *r[R=&I'$; ;0BH@ 2m6M`X}j5|(C2 z|44>o4 2jտ)RL5^|jYg 9X~0:`hŝcJDZ+2emC:E#TF\G2 ZOS<k>YTҝ;߀PBe) xnez_.ȪJQ^*)\E׆+Obs(LֻRrssrhF^2+4y!7T^E./A163sl[K4H_ZT]&ҠhBLYd4*jRݳbtpwm_%B ƚ2A|Ȗ}lneH44GZ&ASVk7;K4˕Ķ@I ̵2%_%2 WBլIcKg6JJPJ W^XM_hW!EpiSZRn_ TFmFնt_Hl$\'R(Ț6ԝ+-&@+S`,)Н/?-%!+#8A93UCX42A^bKYZm<#^"icx3j\ƶz:o;B+Ű׍YƇN[-jwF0&Zu1P U""&PeLK3ˍ_pJ9Qbύ]8۟{< h$?&("PSj nUtuhܑ'Z ) $tnar<$a".hhS[(zL Hjr`I,N [#iτBcz7+GR'SZWQR|j^C}AKT&J9)4`qa1Tٕ>WA ݮ3z+R" Q`MŰi sWp2-^:9X~>MGuJX&/P>ئYě[`<"Dro]3ovwt$u?{:bpN}Mqg̏e1ePؗbUzR\?1z_Cr4׬[[$(AF,t%õtS^г7^9}JAŘ("3'A uMg!ZyI);?OGb2 tcm";(T]یԭGvq?sOnVW?4ԆfR:617vq5c?bPI.FnEUV#I? 1!n-f>SzjT/tH<2?SGwޟHV&&}'"&յȢnGxzb f4^C,N!زVN)A^3U(>dm!šT*MYmr:RÃjUvsy9x #n `S ~C"?̼V[2}$~/C6x%P7c M{/}im=?ǣ$ ywg>^5fE+F`'e5<D\A*h09x,HC.^}]h_`]Zvڒ!%-ݓà*hSY[c V>6!yhV: gv_EXcbEθD-N;ܞu/!HJJgNZfBwgHY¶ 9ј¢J,AR.nu 8ԞY˃3p67Byh:' |jI3s<G Qe5x(aEun!t?JF~*.Z֯`hU*EN! K0AOD-_\P2hJSjzC3)7 xH5'3QjL,kbu#|*rbN5ʷEUzPZJo(ӗ[>~K AP*[(ǔB1c UB ~sr8~-XW=j|gJWN鯗dMʂh@p:r4b2ӠlAtN/JO;7g-ۋ,24ʳ0aIL-$P>2?R .PqeDv,sb$`Ơ ')c$y;r30וw +L=!FfHjzT6߮Zq˼tQkݐ򮋖R&keŲa \MweWH 4tN'W M)<:-H 8SE<غIo?8h[J%Ca_r\$&]I*-0ށ?E=m-&#`s7%Xy][,9QDҠL:}̓ ("(+:u;UmFTX1c,VO3(rcmMqRh؁ R_KKW1.+.9NZ}kp6CP!7M>V͞eQ֍,2J#je9[|AKQ'ywD4Ih5ggНҮzBo l°DˊSJvG\K6gxnRhmGƑ)l;WT T25}e)ԲngA0mO.ʠ.5c[Zyɷ+'ͳ*zb՛=Df7J H!  lvɆ.,#ϲ%-BRlWLɠ>T%]wf]bz'.iXBt}P'}HCRV>J?.]2Lp90|ȉbU  ~@pmx) 1E7G"ʎ×LB"SU3;'PUc-#\o>kQ% 2 :_x^e^ _}IT P/P+iy*V4jעa}ZF0͡b* ImE(T/; uu >g-g6|h41>#sXOkȸUnK߷y@X~n=6fYvyt5%8J2`yL(l[I`U@'l7C[ *'Lp'l{zfX,I jڞF  rAQ5\\+|RQ!io}I0 KݡxcP^ԘPZT0^מn|3Dp oLѼSiK9㤜8p@PչZ0ܟɌ%evPG%!ۗ=N%JxadeVp?N{DιզsXt:Tr8ho>oĕ^aĮ Oe\m@, ]mJ^i™G&njϭ鈉OY6ZCZ4xv;P{(@ ))-fAUTsiy0LR;Y+*b91/ߎ\wX,Ӳu:w gخͱZ嘮>2}eH1KkZ.P6A͔zGHӹ&r̂}`y}0*@; P(iutn B*0wW"WeTѯQZzIyg?46o\.~f,:O@]A6UU2*nI(j>GR!h,/WQ2 ҪȠks̾<9 )+)eG3lրU%Z6U=$K+1CG:- t,]_}a9l5N]oqzZ6< -eVϺ۞fݡ]S]o H9Hݑ֙](ȫooQ0/소=m[{68,P(ߙKss)&TYݑҕi7Z|+f,2#ELc*A4d5Ks6%@ܲL;Y5@P9VKȕ-(-K4\u&^j7c%h-N`]$V{av~iP&ˠa4eJEpwX\Qipu q"σzuX;eDR'e$v+o.+XqnPs@n!nqwhQ^'n߳$#J.E$RI7L@W]-!lg!He)"HF.IsVĬ+.Ͳ3XEcZc>vJ /+ώm"|Zt.u>yzYuMFD6+o-\[w~qKT!& a7WW=͚˒7bC^9u*`{!N6-GJTBzEø-#"WւxU.|BCtJAj1xu;0Bg R