firejail-zsh-completion-0.9.70-bp154.2.3.1 4>$  Apb!M@eeeRؓC'{i̧Qu2a|}u? ".oOg\y}f궘Qii-MEx)u2]틾y I '']:ݢ :hFk&5ɒ7-#ue(% ::-Kޏb1: s%IGufqpB ]$ch>¾wxճ) 楠<^(nP[6P#Yd9!*},RJa932fafc6a8754b8b9a532add7aebe635a6f7cc4abef51ba2f958156466e8b5ac7f0e1f55359421622b6d7eb887fe5920625bd90b!M@eeeWg\ "=O a &mlt/@L+ r6=lS;U <ߥ:pTԊc/AP􎘧2ѯ}ESO!>3}pBTr}A2U>?QUHl+>p>?d! - E  , 8 D \ " (@^|x(89:FSGhHIXY\]^3bc{d#e(f+l-u@vXzmCfirejail-zsh-completion0.9.70bp154.2.3.1Firejail zsh completionOptional dependency offering zsh completion for firejailblamb16SUSE Linux Enterprise 15openSUSEGPL-2.0-onlyhttp://bugs.opensuse.orgSystem/Shellshttps://firejail.wordpress.comlinuxx86_64F8A큤AA큤bbbZbbb75baeda48383f6cdbbccd190761b36d5a16e8ea6eb6ecac7bac5e5f93d44c95d8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643c1171a5186490599d8ae2b84d2f944db9b8eb65e132aa8189eebc7274868154arootrootrootrootrootrootrootrootrootrootrootrootfirejail-0.9.70-bp154.2.3.1.src.rpmfirejail-zsh-completionfirejail-zsh-completion(x86-64)    firejailrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)zsh0.9.703.0.4-14.6.0-14.0-15.2-14.14.3bx@a@``@`@__@_@_=@_5+@_.^l@^B@\@\T4[.[@[\[~Z1@YY@X|Xn5@X@WSWXW;Sebastian Wagner Sebastian Wagner Andreas Stieger Илья Индиго Илья Индиго Sebastian Wagner Sebastian Wagner Christian Boltz Paolo Stivanin Paolo Stivanin Sebastian Wagner Michael Vetter Marcus Rueckert Sebastian Wagner info@paolostivanin.comSebastian Wagner Markos Chandras Markos Chandras sebix+novell.com@sebix.atavindra@opensuse.orgaavindraa@gmail.comtiwai@suse.detiwai@suse.detiwai@suse.detiwai@suse.detiwai@suse.detiwai@suse.detiwai@suse.de- update to version 0.9.70: - fix bsc#1199148 CVE-2022-31214 - security: CVE-2022-31214 - root escalation in --join logic - Reported by Matthias Gerstner, working exploit code was provided to our - development team. In the same time frame, the problem was independently - reported by Birk Blechschmidt. Full working exploit code was also provided. - feature: enable shell tab completion with --tab (#4936) - feature: disable user profiles at compile time (#4990) - feature: Allow resolution of .local names with avahi-daemon in the apparmor - profile (#5088) - feature: always log seccomp errors (#5110) - feature: firecfg --guide, guided user configuration (#5111) - feature: --oom, kernel OutOfMemory-killer (#5122) - modif: --ids feature needs to be enabled at compile time (#5155) - modif: --nettrace only available to root user - rework: whitelist restructuring (#4985) - rework: firemon, speed up and lots of fixes - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) - bugfix: nogroups + wrc prints confusing messages (#4930 #4933) - bugfix: openSUSE Leap - whitelist-run-common.inc (#4954) - bugfix: fix printing in evince (#5011) - bugfix: gcov: fix gcov functions always declared as dummy (#5028) - bugfix: Stop warning on safe supplementary group clean (#5114) - build: remove ultimately unused INSTALL and RANLIB check macros (#5133) - build: mkdeb.sh.in: pass remaining arguments to ./configure (#5154) - ci: replace centos (EOL) with almalinux (#4912) - ci: fix --version not printing compile-time features (#5147) - ci: print version after install & fix apparmor support on build_apparmor - (#5148) - docs: Refer to firejail.config in configuration files (#4916) - docs: firejail.config: add warning about allow-tray (#4946) - docs: mention that the protocol command accumulates (#5043) - docs: mention inconsistent homedir bug involving --private=dir (#5052) - docs: mention capabilities(7) on --caps (#5078) - new profiles: onionshare, onionshare-cli, opera-developer, songrec - new profiles: node-gyp, npx, semver, ping-hardened - removed profiles: nvm- update to firejail 0.9.68: - security: on Ubuntu, the PPA is now recommended over the distro package - (see README.md) (#4748) - security: bugfix: private-cwd leaks access to the entire filesystem - (#4780); reported by Hugo Osvaldo Barrera - feature: remove (some) environment variables with auth-tokens (#4157) - feature: ALLOW_TRAY condition (#4510 #4599) - feature: add basic Firejail support to AppArmor base abstraction (#3226 - #4628) - feature: intrusion detection system (--ids-init, --ids-check) - feature: deterministic shutdown command (--deterministic-exit-code, - --deterministic-shutdown) (#928 #3042 #4635) - feature: noprinters command (#4607 #4827) - feature: network monitor (--nettrace) - feature: network locker (--netlock) (#4848) - feature: whitelist-ro profile command (#4740) - feature: disable pipewire with --nosound (#4855) - feature: Unset TMP if it doesn't exist inside of sandbox (#4151) - feature: Allow apostrophe in whitelist and blacklist (#4614) - feature: AppImage support in --build command (#4878) - modifs: exit code: distinguish fatal signals by adding 128 (#4533) - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669) - modifs: close file descriptors greater than 2 (--keep-fd) (#4845) - modifs: nogroups now stopped causing certain system groups to be dropped, - which are now controlled by the relevant "no" options instead (such as - nosound -> drop audio group), which fixes device access issues on systems - not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851) - removal: --disable-whitelist at compile time - removal: whitelist=yes/no in /etc/firejail/firejail.config - bugfix: Fix sndio support (#4362 #4365) - bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387) - bugfix: --build clears the environment (#4460 #4467) - bugfix: firejail hangs with net parameter (#3958 #4476) - bugfix: Firejail does not work with a custom hosts file (#2758 #4560) - bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586) - bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606) - bugfix: firejail symlinks are not skipped with private-bin + globs (#4626) - bugfix: Firejail rejects empty arguments (#4395) - bugfix: firecfg does not work with symlinks (discord.desktop) (#4235) - bugfix: Seccomp list output goes to stdout instead of stderr (#4328) - bugfix: private-etc does not work with symlinks (#4887) - bugfix: Hardware key not detected on keepassxc (#4883) - build: allow building with address sanitizer (#4594) - build: Stop linking pthread (#4695) - build: Configure cleanup and improvements (#4712) - ci: add profile checks for sorting disable-programs.inc and - firecfg.config and for the required arguments in private-etc (#2739 #4643) - ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774) - docs: Add new command checklist to CONTRIBUTING.md (#4413) - docs: Rework bug report issue template and add both a question and a - feature request template (#4479 #4515 #4561) - docs: fix contradictory descriptions of machine-id ("preserves" vs - "spoofs") (#4689) - docs: Document that private-bin and private-etc always accumulate (#4078) - new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462) - new includes: disable-proc.inc (#4521) - removed includes: disable-passwordmgr.inc (#4454 #4461) - new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim - new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl - new profiles: yt-dlp, goldendict, goldendict, bundle, cmake - new profiles: make, meson, pip, codium, telnet, ftp, OpenStego - new profiles: imv, retroarch, torbrowser, CachyBrowser, - new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd, - new profiles: Seafile, neovim, com.github.tchx84.Flatseal- firejail 0.9.66: * deprecated --audit options, relpaced by jailcheck utility * deprecated follow-symlink-as-user from firejail.config * new firejail.config settings: private-bin, private-etc * new firejail.config settings: private-opt, private-srv * new firejail.config settings: whitelist-disable-topdir * new firejail.config settings: seccomp-filter-add * removed kcmp syscall from seccomp default filter * rename --noautopulse to keep-config-pulse * filtering environment variables * zsh completion * command line: --mkdir, --mkfile * --protocol now accumulates * jailtest utility for testing running sandboxes * faccessat2 syscall support * --private-dev keeps /dev/input * added --noinput to disable /dev/input * add support for subdirs in --private-etc * subdirs support in private-etc * input devices support in private-dev, --no-input * support trailing comments on profile lines * many new profiles - split shell completion into standard subpackages- Update to 0.9.64.4: * disabled overlayfs, pending multiple fixes * fixed launch firefox for open url in telegram-desktop.profile- Update to 0.9.64.2: * allow --tmpfs inside $HOME for unprivileged users * --disable-usertmpfs compile time option * allow AF_BLUETOOTH via --protocol=bluetooth * setup guide for new users: contrib/firejail-welcome.sh * implement netns in profiles * added nolocal6.net IPv6 network filter * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.- packaging fixes- Update to version 0.9.64: * replaced --nowrap option with --wrap in firemon * The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use --seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file. * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version. * DHCP client support * firecfg only fix dektop-files if started with sudo * SELinux labeling support * custom 32-bit seccomp filter support * restrict ${RUNUSER} in several profiles * blacklist shells such as bash in several profiles * whitelist globbing * mkdir and mkfile support for /run/user directory * support ignore for include * --include on the command line * splitting up media players whitelists in whitelist-players.inc * new condition: HAS_NOSOUND * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool * new profiles: desktopeditors, impressive, planmaker18, planmaker18free * new profiles: presentations18, presentations18free, textmaker18, teams * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski * new profiles: swell-foop, fdns, five-or-more, steam-runtime * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper * new profiles: gapplication, openarena_ded, element-desktop, cawbird * new profiles: freetube, strawberry, jitsi-meet-desktop * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send * new profiles: qrencode, ytmdesktop, twitch * new profiles: xournalpp, chromium-freeworld, equalx - remove firejail-0.9.62-fix-usr-etc.patch, included upstream - remove firejail-apparmor-3.0.diff, included upstream- Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with AppArmor 3.0 (add missing include )- Update to 0.9.62.4 * fix AppArmor broken in the previous release * miscellaneous fixes- Update to 0.9.62.2 * fix CVE-2020-17367 * fix CVE-2020-17368 * additional hardening and bug fixes - Remove fix-CVE-2020-17368.patch - Remove fix-CVE-2020-17367.patch- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986- Add firejail-0.9.62-fix-usr-etc.patch: Check /usr/etc not just /etc - Replace python interpreter line in sort.py- update to version 0.9.62 * added file-copy-limit in /etc/firejail/firejail.config * profile templates (/usr/share/doc/firejail) * allow-debuggers support in profiles * several seccomp enhancements * compiler flags autodetection * move chroot entirely from path based to file descriptor based mounts * whitelisting /usr/share in a large number of profiles * new scripts in conrib: gdb-firejail.sh and sort.py * enhancement: whitelist /usr/share in some profiles * added signal mediation to apparmor profile * new conditions: HAS_X11, HAS_NET * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123 * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123 * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird, * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc * new profiles: electron-mail, gist, gist-paste- update to version 0.9.60: * security bug reported by Austin Morton: Seccomp filters are copied into /run/firejail/mnt, and are writable within the jail. A malicious process can modify files from inside the jail. Processes that are later joined to the jail will not have seccomp filters applied. CVE-2019-12589 boo#1137139 * memory-deny-write-execute now also blocks memfd_create * add private-cwd option to control working directory within jail * blocking system D-Bus socket with --nodbus * bringing back Centos 6 support * drop support for flatpak/snap packages * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool * new profiles: netactview, redshift, devhelp, assogiate, subdownloader * new profiles: font-manager, exfalso, gconf-editor, dconf-editor * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata- update to version 0.9.58: * --disable-mnt rework * --net.print command * GitLab CI/CD integration: disto specific builds * profile parser enhancements and conditional handling support for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F * profile name support * added explicit nonewprivs support to join option * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms * new profiles: devilspie, devilspie2, easystroke, github-desktop, min * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley * new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland * new profiles: supertuxkart, ghostwriter, gajim-history-manager * bugfixes- update to version 0.9.56: * modif: removed CFG_CHROOT_DESKTOP configuration option * modif: removed compile time --enable-network=restricted * modif: removed compile time --disable-bind * modif: --net=none allowed even if networking was disabled at compile time or at run time * modif: allow system users to run the sandbox * support wireless devices in --net option * support tap devices in --net option (tunneling support) * allow IP address configuration if the parent interface specified by --net is not configured (--netmask) * support for firetunnel utility * disable U2F devices (--nou2f) * add --private-cache to support private ~/.cache * support full paths in private-lib * globbing support in private-lib * support for local user directories in firecfg (--bindir) * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint, * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd, * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois, * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3 * new profiles: start-tor-browser.desktop- Drop ldconfig calls since firejail libraries are installed in their own subdirectory which is not scanned by ldconfig.- Remove the rpmlintrc file since the warnings are no longer relevant.- Changed the permissions of the firejail executable to 4750. Setuid mode is used, but only allowed for users in the newly created group 'firejail' (boo#1059013). - Update to version 0.9.54: * modif: --force removed * modif: --csh, --zsh removed * modif: --debug-check-filename removed * modif: --git-install and --git-uninstall removed * modif: support for private-bin, private-lib and shell none has been disabled while running AppImage archives in order to be able to use our regular profile files with AppImages. * modif: restrictions for /proc, /sys and /run/user directories are moved from AppArmor profile into firejail executable * modif: unifying Chromium and Firefox browsers profiles. All users of Firefox-based browsers who use addons and plugins that read/write from ${HOME} will need to uncomment the includes for firefox-common-addons.inc in firefox-common.profile. * modif: split disable-devel.inc into disable-devel and disable-interpreters.inc * Firejail user access database (/etc/firejail/firejail.users, man firejail-users) * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) * Spectre mitigation patch for gcc and clang compiler * D-Bus handling (--nodbus) * AppArmor support for overlayfs and chroot sandboxes * AppArmor support for AppImages * Enable AppArmor by default for a large number of programs * firejail --apparmor.print option * firemon --apparmor option * apparmor yes/no flag in /etc/firejail/firejail.config * seccomp syscall list update for glibc 2.26-10 * seccomp disassembler for --seccomp.print option * seccomp machine code optimizer for default seccomp filters * IPv6 DNS support * whitelist support for overlay and chroot sandboxes * private-dev support for overlay and chroot sandboxes * private-tmp support for overlay and chroot sandboxes * added sandbox name support in firemon * firemon/prctl enhancements * noblacklist support for /sys/module directory * whitelist support for /sys/module directory * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, * new profiles: discord-canary, pycharm-community, pycharm-professional, * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes, * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud, * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2, * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack, * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion, * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind, * new profiles: qmmp, sayonara- Update to version 0.9.52: * New features + systemd-resolved integration + whitelisted /var in most profiles + GTK2, GTK3 and Qt4 private-lib support + --debug-private-lib + test deployment of private-lib for the some apps: evince, galculator, gnome-calculator, leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu, atril, mate-color-select, tar, file, strings, gpicview, eom, eog, gedit, pluma + netfilter template support + various new arguments * --writable-run-user * --rlimit-as * --rlimit-cpu * --timeout * --build (profile build tool) * --netfilter.print * --netfilter6.print * deprecations in modif + --allow-private-blacklists (blacklisting, read-only, read-write, tmpfs and noexec are allowed in private home directories + remount-proc-sys (firejail.config) + follow-symlink-private-bin (firejail.config) + --profile-path * enhancements + support Firejail user config directory in firecfg + disable DBus activation in firecfg + enumerate root directories in apparmor profile + /etc and /usr/share whitelisting support + globbing support for --private-bin * new profiles: upstreamed profiles from 3 sources: + https://github.com/chiraag-nataraj/firejail-profiles + https://github.com/nyancat18/fe + https://aur.archlinux.org/packages/firejail-profiles * new profiles: terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,imagej, karbon, 1kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish, cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass, kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report cower (Arch), kdeinit4 - Add full link to source tarball from sourceforge - Add asc file- Update to version 0.9.50: * New features: - per-profile disable-mnt (--disable-mnt) - per-profile support to set X11 Xephyr screen size (--xephyr-screen) - private /lib directory (--private-lib) - disable CDROM/DVD drive (--nodvd) - disable DVB devices (--notv) - --profile.print * modif: --output split in two commands, --output and --output-stderr * set xpra-attach yes in /etc/firejail/firejail.config * Enhancements: - print all seccomp filters under --debug - /proc/sys mounting - rework IP address assingment for --net options - support for newer Xpra versions (2.1+) - - all profiles use a standard layout style - create /usr/local for firecfg if the directory doesn't exist - allow full paths in --private-bin * New seccomp features: - --memory-deny-write-execute - seccomp post-exec - block secondary architecture (--seccomp.block_secondary) - seccomp syscall groups - print all seccomp filters under --debug - default seccomp list update * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, IntelliJ IDEA, Android Studio, electron, riot-web, Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img, soundconverter truecraft, gnome-twitch, tuxguitar, musescore, neverball sqlitebrowse, Yandex Browser, minetest- Update to version 0.9.48: * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent; please use ~/Downloads directory for saving files * modifs: AppArmor made optional; a warning is printed on the screen if the sandbox fails to load the AppArmor profile * feature: --novideo * feature: drop discretionary access control capabilities for root sandboxes * feature: added /etc/firejail/globals.local for global customizations * feature: profile support in overlayfs mode * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake * bugfixes- Update to version 0.9.44.4: * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) * disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206) * root exploit found by Sebastian Krahmer (CVE-2017-5180) - Update to version 0.9.44.6: * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week * major cleanup of file copying code * tightening the rules for --chroot and --overlay features * ported Gentoo compile patch * Nvidia drivers bug in --private-dev * fix ASSERT_PERMS_FD macro * allow local customization using .local files under /etc/firejail backported from our development branch * spoof machine-id backported from our development branch - Remove obsoleted patches: firejail-CVE-2017-5180-fix1.patch firejail-CVE-2017-5180-fix2.patch- Update to version 0.9.44.2: Security fixes: * overwrite /etc/resolv.conf found by Martin Carpenter * TOCTOU exploit for –get and –put found by Daniel Hodson * invalid environment exploit found by Martin Carpenter * several security enhancements Bugfixes: * crashing VLC by pressing Ctrl-O * use user configured icons in KDE * mkdir and mkfile are not applied to private directories * cannot open files on Deluge running under KDE * –private=dir where dir is the user home directory * cannot start Vivaldi browser * cannot start mupdf * ssh profile problems * –quiet * quiet in git profile * memory corruption - Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259): firejail-CVE-2017-5180-fix1.patch firejail-CVE-2017-5180-fix2.patch- Update to version 0.9.44: * CVE-2016-7545 submitted by Aleksey Manevich Modifications: * removed man firejail-config * –private-tmp whitelists /tmp/.X11-unix directory * Nvidia drivers added to –private-dev * /srv supported by –whitelist New features: * allow user access to /sys/fs (–noblacklist=/sys/fs) * support starting/joining sandbox is a single command (–join-or-start) * X11 detection support for –audit * assign a name to the interface connected to the bridge (–veth-name) * all user home directories are visible (–allusers) * add files to sandbox container (–put) * blocking x11 (–x11=block) * X11 security extension (–x11=xorg) * disable 3D hardware acceleration (–no3d) * x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * move files in sandbox (–put) * accept wildcard patterns in user name field of restricted shell login feature New profiles: * qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * feh, ranger, zathura, 7z, keepass, keepassx, * claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot * Flowblade, Eye of GNOME (eog), Evolution- Update to version 0.9.42: Security fixes: * –whitelist deleted files * disable x32 ABI in seccomp * tighten –chroot * terminal sandbox escape * several TOCTOU fixes Behavior changes: * bringing back –private-home option * deprecated –user option, please use “sudo -u username firejail” * allow symlinks in home directory for –whitelist option * Firejail prompt is enabled by env variable FIREJAIL_PROMPT=”yes” * recursive mkdir * include /dev/snd in –private-dev * seccomp filter update * release archives moved to .xz format New features: * AppImage support (–appimage) * AppArmor support (–apparmor) * Ubuntu snap support (/etc/firejail/snap.profile) * Sandbox auditing support (–audit) * remove environment variable (–rmenv) * noexec support (–noexec) * clean local overlay storage directory (–overlay-clean) * store and reuse overlay (–overlay-named) * allow debugging inside the sandbox with gdb and strace (–allow-debuggers) * mkfile profile command * quiet profile command * x11 profile command * option to fix desktop files (firecfg –fix) Build options: * Busybox support (–enable-busybox-workaround) * disable overlayfs (–disable-overlayfs) * disable whitlisting (–disable-whitelist) * disable global config (–disable-globalcfg) Runtime options: * enable/disable overlayfs (overlayfs yes/no) * enable/disable quiet as default (quiet-by-default yes/no) * user-defined network filter (netfilter-default) * enable/disable whitelisting (whitelist yes/no) * enable/disable remounting of /proc and /sys (remount-proc-sys yes/no) * enable/disable chroot desktop features (chroot-desktop yes/no) New/updated profiels: * Gitter, gThumb, mpv, Franz messenger, LibreOffice * pix, audacity, xz, xzdec, gzip, cpio, less * Atom Beta, Atom, jitsi, eom, uudeview * tar (gtar), unzip, unrar, file, skypeforlinux, * inox, Slack, gnome-chess. Gajim IM client, DOSBox - Enable apparmor support- Update to version 0.9.40: * Added firecfg utility * New options: -nice, -cpu.print, -writable-etc, -writable-var, - read-only * X11 support: -x11 option (-x11=xpra, -x11=xephr) * Filetransfer options: –ls and –get * Added mkdir, ipc-namespace, and nosound profile commands * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands * Run time config support, man firejail-config * AppArmor fixes * Default seccomp filter update * Disable STUN/WebRTC in default netfilter configuration * Lots of new profiles- initial package: 0.9.38lamb16 16555383360.9.70-bp154.2.3.10.9.70-bp154.2.3.1firejail-basefirejail-zsh-completionCOPYINGzshsite-functions_firejail/etc/apparmor.d/abstractions/base.d//usr/share/licenses//usr/share/licenses/firejail-zsh-completion//usr/share//usr/share/zsh//usr/share/zsh/site-functions/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protectionobs://build.opensuse.org/openSUSE:Maintenance:17525/openSUSE_Backports_SLE-15-SP4_Update/13701da324d2f631c933cc90f4ea9054-firejail.openSUSE_Backports_SLE-15-SP4_Updatecpioxz5x86_64-suse-linuxASCII textdirectory8ͮ3lB)d:(firejail and zsh)utf-8f42b9e4b0fa7aaf1ad693c24280ea52015eb3a3fa54586013b120b50a0abeabd? 7zXZ !t/+l] crv(vX0T&'Xm,*.<395)&rgT|9[]3)!5dؤqM!Bx!7-+3xyb;]p&)~/,Xnq T[8X(j*Kը@md*^jnG 8Hׁ6(Ӌ}cW,\=h(UP|s̽Cщ.6B݊M9 "zU_b~Dw3l#=T}c#T!F6GTq5"6n$YAl;h5lk/HfB\6kty^~fXBm}:uޫgCOїK0 X#o5賂*+G}nI W7սHX:lo7~ƶSJ|"h涴xlm6?0٭7*}_:f) rUam^uD ( `{T#;(0PH(h'v ]M+YY,IâRnDV4i>= 50r1HUȰʝ>(EFB9v| kU{d "u.]_Bhj\&S̙j]>H۴aFr2d/xo[C]X&+/ c1W3 yҢ gNX\sᥒa`F"l@yB^֔߇Eq#FNr?r y鲳YR >ͷSdnz5L$@n2=VPa-ϩ>2~*QS5%@xN/ۺv̓qS>0k@OF~ic&`n rIuOilH_Xa{Cstw[W0_%Q:Cxn(ݢL˭|Lpjh"QoӦĬ  G~9~~Rz@rE-H8q̪̹goŵP|Nu(uאͿzr Kz-Ѵg TDzBx*O48B1x~d3@(]Xq0YR4ĎitM2}e<)>g=Ȣ1vMm_Ӹ)zZl U4%n.o-!wO GyY"P^YQVsG/ą]$rWlgks60C?ZQb|VLe!nx\n$y(!Ey5[bf0;s"8Q3 ݻ>p?}v?KѾ鬙LJK$vXFj`DXPOw& P%`8$Ԅ8ٕ,cgbÇ5 Y$ue~tl}(2eЕR]Ν^z4ɛss_a~S^?ܛcR36/i~y )__gyVrh><*шcՁޒ)!y 4 CmYV+%ǧFi.Lʮ͘d2__<ʯ=]s *?P:.wX8ww;'D}*+'/KΚRZ1)fl|R/1ztWfA )I`Feav( o"K|L w'0ɀ6&O&sқA2|g³a-p2CYADhgUL,GVujQwĿ?5>5/6ĻSDI; zXۧ{@ NOl{ [X{mU_+/pUL"68&̋?"#9`n{TQOp5'Y"e<",M79Df$9yܔ~SԵ<8sلV;v{9`*p He^Y&0 EXS?2<9^CGoX⿝uXbOUy˞2|PY<ާ+Isy`q>(Y^ȨXr' )!H"Udn~Ԓ"qFUp9`z<$hk9Ѵ|y =%R)PXBD\OIV\ u2jj/x* #WT&wݱۦl~NE9ethE+[QCxN:V8]XIr՞_Tӡcs$,>^)XKC.NS5vR%wŠ|zcw7j5 ҠZbjc7p)x™qpP.Qԍ>W6FP%Cq,_m1 }r_|҅c^D 40ȆD ]%G-ayFT7IPV~SvyhբLDF NĒHYhPդ:4ӣk=/9Q eo gёB gHyYb&YEB@9!Ccy;ʮ<1(u鞸PO97,|n ~暞GN#+ 5Ћ3ǟr/ac .i*yޓAB"qReT58<杪!9PuHi6Fru2,-.+ c7[OPK&Kl+j#8azj9z|R^zQRIz!hU&ҷʀ^j f+ 7{DV#yyGb`eeԆ-T}6\s ࡲ7>IxlBLD'T-ڽ)R='a? &.c7e[i2JK͇zyz0"^, N3A96;,i+dAj A&aCĶ'haq&\U\tyZ0(6Zgh| M]t#7[/S#lGg ʹkɇ3[} qXI-Av +fTcmsSq 6 7g _"`[wĤ &;m q~)ܧ[[C eh΂]:{C%k}wA O) {mrZ@KUiγbSU`f€:)dW)?zʶ4K=} ,JN1Y%$) |+nts. 4p߂'?qМ#Nv.\]iy_2WB}^PCH%٫9bW#tbK^m1vOS8<*zbjw>_5=h-8=$j4P3UJ y\yh m֛wC$׋D,d۳]j3Z8Q\G/ E"|Jl.u^{Iǫ[FhUq/`EW_@/yǛUthl#,Y @ŵ>lqVn >ic9#݌'\5z{V/71"xm_Ay[FpeF܅3.`*g}M7HWXX9 QSW@ZL: w/=)AarOtyF35~\Q9K)(T_;#9Pػ{/4U wnBG~;apOAx?`CK7׊r(ɮݗ.ïDezԙY\`+;gDk 5Ka [Zu͊[r=&Dϕ:Kݹ`㵥xb?VJ:*_ʖoKen18dFĢ%g<U 'd hW {T0F%j.[if5d "RzK,je'~CK\txpr{}㸾9̣ x;ʼ0:n_1u<%.<`lOؒ\XkL0!S:p[736<: ^lF! d?LHRӽY$ƖgP_bm\RTž.06UUBsCC{:Ҋi%WJ<|dp*-_y2^FN!I|KEנ&Z Y[leZQ..i潑eיw]$M:&@j8w#d(d0&렅oU*Iu;/&UD¶mZ1r7!/tݿINM)u+j>Y ycմ+A'^I7iR>^YRl3sh = l-Cy$fژ10,du$/+x%L* ö|@qoCiaZ3 o[!5CoX#} cɹjU ׉ GD 1jG;0fRz+DQꌏ:ㆇ - )(L}CWg)=Å㏓uflTnY E۩i[ֿZ;QH-H0F&hSyjsܕ 7TtV^8&I#֘$o^v*tF]u8%8vVޔ( \&'/!U HAH9A>y?g3rB=y`H*ݔ/;tlv|Et?vG}/7 %i&k+a0='k) Jr_bD}c$x E<)`gb 1ǜP9VsY4mhlnݾ. pF~v&D[Mh㟬agUYk^=0 XdЛHl'd6h߯Rȋhu\-e''Q3 y q1y,N6F E8-Uh:~Sׄ'^dר aMry?GAϐJs[m0JmgUpq7DyQz`A\(-rv.c$4놴nV'H\O9RǛaٔf4Gmu:c""*ѮzgSg8P2.~ E 4n2-H ]M ݈]֟0D4+%+ ZۄšCYC?ekAtݦQ-}8'. 'Ic6F6Qb6Iy sz#aL| yEf]Y qCҢsMF%@7ݼk:T+XLgVU$׹C7M:@Ţthuüq§ 3PQ|^X/ݡcnX5j %+o Ljd ; =bwBE`QPs57cPFJ(+[Um A@T;;N,< gͽ(4B\)~mBa!(Yh+x-Ea͵%y|I*#'T֚ ƢAPCNƸ:&qZɌXkWGFiRNBC?,WA3D]'7? b΅ 41&02C>Ar#MZ;d!̨ ^hޚRƣRp%G`!랴Y QJS1 "d}͘$E5Ì[6 }*'7d .)Ep4H~|҇^+ ੽B+YTT|#0yiOt|wcn8Ӕ>h;cȜKO cUhrpDtOų6K=w zެЫ-1}|e1!%RG!#(&\PQTA}%'U|ԏ<8dTwU_ZŴ .@vR7960J\u0&#RO^ ?P0Be> %:$-ӔZƄWc5ɑ++6*C#"VQXLތ=fmgIC]w`@ )zy"@-ƻF&N_7\u3aYI:N/ 'zhTX2nO ([i^vZs嗕BSu31kH - $[Bεl25q6jiv49R~[)dm8ഗ#LTnHNL[n5^&J7d+n Esʨkj#eӚAb~j<-9PvϯlϏMJz'muH2q;msDdiUIZ.C88A&7b(1n۫iVa*;WB3|lXtU~<&M˻ytJF4z'Vkd'cf/j@6nVd~e|$y60GJj zm`(HlW|qdȫ:pYÊggc M}W<|pY8!^wFjPvRhcS.8Be=P,fh <lz#ܮ@<:zv5AH=Ĩ1VՋC2YQ3! 󌿧Q]GeQI*I<[>YPKjH*!(w+П9 ctpٰWXH V/xuDad"uf\tnfa4rUIAUPZ5Kp˷`2f6K;?bk?絋LvѬ4b2841n_} ~{pi 3A/׹YrR/\h2,5J1<:[q@.҄m֧+8dR G4)][e&h5fwY]{M/q悔,tZ/ʂs_5J#]%utT'&ߍ$+DMtP'C7D(V<+nY&s9k/ܷ * [s EC ƥ68mv`Oz={wB +Yk&pPj.B fI&I#R2=[ZN /Dyw 9n#0?{7 w_HJp)]z%7;5eȮ'ʺx\|nxI3T&SEv Y,} 6MH2] Nw U#PEvTO =^lp-gw6{] Qv4zW(\_"BnT"wC٠Y7}YGM`w?*HMF&Щ.+˟\e[s5d#_rY؁He o^%ط݆N=6 FV #4q]Nmh 5Az|xG˖{tyGSۨGϩjGAxNY=[ 䳶znM -`g0+9-(yvaLw=UMٚ9NcE/PwU?C^JFGOUmc8ɻgj‡5BKD:]ook`L83:YlzI;݄hmOv\~vuEuZa-J ,(<`Jxq~NZD*3BAN [W1E'ţVؗP:DF0~SvAt)(UF RXa>g X" =L &O5p#y_YnvxXtD09h9V+ʣ RDY3Z[{m#ag<_悏3,%'YfY;VHm-KMđS$v&4Ђcn4~-և]!a{'V}}믈~ ]H+[5jU# j2?Rjw% #nfglk1F2ViS&H6V>"))`IT,aFg<a ^eyJa&Kw{!YoVdZ̓uzw?CaWM^ i&]cwG0XܔބTx(Jq fh8J 0YlK =Gg*{