%global commit 8600e859d9dd88bae0bebacdea6962943df8b9ad %global githash %(c=%{commit}; echo ${c:0:7}) %global gitdate 20171212 %global gittime 1945 Name: firejail Version: 0.9.52 Release: 1%{?dist} Epoch: 1 Summary: Linux namespaces sandbox program License: GPL+ Group: Development/Tools Source0: https://github.com/netblue30/firejail/archive/%{commit}/%{name}-v%{version}-%{githash}.tar.gz URL: https://github.com/netblue30/firejail Obsoletes: firejail = 0.9.45 %description Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. %prep %setup -q -n %{name}-%{commit} %build %configure --prefix=%{_prefix} --disable-apparmor make %{?_smp_mflags} %install %make_install chmod u+s %{buildroot}%{_bindir}/firejail rm -rf %{buildroot}%{_libdir}/debug/usr/lib64/firejail %clean rm -rf %{buildroot} %files %doc %license %attr(0755, -, -) %{_bindir}/firejail %{_bindir}/firemon %{_bindir}/firecfg %{_libdir}/firejail/faudit %{_libdir}/firejail/fbuilder %{_libdir}/firejail/fnetfilter %{_libdir}/firejail/fcopy %{_libdir}/firejail/fseccomp %{_libdir}/firejail/ftee %{_libdir}/firejail/fnet %{_libdir}/firejail/seccomp %{_libdir}/firejail/seccomp.32 %{_libdir}/firejail/seccomp.64 %{_libdir}/firejail/seccomp.debug %{_libdir}/firejail/fshaper.sh %{_libdir}/firejail/libtrace.so %{_libdir}/firejail/libtracelog.so %{_libdir}/firejail/firecfg.config %{_libdir}/firejail/fjresize.* %{_libdir}/firejail/fjdisplay.* %{_libdir}/firejail/fjclip.* %{_libdir}/firejail/fix_private-bin.* %{_libdir}/firejail/fj-mkdeb.* %{_libdir}/firejail/fldd %{_libdir}/firejail/libpostexecseccomp.so %{_libdir}/firejail/seccomp.block_secondary %{_libdir}/firejail/seccomp.mdwx %{_datarootdir}/bash-completion/completions/firejail %{_datarootdir}/bash-completion/completions/firemon %{_datarootdir}/bash-completion/completions/firecfg %{_docdir}/firejail %{_mandir}/man1/firejail.1.gz %{_mandir}/man1/firemon.1.gz %{_mandir}/man1/firecfg.1.gz %{_mandir}/man5/firejail-login.5.gz %{_mandir}/man5/firejail-profile.5.gz %config(noreplace) %{_sysconfdir}/firejail %changelog * Fri Jan 29 2016 heiko 0.9.38-1 - specfile cleanup - use pkgconfig whereever possible - update to latest git snapshot * Mon Sep 14 2015 netblue30 0.9.30-1 - added a disable-history.inc profile as a result of Firefox PDF.js exploit; disable-history.inc included in all default profiles - Firefox PDF.js exploit (CVE-2015-4495) fixes - added --private-etc option - added --env option - added --whitelist option - support ${HOME} token in include directive in profile files - --private.keep is transitioned to --private-home - support ~ and blanks in blacklist option - support "net none" command in profile files - using /etc/firejail/generic.profile by default for user sessions - using /etc/firejail/server.profile by default for root sessions - added build --enable-fatal-warnings configure option - added persistence to --overlay option - added --overlay-tmpfs option - make install-strip implemented, make install renamed - bugfixes * Sat Aug 1 2015 netblue30 0.9.28-1 - network scanning, --scan option - interface MAC address support, --mac option - IP address range, --iprange option - traffic shaping, --bandwidth option - reworked printing of network status at startup - man pages rework - added firejail-login man page - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default profiles - added an /etc/firejail/disable-common.inc file to hold common directory blacklists - blacklist Opera and Chrome/Chromium config directories in profile files - support noroot option for profile files - enabled noroot in default profile files - bugfixes * Thu Apr 30 2015 netblue30 0.9.26-1 - private dev directory - private.keep option for whitelisting home files in a new private directory - user namespaces support, noroot option - added Deluge and qBittorent profiles - bugfixes * Sun Apr 5 2015 netblue30 0.9.24-1 - whitelist and blacklist seccomp filters - doubledash option - --shell=none support - netfilter file support in profile files - dns server support in profile files - added --dns.print option - added default profiles for Audoacious, Clementine, Rhythmbox and Totem. - added --caps.drop=all in default profiles - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp - clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids - two build patches from Reiner Herman (tickets 11, 12) - man page patch from Reiner Herman (ticket 13) - output patch (ticket 15) from sshirokov * Mon Mar 9 2015 netblue30 0.9.22-1 - Replaced --noip option with --ip=none - Container stdout logging and log rotation - Added process_vm_readv, process_vm_writev and mknod to default seccomp blacklist - Added CAP_MKNOD to default caps blacklist - Blacklist and whitelist custom Linux capabilities filters - macvlan device driver support for --net option - DNS server support, --dns option - Netfilter support - Monitor network statistics, --netstats option - Added profile for Mozilla Thunderbird/Icedove - --overlay support for Linux kernels 3.18+ - Bugfix: preserve .Xauthority file in private mode (test with ssh -X) - Bugfix: check uid/gid for cgroup * Fri Feb 6 2015 netblue30 0.9.20-1 - utmp, btmp and wtmp enhancements - create empty /var/log/wtmp and /var/log/btmp files in sandbox - generate a new /var/run/utmp file in sandbox - CPU affinity, --cpu option - Linux control groups support, --cgroup option - Opera web browser support - VLC support - Added "empty" attribute to seccomp command to remove the default - syscall list form seccomp blacklist - Added --nogroups option to disable supplementary groups for regular - users. root user always runs without supplementary groups. - firemon enhancements - display the command that started the sandbox - added --caps option to display capabilities for all sandboxes - added --cgroup option to display the control groups for all sandboxes - added --cpu option to display CPU affinity for all sandboxes - added --seccomp option to display seccomp setting for all sandboxes - New compile time options: --disable-chroot, --disable-bind - bugfixes * Sat Dec 27 2014 netblue30 0.9.18-1 - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls - Support for tracing setreuid, setregid, setresuid, setresguid syscalls - Added profiles for transmission-gtk and transmission-qt - bugfixes * Tue Nov 4 2014 netblue30 0.9.16-1 - Configurable private home directory - Configurable default user shell - Software configuration support for --docdir and DESTDIR - Profile file support for include, caps, seccomp and private keywords - Dropbox profile file - Linux capabilities and seccomp filters enabled by default for Firefox, Midori, Evince and Dropbox - bugfixes * Wed Oct 8 2014 netblue30 0.9.14-1 - Linux capabilities and seccomp filters are automatically enabled in chroot mode (--chroot option) if the sandbox is started as regular user - Added support for user defined seccomp blacklists - Added syscall trace support - Added --tmpfs option - Added --balcklist option - Added --read-only option - Added --bind option - Logging enhancements - --overlay option was reactivated - Added firemon support to print the ARP table for each sandbox - Added firemon support to print the route table for each sandbox - Added firemon support to print interface information for each sandbox - bugfixes * Tue Sep 16 2014 netblue30 0.9.12-1 - Added capabilities support - Added support for CentOS 7 - bugfixes