exploitDog

openSUSE-SU-2022:0037-1

Published: 16 Feb 2022
Source: suse-cvrf

Description

Security update for firejail

This update for firejail fixes the following issues:

  • Update Leap 15.3 package to 0.9.68 (boo#1195880)

update to firejail 0.9.68:

  • security: on Ubuntu, the PPA is now recommended over the distro package (see README.md) (#4748)
  • security: bugfix: private-cwd leaks access to the entire filesystem (#4780); reported by Hugo Osvaldo Barrera
  • feature: remove (some) environment variables with auth-tokens (#4157)
  • feature: ALLOW_TRAY condition (#4510 #4599)
  • feature: add basic Firejail support to AppArmor base abstraction (#3226 #4628)
  • feature: intrusion detection system (--ids-init, --ids-check)
  • feature: deterministic shutdown command (--deterministic-exit-code, --deterministic-shutdown) (#928 #3042 #4635)
  • feature: noprinters command (#4607 #4827)
  • feature: network monitor (--nettrace)
  • feature: network locker (--netlock) (#4848)
  • feature: whitelist-ro profile command (#4740)
  • feature: disable pipewire with --nosound (#4855)
  • feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
  • feature: Allow apostrophe in whitelist and blacklist (#4614)
  • feature: AppImage support in --build command (#4878)
  • modifs: exit code: distinguish fatal signals by adding 128 (#4533)
  • modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
  • modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
  • modifs: nogroups now stopped causing certain system groups to be dropped, which are now controlled by the relevant 'no' options instead (such as nosound -> drop audio group), which fixes device access issues on systems not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
  • removal: --disable-whitelist at compile time
  • removal: whitelist=yes/no in /etc/firejail/firejail.config
  • bugfix: Fix sndio support (#4362 #4365)
  • bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
  • bugfix: --build clears the environment (#4460 #4467)
  • bugfix: firejail hangs with net parameter (#3958 #4476)
  • bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
  • bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
  • bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
  • bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
  • bugfix: Firejail rejects empty arguments (#4395)
  • bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
  • bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
  • bugfix: private-etc does not work with symlinks (#4887)
  • bugfix: Hardware key not detected on keepassxc (#4883)
  • build: allow building with address sanitizer (#4594)
  • build: Stop linking pthread (#4695)
  • build: Configure cleanup and improvements (#4712)
  • ci: add profile checks for sorting disable-programs.inc and firecfg.config and for the required arguments in private-etc (#2739 #4643)
  • ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
  • docs: Add new command checklist to CONTRIBUTING.md (#4413)
  • docs: Rework bug report issue template and add both a question and a feature request template (#4479 #4515 #4561)
  • docs: fix contradictory descriptions of machine-id ('preserves' vs 'spoofs') (#4689)
  • docs: Document that private-bin and private-etc always accumulate (#4078)
  • new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
  • new includes: disable-proc.inc (#4521)
  • removed includes: disable-passwordmgr.inc (#4454 #4461)
  • new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
  • new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
  • new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
  • new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
  • new profiles: imv, retroarch, torbrowser, CachyBrowser,
  • new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
  • new profiles: Seafile, neovim, com.github.tchx84.Flatseal

firejail 0.9.66:

  • deprecated --audit options, replaced by jailcheck utility
  • deprecated follow-symlink-as-user from firejail.config
  • new firejail.config settings: private-bin, private-etc
  • new firejail.config settings: private-opt, private-srv
  • new firejail.config settings: whitelist-disable-topdir
  • new firejail.config settings: seccomp-filter-add
  • removed kcmp syscall from seccomp default filter
  • rename --noautopulse to keep-config-pulse
  • filtering environment variables
  • zsh completion
  • command line: --mkdir, --mkfile
  • --protocol now accumulates
  • jailtest utility for testing running sandboxes
  • faccessat2 syscall support
  • --private-dev keeps /dev/input
  • added --noinput to disable /dev/input
  • add support for subdirs in --private-etc
  • subdirs support in private-etc
  • input devices support in private-dev, --no-input
  • support trailing comments on profile lines
  • many new profiles
  • split shell completion into standard subpackages

Package list

SUSE Package Hub 15 SP3
firejail-0.9.68-bp153.2.3.1
openSUSE Leap 15.3
firejail-0.9.68-bp153.2.3.1
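The package list above gives the fixed build, firejail-0.9.68-bp153.2.3.1. The following is an added example, not part of the advisory or of the firejail project, of how an administrator could check hosts against that version: it extracts the upstream version from an rpm-style package name (assumed to look like `firejail-0.9.68-bp153.2.3.1`, as `rpm -q firejail` prints it) and compares it field by field with 0.9.68. The helper names (`upstream_version`, `vercmp`, `firejail_is_fixed`) and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the firejail project): decide whether
# an installed firejail package already carries the fix from openSUSE-SU-2022:0037-1.
# Assumes rpm-style names such as "firejail-0.9.68-bp153.2.3.1", where the
# upstream version is the dotted-numeric field between the package name and
# the first "-" of the distro release.

FIXED_VERSION="0.9.68"   # upstream version shipped by this advisory

# upstream_version NAME: print the upstream version part of an rpm name or of a
# bare version string ("firejail-0.9.68-bp153.2.3.1" -> "0.9.68").
upstream_version() {
    v="${1#firejail-}"
    printf '%s\n' "${v%%-*}"
}

# vercmp A B: return 0 if A >= B, 1 if A < B, comparing dotted numeric fields
# left to right; a missing field counts as 0 ("0.9" compares like "0.9.0").
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# firejail_is_fixed NAME: return 0 if the package version is at or above
# FIXED_VERSION, 1 if the host still needs this update.
firejail_is_fixed() {
    vercmp "$(upstream_version "$1")" "$FIXED_VERSION"
}

# Stand-alone use: check the package actually installed on this host, if rpm exists.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q firejail 2>/dev/null) || installed=""
    if [ -n "$installed" ]; then
        if firejail_is_fixed "$installed"; then
            echo "$installed: fixed (>= $FIXED_VERSION)"
        else
            echo "$installed: NEEDS UPDATE to firejail-0.9.68-bp153.2.3.1"
        fi
    fi
fi
```

The comparison deliberately ignores the distro release suffix (`bp153.2.3.1`): the security fix for private-cwd is tied to the upstream 0.9.68 release, so any rebuild of that version or later passes, while 0.9.66 and older builds are reported as needing the update.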