forked from netblue30/firejail
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
1349 lines (1330 loc) · 50.1 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Firejail is a SUID sandbox program that reduces the risk of security breaches
by restricting the running environment of untrusted applications using Linux
namespaces and seccomp-bpf.
It includes sandbox profiles for many programs, including Iceweasel/Mozilla
Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audacious,
Clementine, Rhythmbox, Totem, Deluge, qBittorrent, DeaDBeeF, Dropbox, Empathy,
FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel, and XChat.
Firejail also expands the restricted shell facility found in bash by adding
Linux namespace support. It supports sandboxing specific users upon login.
Download: https://sourceforge.net/projects/firejail/files/
Build and install: ./configure && make && sudo make install
Documentation and support: https://firejail.wordpress.com/
Video Channel: https://www.brighteon.com/channels/netblue30
Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
Development: https://github.com/netblue30/firejail
License: GPL v2
Please report all security vulnerabilities to:
Compile and install the mainline version from GitHub:
git clone https://github.com/netblue30/firejail.git
cd firejail
./configure && make && sudo make install-strip
On Debian/Ubuntu you will need to install git and gcc.
To build with AppArmor support (which is usually used on Debian, Ubuntu,
openSUSE and derivatives), install the AppArmor development libraries and
pkg-config and use the `--enable-apparmor` ./configure option:
sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
To build with SELinux support (which is usually used on Fedora, RHEL and
derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the
`--enable-selinux` ./configure option.
We build our release firejail.tar.xz and firejail.deb packages using the
following commands:
make distclean && ./configure && make deb
Maintainer:
- netblue30 ([email protected])
Committers:
- chiraag-nataraj (https://github.com/chiraag-nataraj)
- crass (https://github.com/crass)
- ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- curiosityseeker (https://github.com/curiosityseeker)
- glitsj16 (https://github.com/glitsj16)
- Fred-Barclay (https://github.com/Fred-Barclay)
- Kelvin M. Klann (https://github.com/kmk3)
- Kristóf Marussy (https://github.com/kris7t)
- Neo00001 (https://github.com/Neo00001)
- pirate486743186 (https://github.com/pirate486743186)
- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
- rusty-snake (https://github.com/rusty-snake)
- smitsohu (https://github.com/smitsohu)
- SkewedZeppelin (https://github.com/SkewedZeppelin)
- startx2017 (https://github.com/startx2017)
maintainer)
- Topi Miettinen (https://github.com/topimiettinen)
- veloute (https://github.com/veloute)
- Vincent43 (https://github.com/Vincent43)
- netblue30 ([email protected])
---
Firejail Authors (alphabetical order):
0x7969 (https://github.com/0x7969)
- fix wire-desktop.profile
- add ferdi.profile
0x9fff00 (https://github.com/0x9fff00)
- add Colossal Order to steam.profile
7twin (https://github.com/7twin_)
- fix typos
- fix flameshot raw screenshots
1dnrr (https://github.com/1dnrr)
- add pybitmessage profile
a1346054 (https://github.com/a1346054)
- add missing final newlines in various files
- Remove deprecated syntax and modernize shell test scripts
Ádler Jonas Gross (https://github.com/adgross)
- AppArmor fix
Adrian L. Shaw (https://github.com/adrianlshaw)
- add profanity profile
- add barrirer profile
- add profile for Beyond All Reason
- RPCS3 profile
Aidan Gauland (https://github.com/aidalgol)
- added electron, riot-web and npm profiles
- whitelist Bohemia Interactive config dir for Steam
Akhil Hans Maulloo (https://github.com/kouul)
- xz profile
Albin Kauffmann (https://github.com/albinou)
- Firefox and Chromium profile fixes
- info to allow screen sharing in profiles
Alexandre Provencio (https://github.com/aleprovencio)
- fix qutebrowser not opening tabs
Alex Leahu (https://github.com/alxjsn)
- fix screen sharing configuration on Wayland
Alexey Kuznetsov ([email protected])
- src/lib/libnetlink.c extracted from iproute2 software package
Aleksey Manevich (https://github.com/manevich)
- several profile fixes
- fix problem with relative path in storage_find function
- fix build for systems without bash
- fix double quotes/single quotes problem
- big rework of argument processing subsystem
- --join fixes
- splitting up cmdline.c
- Busybox support
- X11 support rewrite
- gether shell selection code in one place
- fixed several TOCTOU security problems
- added --fix option to firecfg utility
- read_pid fix
- added --x11=block options
- x11 xpra, xphyr, none profile commands
- added --join-or-start command
- CVE-2016-7545
Alexander Gerasiov (https://github.com/gerasiov)
- read-only ~/.ssh/authorized_keys
- profile updates
- fcopy: Use lstat when copy directory
Alexander Stein (https://github.com/ajstein)
- added profile for qutebrowser
alkim0 (https://github.com/alkim0)
- warn when encountering EIO during remount
- Add profile for chafa
amano-kenji (https://github.com/amano-kenji)
- fix private-etc in qutebrowser profile
Amin Vakil (https://github.com/aminvakil)
- whois profile fix
- added profile for strawberry
- w3m profile fix
- disable seccomp in wireshark profile
Ammon Smith (https://github.com/ammongit)
- Add DBus filter rules specific to firefox-developer-edition
Andreas Hunkeler (https://github.com/Karneades)
- Add profile for official Linux Teams application
Andrey Alekseenko (https://github.com/al42and)
- fixing lintian warnings
- fixed Skype profile
andrew160 (https://github.com/andrew160)
- profile and man pages fixes
Andrew Branson (https://github.com/abranson)
- 32bit ARM syscall table
announ (https://github.com/announ)
- mpv and youtube-dl profile fixes
- git profile fix
- evince profile fix
Antoine Catton (https://github.com/acatton)
- add keep-shell-rc command and option
Anton Shestakov (https://github.com/antonv6)
- add whitelist items for uim
- allow /etc/vulkan in steam profile
- allow ~/.cache/wine in lutris and wine profile
- support MangoHud in steam profile
Antonio Russo (https://github.com/aerusso)
- enumerate root directories in apparmor profile
- fix join-or-start
- wusc fixes
- okular profile fixes
- manpage fixes
aoand (https://github.com/aoand)
- seccomp fix: allow numeric syscalls
Arne Welzel (https://github.com/awelzel)
- ignore SIGTTOU during flush_stdin()
archaon616 (https://github.com/archaon616)
- steam.profile: allow Factorio, Zomboid
Atrate (https://github.com/Atrate)
- BetterDiscord support
Austin Morton (https://github.com/apmorton)
- deterministic-exit-code option
- private-cwd options
Austin S. Hemmelgarn (https://github.com/Ferroin)
- unbound profile update
Avi Lumelsky (https://github.com/avilum)
- syscall.sh improvements
avallach2000 (https://github.com/avallach2000(
- fix qbittorrent profile
- support for changing appearance of the Qt6 apps with qt6ct
avoidr (https://github.com/avoidr)
- whitelist fix
- recently-used.xbel fix
- added parole profile
- blacklist ncat
- hostname support in profile file
- Google Chrome profile rework
- added cmus profile
- man page fixes
- add net iface support in profile files
- paths fix
- lots of profile fixes
- added mcabber profile
- fixed mpv profile
- various other fixes
Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- add support for custom AppArmor profiles (--apparmor=)
- add Landlock support
backspac (https://github.com/backspac)
- firecfg fixes
- add steam-runtime alias
Bader Zaidan (https://github.com/BaderSZ)
- Telegram profile
Bandie (https://github.com/Bandie)
- fixed riot-desktop
Barış Ekin Yıldırım (https://github.com/circuitshaker)
- removing net none from code.profile
Bart Bakker (https://github.com/bjpbakker)
- multimc5: fix exec of LWJGL libraries
bbhtt (https://github.com/bbhtt)
- improvements to balsa,fractal,gajim,trojita profiles
- improvements to nheko, spectral, feh, links, lynx, smplayer profiles
- added alacarte, com.github.bleakgrey.tootle, photoflare profiles
- add profiles for MS Edge dev build for Linux and Librewolf
- fixes to cheese, authenticator, liferea
- add profile for straw-viewer
- email clients whitelisting and fixes
Benjamin Kampmann (https://github.com/ligthyear)
- Forward exit code from child process
BeautyYuYanli (https://github.com/BeautyYuYanli)
- add linuxqq and qq profiles
bitfreak25 (https://github.com/bitfreak25)
- added PlayOnLinux profile
- minetest profile fix
- added sylpheed profile
bn0785ac (https://github.com/bn0785ac)
- fixed bnox, dnox profiles
- support all tor-browser langpacks
- chromium canary (inox-family) fixes
- allow multithreading for cin and natron
- fix dbus access for libreoffice on KDE
- fix inox, add snox profile
BogDan Vatra (https://github.com/bog-dan-ro)
- zoom profile
Brad Ackerman
- blacklist Bitwarden config in disable-passwdmgr.inc
briaeros (https://github.com/briaeros)
- fix command test in jail_prober.py
botherer (https://github.com/botherder)
- add CoyIM profile
Bruno Nova (https://github.com/brunonova)
- whitelist fix
- bash arguments fix
Bundy01 (https://github.com/Bundy01)
- fixup geary
- add gradio profile
- update virtualbox.profile
- Quodlibet profile
- update apparmor firejail-local for Brave + ipfs
bymoz089 (https://github.com/bymoz089)
- add timezone access to make libical functional
BytesTuner (https://github.com/BytesTuner)
- provided keepassxc profile
caoliver (https://github.com/caoliver)
- network system fixes
Carlo Abelli (https://github.com/carloabelli)
- fixed udiskie profile
- Allow mbind syscall for GIMP
- fixed simple-scan
Case_Of (https://github.com/CaseOf)
- added Seafile profile
Cat (https://github.com/ecat3)
- prevent tmux connecting to an existing session
cayday (https://github.com/caydey)
- added ~/Private blacklist in disable-common.inc
- added quiet to some CLI profiles
Christian Pinedo (https://github.com/chrpinedo)
- added nicotine profile
- allow python3 in totem profile
creideiki (https://github.com/creideiki)
- make the sandbox process reap all children
- tor browser profile fix
chiraag-nataraj (https://github.com/chiraag-nataraj)
- support for newer Xpra versions (2.1+)
- added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles
- added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles
- added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles
- added tor, x-terminal-emulator, zart profiles
Christian Stadelmann (https://github.com/genodeftest)
- profile fixes
- evolution profile fix
Clayton Williams (https://github.com/gosre)
- addition of RLIMIT_AS
CodeWithMa (https://github.com/CodeWithMa)
- mpv.profile: add new XDG_STATE_HOME path
corecontingency (https://https://github.com/corecontingency)
- tighten private-bin and etc for torbrowser-launcher.profile
- added i2prouter profile
- add several games to steam and disable-programs
crass (https://github.com/crass)
- extract_command_name fixes
- update appimage size calculation to newest code from libappimage
- firejail should look for processes with names exactly named
croket (https://github.com/crocket)
- fix librewolf profile
- added profiles for imv, retroarch, and torbrowser
- fix dino profile
- fix wireshark profile
- prevent emptty /usr/share in google-chrome profiles
cubercsl (https://github.com/cubercsl)
- add linuxqq and qq profiles
curiosity-seeker (https://github.com/curiosity-seeker - old)
curiosityseeker (https://github.com/curiosityseeker - new)
- tightening unbound and dnscrypt-proxy profiles
- correct and tighten QuiteRss profile
- dnsmasq profile
- okular and gwenview profiles
- cherrytree profile fixes
- added quiterss profile
- added guayadeque profile
- added VirtualBox.profile
- various other profile fixes
- added digiKam profile
- write-protection for thumbnailer dir
- added gramps, newsboat, freeoffice-planmaker profiles
- added freeoffice-textmaker, freeoffice-presentations profiles
- added cantata profile
- updated keypassxc profile
- added syscalls.sh, which determine the necessary syscalls for a program
- fixed conky profile
- thunderbird.profile: harden and enable the rules necessary to make
Firefox open links
D357R0Y3R (https://github.com/D357R0Y3R)
- added floorp to firejail.config
da2x (https://github.com/da2x)
- matched RPM license tag
Daan Bakker (https://github.com/dbakker)
- protect shell startup files
Danil Semelenov (https://github.com/sgtpep)
- blacklist the Electron Cash Wallet
- blacklist s3cmd and s3fs configs
- blacklist Ethereum, Monero wallets
- blacklist Dash Core wallet
Dara Adib (https://github.com/daradib)
- ssh profile fix
- evince profile fix
- linphone profile fix
Dario Pellegrini (https://github.com/dpellegr)
- allowing links in netns
David Fetter (https://github.com/davidfetter)
- bump up copyright years
David Thole (https://github.com/TheDarkTrumpet)
- added profile for teams-for-linux
Davide Beatrici (https://github.com/davidebeatrici)
- steam.profile: correctly blacklist unneeded directories in user's home
- minetest fixes
- map /dev/input with "--private-dev", add "--no-input" option to disable it
- whitelist /usr/share/TelegramDesktop in telegram.profile
- allow access to ~/.cache/winetricks
David Hyrule (https://github.com/Svaag)
- remove nou2f in ssh profile
Deelvesh Bunjun (https://github.com/DeelveshBunjun)
- added xpdf profile
DefaultUser (https://github.com/DefaultUser)
- neochat: Allow netlink
Denis Subbotin (https://github.com/mr-tron)
- telegram.profile: allow ~/.local/share/telegram-desktop
Denys Havrysh (https://github.com/vutny)
- update SkypeForLinux profile for latest version
- removed outdated Skype profile
dewbasaur (https://github.com/dewbasaur)
- block access to history files
- Firefox PDF.js exploit (CVE-2015-4495) fixes
- Steam profile
DiGitHubCap (https://github.com/DiGitHubCap)
- deluge profile fix
- fix qt5ct colour schemes and QSS
Dieter Plaetinck (https://github.com/Dieterbe)
- qutebrowser: update MPRIS name for qutebrowser-qt6
- fix email-common.profile
- fix claws-mail profile
Disconnect3d (https://github.com/disconnect3d)
- code cleanup
dm9pZCAq (https://github.com/dm9pZCAq)
- fix for compilation under musl
dmfreemon (https://github.com/dmfreemon)
- add sandbox name or name of private directory to the window title
when xpra is used
- handle malloc() failures; use gnu_basename() instead of basenaem()
Dmitriy Chestnykh (https://github.com/chestnykh)
- add ability to disable user profiles at compile time
- lookup xauth in PATH
Dpeta (https://github.com/Dpeta)
- add Chatterino profile
dshmgh (https://github.com/dshmgh)
- overlayfs fix for systems with /home mounted on a separate partition
Duncan Overbruck (https://github.com/Duncaen)
- musl libc fix
- utmp fix
- fix install for --disable-seccomp software configurations
Eduard Tolosa (https://github.com/Edu4rdSHL)
- fixed and hardened qpdfview.profile
- fixed gajim.profile
Eklektisk (https://github.com/Eklektisk)
- update librewolf.profile: use new d-bus message bus
emacsomancer (https://github.com/emacsomancer)
- added profile for Conkeror browser
Emil Gedda (https://github.com/EmilGedda)
- fix multicast CIDR address in nolocal.net
eventyrer (https://github.com/eventyrer)
- update gnome-mplayer.profile
Ethan R (https://github.com/AN3223)
- add allow-perl.inc to w3m.profile
Fabian Würfl (https://github.com/BafDyce)
- fixed race condition when creating a new directory
- Liferea profile
Felipe Barriga Richards (https://github.com/fbarriga)
- --private-etc fix
Felix Pehla (https://github.com/FelixPehla)
- fix fractal profile
fenuks (https://github.com/fenuks)
- fix sound in games using FMOD
- allow /opt/tor-browser for Tor Browser profile
fkrone (https://github.com/fkrone)
- fix Zoom profile
Fidel Ramos (https://github.com/haplo)
- added Ledger Live profile
- fixed geeqie profile
- added rawtherapee profile
- added electron-cache profile
Florian Begusch (https://github.com/florianbegusch)
- (la)tex profiles
- fixed transmission-common.profile
- fixed standardnotes-desktop.profile
- fix jailprober.py
floxo (https://github.com/floxo)
- fixed qml disk cache issue
Foemass (https://github.com/Foemass)
- documentation
Franco (nextime) Lanza (https://github.com/nextime)
- added --private-template/--private-home
František Polášek (https://github.com/fandaa)
- fix QOwnNotes profile
fuelflo (https://github.com/fuelflo)
- added rambox profile
Fred-Barclay (https://github.com/Fred-Barclay)
- lots of profile fixes
- added Vivaldi, Atril profiles
- added PaleMoon profile
- split Icedove and Thunderbird profiles
- added 0ad profile
- fixed version for .deb packages
- added Warzone2100 profile
- blacklisted VeraCrypt
- added Gpredict profile
- added Aweather, Stellarium profiles
- fixed HexChat and Atril profiles
- fixed disable-common.inc for mate-terminal
- blacklisted escape-happy terminals in disable-common.inc
- blacklisted g++
- added xplayer, xreader, and xviewer profiles
- added Brave profile
- added Gitter profile
- various organising
- added LibreOffice profile
- added pix profile
- added audacity profile
- fixed Telegram and qtox profiles
- added Atom Beta and Atom profiles
- tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles
- several private-bin conversions
- added jitsi profile
- pidgin private-bin conversion
- added eom profile
- added gnome-chess profile
- added DOSBox profile
- evince profile enhancement
- tightened Spotify profile
- added xiphos and Tor Browser Bundle profiles
- added xed and pluma profiles
- added Cryptocat profile
- added wireshark profile
- uudeview profile fix
- fixed palemoon and qbittorrent profiles
- compile/install scripts for --git-install/--git-uninstall commands
- tighten keepassx
- added Thunar profile
- added mousepad, qpicview, and cvlc profiles
- added BibleTime profile
- added caja and galculator profiles
- added Catfish profile
Frederik Olesen (https://github.com/Freso)
- added many vim profiles
Frostbyte4664 (https://github.com/Frostbyte4664)
- steam.profile: Allow Baba Is You
- blender-3.6 redirect
g3ngr33n (https://github.com/g3ngr33n)
- fix musl compilation
G4JC (https://sourceforge.net/u/gaming4jc/profile/)
- ARM support
- profile fixes
Gaman Gabriel (https://github.com/stelariusinfinitek)
- inox profile
geg2048 (https://github.com/geg2048)
- kwallet profile fixes
glitsj16 (https://github.com/glitsj16)
- evince-previewer, evince-thumbnailer profiles
- gnome-recipes, gnome-logs profiles
- fixed private-lib for gnome-calculator
- gunzip, bunzip2 profiles
- enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles
- atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes
- acat, adiff, als, apack, arepack, aunpack profiles,
- fix sqlitebrowser blacklist
- spelling fixes
- bitblbee profile fixes
- fix firefox common addons
- many profile fixes
- profile fixes: file, strings, claws-mail,
- new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
- new profiles: devilspie, devilspie2, easystroke, github-desktop, min
- new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
- new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
- new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
- new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
- new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
- new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
- new profiles: masterpdfeditor
glu8716 (https://github.com/glu8716)
- nicotine: support Fcitx and dconf via dbus-user filter
gm10 (https://github.com/gm10)
- get_user() do not use the unreliable getlogin()
GovanifY (https://github.com/GovanifY)
- Blacklisting openrc paths by defaults
graywolf (https://github.com/graywolf)
- spelling fix
greigdp (https://github.com/greigdp)
- Gajim IM client profile
- fixed spotify profile
- added Slack profile
- add Spotify profile
grizzlyuser (https://github.com/grizzlyuser)
- added support for youtube-dl in smplayer profile
GSI (https://github.com/GSI)
- added Uzbl browser profile
haarp (https://github.com/haarp)
- Allow sound for hexchat
- discord-common.profile: harden & allow notifications
hamzadis (https://github.com/hamzadis)
- added --overlay-named=name and --overlay-path=path
Hans-Christoph Steiner (https://github.com/eighthave)
- added xournal profile
Harald Kubota (https://github.com/haraldkubota)
- zsh completion
Harry Seiler (https://github.com/Xunil73)
- allow netlink in pigdin
hawkey116477 (https://github.com/hawkeye116477)
- added Waterfox profile
- updated Cyberfox profile
- updated Waterfox profile
Helmut Grohne (https://github.com/helmutg)
- compiler support in the build system - Debian bug #869707
hhzek0014 (https://github.com/hhzek0014)
- updated bibletime.profile
hknaack (https://github.com/hknaack)
- Kate profile fixes
- seamonkey.profile: support enigmail/gpg
- Avidemux tools support
hlein (https://github.com/hlein)
- strip out \r's from jail prober
- make env/arg sanity check failure messages more useful
- relocate firecfg.config to /etc/firejail/
- fix display profile for Gentoo distribution
Holger Heinz (https://github.com/hheinz)
- manpage work
Hotty Capy (https://github.com/hotcapy)
- softmaker-common.profile: add fstab to private-etc
Haowei Yu (https://github.com/sfc-gh-hyu)
- add configure options when building rpm
Icaro Perseo (https://github.com/icaroperseo)
- Icecat profile
- several profile fixes
Ilya Pankratov (https://github.com/i-pankrat)
- profstats fix
- fix various memory resource leaks
Igor Bukanov (https://github.com/ibukanov)
- found/fiixed privilege escalation in --hosts-file option
iiotx (https://github.com/iiotx)
- use generic.profile by default
Impyy (https://github.com/Impyy)
- added mumble profile
intika (https://github.com/intika)
- added musixmatch profile
irandms (https://github.com/irandms)
- man firecfg fixes
irregulator (https://github.com/irregulator)
- thunderbird profile fixes for debian stretch
Irvine (https://github.com/Irvinehimself)
- added conky profile
- added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles
Ivan (https://github.com/ordinary-dev)
- fix telegram profile
Ivan Kozik (https://github.com/ivan)
- speed up sandbox exit
Jaykishan Mutkawoa (https://github.com/jmutkawoa)
- cpio profile
James Elford (https://github.com/jelford)
- pass password manager support
- removed shell none from ssh-agent configuration, fixing the infinite loop
- added gcloud profile
- blacklist sensitive cloud provider files in disable-common
Jan-Niclas (https://github.com/0x6a61)
- moved rules from firefox-common.profile to firefox.profile
- blacklist /*firefox* except for firefox itself
- fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox
Jan Sonntag (https://github.com/jmetrius)
- added OpenStego profile
- allow common access to EGL External platform configuration directory
Jean Lucas (https://github.com/flacks)
- fix Discord profile
- add AnyDesk profile
- add WebStorm profile
- add XMind profile
- add Whalebird profile
- add zulip profile
- add nvm to list of disabled interpreters
- fixes for tor-browser-* profiles
- alias for riot-desktop
- add gnome-mpv profile
- fix wire profile
- fix itch profile
- add Beaker profile
- fixes for gnome-music
- allow reading of system-wide Flatpak locale in gajim profile
Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth)
- fixed spotify.profile
Jeff Squyres (https://github.com/jsquyres)
- various manpage fixes
- cmdline.c: optionally quote the resulting command line
Jericho (https://github.com/attritionorg)
- spelling
Jesse Smith (https://github.com/slicer69)
- added QupZilla profile
jgriffiths (https://github.com/jgriffiths)
- make rpm packages support
Joan Figueras (https://github.com/figue)
- added abrowser profile
- added Google-Play-Music-Desktop-Player
- added cyberfox profile
John Mullee (https://github.com/jmullee)
- fix empty-string assignment in whitelisting code
Jonas Heinrich (https://github.com/onny)
- added signal-desktop profile
- fixed franz profile
- remove /etc/hosts is_link check for NixOS
- whitelist for NixOS to resolve binary paths in user environment
- NixOS fix OpenGL app support
Jose Riha (https://github.com/jose1711)
- added meteo-qt profile
- created qgis, links, xlinks profiles
- extended profile.template with comments
- some typo and comment fixes in profile.template
- Make it possible for cheese app to save pictures too
- Add davfs2 secrets file to blacklist
- Add profile for udiskie
- fix udiskie.profile
- improve hints for allowing browser access to Gnome extensions connector
- fix warshow, jumpnbump, tremulous, blobwars profile fixes
- drop noinput for games with gampad/joystick support
- goldendict profile fix
- whitelist /usr/share/nextcloud to allow access to translation files
- fix clipgrab profile
- fix Hugin profile
jrabe (https://github.com/jrabe)
- disallow access to kdbx files
- Epiphany profile
- Polari profile
- qTox profile
- X11 fixes
jtrv (https://github.com/jtrv)
- tidal-hifi profile
juan (https://github.com/nyancat18)
- fixed Kdenlive, Shotcut profiles
- new profiles for Cinelerra, Cliqz, Bluefish
- profile hardening
k4leg (https://github.com/k4leg)
- fix PyCharm profiles
Kaan Genç (https://github.com/SeriousBug)
- dynamic allocation of noblacklist buffer
Karoshi42 (https://github.com/karoshi42)
- update dino-im.profile
KellerFuchs (https://github.com/KellerFuchs)
- nonewpriv support, extended profiles for this feature
- make `restricted-network` prevent use of netfilter
- disable-common.inc additions
- make mutt and msmtp's rc files read-only
- added support for .local profile files in /etc/firejail
- fixed Cryptocat profile
- make ~/.local read-only
Kelvin (https://github.com/kmk3)
- disable ldns utilities, dnssec-*, khost, unbound-host
- sort DNS / RUNUSER paths
- improve bug_report.md
- fix keypassxc
- blacklist oksh shell in disable-shell.inc
Kishore96in (https://github.com/Kishore96in)
- added falkon profile
- kxmlgui fixes
- okular profile fixes
- jitsi-meet-desktop profile
- konversatin profile fix
- added Neochat profile
- added whitelist-1793-workaround.inc
KOLANICH (https://github.com/KOLANICH)
- added symlink fixer fix_private-bin.py in contrib section
- update fix_private-bin.py
- fix meld
- temporary fix to the bug caused by apparmor profiles stacking
kortewegdevries (https://github.com/kortewegdevries)
- a whole bunch of new profiles and fixes
- whitelisting evolution, kmail
Kristóf Marussy (https://github.com/kris7t)
- dns support
kuesji koesnu (https://github.com/kuesji)
- unit suffixes for rlimit-fsize and rlimit-as
- util.c and firejail.h fixes
- better parser for size strings
Kunal Mehta (https://github.com/legoktm)
- converted all links to https in manpages
kzsa (https://github.com/kzsa)
- wusc: add /usr/share/locale-langpack (LC_MESSAGES)
laniakea64 (https://github.com/laniakea64)
- added fj-mkdeb.py script to build deb packages
Lari Rauno (https://github.com/tuutti)
- qutebrowser profile fixes
Laurent Declercq (https://github.com/nuxwin)
- fixed test for shell interpreter in chroots
LaurentGH (https://github.com/LaurentGH)
- allow private-bin parameters to be absolute paths
layderv (https://github.com/layderv)
- prevent sandbox name from containing only digits
- clean escape control characters from the command line
- check hostname syntax
lecso7 (https://github.com/lecso7)
- added goldendict profile
- allow evince to read .cbz file format
leukimi (https://github.com/leukimi)
- 0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed
Loïc Damien (https://github.com/dzamlo)
- small fixes
Liorst4 (https://github.com/Liorst4)
- Preserve CFLAGS given to configure in common.mk.in
- fix emacs config to load as read-write
- disable browser drm by default
- minetest fixes
Lockdis (https://github.com/Lockdis)
- Added crow, nyx, and google-earth-pro profiles
luca0N (https://github.com/luca0N)
- fixed crawl profile
Lukáš Krejčí (https://github.com/lskrejci)
- fixed parsing of --keep-var-tmp
luzpaz (https://github.com/luzpaz)
- code spelling fixes
lxeiqr (https://github.com/lxeiqr)
- fix sndio support
Mace Muilman (https://github.com/mace015)
- google-chrome{,beta,unstable} flags
maces (https://github.com/maces)
- Franz messenger profile
Madura A (https://github.com/manushanga)
- floader
mahdi1234 (https://github.com/mahdi1234)
- cherrytree profile
- Seamonkey profiles
mammo0 (https://github.com/mammo0)
- remove 'text/plain' from firejail-profile.lang.in
Manuel Dipolt (https://github.com/xeniter)
- stack alignment for the ARM Architecture
Marek Küthe (https://github.com/marek22k)
- allow loading plugins in gajim
- allow bsfilter in email-common.profile
- email-common.profile: allow clamav plugin for claws-mail
- VSCodium: Fix developing Arduino
Martin Carpenter (https://github.com/mcarpenter)
- security audit and bug fixes
- Centos 6.x support
Martin Dosch ([email protected])
- support for gnome-shell integration addon in Firefox
(Bug-Debian: https://bugs.debian.org/872720)
Martin Sandsmark (https://github.com/sandsmark)
- songrec profile
Martynas Janonis (https://github.com/mjanonis)
- update wrc for Arch Linux
Matt Parnell (https://github.com/ilikenwf)
- whitelisting for core firefox related functionality
Mattias Wadman (https://github.com/wader)
- seccomp errno filter support
Matthew Gyurgyik (https://github.com/pyther)
- rpm spec and several fixes
Matthew Cline (https://github.com/matthew-cline)
- steam profile and dropbox profile fixes
matu3ba (https://github.com/matu3ba)
- evince hardening, dbus removed
- fix dia profile
- several template fixes
maxice8 (https://github.com/maxice8)
- fixed missing header
Melvin Vermeeren (https://github.com/melvinvermeeren)
- added teamspeak3 profile
- added --noautopulse command line option
Michael Haas (https://github.com/mhaas)
- bugfixes
Michael Hoffmann (https://github.com/brisad)
- added support for subdirs in private-etc
Michele Sorcinelli (https://github.com/michelesr)
- fix ssh profile
Mike Frysinger ([email protected])
- Gentoo compile patch
minus7 (https://github.com/minus7)
- fix hanging arp_check
mirabellette (https://github.com/mirabellette)
- add comment to thunderbird.profile to allow Firefox to load profiles
mjudtmann (https://github.com/mjudtmann)
- lock firejail configuration in disable-mgmt.inc
Mohammed Anas (https://github.com/mhmdanas)
- fix dbus notifications
- fix libEGL warning for abiword
m00nwtchr (https://github.com/m00nwtchr)
- Whitelist electron-flags.conf for all versions of electron
- electron profile updates
- Fix glob pattern and update other profiles/includes (electron profile)
mustaqimM (https://github.com/mustaqimM)
- added profile for Nylas Mail
n1trux (https://github.com/n1trux)
- fix flashpeak-slimjet profile typos
nblock (https://github.com/nblock)
- cmus: allow access to resolv.conf
neirenoir (https://github.com/neirenoir) and noir <[email protected]>
- fixed Blender profile being unable to import numpy
Neo00001 (https://github.com/Neo00001)
- add vmware profile
- update virtualbox profile
- update telegram profile
- add spectacle profile
- add kdiff3 profile
Neotamandua (https://github.com/Neotamandua)
- add Discord PTB profile
netcarver (https://github.com/netcarver)
- prevent access to LUKS keyfile
NetSysFire (https://github.com/NetSysFire)
- update weechat profile
- update megaglest profile
- added parsecd profile
- fix minecraft-launcher.profile
Nick Fox (https://github.com/njfox)
- add a profile alias for code-oss
- add code-oss config directory
- fix wire-desktop.profile on arch
NickMolloy (https://github.com/NickMolloy)
- ARP address length fix
Nico (https://github.com/dr460nf1r3)
- added FireDragon profile
Nicola Davide Mannarelli (https://github.com/nidamanx)
- fix "Could not create AF_NETLINK socket"
- added nextcloud profiles
- Firefox, KeepassXC, Telegram fixes
Niklas Haas (https://github.com/haasn)
- blacklisting for keybase.io's client
Niklas Goerke (https://github.com/Niklas974)
- update QOwnNotes profile
Nikos Chantziaras (https://github.com/realnc)
- fix audio support for Discord
nolanl (https://github.com/nolanl)
- added localtime to signal-desktop's profile
nutta-git (https://github.com/nutta-git)
- steam.profile: allow process_vm_readv syscall
- lutris.profile: allow more syscalls
- steam.profile: update novideo comment for webcam motion trackers
nyancat18 (https://github.com/nyancat18)
- added ardour4, dooble, karbon, krita profiles
nya1 (https://github.com/nya1)
- remove apparmor options in --help when building without apparmor support
Ondra Nekola (https://github.com/satai)
- allow firefox theming with non-global themes
OndrejMalek (https://github.com/OndrejMalek)
- various manpage fixes
Ondřej Nový (https://github.com/onovy)
- allow video for Signal profile
- added Mattermost desktop profile
- hardened Zoom profile
- hardened Signal desktop profile
Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec)
- prevent thunderbird conflicts when firefox is running
- add join-or-start to pluma to open multiple files in tabs
- fixes to keepassxc, thunderbird and pluma
Panzerfather (https://github.com/Panzerfather)
- allow eog to access user's trash
Patrick Schleizer (https://github.com/adrelanos)
- fix tb-starter-wrapper profile
Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
- user namespace implementation
Paul Moore <[email protected]>
-src/fsec-print/print.c extracted from libseccomp software package
Paupiah Yash (https://github.com/CaffeinatedStud)
- gzip profile
Pawel (https://github.com/grimskies)
- make --join return exit code of the invoked program
Pedro Riberio (https://github.com/pedrib)
- fix typo in pycharm-professional include
Peter Millerchip (https://github.com/pmillerchip)
- memory allocation fix
- --private.keep to --private-home transition
- support for files and directories starting with ~ in blacklist option
- support for files and directories with spaces in blacklist option
- lots of other fixes
- implement the --allow-private-blacklist option
Peter Hogg (https://github.com/pigmonkey)
- WeeChat profile
- rtorrent profile
- bitlbee profile fixes
- mutt profile fixes
- fixes for youtube-dl in mpv profile
Peter Sanford (https://github.com/psanford)
- fix QtWebEngine in zoom
Petter Reinholdtsen ([email protected])
- Opera profile patch
PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
- fix quiterss profile
- added profile for gnome-ring
pholodniak (https://github.com/pholodniak)
- profstats fixes
pianoslum (https://github.com/pianoslum)
- nodbus breaking evince two-page-view warning
pirate486743186 (https://github.com/pirate486743186)
- KMail profile
- mpsyt profile
- fix youtube-dl and mpv
- fix gnome-mpv profile
- fix gunzip profile
- reorganizing youtube-viewers
- fix pluma profile
- whitelist /var/lib/aspell
- mcomix fixes
- fixing engrampa profile
- adding qcomicbook and pipe-viewer in disable-programs
- newsboat/newsbeuter profiles
- fix atril profile
- reorganizing links browsers
- added rtv, alpine, mcomix, qcomicbook, googler, ddgr profiles
- w3m, zahura, profile.template fixes
Pixel Fairy (https://github.com/xahare)
- added fjclip.py, fjdisplay.py and fjresize.py in contrib section
PizzaDude (https://github.com/pizzadude)
- add mpv support to smplayer
- added profile for torbrowser-launcher
- added profile for sayonara and qmmp
- remove tracelog from Firefox profile
- fix welcome.sh
polyzen (https://github.com/polyzen)
- fixed wusc issue with mpv/Vulkan
powerjungle (https://github.com/powerjungle)
- fixed multimc
probonopd (https://github.com/probonopd)
- automatic build on Travis CI
pshpsh (https://github.com/pshpsh)
- added FossaMail profile
pstn (https://github.com/pstn)
- added install-strip, make install without strip
pszxzsd (https://github.com/pszxzsd)
-uGet profile
pwnage-pineapple (https://github.com/pwnage-pineapple)
- update Okular profile
qdii (https://github.com/qdii)
- added notpm command & keep tpm devices in private-dev
Quentin Retornaz (https://github.com/qretornaz-adapei42)
- microsoft-edge profiles fixes
Quentin Minster (https://github.com/laomaiweng)
- propagate --quiet to children Firejail'ed processes
- nodbus enhancements/bugfixes
- added vim syntax and ftdetect files
- Allow exec from /usr/libexec & co. with AppArmor
ra1nb0w (https://github.com/ra1nb0w)
- fix vmware profile
Rafael Cavalcanti (https://github.com/rccavalcanti)
- chromium profile fixes for Arch Linux
Rahiel Kasim (https://github.com/rahiel)
- Mathematica profile
- whitelisted Dropbox profile
- whitelisted keysnail config for firefox
- added telegram-desktop profile
Rahul Golam (https://github.com/technoLord)
- strings profile
RandomVoid (https://github.com/RandomVoid)
- fix building C# projects in Godot
- fix Lutris profile
- fix running games with enabled Feral GameMode in Lutris
Raphaël Droz (https://github.com/drzraf)
- zoom profile fixes
realaltffour (https://github.com/realaltffour)
- add lynx support to newsboat profile