forked from netblue30/firejail
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
1030 lines (1014 loc) · 38 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
Pidgin, Quassel, and XChat.
Firejail also expands the restricted shell facility found in bash by adding
Linux namespace support. It supports sandboxing specific users upon login.
Download: https://sourceforge.net/projects/firejail/files/
Build and install: ./configure && make && sudo make install
Documentation and support: https://firejail.wordpress.com/
Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
Development: https://github.com/netblue30/firejail
License: GPL v2
Please report all security vulnerabilities at [email protected]
Compile and install mainline version from GitHub:
$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure && make && sudo make install-strip
On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
development libraries and pkg-config are required when using --apparmor
./configure option:
$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
Maintainer:
- netblue30 ([email protected])
Committers
- chiraag-nataraj (https://github.com/chiraag-nataraj)
- crass (https://github.com/crass)
- curiosityseeker (https://github.com/curiosityseeker)
- glitsj16 (https://github.com/glitsj16)
- Fred-Barclay (https://github.com/Fred-Barclay)
- Kelvin M. Klann (https://github.com/kmk3)
- Kristóf Marussy (https://github.com/kris7t)
- Neo00001 (https://github.com/Neo00001)
- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
- rusty-snake (https://github.com/rusty-snake)
- smitsohu (https://github.com/smitsohu)
- SkewedZeppelin (https://github.com/SkewedZeppelin)
- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
- Topi Miettinen (https://github.com/topimiettinen)
- veloute (https://github.com/veloute)
- Vincent43 (https://github.com/Vincent43)
- netblue30 ([email protected])
Firejail Authors (alphabetical order)
0x7969 (https://github.com/0x7969)
- fix wire-desktop.profile
- add ferdi.profile
7twin (https://github.com/7twin_)
- fix typos
- fix flameshot raw screenshots
1dnrr (https://github.com/1dnrr)
- add pybitmessage profile
Ádler Jonas Gross (https://github.com/adgross)
- AppArmor fix
Adrian L. Shaw (https://github.com/adrianlshaw)
- add profanity profile
- add barrirer profile
Aidan Gauland (https://github.com/aidalgol)
- added electron, riot-web and npm profiles
- whitelist Bohemia Interactive config dir for Steam
Akhil Hans Maulloo (https://github.com/kouul)
- xz profile
Albin Kauffmann (https://github.com/albinou)
- Firefox and Chromium profile fixes
- info to allow screen sharing in profiles
Alexey Kuznetsov ([email protected])
- src/lib/libnetlink.c extracted from iproute2 software package
Aleksey Manevich (https://github.com/manevich)
- several profile fixes
- fix problem with relative path in storage_find function
- fix build for systems without bash
- fix double quotes/single quotes problem
- big rework of argument processing subsystem
- --join fixes
- splitting up cmdline.c
- Busybox support
- X11 support rewrite
- gether shell selection code in one place
- fixed several TOCTOU security problems
- added --fix option to firecfg utility
- read_pid fix
- added --x11=block options
- x11 xpra, xphyr, none profile commands
- added --join-or-start command
- CVE-2016-7545
Alexander Gerasiov (https://github.com/gerasiov)
- read-only ~/.ssh/authorized_keys
- profile updates
Alexander Stein (https://github.com/ajstein)
- added profile for qutebrowser
Amin Vakil (https://github.com/aminvakil)
- whois profile fix
- added profile for strawberry
- w3m profile fix
Andreas Hunkeler (https://github.com/Karneades)
- Add profile for offical Linux Teams application
Andrey Alekseenko (https://github.com/al42and)
- fixing lintian warnings
- fixed Skype profile
andrew160 (https://github.com/andrew160)
- profile and man pages fixes
Andrew Branson (https://github.com/abranson)
- 32bit ARM syscall table
announ (https://github.com/announ)
- mpv and youtube-dl profile fixes
- git profile fix
- evince profile fix
Anton Shestakov (https://github.com/antonv6)
- add whitelist items for uim
Antonio Russo (https://github.com/aerusso)
- enumerate root directories in apparmor profile
- fix join-or-start
- wusc fixes
- okular profile fixes
- manpage fixes
aoand (https://github.com/aoand)
- seccomp fix: allow numeric syscalls
Arne Welzel (https://github.com/awelzel)
- ignore SIGTTOU during flush_stdin()
Atrate (https://github.com/Atrate)
- BetterDiscord support
Austin Morton (https://github.com/apmorton)
- deterministic-exit-code option
- private-cwd options
Austin S. Hemmelgarn (https://github.com/Ferroin)
- unbound profile update
Avi Lumelsky (https://github.com/avilum)
- syscall.sh improvements
avoidr (https://github.com/avoidr)
- whitelist fix
- recently-used.xbel fix
- added parole profile
- blacklist ncat
- hostname support in profile file
- Google Chrome profile rework
- added cmus profile
- man page fixes
- add net iface support in profile files
- paths fix
- lots of profile fixes
- added mcabber profile
- fixed mpv profile
- various other fixes
backspac (https://github.com/backspac)
- firecfg fixes
- add steam-runtime alias
Bader Zaidan (https://github.com/BaderSZ)
- Telegram profile
Bandie (https://github.com/Bandie)
- fixed riot-desktop
Barış Ekin Yıldırım (https://github.com/circuitshaker)
- removing net none from code.profile
bbhtt (https://github.com/bbhtt)
- improvements to balsa,fractal,gajim,trojita profiles
- improvements to nheko, spectral, feh, links, lynx, smplayer profiles
- added alacarte, com.github.bleakgrey.tootle, photoflare profiles
- add profiles for MS Edge dev build for Linux and Librewolf
- fixes to cheese, authenticator, liferea
- add profile for straw-viewer
- email clients whitelisting and fixes
Benjamin Kampmann (https://github.com/ligthyear)
- Forward exit code from child process
bitfreak25 (https://github.com/bitfreak25)
- added PlayOnLinux profile
- minetest profile fix
- added sylpheed profile
bn0785ac (https://github.com/bn0785ac)
- fixed bnox, dnox profiles
- support all tor-browser langpacks
- chromium canary (inox-family) fixes
- allow multithreading for cin and natron
- fix dbus access for libreoffice on KDE
- fix inox, add snox profile
BogDan Vatra (https://github.com/bog-dan-ro)
- zoom profile
Brad Ackerman
- blacklist Bitwarden config in disable-passwdmgr.inc
briaeros (https://github.com/briaeros)
- fix command test in jail_prober.py
botherer (https://github.com/botherder)
- add CoyIM profile
Bruno Nova (https://github.com/brunonova)
- whitelist fix
- bash arguments fix
Bundy01 (https://github.com/Bundy01)
- fixup geary
- add gradio profile
- update virtualbox.profile
BytesTuner (https://github.com/BytesTuner)
- provided keepassxc profile
caoliver (https://github.com/caoliver)
- network system fixes
Carlo Abelli (https://github.com/carloabelli)
- fixed udiskie profile
- Allow mbind syscall for GIMP
- fixed simple-scan
Cat (https://github.com/ecat3)
- prevent tmux connecting to an existing session
Christian Pinedo (https://github.com/chrpinedo)
- added nicotine profile
- allow python3 in totem profile
creideiki (https://github.com/creideiki)
- make the sandbox process reap all children
- tor browser profile fix
chiraag-nataraj (https://github.com/chiraag-nataraj)
- support for newer Xpra versions (2.1+)
- added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles
- added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles
- added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles
- added tor, x-terminal-emulator, zart profiles
Christian Stadelmann (https://github.com/genodeftest)
- profile fixes
- evolution profile fix
Clayton Williams (https://github.com/gosre)
- addition of RLIMIT_AS
corecontingency (https://https://github.com/corecontingency)
- tighten private-bin and etc for torbrowser-launcher.profile
- added i2prouter profile
- add several games to steam and disable-programs
crass (https://github.com/crass)
- extract_command_name fixes
- update appimage size calculation to newest code from libappimage
- firejail should look for processes with names exactly named
curiosity-seeker (https://github.com/curiosity-seeker - old)
curiosityseeker (https://github.com/curiosityseeker - new)
- tightening unbound and dnscrypt-proxy profiles
- correct and tighten QuiteRss profile
- dnsmasq profile
- okular and gwenview profiles
- cherrytree profile fixes
- added quiterss profile
- added guayadeque profile
- added VirtualBox.profile
- various other profile fixes
- added digiKam profile
- write-protection for thumbnailer dir
- added gramps, newsboat, freeoffice-planmaker profiles
- added freeoffice-textmaker, freeoffice-presentations profiles
- added cantata profile
- updated keypassxc profile
- added syscalls.sh, which determine the necessary syscalls for a program
- fixed conky profile
- thunderbird.profile: harden and enable the rules necessary to make Firefox open links
da2x (https://github.com/da2x)
- matched RPM license tag
Daan Bakker (https://github.com/dbakker)
- protect shell startup files
Danil Semelenov (https://github.com/sgtpep)
- blacklist the Electron Cash Wallet
- blacklist s3cmd and s3fs configs
- blacklist Ethereum, Monero wallets
- blacklist Dash Core wallet
Dara Adib (https://github.com/daradib)
- ssh profile fix
- evince profile fix
- linphone profile fix
Dario Pellegrini (https://github.com/dpellegr)
- allowing links in netns
David Thole (https://github.com/TheDarkTrumpet)
- added profile for teams-for-linux
Davide Beatrici (https://github.com/davidebeatrici)
- steam.profile: correctly blacklist unneeded directories in user's home
- minetest fixes
David Hyrule (https://github.com/Svaag)
- remove nou2f in ssh profile
Deelvesh Bunjun (https://github.com/DeelveshBunjun)
- added xpdf profile
Denys Havrysh (https://github.com/vutny)
- update SkypeForLinux profile for latest version
- removed outdated Skype profile
dewbasaur (https://github.com/dewbasaur)
- block access to history files
- Firefox PDF.js exploit (CVE-2015-4495) fixes
- Steam profile
DiGitHubCap (https://github.com/DiGitHubCap)
- deluge profile fix
- fix qt5ct colour schemes and QSS
Disconnect3d (https://github.com/disconnect3d)
- code cleanup
dmfreemon (https://github.com/dmfreemon)
- add sandbox name or name of private directory to the window title when xpra is used
- handle malloc() failures; use gnu_basename() instead of basenaem()
dshmgh (https://github.com/dshmgh)
- overlayfs fix for systems with /home mounted on a separate partition
Duncan Overbruck (https://github.com/Duncaen)
- musl libc fix
- utmp fix
- fix install for --disable-seccomp software configurations
Eduard Tolosa (https://github.com/Edu4rdSHL)
- fixed and hardened qpdfview.profile
- fixed gajim.profile
emacsomancer (https://github.com/emacsomancer)
- added profile for Conkeror browser
Emil Gedda (https://github.com/EmilGedda)
- fix multicast CIDR address in nolocal.net
eventyrer (https://github.com/eventyrer)
- update gnome-mplayer.profile
Ethan R (https://github.com/AN3223)
- add allow-perl.inc to w3m.profile
Fabian Würfl (https://github.com/BafDyce)
- fixed race condition when creating a new directory
- Liferea profile
Felipe Barriga Richards (https://github.com/fbarriga)
- --private-etc fix
fenuks (https://github.com/fenuks)
- fix sound in games using FMOD
Florian Begusch (https://github.com/florianbegusch)
- (la)tex profiles
- fixed transmission-common.profile
- fixed standardnotes-desktop.profile
floxo (https://github.com/floxo)
- fixed qml disk cache issue
Franco (nextime) Lanza (https://github.com/nextime)
- added --private-template/--private-home
František Polášek (https://github.com/fandaa)
- fix QOwnNotes profile
fuelflo (https://github.com/fuelflo)
- added rambox profile
Fred-Barclay (https://github.com/Fred-Barclay)
- lots of profile fixes
- added Vivaldi, Atril profiles
- added PaleMoon profile
- split Icedove and Thunderbird profiles
- added 0ad profile
- fixed version for .deb packages
- added Warzone2100 profile
- blacklisted VeraCrypt
- added Gpredict profile
- added Aweather, Stellarium profiles
- fixed HexChat and Atril profiles
- fixed disable-common.inc for mate-terminal
- blacklisted escape-happy terminals in disable-common.inc
- blacklisted g++
- added xplayer, xreader, and xviewer profiles
- added Brave profile
- added Gitter profile
- various organising
- added LibreOffice profile
- added pix profile
- added audacity profile
- fixed Telegram and qtox profiles
- added Atom Beta and Atom profiles
- tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles
- several private-bin conversions
- added jitsi profile
- pidgin private-bin conversion
- added eom profile
- added gnome-chess profile
- added DOSBox profile
- evince profile enhancement
- tightened Spotify profile
- added xiphos and Tor Browser Bundle profiles
- added xed and pluma profiles
- added Cryptocat profile
- added wireshark profile
- uudeview profile fix
- fixed palemoon and qbittorrent profiles
- compile/install scripts for --git-install/--git-uninstall commands
- tighten keepassx
- added Thunar profile
- added mousepad, qpicview, and cvlc profiles
- added BibleTime profile
- added caja and galculator profiles
- added Catfish profile
Frederik Olesen (https://github.com/Freso)
- added many vim profiles
g3ngr33n (https://github.com/g3ngr33n)
- fix musl compilation
G4JC (https://sourceforge.net/u/gaming4jc/profile/)
- ARM support
- profile fixes
Gaman Gabriel (https://github.com/stelariusinfinitek)
- inox profile
geg2048 (https://github.com/geg2048)
- kwallet profile fixes
glitsj16 (https://github.com/glitsj16)
- evince-previewer, evince-thumbnailer profiles
- gnome-recipes, gnome-logs profiles
- fixed private-lib for gnome-calculator
- gunzip, bunzip2 profiles
- enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles
- atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes
- acat, adiff, als, apack, arepack, aunpack profiles,
- fix sqlitebrowser blacklist
- spelling fixes
- bitblbee profile fixes
- fix firefox common addons
- many profile fixes
- profile fixes: file, strings, claws-mail,
- new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
- new profiles: devilspie, devilspie2, easystroke, github-desktop, min
- new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
- new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
- new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
- new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
- new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
- new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
- new profiles: masterpdfeditor
gm10 (https://github.com/gm10)
- get_user() do not use the unreliable getlogin()
GovanifY (https://github.com/GovanifY)
- Blacklisting openrc paths by defaults
graywolf (https://github.com/graywolf)
- spelling fix
greigdp (https://github.com/greigdp)
- Gajim IM client profile
- fixed spotify profile
- added Slack profile
- add Spotify profile
grizzlyuser (https://github.com/grizzlyuser)
- added support for youtube-dl in smplayer profile
GSI (https://github.com/GSI)
- added Uzbl browser profile
haarp (https://github.com/haarp)
- Allow sound for hexchat
hamzadis (https://github.com/hamzadis)
- added --overlay-named=name and --overlay-path=path
Hans-Christoph Steiner (https://github.com/eighthave)
- added xournal profile
hawkey116477 (https://github.com/hawkeye116477)
- added Waterfox profile
- updated Cyberfox profile
- updated Waterfox profile
Helmut Grohne (https://github.com/helmutg)
- compiler support in the build system - Debian bug #869707
hhzek0014 (https://github.com/hhzek0014)
- updated bibletime.profile
hlein (https://github.com/hlein)
- strip out \r's from jail prober
Holger Heinz (https://github.com/hheinz)
- manpage work
Haowei Yu (https://github.com/sfc-gh-hyu)
- add configure options when building rpm
Icaro Perseo (https://github.com/icaroperseo)
- Icecat profile
- several profile fixes
Igor Bukanov (https://github.com/ibukanov)
- found/fiixed privilege escalation in --hosts-file option
iiotx (https://github.com/iiotx)
- use generic.profile by default
Impyy (https://github.com/Impyy)
- added mumble profile
intika (https://github.com/intika)
- added musixmatch profile
irandms (https://github.com/irandms)
- man firecfg fixes
irregulator (https://github.com/irregulator)
- thunderbird profile fixes for debian stretch
Irvine (https://github.com/Irvinehimself)
- added conky profile
- added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles
Ivan Kozik (https://github.com/ivan)
- speed up sandbox exit
Jaykishan Mutkawoa (https://github.com/jmutkawoa)
- cpio profile
James Elford (https://github.com/jelford)
- pass password manager support
- removed shell none from ssh-agent configuration, fixing the infinite loop
- added gcloud profile
- blacklist sensitive cloud provider files in disable-common
Jean Lucas (https://github.com/flacks)
- fix Discord profile
- add AnyDesk profile
- add WebStorm profile
- add XMind profile
- add Whalebird profile
- add zulip profile
- add nvm to list of disabled interpreters
- fixes for tor-browser-* profiles
- alias for riot-desktop
- add gnome-mpv profile
- fix wire profile
- fix itch profile
- add Beaker profile
- fixes for gnome-music
- allow reading of system-wide Flatpak locale in gajim profile
Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth)
- fixed spotify.profile
Jeff Squyres (https://github.com/jsquyres)
- various manpage fixes
Jericho (https://github.com/attritionorg)
- spelling
Jesse Smith (https://github.com/slicer69)
- added QupZilla profile
jgriffiths (https://github.com/jgriffiths)
- make rpm packages support
Joan Figueras (https://github.com/figue)
- added abrowser profile
- added Google-Play-Music-Desktop-Player
- added cyberfox profile
John Mullee (https://github.com/jmullee)
- fix empty-string assignment in whitelisting code
Jonas Heinrich (https://github.com/onny)
- added signal-desktop profile
- fixed franz profile
Jose Riha (https://github.com/jose1711)
- added meteo-qt profile
- created qgis, links, xlinks profiles
- extended profile.template with comments
- some typo and comment fixes in profile.template
- Make it possible for cheese app to save pictures too
- Add davfs2 secrets file to blacklist
- Add profile for udiskie
- fix udiskie.profile
jrabe (https://github.com/jrabe)
- disallow access to kdbx files
- Epiphany profile
- Polari profile
- qTox profile
- X11 fixes
juan (https://github.com/nyancat18)
- fixed Kdenlive, Shotcut profiles
- new profiles for Cinelerra, Cliqz, Bluefish
- profile hardening
Kaan Genç (https://github.com/SeriousBug)
- dynamic allocation of noblacklist buffer
Karoshi42 (https://github.com/karoshi42)
- update dino-im.profile
KellerFuchs (https://github.com/KellerFuchs)
- nonewpriv support, extended profiles for this feature
- make `restricted-network` prevent use of netfilter
- disable-common.inc additions
- make mutt and msmtp's rc files read-only
- added support for .local profile files in /etc/firejail
- fixed Cryptocat profile
- make ~/.local read-only
Kelvin (https://github.com/kmk3)
- disable ldns utilities, dnssec-*, khost, unbound-host
- sort DNS / RUNUSER paths
- improve bug_report.md
- fix keypassxc
- blacklist oksh shell in disable-shell.inc
Kishore96in (https://github.com/Kishore96in)
- added falkon profile
- kxmlgui fixes
- okular profile fixes
- jitsi-meet-desktop profile
- konversatin profile fix
KOLANICH (https://github.com/KOLANICH)
- added symlink fixer fix_private-bin.py in contrib section
- update fix_private-bin.py
- fix meld
kortewegdevries (https://github.com/kortewegdevries)
- a whole bunch of new profiles and fixes
- whitelisting evolution, kmail
Kristóf Marussy (https://github.com/kris7t)
- dns support
Kunal Mehta (https://github.com/legoktm)
- converted all links to https in manpages
laniakea64 (https://github.com/laniakea64)
- added fj-mkdeb.py script to build deb packages
Lari Rauno (https://github.com/tuutti)
- qutebrowser profile fixes
Laurent Declercq (https://github.com/nuxwin)
- fixed test for shell interpreter in chroots
LaurentGH (https://github.com/LaurentGH)
- allow private-bin parameters to be absolute paths
Loïc Damien (https://github.com/dzamlo)
- small fixes
Liorst4 (https://github.com/Liorst4)
- Preserve CFLAGS given to configure in common.mk.in
- fix emacs config to load as read-write
- disable browser drm by default
- minetest fixes
Lockdis (https://github.com/Lockdis)
- Added crow, nyx, and google-earth-pro profiles
Lukáš Krejčí (https://github.com/lskrejci)
- fixed parsing of --keep-var-tmp
luzpaz (https://github.com/luzpaz)
- code spelling fixes
Mace Muilman (https://github.com/mace015)
- google-chrome{,beta,unstable} flags
maces (https://github.com/maces)
- Franz messenger profile
Madura A (https://github.com/manushanga)
- floader
mahdi1234 (https://github.com/mahdi1234)
- cherrytree profile
- Seamonkey profiles
Manuel Dipolt (https://github.com/xeniter)
- stack alignment for the ARM Architecture
Martin Carpenter (https://github.com/mcarpenter)
- security audit and bug fixes
- Centos 6.x support
Martin Dosch ([email protected])
- support for gnome-shell integration addon in Firefox
(Bug-Debian: https://bugs.debian.org/872720)
Matt Parnell (https://github.com/ilikenwf)
- whitelisting for core firefox related functionality
Mattias Wadman (https://github.com/wader)
- seccomp errno filter support
Matthew Gyurgyik (https://github.com/pyther)
- rpm spec and several fixes
matu3ba (https://github.com/matu3ba)
- evince hardening, dbus removed
- fix dia profile
- several template fixes
maxice8 (https://github.com/maxice8)
- fixed missing header
Melvin Vermeeren (https://github.com/melvinvermeeren)
- added teamspeak3 profile
- added --noautopulse command line option
Michael Haas (https://github.com/mhaas)
- bugfixes
Mike Frysinger ([email protected])
- Gentoo compile patch
mirabellette (https://github.com/mirabellette)
- add comment to thunderbird.profile to allow Firefox to load profiles
mjudtmann (https://github.com/mjudtmann)
- lock firejail configuration in disable-mgmt.inc
mustaqimM (https://github.com/mustaqimM)
- added profile for Nylas Mail
n1trux (https://github.com/n1trux)
- fix flashpeak-slimjet profile typos
nblock (https://github.com/nblock)
- cmus: allow access to resolv.conf
neirenoir (https://github.com/neirenoir) and noir <[email protected]>
- fixed Blender profile being unable to import numpy
Neo00001 (https://github.com/Neo00001)
- add vmware profile
- update virtualbox profile
- update telegram profile
- add spectacle profile
- add kdiff3 profile
Nick Fox (https://github.com/njfox)
- add a profile alias for code-oss
- add code-oss config directory
- fix wire-desktop.profile on arch
NickMolloy (https://github.com/NickMolloy)
- ARP address length fix
Niklas Haas (https://github.com/haasn)
- blacklisting for keybase.io's client
Niklas Goerke (https://github.com/Niklas974)
- update QOwnNotes profile
Nikos Chantziaras (https://github.com/realnc)
- fix audio support for Discord
nyancat18 (https://github.com/nyancat18)
- added ardour4, dooble, karbon, krita profiles
Ondra Nekola (https://github.com/satai)
- allow firefox theming with non-global themes
OndrejMalek (https://github.com/OndrejMalek)
- various manpage fixes
Ondřej Nový (https://github.com/onovy)
- allow video for Signal profile
- added Mattermost desktop profile
- hardened Zoom profile
- hardened Signal desktop profile
Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec)
- prevent thunderbird conflicts when firefox is running
- add join-or-start to pluma to open multiple files in tabs
- fixes to keepassxc, thunderbird and pluma
Panzerfather (https://github.com/Panzerfather)
- allow eog to access user's trash
Patrick Schleizer (https://github.com/adrelanos)
- fix tb-starter-wrapper profile
Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
- user namespace implementation
Paul Moore <[email protected]>
-src/fsec-print/print.c extracted from libseccomp software package
Paupiah Yash (https://github.com/CaffeinatedStud)
- gzip profile
Pawel (https://github.com/grimskies)
- make --join return exit code of the invoked program
Peter Millerchip (https://github.com/pmillerchip)
- memory allocation fix
- --private.keep to --private-home transition
- support for files and directories starting with ~ in blacklist option
- support for files and directories with spaces in blacklist option
- lots of other fixes
- implement the --allow-private-blacklist option
Peter Hogg (https://github.com/pigmonkey)
- WeeChat profile
- rtorrent profile
- bitlbee profile fixes
- mutt profile fixes
- fixes for youtube-dl in mpv profile
Peter Sanford (https://github.com/psanford)
- fix QtWebEngine in zoom
Petter Reinholdtsen ([email protected])
- Opera profile patch
PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
- fix quiterss profile
- added profile for gnome-ring
pianoslum (https://github.com/pianoslum)
- nodbus breaking evince two-page-view warning
pirate486743186 (https://github.com/pirate486743186)
- KMail profile
- mpsyt profile
- fix youtube-dl and mpv
- fix gnome-mpv profile
Pixel Fairy (https://github.com/xahare)
- added fjclip.py, fjdisplay.py and fjresize.py in contrib section
PizzaDude (https://github.com/pizzadude)
- add mpv support to smplayer
- added profile for torbrowser-launcher
- added profile for sayonara and qmmp
- remove tracelog from Firefox profile
polyzen (https://github.com/polyzen)
- fixed wusc issue with mpv/Vulkan
probonopd (https://github.com/probonopd)
- automatic build on Travis CI
pshpsh (https://github.com/pshpsh)
- added FossaMail profile
pstn (https://github.com/pstn)
- added install-strip, make install without strip
pszxzsd (https://github.com/pszxzsd)
-uGet profile
pwnage-pineapple (https://github.com/pwnage-pineapple)
- update Okular profile
Quentin Minster (https://github.com/laomaiweng)
- propagate --quiet to children Firejail'ed processes
- nodbus enhancements/bugfixes
- added vim syntax and ftdetect files
- Allow exec from /usr/libexec & co. with AppArmor
Rafael Cavalcanti (https://github.com/rccavalcanti)
- chromium profile fixes for Arch Linux
Rahiel Kasim (https://github.com/rahiel)
- Mathematica profile
- whitelisted Dropbox profile
- whitelisted keysnail config for firefox
- added telegram-desktop profile
Rahul Golam (https://github.com/technoLord)
- strings profile
RandomVoid (https://github.com/RandomVoid)
- fix building C# projects in Godot
Raphaël Droz (https://github.com/drzraf)
- zoom profile fixes
realaltffour (https://github.com/realaltffour)
- add lynx support to newsboat profile
Reiner Herrmann (https://github.com/reinerh)
- a number of build patches
- man page fixes
- Debian and Ubuntu integration
- clang-analyzer fixes
- Debian reproducible build
- unit testing framework
- moved build to .xz
- detached signatures for source archive
- recursive mkdir
Remco Verhoef (https://github.com/nl5887)
- add overlay configuration to profiles
- prevent running shells recursively
RD PROJEKT (https://github.com/RDProjekt)
- noblacklist support for /sys/module directory
- whitelist support for /sys/module directory
- support AMD GPU by OpenCL in Blender
rogshdo (https://github.com/rogshdo)
- BitlBee profile
rootalc (https://github.com/rootalc)
- add nolocal6.net filter
Ruan (https://github.com/ruany)
- fixed hexchat profile
rusty-snake (https://github.com/rusty-snake)
- added profiles: thunderbird-wayland, supertuxkart, ghostwriter
- added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
- added profiles: gajim-history-manager, freemind, nomacs, kid3
- added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap
- added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk
- added profiles: ktouch, yelp, klatexformula, klatexformula_cmdl
- added profiles: pandoc, gnome-sound-recorder, godot, newsbeuter
- added profiles: keepassxc-cli, keepassxc-proxy, rhythmbox-client
- added profiles: zeal, gnome-characters, gnome-character-map
- many profile fixing and hardening
- some typo fixes
- added profile templates
- added sort.py to contrib
Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
- fixed ktorrent profile
sarneaud (https://github.com/sarneaud)
- rewrite globbing code to fix various minor issues
- added noblacklist command for profile files
- various enhancements and bug fixes
Sebastian Hafner (https://github.com/DropNib)
- profile support for allow-debuggers
Senemu (https://github.com/Senemu)
- protection for .pythonrc.py
- fixed evince
Sergey Alirzaev (https://github.com/l29ah)
- firejail.h enum fix
- firefox-common-addons.inc: + tridactyl
Slava Monich (https://github.com/monich)
- added configure option to disable man pages
Tobias Schmidl (https://github.com/schtobia)
- added profile for webui-aria2
Simon Peter (https://github.com/probonopd)
- set $APPIMAGE and $APPDIR environment variables
- AppImage version detection
- Leafppad type v1 and v2 appimage packages in test/appimage
- GitHub/Travis CI integration
sinkuu (https://github.com/sinkuu)
- blacklisting kwalletd
- fix symlink invocation for programs placing symlinks in $PATH
Simo Piiroinen (https://github.com/spiiroin)
- Jolla/SailfishOS patches
smitsohu (https://github.com/smitsohu)
- read-only kde4 services directory
- enhanced mediathekview profile
- added tuxguitar profile
- removed nodvd from k3b profile
- lots of profile hardening and fixes
- added MuseScore profile
- fixed device discovery for simple-scan
- add novideo support in many profiles
- improve server profiles, harden musescore
- snap profile cleanup
- tighten some capability sets further
- enhance mutt, goobox, baloo and clementine profiles
soredake (https://github.com/soredake)
- fix steam startup with >=llvm-4
- fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
- fix keepassxc.profile
- fix qtox.profile
- add ocaltime to private-etc to make qtox show correct time
- fixes for the keepassxc 2.2.5 version
SkewedZeppelin (https://github.com/SkewedZeppelin)
- added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
- added PDFSam, Pithos, and Xonotic profiles
- disabled Go, Rust, and OpenSSL in disable-devel.conf
- added dino profile
- added Kodi profile
- lots of profile tightening
- added viking, youtube-dl, meld profiles
- added Arduino profile
- lots of profile hardening and fixing
- firecfg enhancements
- fixed vlc profile
- fixed wget profile
- fixed firecfg.config file
- added novideo and disable-mnt support in all profile files
- added Peek and silent profiles
- added IntelliJ IDEA and Android Studio profiles
- added arm profile
- lots of profile improvements/tightening
- added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img,
soundconverter, sqlitebrowser, and truecraft profiles
- added gnome-twitch profile
- Unified all 341 profiles
- profile tightening with private-bin
- fix notv and nodvd placement
- added novideo and noexec /tmp to Tor browser profile
- fixed Gnome 2048 on wayland
- added Neverball profile
- hardern /var
- profile standard layout
- Spotify and itch.io profile fixes
sshirokov (https://sourceforge.net/u/yshirokov/profile/)
- Patch to output "Reading profile" to stderr instead of stdout
SYN-cook (https://github.com/SYN-cook)
- keepass/keepassx browser fixes
- disable-common.inc fixes
- blacklist GNOME keyring and Konqueror
- fixed Keepass(x) profiles
- Engrampa profile
- Scribus profile
- autostart blacklist for KDE
- blacklist startup scripts
- various profile updates
- blacklist lots of KDE files
- blacklist nautilus and nemo in ~/.local/share/
- added mediathekview profile
- blacklist attic and borg
- cleaned up Okular and Gwenview profiles
- added baloo_file profile
- k3b profile update
- noexec changes
- gnome-calculator changes
startx2017 (https://github.com/startx2017)
- syscall list update
- updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
- enable/disable join support in /etc/firejail/firejail.config
- firecfg fix: create ~/.local/share/applications directory if it doesn't exist
- firejail.config cleanup
- --quiet fixes
- bugfixes branches maintainer
- firemon --top speed-up
- Blender and 2048-qt profiles
- handbrake profile
- mplayer and smplayer profiles
- kwrite and geary profiles
StelFux (https://github.com/StelFux)
- Fix youtube video in totem
the-antz (https://github.com/the-antz)
- Fix libx265 encoding in ffmpeg profile
- Fix Firefox profile
- Profile tweaks
thewisenerd (https://github.com/thewisenerd)
- allow multiple private-home commands
- use $SHELL variable if the shell is not specified
- appimage: pass commandline arguments
Thomas Jarosch (https://github.com/thomasjfox)
- disable keepassx in disable-passwdmgr.inc
- added uudeview profile
- added tar (gtar), unzip and unrar profile
- added file profile
- improved profile list
- fixed small variable glitch in stat64() / lstat64() (libtracelog)
- added lstat() / lstat64() support to libtrace
- include mkuid.sh in make dist
- cppcheck bugfixes
Timo Hardebusch (https://github.com/tihadot)
- add signal-cli profile
- KeePassXC: added a warning regarding tray icon
tinmanx (https://github.com/tinmanx)
- remove network access from cherrytree.profile
Tom Mellor (https://github.com/kalegrill)
- mupen64plus profile
Tomasz Jan Góralczyk (https://github.com/tjg)
- fixed Steam profile
Tomi Leppänen (https://github.com/Tomin1)
- Jolla/SailfishOS patches
Topi Miettinen (https://github.com/topimiettinen)
- improved seccomp printing
- improve mount handling, fix /run/user handling
- /proc/sys can be nosuid,noexec,nodev
- seccomp default list update
- improve loading of seccomp filter and memory-deny-write-execute feature
- private-lib feature
- make --nodbus block also system D-Bus socket
user1024 ([email protected])
- electron profile whitelisting
- fixed Rocket.Chat profile
- nheko profile
valoq (https://github.com/valoq)
- lots of profile fixes
- added support for /srv in --whitelist feature
- Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
- blacklist suid binaries in disable-common.inc
- fix man pages
- added keypass2, qemu profiles
- added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles
- added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles
- added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles
- added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
- added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
- added wget profile
- disable gnupg and systemd directories under /run/user
- added iridium browser profile
Vadim A. Misbakh-Soloviov (https://github.com/msva)
- profile fixes
ValdikSS (https://github.com/ValdikSS)
- Psi+, Corebird, Konversation profiles
- various profile fixes
Vasya Novikov (https://github.com/vn971)
- Wesnoth profile
- Hedegewars profile
- manpage fixes
- fixed firecfg clean/clear issue
- found the ugliest bug so far
- seccomp debug description in man page
- seccomp syscall list update for glibc 2.26-10
Veeti Paananen (https://github.com/veeti)
- fixed Spotify profile
veloute (https://github.com/veloute)
- added standardnotes profile
- added flameshot profile
- added jdownloader profile
- fixed discord profile
- fixes for various profiles
- removed vim and ranger from firecfg
- fixing keepassxc auto-type, noexec /tmp
- fix ipc-namespace prblem in file-roller
- fix exiftool, viewnior, aria2c, ffmpegthumbnailer
- fix pavucontrol (ipcnamespace)
- fix gnuchess
- add anki profile
Vincent43 (https://github.com/Vincent43)
- apparmor enhancements
Vincent Blillault (https://github.com/Feandil)
- fix mumble profile
vismir2 (https://github.com/vismir2)
- feh, ranger, 7z, keepass, keepassx and zathura profiles
- claws-mail, mutt, git, emacs, vim profiles
- lots of profile fixes
- support for truecrypt and zuluCrypt
viq (https://github.com/viq)
- discord-canary profile
Vladimir Gorelov (https://github.com/larkvirtual)
- added Yandex browser profile
Vladimir Schowalter (https://github.com/VladimirSchowalter20)
- apparmor profile enhancements
- various KDE profile enhancements
read-only kde5 services directory