Package Release Info


Update Info: Base Release
Available in Package Hub : 15 SP4





Change Logs

* Sun Jul 18 2021 Andreas Stieger <>
- firejail 0.9.66:
  * deprecated --audit options, relpaced by jailcheck utility
  * deprecated follow-symlink-as-user from firejail.config
  * new firejail.config settings: private-bin, private-etc
  * new firejail.config settings: private-opt, private-srv
  * new firejail.config settings: whitelist-disable-topdir
  * new firejail.config settings: seccomp-filter-add
  * removed kcmp syscall from seccomp default filter
  * rename --noautopulse to keep-config-pulse
  * filtering environment variables
  * zsh completion
  * command line: --mkdir, --mkfile
  * --protocol now accumulates
  * jailtest utility for testing running sandboxes
  * faccessat2 syscall support
  * --private-dev keeps /dev/input
  * added --noinput to disable /dev/input
  * add support for subdirs in --private-etc
  * subdirs support in private-etc
  * input devices support in private-dev, --no-input
  * support trailing comments on profile lines
  * many new profiles
- split shell completion into standard subpackages
* Tue Feb 09 2021 Sebastian Wagner <>
- Bring firejail to Leap 15.2
  - fixes boo#1181990
  - fixes CVE-2021-26910
* Sun Feb 07 2021 ???? ?????? <>
- Update to
  * disabled overlayfs, pending multiple fixes
  * fixed launch firefox for open url in telegram-desktop.profile
* Thu Jan 28 2021 ???? ?????? <>
- Update to
  * allow --tmpfs inside $HOME for unprivileged users
  * --disable-usertmpfs compile time option
  * allow AF_BLUETOOTH via --protocol=bluetooth
  * setup guide for new users: contrib/
  * implement netns in profiles
  * added IPv6 network filter
  * new profiles: spectacle, chromium-browser-privacy,
    gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer,
    gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu,
    authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg,
    mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.
* Mon Nov 02 2020 Sebastian Wagner <>
- packaging fixes
* Sun Nov 01 2020 Sebastian Wagner <>
- Update to version 0.9.64:
  * replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from
    killing the process to returning EPERM to the caller. To get the
    previous behaviour, use --seccomp-error-action=kill or
    syscall:kill syntax when constructing filters, or override in
    /etc/firejail/firejail.config file.
  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
    xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
    With this version nodbus is deprecated, in favor of dbus-user none and
    dbus-system none and will be removed in a future version.
  * DHCP client support
  * firecfg only fix dektop-files if started with sudo
  * SELinux labeling support
  * custom 32-bit seccomp filter support
  * restrict ${RUNUSER} in several profiles
  * blacklist shells such as bash in several profiles
  * whitelist globbing
  * mkdir and mkfile support for /run/user directory
  * support ignore for include
  * --include on the command line
  * splitting up media players whitelists in
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
  * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
  * new profiles: presentations18, presentations18free, textmaker18, teams
  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
  * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
  * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
  * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
  * new profiles:, ferdi, abiword, four-in-a-row
  * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
  * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
  * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
  * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
  * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
  * new profiles: swell-foop, fdns, five-or-more, steam-runtime
  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
  * new profiles: gapplication, openarena_ded, element-desktop, cawbird
  * new profiles: freetube, strawberry, jitsi-meet-desktop
  * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
  * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
  * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
  * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
  * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
  * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
  * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
  * new profiles: qrencode, ytmdesktop, twitch
  * new profiles: xournalpp, chromium-freeworld, equalx
- remove firejail-0.9.62-fix-usr-etc.patch, included upstream
- remove firejail-apparmor-3.0.diff, included upstream
* Mon Oct 26 2020 Christian Boltz <>
- Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with
  AppArmor 3.0 (add missing include <tunables/global>)
* Wed Aug 19 2020 Paolo Stivanin <>
- Update to
  * fix AppArmor broken in the previous release
  * miscellaneous fixes
* Thu Aug 13 2020 Paolo Stivanin <>
- Update to
  * fix CVE-2020-17367
  * fix CVE-2020-17368
  * additional hardening and bug fixes
- Remove fix-CVE-2020-17368.patch
- Remove fix-CVE-2020-17367.patch
* Sat Aug 08 2020 Sebastian Wagner <>
- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986
Version: 0.9.62-bp152.2.1
* Wed Apr 29 2020 Michael Vetter <>
- Add firejail-0.9.62-fix-usr-etc.patch:
  Check /usr/etc not just /etc
- Replace python interpreter line in
* Tue Feb 11 2020 Marcus Rueckert <>
- update to version 0.9.62
  * added file-copy-limit in /etc/firejail/firejail.config
  * profile templates (/usr/share/doc/firejail)
  * allow-debuggers support in profiles
  * several seccomp enhancements
  * compiler flags autodetection
  * move chroot entirely from path based to file descriptor based mounts
  * whitelisting /usr/share in a large number of profiles
  * new scripts in conrib: and
  * enhancement: whitelist /usr/share in some profiles
  * added signal mediation to apparmor profile
  * new conditions: HAS_X11, HAS_NET
  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
  * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
  * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
  * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
  * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
  * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
  * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
  * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
  * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
  * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
  * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
  * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
  * new profiles: electron-mail, gist, gist-paste
* Sun Jun 02 2019 Sebastian Wagner <>
- update to version 0.9.60:
  * security bug reported by Austin Morton:
  Seccomp filters are copied into /run/firejail/mnt, and are writable
  within the jail. A malicious process can modify files from inside the
  jail. Processes that are later joined to the jail will not have seccomp
  filters applied.
  * memory-deny-write-execute now also blocks memfd_create
  * add private-cwd option to control working directory within jail
  * blocking system D-Bus socket with --nodbus
  * bringing back Centos 6 support
  * drop support for flatpak/snap packages
  * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
  * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
  * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
  * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
  * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
  * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
  * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
  * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
  * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
  * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
  * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
  * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
* Fri Feb 01 2019
-  update to version 0.9.58:
  * --disable-mnt rework
  * --net.print command
  * GitLab CI/CD integration: disto specific builds
  * profile parser enhancements and conditional handling support
  * profile name support
  * added explicit nonewprivs support to join option
  * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
  * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
  * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
  * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
  * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
  * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
  * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
  * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
  * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
  * new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland
  * new profiles: supertuxkart, ghostwriter, gajim-history-manager
  * bugfixes
* Sat Sep 22 2018 Sebastian Wagner <>
- update to version 0.9.56:
  * modif: removed CFG_CHROOT_DESKTOP configuration option
  * modif: removed compile time --enable-network=restricted
  * modif: removed compile time --disable-bind
  * modif: --net=none allowed even if networking was disabled at compile
    time or at run time
  * modif: allow system users to run the sandbox
  * support wireless devices in --net option
  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified
    by --net is not configured (--netmask)
  * support for firetunnel utility
  * disable U2F devices (--nou2f)
  * add --private-cache to support private ~/.cache
  * support full paths in private-lib
  * globbing support in private-lib
  * support for local user directories in firecfg (--bindir)
  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
  * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
  * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
  * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
  * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
  * new profiles: start-tor-browser.desktop
* Tue Sep 11 2018 Markos Chandras <>
- Drop ldconfig calls since firejail libraries are installed in their
  own subdirectory which is not scanned by ldconfig.
* Mon Sep 10 2018 Markos Chandras <>
- Remove the rpmlintrc file since the warnings are no longer relevant.
* Thu Aug 23 2018
- Changed the permissions of the firejail executable to 4750.
  Setuid mode is used, but only allowed for users in the newly
  created group 'firejail' (boo#1059013).
- Update to version 0.9.54:
  * modif: --force removed
  * modif: --csh, --zsh removed
  * modif: --debug-check-filename removed
  * modif: --git-install and --git-uninstall removed
  * modif: support for private-bin, private-lib and shell none has been
    disabled while running AppImage archives in order to be able to use
    our regular profile files with AppImages.
  * modif: restrictions for /proc, /sys and /run/user directories
    are moved from AppArmor profile into firejail executable
  * modif: unifying Chromium and Firefox browsers profiles.
    All users of Firefox-based browsers who use addons and plugins
    that read/write from ${HOME} will need to uncomment the includes for in firefox-common.profile.
  * modif: split into disable-devel and
  * Firejail user access database (/etc/firejail/firejail.users,
    man firejail-users)
  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
  * Spectre mitigation patch for gcc and clang compiler
  * D-Bus handling (--nodbus)
  * AppArmor support for overlayfs and chroot sandboxes
  * AppArmor support for AppImages
  * Enable AppArmor by default for a large number of programs
  * firejail --apparmor.print option
  * firemon --apparmor option
  * apparmor yes/no flag in /etc/firejail/firejail.config
  * seccomp syscall list update for glibc 2.26-10
  * seccomp disassembler for --seccomp.print option
  * seccomp machine code optimizer for default seccomp filters
  * IPv6 DNS support
  * whitelist support for overlay and chroot sandboxes
  * private-dev support for overlay and chroot sandboxes
  * private-tmp support for overlay and chroot sandboxes
  * added sandbox name support in firemon
  * firemon/prctl enhancements
  * noblacklist support for /sys/module directory
  * whitelist support for /sys/module directory
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
  * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
  * new profiles: qmmp, sayonara
* Wed Dec 13 2017
- Update to version 0.9.52:
  * New features
    + systemd-resolved integration
    + whitelisted /var in most profiles
    + GTK2, GTK3 and Qt4 private-lib support
    + --debug-private-lib
    + test deployment of private-lib for the some apps: evince,
    galculator, gnome-calculator, leafpad, mousepad,
    transmission-gtk, xcalc, xmr-stak-cpu, atril,
    mate-color-select, tar, file, strings, gpicview, eom, eog,
    gedit, pluma
    + netfilter template support
    + various new arguments
  * --writable-run-user
  * --rlimit-as
  * --rlimit-cpu
  * --timeout
  * --build (profile build tool)
  * --netfilter.print
  * --netfilter6.print
  * deprecations in modif
    + --allow-private-blacklists (blacklisting, read-only,
    read-write, tmpfs and noexec are allowed in private home
    + remount-proc-sys (firejail.config)
    + follow-symlink-private-bin (firejail.config)
    + --profile-path
  * enhancements
    + support Firejail user config directory in firecfg
    + disable DBus activation in firecfg
    + enumerate root directories in apparmor profile
    + /etc and /usr/share whitelisting support
    + globbing support for --private-bin
  * new profiles: upstreamed profiles from 3 sources:
  * new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
    clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
    brackets, calligra, calligraauthor, calligraconverter,
    calligraflow, calligraplan, calligraplanwork, calligrasheets,
    calligrastage, calligrawords, cin, dooble, dooble-qt4,
    fetchmail, freecad, freecadcmd, google-earth,imagej, karbon,
    1kdenlive, krita, linphone, lmms, macrofusion, mpd, natron,
    Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
    Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg,
    bluefish, cinelerra, openshot-qt, pinta, uefitool, aosp,
    pdfmod, gnome-ring, xcalc, zaproxy, kopete, cliqz,
    signal-desktop, kget, nheko, Enpass, kwin_x11, krunner, ping,
    bsdtar, makepkg (Arch), archaudit-report cower (Arch), kdeinit4
- Add full link to source tarball from sourceforge
- Add asc file
* Sat Sep 09 2017
- Update to version 0.9.50:
  * New features:
  - per-profile disable-mnt (--disable-mnt)
  - per-profile support to set X11 Xephyr screen size (--xephyr-screen)
  - private /lib directory (--private-lib)
  - disable CDROM/DVD drive (--nodvd)
  - disable DVB devices (--notv)
  - --profile.print
  * modif: --output split in two commands, --output and --output-stderr
  * set xpra-attach yes in /etc/firejail/firejail.config
  * Enhancements:
  - print all seccomp filters under --debug
  - /proc/sys mounting
  - rework IP address assingment for --net options
  - support for newer Xpra versions (2.1+) -
  - all profiles use a standard layout style
  - create /usr/local for firecfg if the directory doesn't exist
  - allow full paths in --private-bin
  * New seccomp features:
  - --memory-deny-write-execute
  - seccomp post-exec
  - block secondary architecture (--seccomp.block_secondary)
  - seccomp syscall groups
  - print all seccomp filters under --debug
  - default seccomp list update
  * new profiles:
    curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
    Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
    Android Studio, electron, riot-web, Extreme Tux Racer,
    Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
    telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
    hashcat, obs, picard, remmina, sdat2img, soundconverter
    truecraft, gnome-twitch, tuxguitar, musescore, neverball
    sqlitebrowse, Yandex Browser, minetest
* Tue Aug 15 2017
- Update to version 0.9.48:
  * modifs: whitelisted Transmission, Deluge, qBitTorrent,
    please use ~/Downloads directory for saving files
  * modifs: AppArmor made optional; a warning is printed on the
    screen if the sandbox fails to load the AppArmor profile
  * feature: --novideo
  * feature: drop discretionary access control capabilities for
    root sandboxes
  * feature: added /etc/firejail/globals.local for global
  * feature: profile support in overlayfs mode
  * new profiles: vym, darktable, Waterfox, digiKam, Catfish,
  * bugfixes
* Mon Jan 16 2017
- Update to version
  * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * disabled --allow-debuggers when running on kernel versions prior
    to 4.8; a kernel bug in ptrace system call allows a full bypass
    of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  * root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version
  * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * major cleanup of file copying code
  * tightening the rules for --chroot and --overlay features
  * ported Gentoo compile patch
  * Nvidia drivers bug in --private-dev
  * fix ASSERT_PERMS_FD macro
  * allow local customization using .local files under /etc/firejail
    backported from our development branch
  * spoof machine-id backported from our development branch
- Remove obsoleted patches:
* Thu Jan 05 2017
- Update to version
  Security fixes:
  * overwrite /etc/resolv.conf found by Martin Carpenter
  * TOCTOU exploit for ?get and ?put found by Daniel Hodson
  * invalid environment exploit found by Martin Carpenter
  * several security enhancements
  * crashing VLC by pressing Ctrl-O
  * use user configured icons in KDE
  * mkdir and mkfile are not applied to private directories
  * cannot open files on Deluge running under KDE
  * ?private=dir where dir is the user home directory
  * cannot start Vivaldi browser
  * cannot start mupdf
  * ssh profile problems
  * ?quiet
  * quiet in git profile
  * memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
* Thu Oct 27 2016
- Update to version 0.9.44:
  * CVE-2016-7545 submitted by Aleksey Manevich
  * removed man firejail-config
  * ?private-tmp whitelists /tmp/.X11-unix directory
  * Nvidia drivers added to ?private-dev
  * /srv supported by ?whitelist
  New features:
  * allow user access to /sys/fs (?noblacklist=/sys/fs)
  * support starting/joining sandbox is a single command (?join-or-start)
  * X11 detection support for ?audit
  * assign a name to the interface connected to the bridge (?veth-name)
  * all user home directories are visible (?allusers)
  * add files to sandbox container (?put)
  * blocking x11 (?x11=block)
  * X11 security extension (?x11=xorg)
  * disable 3D hardware acceleration (?no3d)
  * x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
  * move files in sandbox (?put)
  * accept wildcard patterns in user name field of restricted shell login feature
  New profiles:
  * qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
  * feh, ranger, zathura, 7z, keepass, keepassx,
  * claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
  * Flowblade, Eye of GNOME (eog), Evolution
* Fri Sep 30 2016
- Update to version 0.9.42:
  Security fixes:
  * ?whitelist deleted files
  * disable x32 ABI in seccomp
  * tighten ?chroot
  * terminal sandbox escape
  * several TOCTOU fixes
  Behavior changes:
  * bringing back ?private-home option
  * deprecated ?user option, please use ?sudo -u username firejail?
  * allow symlinks in home directory for ?whitelist option
  * Firejail prompt is enabled by env variable FIREJAIL_PROMPT=?yes?
  * recursive mkdir
  * include /dev/snd in ?private-dev
  * seccomp filter update
  * release archives moved to .xz format
  New features:
  * AppImage support (?appimage)
  * AppArmor support (?apparmor)
  * Ubuntu snap support (/etc/firejail/snap.profile)
  * Sandbox auditing support (?audit)
  * remove environment variable (?rmenv)
  * noexec support (?noexec)
  * clean local overlay storage directory (?overlay-clean)
  * store and reuse overlay (?overlay-named)
  * allow debugging inside the sandbox with gdb and strace (?allow-debuggers)
  * mkfile profile command
  * quiet profile command
  * x11 profile command
  * option to fix desktop files (firecfg ?fix)
  Build options:
  * Busybox support (?enable-busybox-workaround)
  * disable overlayfs (?disable-overlayfs)
  * disable whitlisting (?disable-whitelist)
  * disable global config (?disable-globalcfg)
  Runtime options:
  * enable/disable overlayfs (overlayfs yes/no)
  * enable/disable quiet as default (quiet-by-default yes/no)
  * user-defined network filter (netfilter-default)
  * enable/disable whitelisting (whitelist yes/no)
  * enable/disable remounting of /proc and /sys (remount-proc-sys yes/no)
  * enable/disable chroot desktop features (chroot-desktop yes/no)
  New/updated profiels:
  * Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * pix, audacity, xz, xzdec, gzip, cpio, less
  * Atom Beta, Atom, jitsi, eom, uudeview
  * tar (gtar), unzip, unrar, file, skypeforlinux,
  * inox, Slack, gnome-chess. Gajim IM client, DOSBox
- Enable apparmor support
* Wed Jun 08 2016
- Update to version 0.9.40:
  * Added firecfg utility
  * New options: -nice, -cpu.print, -writable-etc, -writable-var,
  - read-only
  * X11 support: -x11 option (-x11=xpra, -x11=xephr)
  * Filetransfer options: ?ls and ?get
  * Added mkdir, ipc-namespace, and nosound profile commands
  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile
  * Run time config support, man firejail-config
  * AppArmor fixes
  * Default seccomp filter update
  * Disable STUN/WebRTC in default netfilter configuration
  * Lots of new profiles
* Tue May 17 2016
- initial package: 0.9.38