Package Release Info


Update Info: openSUSE-2022-10015
Available in Package Hub : 15 SP3 Update





Change Logs

* Tue Jun 14 2022 Sebastian Wagner <>
- update to version 0.9.70:
  - fix bsc#1199148 CVE-2022-31214
  - security: CVE-2022-31214 - root escalation in --join logic
  - Reported by Matthias Gerstner, working exploit code was provided to our
  - development team. In the same time frame, the problem was independently
  - reported by Birk Blechschmidt. Full working exploit code was also provided.
  - feature: enable shell tab completion with --tab (#4936)
  - feature: disable user profiles at compile time (#4990)
  - feature: Allow resolution of .local names with avahi-daemon in the apparmor
  - profile (#5088)
  - feature: always log seccomp errors (#5110)
  - feature: firecfg --guide, guided user configuration (#5111)
  - feature: --oom, kernel OutOfMemory-killer (#5122)
  - modif: --ids feature needs to be enabled at compile time (#5155)
  - modif: --nettrace only available to root user
  - rework: whitelist restructuring (#4985)
  - rework: firemon, speed up and lots of fixes
  - bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
  - bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
  - bugfix: openSUSE Leap - (#4954)
  - bugfix: fix printing in evince (#5011)
  - bugfix: gcov: fix gcov functions always declared as dummy (#5028)
  - bugfix: Stop warning on safe supplementary group clean (#5114)
  - build: remove ultimately unused INSTALL and RANLIB check macros (#5133)
  - build: pass remaining arguments to ./configure (#5154)
  - ci: replace centos (EOL) with almalinux (#4912)
  - ci: fix --version not printing compile-time features (#5147)
  - ci: print version after install & fix apparmor support on build_apparmor
  - (#5148)
  - docs: Refer to firejail.config in configuration files (#4916)
  - docs: firejail.config: add warning about allow-tray (#4946)
  - docs: mention that the protocol command accumulates (#5043)
  - docs: mention inconsistent homedir bug involving --private=dir (#5052)
  - docs: mention capabilities(7) on --caps (#5078)
  - new profiles: onionshare, onionshare-cli, opera-developer, songrec
  - new profiles: node-gyp, npx, semver, ping-hardened
  - removed profiles: nvm
Version: 0.9.62-bp152.2.1
* Wed Apr 29 2020 Michael Vetter <>
- Add firejail-0.9.62-fix-usr-etc.patch:
  Check /usr/etc not just /etc
- Replace python interpreter line in
* Tue Feb 11 2020 Marcus Rueckert <>
- update to version 0.9.62
  * added file-copy-limit in /etc/firejail/firejail.config
  * profile templates (/usr/share/doc/firejail)
  * allow-debuggers support in profiles
  * several seccomp enhancements
  * compiler flags autodetection
  * move chroot entirely from path based to file descriptor based mounts
  * whitelisting /usr/share in a large number of profiles
  * new scripts in conrib: and
  * enhancement: whitelist /usr/share in some profiles
  * added signal mediation to apparmor profile
  * new conditions: HAS_X11, HAS_NET
  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
  * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
  * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
  * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
  * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
  * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
  * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
  * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
  * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
  * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
  * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
  * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
  * new profiles: electron-mail, gist, gist-paste
* Sun Jun 02 2019 Sebastian Wagner <>
- update to version 0.9.60:
  * security bug reported by Austin Morton:
  Seccomp filters are copied into /run/firejail/mnt, and are writable
  within the jail. A malicious process can modify files from inside the
  jail. Processes that are later joined to the jail will not have seccomp
  filters applied.
  * memory-deny-write-execute now also blocks memfd_create
  * add private-cwd option to control working directory within jail
  * blocking system D-Bus socket with --nodbus
  * bringing back Centos 6 support
  * drop support for flatpak/snap packages
  * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
  * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
  * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
  * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
  * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
  * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
  * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
  * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
  * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
  * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
  * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
  * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
* Fri Feb 01 2019
-  update to version 0.9.58:
  * --disable-mnt rework
  * --net.print command
  * GitLab CI/CD integration: disto specific builds
  * profile parser enhancements and conditional handling support
  * profile name support
  * added explicit nonewprivs support to join option
  * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
  * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
  * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
  * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
  * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
  * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
  * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
  * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
  * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
  * new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland
  * new profiles: supertuxkart, ghostwriter, gajim-history-manager
  * bugfixes
* Sat Sep 22 2018 Sebastian Wagner <>
- update to version 0.9.56:
  * modif: removed CFG_CHROOT_DESKTOP configuration option
  * modif: removed compile time --enable-network=restricted
  * modif: removed compile time --disable-bind
  * modif: --net=none allowed even if networking was disabled at compile
    time or at run time
  * modif: allow system users to run the sandbox
  * support wireless devices in --net option
  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified
    by --net is not configured (--netmask)
  * support for firetunnel utility
  * disable U2F devices (--nou2f)
  * add --private-cache to support private ~/.cache
  * support full paths in private-lib
  * globbing support in private-lib
  * support for local user directories in firecfg (--bindir)
  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
  * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
  * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
  * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
  * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
  * new profiles: start-tor-browser.desktop
* Tue Sep 11 2018 Markos Chandras <>
- Drop ldconfig calls since firejail libraries are installed in their
  own subdirectory which is not scanned by ldconfig.
* Mon Sep 10 2018 Markos Chandras <>
- Remove the rpmlintrc file since the warnings are no longer relevant.
* Thu Aug 23 2018
- Changed the permissions of the firejail executable to 4750.
  Setuid mode is used, but only allowed for users in the newly
  created group 'firejail' (boo#1059013).
- Update to version 0.9.54:
  * modif: --force removed
  * modif: --csh, --zsh removed
  * modif: --debug-check-filename removed
  * modif: --git-install and --git-uninstall removed
  * modif: support for private-bin, private-lib and shell none has been
    disabled while running AppImage archives in order to be able to use
    our regular profile files with AppImages.
  * modif: restrictions for /proc, /sys and /run/user directories
    are moved from AppArmor profile into firejail executable
  * modif: unifying Chromium and Firefox browsers profiles.
    All users of Firefox-based browsers who use addons and plugins
    that read/write from ${HOME} will need to uncomment the includes for in firefox-common.profile.
  * modif: split into disable-devel and
  * Firejail user access database (/etc/firejail/firejail.users,
    man firejail-users)
  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
  * Spectre mitigation patch for gcc and clang compiler
  * D-Bus handling (--nodbus)
  * AppArmor support for overlayfs and chroot sandboxes
  * AppArmor support for AppImages
  * Enable AppArmor by default for a large number of programs
  * firejail --apparmor.print option
  * firemon --apparmor option
  * apparmor yes/no flag in /etc/firejail/firejail.config
  * seccomp syscall list update for glibc 2.26-10
  * seccomp disassembler for --seccomp.print option
  * seccomp machine code optimizer for default seccomp filters
  * IPv6 DNS support
  * whitelist support for overlay and chroot sandboxes
  * private-dev support for overlay and chroot sandboxes
  * private-tmp support for overlay and chroot sandboxes
  * added sandbox name support in firemon
  * firemon/prctl enhancements
  * noblacklist support for /sys/module directory
  * whitelist support for /sys/module directory
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
  * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
  * new profiles: qmmp, sayonara
* Wed Dec 13 2017
- Update to version 0.9.52:
  * New features
    + systemd-resolved integration
    + whitelisted /var in most profiles
    + GTK2, GTK3 and Qt4 private-lib support
    + --debug-private-lib
    + test deployment of private-lib for the some apps: evince,
    galculator, gnome-calculator, leafpad, mousepad,
    transmission-gtk, xcalc, xmr-stak-cpu, atril,
    mate-color-select, tar, file, strings, gpicview, eom, eog,
    gedit, pluma
    + netfilter template support
    + various new arguments
  * --writable-run-user
  * --rlimit-as
  * --rlimit-cpu
  * --timeout
  * --build (profile build tool)
  * --netfilter.print
  * --netfilter6.print
  * deprecations in modif
    + --allow-private-blacklists (blacklisting, read-only,
    read-write, tmpfs and noexec are allowed in private home
    + remount-proc-sys (firejail.config)
    + follow-symlink-private-bin (firejail.config)
    + --profile-path
  * enhancements
    + support Firejail user config directory in firecfg
    + disable DBus activation in firecfg
    + enumerate root directories in apparmor profile
    + /etc and /usr/share whitelisting support
    + globbing support for --private-bin
  * new profiles: upstreamed profiles from 3 sources:
  * new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
    clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
    brackets, calligra, calligraauthor, calligraconverter,
    calligraflow, calligraplan, calligraplanwork, calligrasheets,
    calligrastage, calligrawords, cin, dooble, dooble-qt4,
    fetchmail, freecad, freecadcmd, google-earth,imagej, karbon,
    1kdenlive, krita, linphone, lmms, macrofusion, mpd, natron,
    Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
    Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg,
    bluefish, cinelerra, openshot-qt, pinta, uefitool, aosp,
    pdfmod, gnome-ring, xcalc, zaproxy, kopete, cliqz,
    signal-desktop, kget, nheko, Enpass, kwin_x11, krunner, ping,
    bsdtar, makepkg (Arch), archaudit-report cower (Arch), kdeinit4
- Add full link to source tarball from sourceforge
- Add asc file
* Sat Sep 09 2017
- Update to version 0.9.50:
  * New features:
  - per-profile disable-mnt (--disable-mnt)
  - per-profile support to set X11 Xephyr screen size (--xephyr-screen)
  - private /lib directory (--private-lib)
  - disable CDROM/DVD drive (--nodvd)
  - disable DVB devices (--notv)
  - --profile.print
  * modif: --output split in two commands, --output and --output-stderr
  * set xpra-attach yes in /etc/firejail/firejail.config
  * Enhancements:
  - print all seccomp filters under --debug
  - /proc/sys mounting
  - rework IP address assingment for --net options
  - support for newer Xpra versions (2.1+) -
  - all profiles use a standard layout style
  - create /usr/local for firecfg if the directory doesn't exist
  - allow full paths in --private-bin
  * New seccomp features:
  - --memory-deny-write-execute
  - seccomp post-exec
  - block secondary architecture (--seccomp.block_secondary)
  - seccomp syscall groups
  - print all seccomp filters under --debug
  - default seccomp list update
  * new profiles:
    curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
    Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
    Android Studio, electron, riot-web, Extreme Tux Racer,
    Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
    telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
    hashcat, obs, picard, remmina, sdat2img, soundconverter
    truecraft, gnome-twitch, tuxguitar, musescore, neverball
    sqlitebrowse, Yandex Browser, minetest
* Tue Aug 15 2017
- Update to version 0.9.48:
  * modifs: whitelisted Transmission, Deluge, qBitTorrent,
    please use ~/Downloads directory for saving files
  * modifs: AppArmor made optional; a warning is printed on the
    screen if the sandbox fails to load the AppArmor profile
  * feature: --novideo
  * feature: drop discretionary access control capabilities for
    root sandboxes
  * feature: added /etc/firejail/globals.local for global
  * feature: profile support in overlayfs mode
  * new profiles: vym, darktable, Waterfox, digiKam, Catfish,
  * bugfixes
* Mon Jan 16 2017
- Update to version
  * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * disabled --allow-debuggers when running on kernel versions prior
    to 4.8; a kernel bug in ptrace system call allows a full bypass
    of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  * root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version
  * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * major cleanup of file copying code
  * tightening the rules for --chroot and --overlay features
  * ported Gentoo compile patch
  * Nvidia drivers bug in --private-dev
  * fix ASSERT_PERMS_FD macro
  * allow local customization using .local files under /etc/firejail
    backported from our development branch
  * spoof machine-id backported from our development branch
- Remove obsoleted patches:
* Thu Jan 05 2017
- Update to version
  Security fixes:
  * overwrite /etc/resolv.conf found by Martin Carpenter
  * TOCTOU exploit for ?get and ?put found by Daniel Hodson
  * invalid environment exploit found by Martin Carpenter
  * several security enhancements
  * crashing VLC by pressing Ctrl-O
  * use user configured icons in KDE
  * mkdir and mkfile are not applied to private directories
  * cannot open files on Deluge running under KDE
  * ?private=dir where dir is the user home directory
  * cannot start Vivaldi browser
  * cannot start mupdf
  * ssh profile problems
  * ?quiet
  * quiet in git profile
  * memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
* Thu Oct 27 2016
- Update to version 0.9.44:
  * CVE-2016-7545 submitted by Aleksey Manevich
  * removed man firejail-config
  * ?private-tmp whitelists /tmp/.X11-unix directory
  * Nvidia drivers added to ?private-dev
  * /srv supported by ?whitelist
  New features:
  * allow user access to /sys/fs (?noblacklist=/sys/fs)
  * support starting/joining sandbox is a single command (?join-or-start)
  * X11 detection support for ?audit
  * assign a name to the interface connected to the bridge (?veth-name)
  * all user home directories are visible (?allusers)
  * add files to sandbox container (?put)
  * blocking x11 (?x11=block)
  * X11 security extension (?x11=xorg)
  * disable 3D hardware acceleration (?no3d)
  * x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
  * move files in sandbox (?put)
  * accept wildcard patterns in user name field of restricted shell login feature
  New profiles:
  * qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
  * feh, ranger, zathura, 7z, keepass, keepassx,
  * claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
  * Flowblade, Eye of GNOME (eog), Evolution
* Fri Sep 30 2016
- Update to version 0.9.42:
  Security fixes:
  * ?whitelist deleted files
  * disable x32 ABI in seccomp
  * tighten ?chroot
  * terminal sandbox escape
  * several TOCTOU fixes
  Behavior changes:
  * bringing back ?private-home option
  * deprecated ?user option, please use ?sudo -u username firejail?
  * allow symlinks in home directory for ?whitelist option
  * Firejail prompt is enabled by env variable FIREJAIL_PROMPT=?yes?
  * recursive mkdir
  * include /dev/snd in ?private-dev
  * seccomp filter update
  * release archives moved to .xz format
  New features:
  * AppImage support (?appimage)
  * AppArmor support (?apparmor)
  * Ubuntu snap support (/etc/firejail/snap.profile)
  * Sandbox auditing support (?audit)
  * remove environment variable (?rmenv)
  * noexec support (?noexec)
  * clean local overlay storage directory (?overlay-clean)
  * store and reuse overlay (?overlay-named)
  * allow debugging inside the sandbox with gdb and strace (?allow-debuggers)
  * mkfile profile command
  * quiet profile command
  * x11 profile command
  * option to fix desktop files (firecfg ?fix)
  Build options:
  * Busybox support (?enable-busybox-workaround)
  * disable overlayfs (?disable-overlayfs)
  * disable whitlisting (?disable-whitelist)
  * disable global config (?disable-globalcfg)
  Runtime options:
  * enable/disable overlayfs (overlayfs yes/no)
  * enable/disable quiet as default (quiet-by-default yes/no)
  * user-defined network filter (netfilter-default)
  * enable/disable whitelisting (whitelist yes/no)
  * enable/disable remounting of /proc and /sys (remount-proc-sys yes/no)
  * enable/disable chroot desktop features (chroot-desktop yes/no)
  New/updated profiels:
  * Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * pix, audacity, xz, xzdec, gzip, cpio, less
  * Atom Beta, Atom, jitsi, eom, uudeview
  * tar (gtar), unzip, unrar, file, skypeforlinux,
  * inox, Slack, gnome-chess. Gajim IM client, DOSBox
- Enable apparmor support
* Wed Jun 08 2016
- Update to version 0.9.40:
  * Added firecfg utility
  * New options: -nice, -cpu.print, -writable-etc, -writable-var,
  - read-only
  * X11 support: -x11 option (-x11=xpra, -x11=xephr)
  * Filetransfer options: ?ls and ?get
  * Added mkdir, ipc-namespace, and nosound profile commands
  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile
  * Run time config support, man firejail-config
  * AppArmor fixes
  * Default seccomp filter update
  * Disable STUN/WebRTC in default netfilter configuration
  * Lots of new profiles
* Tue May 17 2016
- initial package: 0.9.38
* Tue Feb 09 2021 Sebastian Wagner <>
- Bring firejail to Leap 15.2
  - fixes boo#1181990
  - fixes CVE-2021-26910
* Sun Feb 07 2021 ???? ?????? <>
- Update to
  * disabled overlayfs, pending multiple fixes
  * fixed launch firefox for open url in telegram-desktop.profile
* Thu Jan 28 2021 ???? ?????? <>
- Update to
  * allow --tmpfs inside $HOME for unprivileged users
  * --disable-usertmpfs compile time option
  * allow AF_BLUETOOTH via --protocol=bluetooth
  * setup guide for new users: contrib/
  * implement netns in profiles
  * added IPv6 network filter
  * new profiles: spectacle, chromium-browser-privacy,
    gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer,
    gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu,
    authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg,
    mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.
* Mon Nov 02 2020 Sebastian Wagner <>
- packaging fixes
* Sun Nov 01 2020 Sebastian Wagner <>
- Update to version 0.9.64:
  * replaced --nowrap option with --wrap in firemon
  * The blocking action of seccomp filters has been changed from
    killing the process to returning EPERM to the caller. To get the
    previous behaviour, use --seccomp-error-action=kill or
    syscall:kill syntax when constructing filters, or override in
    /etc/firejail/firejail.config file.
  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
    xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
    With this version nodbus is deprecated, in favor of dbus-user none and
    dbus-system none and will be removed in a future version.
  * DHCP client support
  * firecfg only fix dektop-files if started with sudo
  * SELinux labeling support
  * custom 32-bit seccomp filter support
  * restrict ${RUNUSER} in several profiles
  * blacklist shells such as bash in several profiles
  * whitelist globbing
  * mkdir and mkfile support for /run/user directory
  * support ignore for include
  * --include on the command line
  * splitting up media players whitelists in
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
  * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
  * new profiles: presentations18, presentations18free, textmaker18, teams
  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
  * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
  * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
  * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
  * new profiles:, ferdi, abiword, four-in-a-row
  * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
  * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
  * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
  * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
  * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
  * new profiles: swell-foop, fdns, five-or-more, steam-runtime
  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
  * new profiles: gapplication, openarena_ded, element-desktop, cawbird
  * new profiles: freetube, strawberry, jitsi-meet-desktop
  * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
  * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
  * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
  * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
  * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
  * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
  * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
  * new profiles: qrencode, ytmdesktop, twitch
  * new profiles: xournalpp, chromium-freeworld, equalx
- remove firejail-0.9.62-fix-usr-etc.patch, included upstream
- remove firejail-apparmor-3.0.diff, included upstream
* Mon Oct 26 2020 Christian Boltz <>
- Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with
  AppArmor 3.0 (add missing include <tunables/global>)
* Wed Aug 19 2020 Paolo Stivanin <>
- Update to
  * fix AppArmor broken in the previous release
  * miscellaneous fixes
* Thu Aug 13 2020 Paolo Stivanin <>
- Update to
  * fix CVE-2020-17367
  * fix CVE-2020-17368
  * additional hardening and bug fixes
- Remove fix-CVE-2020-17368.patch
- Remove fix-CVE-2020-17367.patch
* Sat Aug 08 2020 Sebastian Wagner <>
- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986
Version: 0.9.66-bp154.1.22
* Sun Jul 18 2021 Andreas Stieger <>
- firejail 0.9.66:
  * deprecated --audit options, relpaced by jailcheck utility
  * deprecated follow-symlink-as-user from firejail.config
  * new firejail.config settings: private-bin, private-etc
  * new firejail.config settings: private-opt, private-srv
  * new firejail.config settings: whitelist-disable-topdir
  * new firejail.config settings: seccomp-filter-add
  * removed kcmp syscall from seccomp default filter
  * rename --noautopulse to keep-config-pulse
  * filtering environment variables
  * zsh completion
  * command line: --mkdir, --mkfile
  * --protocol now accumulates
  * jailtest utility for testing running sandboxes
  * faccessat2 syscall support
  * --private-dev keeps /dev/input
  * added --noinput to disable /dev/input
  * add support for subdirs in --private-etc
  * subdirs support in private-etc
  * input devices support in private-dev, --no-input
  * support trailing comments on profile lines
  * many new profiles
- split shell completion into standard subpackages
Version: 0.9.68-bp153.2.3.1
* Sun Feb 13 2022 Sebastian Wagner <>
- Update Leap 15.3 package to 0.9.68, fixing boo#1195880
  by using package from devel project/Tumbleweed, but without the split
  of shell completion packages to keep the changes minimal in this
* Sun Feb 06 2022 Sebastian Wagner <>
- update to firejail 0.9.68:
  - security: on Ubuntu, the PPA is now recommended over the distro package
  - (see (#4748)
  - security: bugfix: private-cwd leaks access to the entire filesystem
  - (#4780); reported by Hugo Osvaldo Barrera
  - feature: remove (some) environment variables with auth-tokens (#4157)
  - feature: ALLOW_TRAY condition (#4510 #4599)
  - feature: add basic Firejail support to AppArmor base abstraction (#3226
  - #4628)
  - feature: intrusion detection system (--ids-init, --ids-check)
  - feature: deterministic shutdown command (--deterministic-exit-code,
  - --deterministic-shutdown) (#928 #3042 #4635)
  - feature: noprinters command (#4607 #4827)
  - feature: network monitor (--nettrace)
  - feature: network locker (--netlock) (#4848)
  - feature: whitelist-ro profile command (#4740)
  - feature: disable pipewire with --nosound (#4855)
  - feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
  - feature: Allow apostrophe in whitelist and blacklist (#4614)
  - feature: AppImage support in --build command (#4878)
  - modifs: exit code: distinguish fatal signals by adding 128 (#4533)
  - modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
  - modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
  - modifs: nogroups now stopped causing certain system groups to be dropped,
  - which are now controlled by the relevant "no" options instead (such as
  - nosound -> drop audio group), which fixes device access issues on systems
  - not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
  - removal: --disable-whitelist at compile time
  - removal: whitelist=yes/no in /etc/firejail/firejail.config
  - bugfix: Fix sndio support (#4362 #4365)
  - bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
  - bugfix: --build clears the environment (#4460 #4467)
  - bugfix: firejail hangs with net parameter (#3958 #4476)
  - bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
  - bugfix: --tracelog and --trace override /etc/ (#4558 #4586)
  - bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
  - bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
  - bugfix: Firejail rejects empty arguments (#4395)
  - bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
  - bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
  - bugfix: private-etc does not work with symlinks (#4887)
  - bugfix: Hardware key not detected on keepassxc (#4883)
  - build: allow building with address sanitizer (#4594)
  - build: Stop linking pthread (#4695)
  - build: Configure cleanup and improvements (#4712)
  - ci: add profile checks for sorting and
  - firecfg.config and for the required arguments in private-etc (#2739 #4643)
  - ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
  - docs: Add new command checklist to (#4413)
  - docs: Rework bug report issue template and add both a question and a
  - feature request template (#4479 #4515 #4561)
  - docs: fix contradictory descriptions of machine-id ("preserves" vs
  - "spoofs") (#4689)
  - docs: Document that private-bin and private-etc always accumulate (#4078)
  - new includes: (#4288), (#4462)
  - new includes: (#4521)
  - removed includes: (#4454 #4461)
  - new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
  - new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
  - new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
  - new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
  - new profiles: imv, retroarch, torbrowser, CachyBrowser,
  - new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
  - new profiles: Seafile, neovim, com.github.tchx84.Flatseal