Version 0.9.26, Saturday, May 2, 2015
- Private dev directory
- private.keep option for whitelisting home files in a new private directory
- User namespaces support, noroot option
- Added Deluge and qBittorent profiles
Version 0.9.24, Sunday, April 5, 2015
- Whitelist and blacklist seccomp filters
- Doubledash option
- –shell=none support
- Netfilter support in profile files
- DNS server support in profile files
- Added –dns.print option
- Added default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem.
- Added –caps.drop=all in default profiles
- New syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
- Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
- Two build patches from Reiner Herman (tickets 11, 12)
- Man page patch from Reiner Herman (ticket 13)
- Output patch (ticket 15) from sshirokov
Version 0.9.22, Tuesday, March 10, 2015
- Replaced –noip option with –ip=none
- Container stdout logging and log rotation
- Added process_vm_readv, process_vm_writev and mknod to default seccomp blacklist
- Added CAP_MKNOD to default caps blacklist
- Blacklist and whitelist custom Linux capabilities filters
- macvlan device driver support for –net option
- DNS server support, –dns option
- Netfilter support
- Monitor network statistics, –netstats option
- Added profile for Mozilla Thunderbird/Icedove
- – –overlay support for Linux kernels 3.18+
- Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
- Bugfix: check uid/gid for cgroup
Version 0.9.20, Friday, February 6, 2015
- utmp, btmp and wtmp enhancements: create empty /var/log/wtmp and /var/log/btmp files in sandbox, generate a new /var/run/utmp file in sandbox
- CPU affinity, –cpu option
- Linux control groups support, –cgroup option
- Opera web browser support
- VLC support
- Add empty attribute to –seccomp command to remove the default syscall list form seccomp blacklist
- Added –nogroups option to disable supplementary groups for regular users. root user always runs without supplementary groups.
- firemon: display the command that started the sandbox
- firemon: added –caps option to display capabilities for all sandboxes
- firemon: added –cgroup option to display the control groups for all sandboxes
- firemon: added –cpu option to display CPU affinity for all sandboxes
- firemon: added –seccomp option to display seccomp setting for all sandboxes
- New compile time options: –disable-chroot, –disable-bind
Version 0.9.18, Tuesday, December 30, 2014
- Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
- Support for tracing setreuid, setregid, setresuid, setresguid syscalls
- Added profiles for transmission-gtk and transmission-qt
Version 0.9.16, Tuesday, November 4, 2014
- Configurable private home directory
- Configurable default user shell
- Software configuration support for –docdir and DESTDIR
- Profile file support for include, caps, seccomp and private keywords
- Dropbox profile file
- Linux capabilities and seccomp filters enabled by default for Firefox, Midori, Evince and Dropbox
Version 0.9.14, Friday, October 17 2004
- Linux capabilities and seccomp filters are automatically enabled in
chroot mode (–chroot option) if the sandbox is started as regular user
- Added support for user defined seccomp blacklists
- Added syscall trace support
- Added –tmpfs option
- Added –balcklist option
- Added –read-only option
- Added –bind option
- Process resource limits: –rlimit-fsize, –rlimit-nofile, –rlimit-nproc, –rlimit-sigpending
- Logging enhancements
- -overlay option was reactivated
- Added firemon support to print the ARP table for each sandbox
- Added firemon support to print the route table for each sandbox
- Added firemon support to print interface information for each sandbox
Version 0.9.12.2, Monday, September 29 2014
- More pulseaudio fixes
- –overlay option was temporarily disabled in this build
Version 0.9.12.1, Tuesday, September 23 2014
- Fix for pulseaudio problems
- –overlay option was temporarily disabled in this build
Version 0.9.12, Monday, September 15 2014
- Added Linux capabilities support
- Added support for CentOS 7
Version 0.9.10, Thursday, August 28 2014
- Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot
- Fixed –top option CPU utilization calculation
- Implemented –tree option in firejail and firemon
- Implemented –join=name option
- Implemented –shutdown option
- Preserve the current working directory if possible
- Cppcheck and clang errors cleanup
- Added a Chromium web browser profile
Version 0.9.8.1, Friday, July 25 2014
- Fixed a number of problems introduced in release 0.9.8.
Version 0.9.8, Thursday, July 24 2014
- Implemented nowrap mode for firejail –list command option
- Added –top option in both firejail and firemon
- Seccomp filter support
- Added PID filtering support for firemon
- Lots of bugfixes
Version 0.9.6, Saturday, June 7 2014
- Mounting tmpfs on top of /var/log, required by several server programs
- Server fixes for /var/lib and /var/cache
- Private mode fixes
- csh and zsh default shell support
- Chroot mode fixes
- Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd
Version 0.9.4, Sunday, May 4 2014
- Fixed resolv.conf on Ubuntu systems using DHCP.
- Fixed resolv.conf on Debian systems using resolvconf package.
- Fixed /var/lock directory.
- Fixed /var/tmp directory.
- Fixed symbolic links in profile files.
- Added profiles for evince, midori.
Version 0.9.2, Friday, April 24 2014
- Checking IP address passed with –ip option using ARP; exit if the address is already present.
- Using a lock file during ARP address assignment in order to removed a race condition.
- everal fixes to –private option; it also mounts a tmpfs filesystem on top of /tmp.
- Added user access check for profile file.
- Added –defaultgw option.
- Added support of –noip option; it is necessary for DHCP setups.
- Added syslog support.
- Added support for “tmpfs” and “read-only” profile commands.
- Added an expect-based testing framework for the project.
- Added bash completion support.
- Added support for multiple networks.
Version 0.9, Saturday, April 12 2014
- First beta version.