Firejail Release Notes


Version 0.9.34, Saturday, November 7, 2015

  • added --ignore option
  • added --protocol option
  • support dual i386/amd64 seccomp filters
  • added Google Chrome profile
  • added Steam, Skype, Wine and Conkeror profiles
  • Bugfixes

Version 0.9.32, Wednesday, October 21, 2015

  • Added --interface option
  • Added --mtu option
  • Added --private-bin option
  • Added --nosound option
  • Added --hostname option
  • Added --quiet option
  • Added seccomp errno support
  • Added FBReader default profile
  • Added Spotify default profile
  • Lots of default security profile changes
  • Fixed a security problem on multi-user systems
  • Bugfixes

Version 0.9.30, Monday, September 14, 2015

  • Added a profile as a result of the Firefox PDF.js exploit; included in all default profiles
  • Firefox PDF.js exploit (CVE-2015-4495) fixes
  • Added --private-etc option
  • Added --env option
  • Added --whitelist option
  • Support ${HOME} token in include directive in profile files
  • --private.keep is transitioned to --private-home
  • Support ~ and blanks in blacklist option
  • Support “net none” command in profile files
  • Using /etc/firejail/generic.profile by default for user sessions
  • Using /etc/firejail/server.profile by default for root sessions
  • Added build --enable-fatal-warnings configure option
  • Added persistence to --overlay option
  • Added --overlay-tmpfs option
  • make install-strip implemented, make install renamed
  • Bugfixes

Version 0.9.28, Tuesday, August 4, 2015

  • Network scanning, --scan option
  • Interface MAC address support, --mac option
  • IP address range, --iprange option
  • Traffic shaping, --bandwidth option
  • man pages rework
  • Added firejail-login man page
  • Added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default profiles
  • Added an /etc/firejail/ file to hold common directory blacklists
  • Blacklist Opera and Chrome/Chromium config directories in profile files
  • Support noroot option for profile files
  • Enabled noroot in default profile files
  • bugfixes

Version 0.9.26, Saturday, May 2, 2015

  • Private dev directory
  • private.keep option for whitelisting home files in a new private directory
  • User namespaces support, noroot option
  • Added Deluge and qBittorrent profiles
  • bugfixes

Version 0.9.24, Sunday, April 5, 2015

  • Whitelist and blacklist seccomp filters
  • Doubledash option
  • --shell=none support
  • Netfilter support in profile files
  • DNS server support in profile files
  • Added --dns.print option
  • Added default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem.
  • Added --caps.drop=all in default profiles
  • New syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
  • Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
  • Two build patches from Reiner Herman (tickets 11, 12)
  • Man page patch from Reiner Herman (ticket 13)
  • Output patch (ticket 15) from sshirokov
  • Bugfixes

Version 0.9.22, Tuesday, March 10, 2015

  • Replaced --noip option with --ip=none
  • Container stdout logging and log rotation
  • Added process_vm_readv, process_vm_writev and mknod to default seccomp blacklist
  • Added CAP_MKNOD to default caps blacklist
  • Blacklist and whitelist custom Linux capabilities filters
  • macvlan device driver support for --net option
  • DNS server support, --dns option
  • Netfilter support
  • Monitor network statistics, --netstats option
  • Added profile for Mozilla Thunderbird/Icedove
  • --overlay support for Linux kernels 3.18+
  • Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
  • Bugfix: check uid/gid for cgroup
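The seccomp items above (the mknod blacklist entry in 0.9.22, the blacklist and whitelist filters in 0.9.24, "seccomp errno support" in 0.9.32 and the "dual i386/amd64 seccomp filters" in 0.9.34) all describe one kernel mechanism: a BPF program attached with prctl(PR_SET_SECCOMP) that inspects the architecture and syscall number of every call and returns an action. The example below is an added illustration, written for this page and not taken from Firejail's source. It builds such a filter by hand for the single syscall mknod (and its mknodat variant, which modern glibc uses under the hood): calls are refused with errno EPERM instead of killing the process, the filter carries one deny list per ABI so that a 64-bit process cannot reach the 32-bit syscall table (where mknod has a different number) to get around it, x32-numbered calls and unknown architectures are killed outright, and a probe function then verifies that both the libc wrapper and a raw syscall are refused. The syscall numbers are taken from the kernel's x86 tables, the probe path under /tmp is a constructed name, and the filter is only installed when the binary is built for x86_64 or i386, since on any other architecture its last rule would kill the process.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers are per ABI (values from the kernel's x86 syscall tables).
 * A filter that matches only the x86_64 numbers leaves the i386 table, which is
 * reachable from the same process via int 0x80, completely open; hence the
 * filter checks seccomp_data.arch first and carries one deny list per ABI. */
#define NR_X86_64_MKNOD   133
#define NR_X86_64_MKNODAT 259
#define NR_I386_MKNOD      14
#define NR_I386_MKNODAT   297
#define X32_SYSCALL_BIT   0x40000000u   /* x32 ABI numbers carry this bit */

/* "errno mode": the call fails with EPERM instead of the process being killed. */
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install the dual-ABI filter in the calling process. 0 on success, -1 on error.
 * Like every seccomp filter it is inherited across fork() and execve(), which is
 * how a sandbox launcher applies it to the program it starts. */
int install_dual_arch_mknod_filter(void)
{
    struct sock_filter prog[] = {
        /*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 6),  /* else -> 8 */
        /* ---- x86_64 table ---- */
        /*  2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /*  3 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 10, 0),   /* x32 -> 14 */
        /*  4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_X86_64_MKNOD, 2, 0),    /* -> 7 */
        /*  5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_X86_64_MKNODAT, 1, 0),  /* -> 7 */
        /*  6 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /*  7 */ BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        /* ---- i386 table ---- */
        /*  8 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386, 0, 5),    /* else -> 14 */
        /*  9 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 10 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_I386_MKNOD, 2, 0),      /* -> 13 */
        /* 11 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_I386_MKNODAT, 1, 0),    /* -> 13 */
        /* 12 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 13 */ BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        /* 14: x32 numbers or an ABI the filter has no table for: kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };

    /* An unprivileged process may only install a filter after giving up the
     * ability to gain privileges via setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Install the filter, then try to create a FIFO through the libc wrapper and
 * through the raw native syscall number. Returns 1 when both are refused with
 * EPERM and nothing was created, 0 when the filter did not take effect, and
 * 2 on architectures the filter does not cover (it is not installed there). */
int demo_mknod_denied(void)
{
#if !defined(__x86_64__) && !defined(__i386__)
    return 2;
#else
    const char *path = "/tmp/firejail-seccomp-demo.fifo";  /* constructed probe path */
    int ok = 1;

    unlink(path);
    if (install_dual_arch_mknod_filter() != 0)
        return 0;

    /* Path 1: libc wrapper (recent glibc issues mknodat underneath). */
    errno = 0;
    if (mknod(path, S_IFIFO | 0600, 0) != -1 || errno != EPERM)
        ok = 0;

    /* Path 2: raw mknod syscall of the native ABI, bypassing libc entirely. */
    errno = 0;
    if (syscall(SYS_mknod, path, S_IFIFO | 0600, 0) != -1 || errno != EPERM)
        ok = 0;

    /* The filter runs before the syscall body, so nothing may exist on disk. */
    if (access(path, F_OK) == 0) {
        unlink(path);
        ok = 0;
    }
    return ok;
#endif
}

int main(void)
{
    int r = demo_mknod_denied();
    printf("mknod refused on both paths: %s\n",
           r == 1 ? "yes" : r == 2 ? "not tested (architecture not covered)" : "NO");
    return r == 0;
}
```

Build with `cc -Wall -o seccomp-demo seccomp-demo.c` and run as a regular user; no root is needed because PR_SET_NO_NEW_PRIVS is set first. Two points carry over directly to Firejail's options: a blacklist that names only the native-ABI syscall numbers is incomplete on a kernel with IA32 emulation, which is what the dual filter in 0.9.34 addresses, and SECCOMP_RET_ERRNO is the quieter alternative to killing the sandboxed program, useful for programs that probe for a syscall and cope with its failure.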

Version 0.9.20, Friday, February 6, 2015

  • utmp, btmp and wtmp enhancements: create empty /var/log/wtmp and /var/log/btmp files in sandbox, generate a new /var/run/utmp file in sandbox
  • CPU affinity, --cpu option
  • Linux control groups support, --cgroup option
  • Opera web browser support
  • VLC support
  • Add empty attribute to --seccomp command to remove the default syscall list from seccomp blacklist
  • Added --nogroups option to disable supplementary groups for regular users. root user always runs without supplementary groups.
  • firemon: display the command that started the sandbox
  • firemon: added --caps option to display capabilities for all sandboxes
  • firemon: added --cgroup option to display the control groups for all sandboxes
  • firemon: added --cpu option to display CPU affinity for all sandboxes
  • firemon: added --seccomp option to display seccomp setting for all sandboxes
  • New compile time options: --disable-chroot, --disable-bind
  • bugfixes

Version 0.9.18, Tuesday, December 30, 2014

  • Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
  • Support for tracing setreuid, setregid, setresuid, setresgid syscalls
  • Added profiles for transmission-gtk and transmission-qt
  • bugfixes

Version 0.9.16, Tuesday, November 4, 2014

  • Configurable private home directory
  • Configurable default user shell
  • Software configuration support for --docdir and DESTDIR
  • Profile file support for include, caps, seccomp and private keywords
  • Dropbox profile file
  • Linux capabilities and seccomp filters enabled by default for Firefox, Midori, Evince and Dropbox
  • bugfixes
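The profile-file features scattered through these notes (include, caps, seccomp and private keywords in 0.9.16; tmpfs and read-only commands in 0.9.2; netfilter and dns in 0.9.24; noroot and a shared blacklist include in 0.9.28; the ${HOME} token, whitelist and "net none" in 0.9.30) combine into one file. The profile below is an added example written for this page, not one of the profiles shipped with Firejail; the file name, the application it targets and the name of the shared include file are assumptions, and each line uses only a command the notes above report as supported in profile files.

```text
# example.profile (assumed name; run with: firejail --profile=example.profile <command>)

# Shared directory blacklist shipped in /etc/firejail/ (file name assumed)
include /etc/firejail/disable-common.inc

# Filesystem: hide credentials, protect startup files, make the cache volatile.
# ${HOME} is expanded to the invoking user's home directory.
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
read-only ${HOME}/.bashrc
tmpfs ${HOME}/.cache

# Privileges: drop every capability, enable the default seccomp blacklist,
# and map the sandbox to a user namespace so uid 0 inside is not root outside.
caps.drop all
seccomp
noroot

# Network: this program needs no network at all. For a program that does,
# replace "net none" with a network interface, keep the default netfilter
# ruleset, and pin a resolver so the sandbox does not inherit the host's
# resolv.conf:
#   netfilter
#   dns 192.0.2.53
net none
```

Two checks are worth running after writing such a profile: start the program with `firejail --profile=example.profile <command>` and confirm from a second terminal with `firemon --caps` and `firemon --seccomp` that the capability and seccomp settings actually took effect, and verify from inside the sandbox that the blacklisted directories are not visible. A directory blacklisted after being whitelisted (or the reverse) is easy to get wrong, so check the effective view rather than trusting the file.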

Version 0.9.14, Friday, October 17 2014

  • Linux capabilities and seccomp filters are automatically enabled in
    chroot mode (--chroot option) if the sandbox is started as regular user
  • Added support for user defined seccomp blacklists
  • Added syscall trace support
  • Added --tmpfs option
  • Added --blacklist option
  • Added --read-only option
  • Added --bind option
  • Process resource limits: --rlimit-fsize, --rlimit-nofile, --rlimit-nproc, --rlimit-sigpending
  • Logging enhancements
  • --overlay option was reactivated
  • Added firemon support to print the ARP table for each sandbox
  • Added firemon support to print the route table for each sandbox
  • Added firemon support to print interface information for each sandbox
  • bugfixes

Version, Monday, September 29 2014

  • More pulseaudio fixes
  • --overlay option was temporarily disabled in this build

Version, Tuesday, September 23 2014

  • Fix for pulseaudio problems
  • --overlay option was temporarily disabled in this build

Version 0.9.12, Monday, September 15 2014

  • Added Linux capabilities support
  • Added support for CentOS 7
  • Bugfixes

Version 0.9.10, Thursday, August 28 2014

  • Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot
  • Fixed --top option CPU utilization calculation
  • Implemented --tree option in firejail and firemon
  • Implemented --join=name option
  • Implemented --shutdown option
  • Preserve the current working directory if possible
  • Cppcheck and clang errors cleanup
  • Added a Chromium web browser profile

Version, Friday, July 25 2014

  • Fixed a number of problems introduced in release 0.9.8.

Version 0.9.8, Thursday, July 24 2014

  • Implemented nowrap mode for firejail --list command option
  • Added --top option in both firejail and firemon
  • Seccomp filter support
  • Added PID filtering support for firemon
  • Lots of bugfixes

Version 0.9.6, Saturday, June 7 2014

  • Mounting tmpfs on top of /var/log, required by several server programs
  • Server fixes for /var/lib and /var/cache
  • Private mode fixes
  • csh and zsh default shell support
  • Chroot mode fixes
  • Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd

Version 0.9.4, Sunday, May 4 2014

  • Fixed resolv.conf on Ubuntu systems using DHCP.
  • Fixed resolv.conf on Debian systems using resolvconf package.
  • Fixed /var/lock directory.
  • Fixed /var/tmp directory.
  • Fixed symbolic links in profile files.
  • Added profiles for evince, midori.

Version 0.9.2, Friday, April 24 2014

  • Checking IP address passed with --ip option using ARP; exit if the address is already present.
  • Using a lock file during ARP address assignment in order to remove a race condition.
  • Several fixes to --private option; it also mounts a tmpfs filesystem on top of /tmp.
  • Added user access check for profile file.
  • Added --defaultgw option.
  • Added support of --noip option; it is necessary for DHCP setups.
  • Added syslog support.
  • Added support for “tmpfs” and “read-only” profile commands.
  • Added an expect-based testing framework for the project.
  • Added bash completion support.
  • Added support for multiple networks.

Version 0.9, Saturday, April 12 2014

  • First beta version.


7 thoughts on “Firejail Release Notes”

  1. Priyojit Chatterjee

    Firefox and many other apps like Sylpheed, Hexchat are crashing either on startup or after some activity.
    $ uname -r
    Firefox 32.0.3
    This started happening after I installed the last update pack which upgraded Xorg. Now Xorg runs without root rights.
    Firefox Error
    $ firejail ~/bin/firefox/firefox
    Parent pid 12834, child pid 12835
    Interface IP Mask Status
    lo UP
    enp0s7 UP

    Child process initialized

    (process:1): GLib-CRITICAL **: g_slice_set_config: assertion ‘sys_page_size == 0’ failed
    [Parent 1] ###!!! ABORT: X_ShmPutImage: BadShmSeg (invalid shared segment parameter); 661 requests ago: file /builds/slave/rel-m-rel-lx_bld-0000000000000/build/toolkit/xre/nsX11ErrorHandler.cpp, line 157
    [Parent 1] ###!!! ABORT: X_ShmPutImage: BadShmSeg (invalid shared segment parameter); 661 requests ago: file /builds/slave/rel-m-rel-lx_bld-0000000000000/build/toolkit/xre/nsX11ErrorHandler.cpp, line 157

    parent is shutting down, bye…

    Please create a forum or at least an IRC channel.

  2. Pascal Mathis

    Have you ever thought about adding a --whitelist option or isn’t that feasible? It would be way more clever if you could either whitelist specific folders and then blacklist everything else OR use patterns like “extglob”, to inverse pattern. For example, something like that:

    blacklist /storage/!(www|tmp)
    => All folders blacklisted except www and tmp

  3. Scooby

    Tried new version 0.9.28-rc1t

    Couldn’t find info for --scan option in man pages or --help

    Looking forward to a more complete tutorial with examples when released as stable.

    Lazy lazy me still haven’t gotten around to recompile kernel to support --noroot.
    Hopefully energy and time will magically appear for this.

    1. netblue30 Post author


      Do like this (assuming your computer is connected to the network using eth0):

      $ firejail --net=eth0 --scan
      Parent pid 4234, child pid 4235
      Interface        MAC                IP               Mask             Status
      lo                                UP    
      eth0-4234        56:3c:84:32:c4:2e    UP    
         Network scan:
      Default gateway
      Child process initialized

      There are still some bugs there, I guess I’ll have the new release in the next two weeks. Thanks!

  4. GNUser

    I installed firejail using the deb package with
    dpkg -i firejail
    How am I supposed to update? Download the new version and run the same command? Won’t that cause duplicates?

    Is the “nosound” a feature? seems like an antifeature to me… not having sound is a bad thing i guess, at least in most GUI internet apps.

    Thanks for the help, keep up the good work!

    1. netblue30 Post author

      Every time a new release comes out, you will need to download it and run “dpkg -i” again. Your package manager will take care of the duplicates.

      Some people use --nosound to disable access to microphone. Of course, you’ll lose the speakers as well.

