Firejail Release Notes

Version 0.9.22, Tuesday, March 10, 2015

  • Replaced –noip option with –ip=none
  • Container stdout logging and log rotation
  • Added process_vm_readv, process_vm_writev and mknod to default seccomp blacklist
  • Added CAP_MKNOD to default caps blacklist
  • Blacklist and whitelist custom Linux capabilities filters
  • macvlan device driver support for –net option
  • DNS server support, –dns option
  • Netfilter support
  • Monitor network statistics, –netstats option
  • Added profile for Mozilla Thunderbird/Icedove
  • - –overlay support for Linux kernels 3.18+
  • Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
  • Bugfix: check uid/gid for cgroup

Version 0.9.20, Friday, February 6, 2015

  • utmp, btmp and wtmp enhancements: create empty /var/log/wtmp and /var/log/btmp files in sandbox, generate a new /var/run/utmp file in sandbox
  • CPU affinity, –cpu option
  • Linux control groups support, –cgroup option
  • Opera web browser support
  • VLC support
  • Add empty attribute to –seccomp command to remove the default syscall list form seccomp blacklist
  • Added –nogroups option to disable supplementary groups for regular users. root user always runs without supplementary groups.
  • firemon: display the command that started the sandbox
  • firemon: added –caps option to display capabilities for all sandboxes
  • firemon: added –cgroup option to display the control groups for all sandboxes
  • firemon: added –cpu option to display CPU affinity for all sandboxes
  • firemon: added –seccomp option to display seccomp setting for all sandboxes
  • New compile time options: –disable-chroot, –disable-bind
  • bugfixes

Version 0.9.18, Tuesday, December 30, 2014

  • Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
  • Support for tracing setreuid, setregid, setresuid, setresguid syscalls
  • Added profiles for transmission-gtk and transmission-qt
  • bugfixes

Version 0.9.16, Tuesday, November 4, 2014

  • Configurable private home directory
  • Configurable default user shell
  • Software configuration support for –docdir and DESTDIR
  • Profile file support for include, caps, seccomp and private keywords
  • Dropbox profile file
  • Linux capabilities and seccomp filters enabled by default for Firefox, Midori, Evince and Dropbox
  • bugfixes

Version 0.9.14, Friday, October 17 2004

  • Linux capabilities and seccomp filters are automatically enabled in
    chroot mode (–chroot option) if the sandbox is started as regular user
  • Added support for user defined seccomp blacklists
  • Added syscall trace support
  • Added –tmpfs option
  • Added –balcklist option
  • Added –read-only option
  • Added –bind option
  • Process resource limits: –rlimit-fsize, –rlimit-nofile, –rlimit-nproc, –rlimit-sigpending
  • Logging enhancements
  • -overlay option was reactivated
  • Added firemon support to print the ARP table for each sandbox
  • Added firemon support to print the route table for each sandbox
  • Added firemon support to print interface information for each sandbox
  • bugfixes

Version, Monday, September 29 2014

  • More pulseaudio fixes
  • –overlay option was temporarily disabled in this build

Version, Tuesday, September 23 2014

  • Fix for pulseaudio problems
  • –overlay option was temporarily disabled in this build

Version 0.9.12, Monday, September 15 2014

  • Added Linux capabilities support
  • Added support for CentOS 7
  • Bugfixes

Version 0.9.10, Thursday, August 28 2014

  • Disable /proc/kcore, /proc/kallsyms, /dev/port, /boot
  • Fixed –top option CPU utilization calculation
  • Implemented –tree option in firejail and firemon
  • Implemented –join=name option
  • Implemented –shutdown option
  • Preserve the current working directory if possible
  • Cppcheck and clang errors cleanup
  • Added a Chromium web browser profile

Version, Friday, July 25 2014

  • Fixed a number of problems introduced in release 0.9.8.

Version 0.9.8, Thursday, July 24 2014

  • Implemented nowrap mode for firejail –list command option
  • Added –top option in both firejail and firemon
  • Seccomp filter support
  • Added PID filtering support for firemon
  • Lots of bugfixes

Version 0.9.6, Saturday, June 7 2014

  • Mounting tmpfs on top of /var/log, required by several server programs
  • Server fixes for /var/lib and /var/cache
  • Private mode fixes
  • csh and zsh default shell support
  • Chroot mode fixes
  • Added support for lighttpd, isc-dhcp-server, apache2, nginx, snmpd

Version 0.9.4, Sunday, May 4 2014

  • Fixed resolv.conf on Ubuntu systems using DHCP.
  • Fixed resolv.conf on Debian systems using resolvconf package.
  • Fixed /var/lock directory.
  • Fixed /var/tmp directory.
  • Fixed symbolic links in profile files.
  • Added profiles for evince, midori.

Version 0.9.2, Friday, April 24 2014

  • Checking IP address passed with –ip option using ARP; exit if the address is already present.
  • Using a lock file during ARP address assignment in order to removed a race condition.
  • everal fixes to –private option; it also mounts a tmpfs filesystem on top of /tmp.
  • Added user access check for profile file.
  • Added –defaultgw option.
  • Added support of –noip option; it is necessary for DHCP setups.
  • Added syslog support.
  • Added support for “tmpfs” and “read-only” profile commands.
  • Added an expect-based testing framework for the project.
  • Added bash completion support.
  • Added support for multiple networks.

Version 0.9, Saturday, April 12 2014

  • First beta version.

Back to Firejail project page

3 thoughts on “Firejail Release Notes

  1. Priyojit Chatterjee

    Firefox and many other apps like Sylpheed, Hexchat are crashing either on startup or after some activity.
    $ uname -r
    Firefox 32.0.3
    This started happening after I installed the last update pack which upgraded Xorg. Now Xorg runs without root rights.
    Firefox Error
    $ firejail ~/bin/firefox/firefox
    Parent pid 12834, child pid 12835
    Interface IP Mask Status
    lo UP
    enp0s7 UP

    Child process initialized

    (process:1): GLib-CRITICAL **: g_slice_set_config: assertion ‘sys_page_size == 0′ failed
    [Parent 1] ###!!! ABORT: X_ShmPutImage: BadShmSeg (invalid shared segment parameter); 661 requests ago: file /builds/slave/rel-m-rel-lx_bld-0000000000000/build/toolkit/xre/nsX11ErrorHandler.cpp, line 157
    [Parent 1] ###!!! ABORT: X_ShmPutImage: BadShmSeg (invalid shared segment parameter); 661 requests ago: file /builds/slave/rel-m-rel-lx_bld-0000000000000/build/toolkit/xre/nsX11ErrorHandler.cpp, line 157

    parent is shutting down, bye…

    Please create a forum or at least an IRC channel.

  2. Pascal Mathis

    Have you ever thought about adding a –whitelist option or isn’t that feasible? It would be way more clever if you could either whitelist specific folders and then blacklist everything else OR use patterns like “extglob”, to inverse pattern. For example, something like that:

    blacklist /storage/!(www|tmp)
    => All folders blacklisted except www and tmp


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s