author | netblue30 <netblue30@yahoo.com> | 2018-10-03 10:01:07 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-10-03 10:01:07 -0400 |
commit | 682c3ed42cceaf7ff723d0f1893efd2c378622e2 (patch) | |
tree | eb03ca1545b9d58ebb8e335e86dd865f184bb525 | |
parent | fixes (diff) | |
download | firejail-0.9.56-LTS.tar.gz firejail-0.9.56-LTS.tar.zst firejail-0.9.56-LTS.zip |
0.9.56-LTS released [0.9.56-LTS]
-rw-r--r-- | README.md | 75 |
1 files changed, 6 insertions, 69 deletions
@@ -1,6 +1,12 @@ | |||
1 | # Firejail | 1 | # Firejail |
2 | [![Build Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail) | 2 | [![Build Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail) |
3 | 3 | ||
4 | *Note: | ||
5 | This is the long term support (LTS) version of Firejail. For the regular version please go to http://github.com/netblue30/firejail. | ||
6 | LTS version is usually supported for two years, at which point it is updated to the latest regular version. The code base is | ||
7 | aprox. 40% smaller than the regular version, providing a smaller attack surface for the SUID executable. | ||
8 | It is more suitable for business environments.* | ||
9 | |||
4 | Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting | 10 | Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting |
5 | the running environment of untrusted applications using Linux namespaces, seccomp-bpf | 11 | the running environment of untrusted applications using Linux namespaces, seccomp-bpf |
6 | and Linux capabilities. It allows a process and all its descendants to have their own private | 12 | and Linux capabilities. It allows a process and all its descendants to have their own private |
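Review bot: The link to the regular version in the added note (new line 5) uses plain http, "http://github.com/netblue30/firejail"; use https:// so readers looking for the source of a SUID sandbox are pointed at an authenticated URL. On new line 7, "aprox." should be "approx." or "approximately", and the "40% smaller" figure would carry more weight with a pointer to what was removed, since the smaller attack surface for the SUID executable is the stated reason to choose this branch. "LTS version is usually supported for two years" (new line 6) gives neither a start date nor the regular version this LTS line is based on; stating both here would let users tell when support ends.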
@@ -98,72 +104,3 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
98 | ````` | 104 | ````` |
99 | 105 | ||
100 | ````` | 106 | ````` |
101 | # Current development version: 0.9.55 | ||
102 | |||
103 | ## New commands: | ||
104 | ````` | ||
105 | (wireless support for --net) | ||
106 | --net=ethernet_interface|wireless_interface | ||
107 | Enable a new network namespace and connect it to this ethernet | ||
108 | interface using the standard Linux macvlan|ipvaln driver. | ||
109 | Unless specified with option --ip and --defaultgw, an IP | ||
110 | address and a default gateway will be assigned automatically to | ||
111 | the sandbox. The IP address is verified using ARP before | ||
112 | assignment. The address configured as default gateway is the | ||
113 | default gateway of the host. Up to four --net options can be | ||
114 | specified. Support for ipvlan driver was introduced in Linux | ||
115 | kernel 3.19. | ||
116 | |||
117 | Example: | ||
118 | $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox | ||
119 | $ firejail --net=wlan0 firefox | ||
120 | |||
121 | (tunneling support) | ||
122 | --net=tap_interface | ||
123 | Enable a new network namespace and connect it to this ethernet | ||
124 | tap interface using the standard Linux macvlan driver. If the | ||
125 | tap interface is not configured, the sandbox will not try to | ||
126 | configure the interface inside the sandbox. Please use --ip, | ||
127 | --netmask and --defaultgw to specify the configuration. | ||
128 | |||
129 | Example: | ||
130 | $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0 | ||
131 | --defaultgw=10.10.20.1 firefox | ||
132 | |||
133 | --netmask=address | ||
134 | Use this option when you want to assign an IP address in a new | ||
135 | namespace and the parent interface specified by --net is not | ||
136 | configured. An IP address and a default gateway address | ||
137 | also have to be added. By default the new namespace interface | ||
138 | comes without IP address and default gateway configured. Exam‐ | ||
139 | ple: | ||
140 | |||
141 | $ sudo /sbin/brctl addbr br0 | ||
142 | $ sudo /sbin/ifconfig br0 up | ||
143 | $ firejail --ip=10.10.20.67 --netmask=255.255.255.0 | ||
144 | --defaultgw=10.10.20.1 | ||
145 | |||
146 | --keep-dev-shm | ||
147 | /dev/shm directory is untouched (even with --private-dev) | ||
148 | |||
149 | Example: | ||
150 | $ firejail --keep-dev-shm --private-dev | ||
151 | |||
152 | --nou2f | ||
153 | Disable U2F devices. | ||
154 | |||
155 | Example: | ||
156 | $ firejail --nou2f | ||
157 | |||
158 | --private-cache | ||
159 | Mount an empty temporary filesystem on top of the .cache | ||
160 | directory in user home. All modifications are discarded | ||
161 | when the sandbox is closed. | ||
162 | |||
163 | Example: | ||
164 | $ firejail --private-cache | ||
165 | ````` | ||
166 | |||
167 | ## New profiles | ||
168 | Microsoft Office Online, riot-desktop, gnome-mpv, snox, gradio, standardnotes-desktop, | ||
169 | shellcheck, patch, flameshot | ||
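Review bot: Removing old lines 101-169 drops this README's description of --net on wireless and tap interfaces, --netmask, --keep-dev-shm, --nou2f and --private-cache, and nothing in the visible lines says whether these options still exist in the LTS build. Since the note added at the top says the code base is about 40% smaller, a short list of which options are kept and which are gone would tell users whether existing command lines that rely on them (for example --nou2f or --private-cache) still apply the restriction they expect. It is also worth confirming that the two five-backtick fence lines left as context at new lines 104 and 106 still form a balanced pair now that the section after them is removed.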