author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-08-31 14:55:13 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-09-05 01:07:41 -0300 |
commit | 2a79f3a2689711e6151187063bb55a6af3160b6f (patch) | |
tree | 1468a99bb3d09d0bedbe2042531340b2b0081e47 | |
parent | Revert "typos" (diff) | |
Revert "README/README.md"
This reverts commit 796fa09636195d8751a7bbc1e1bc88bf8c3ac95a.
Part of reverting commits with Landlock-related changes.
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | README.md | 88 |
2 files changed, 22 insertions, 67 deletions
@@ -43,7 +43,6 @@ Maintainer: | |||
43 | Committers | 43 | Committers |
44 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | 44 | - chiraag-nataraj (https://github.com/chiraag-nataraj) |
45 | - crass (https://github.com/crass) | 45 | - crass (https://github.com/crass) |
46 | - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | ||
47 | - curiosityseeker (https://github.com/curiosityseeker) | 46 | - curiosityseeker (https://github.com/curiosityseeker) |
48 | - glitsj16 (https://github.com/glitsj16) | 47 | - glitsj16 (https://github.com/glitsj16) |
49 | - Fred-Barclay (https://github.com/Fred-Barclay) | 48 | - Fred-Barclay (https://github.com/Fred-Barclay) |
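Review bot: the removal of the `- ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)` entry from the Committers list in this hunk is collateral to reverting the Landlock documentation, but committer status is not part of the Landlock feature; if that person is still a committer, keep the entry (between the `crass` and `curiosityseeker` lines) and limit the revert to the Landlock text.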
@@ -214,7 +214,7 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
214 | $ firejail --restrict-namespaces=user,net | 214 | $ firejail --restrict-namespaces=user,net |
215 | ````` | 215 | ````` |
216 | 216 | ||
217 | ### Support for custom AppArmor profiles | 217 | #### Support for custom AppArmor profiles |
218 | 218 | ||
219 | ````` | 219 | ````` |
220 | --apparmor | 220 | --apparmor |
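Review bot: this hunk changes `### Support for custom AppArmor profiles` to `#### Support for custom AppArmor profiles`, which leaves it one level deeper than the sibling `### Profile Statistics` heading later in the same file, so the AppArmor section renders as a subsection of whatever precedes it; since the revert is about Landlock, keep the `###` level here rather than restoring the old heading depth.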
@@ -228,50 +228,6 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
228 | kernel. For more information, please see APPARMOR section be‐ | 228 | kernel. For more information, please see APPARMOR section be‐ |
229 | ````` | 229 | ````` |
230 | 230 | ||
231 | ### Landlock support - EXPERIMENTAL | ||
232 | For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build | ||
233 | or in the executable archives we provide. It will be "officially" released | ||
234 | in 0.9.74, sometime early next year. For now, use --enable-landlock durring software compile: | ||
235 | ````` | ||
236 | $ ./configure --enable-landlock | ||
237 | ````` | ||
238 | The functionality is segragated with ifdefs in the code, at times it might not even compile! | ||
239 | Work in progress, the interface described in the man page below could change. | ||
240 | ````` | ||
241 | --landlock | ||
242 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
243 | basic access rules to it. See LANDLOCK section for more informa‐ | ||
244 | tion. | ||
245 | |||
246 | --landlock.proc=no|ro|rw | ||
247 | Add an access rule for /proc directory (read-only if set to ro | ||
248 | and read-write if set to rw). The access rule for /proc is added | ||
249 | after this directory is set up in the sandbox. Access rules for | ||
250 | /proc set up with other Landlock-related command-line options | ||
251 | have no effect. | ||
252 | |||
253 | --landlock.read=path | ||
254 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
255 | a read access rule for path. | ||
256 | |||
257 | --landlock.write=path | ||
258 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
259 | a write access rule for path. | ||
260 | |||
261 | --landlock.special=path | ||
262 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
263 | a permission rule to create FIFO pipes, Unix domain sockets and | ||
264 | block devices beneath given path. | ||
265 | |||
266 | --landlock.execute=path | ||
267 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
268 | an execution permission rule for path. | ||
269 | |||
270 | Example: | ||
271 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ | ||
272 | lock.execute=/usr | ||
273 | ````` | ||
274 | |||
275 | ### Profile Statistics | 231 | ### Profile Statistics |
276 | 232 | ||
277 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 233 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
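Review bot: dropping the whole `### Landlock support - EXPERIMENTAL` section also drops the only mention of `./configure --enable-landlock` and of the `--landlock`, `--landlock.proc`, `--landlock.read`, `--landlock.write`, `--landlock.special` and `--landlock.execute` man-page text; make sure the commits that added the configure switch and the man-page section are reverted in the same series, otherwise the build option and the flags remain in the tree undocumented. If the section is re-added for 0.9.74, fix the typos it carried (`durring`, `segragated`) and the wrapped `--land‐ lock.execute=/usr` in the example before committing it.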
@@ -282,30 +238,30 @@ No include .local found in /etc/firejail/noprofile.profile | |||
282 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 238 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
283 | 239 | ||
284 | Stats: | 240 | Stats: |
285 | profiles 1196 | 241 | profiles 1191 |
286 | include local profile 1195 (include profile-name.local) | 242 | include local profile 1190 (include profile-name.local) |
287 | include globals 1169 (include globals.local) | 243 | include globals 1164 (include globals.local) |
288 | blacklist ~/.ssh 1067 (include disable-common.inc) | 244 | blacklist ~/.ssh 1063 (include disable-common.inc) |
289 | seccomp 1087 | 245 | seccomp 1082 |
290 | capabilities 1190 | 246 | capabilities 1185 |
291 | noexec 1075 (include disable-exec.inc) | 247 | noexec 1070 (include disable-exec.inc) |
292 | noroot 995 | 248 | noroot 991 |
293 | memory-deny-write-execute 269 | 249 | memory-deny-write-execute 267 |
294 | apparmor 713 | 250 | apparmor 710 |
295 | private-bin 695 | 251 | private-bin 689 |
296 | private-dev 1045 | 252 | private-dev 1041 |
297 | private-etc 542 | 253 | private-etc 539 |
298 | private-lib 70 | 254 | private-lib 70 |
299 | private-tmp 918 | 255 | private-tmp 915 |
300 | whitelist home directory 575 | 256 | whitelist home directory 573 |
301 | whitelist var 858 (include whitelist-var-common.inc) | 257 | whitelist var 855 (include whitelist-var-common.inc) |
302 | whitelist run/user 1164 (include whitelist-runuser-common.inc | 258 | whitelist run/user 1159 (include whitelist-runuser-common.inc |
303 | or blacklist ${RUNUSER}) | 259 | or blacklist ${RUNUSER}) |
304 | whitelist usr/share 630 (include whitelist-usr-share-common.inc | 260 | whitelist usr/share 628 (include whitelist-usr-share-common.inc |
305 | net none 404 | 261 | net none 403 |
306 | dbus-user none 677 | 262 | dbus-user none 673 |
307 | dbus-user filter 123 | 263 | dbus-user filter 123 |
308 | dbus-system none 837 | 264 | dbus-system none 833 |
309 | dbus-system filter 12 | 265 | dbus-system filter 12 |
310 | ``` | 266 | ``` |
311 | 267 | ||
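Review bot: the `profiles` count drops from 1196 to 1191 and `include local profile` from 1195 to 1190, so five profile files leave with this revert, while `private-lib 70`, `dbus-user filter 123` and `dbus-system filter 12` stay unchanged; that is consistent only if none of the five removed profiles used those options, so confirm the numbers were regenerated with the profstats tool rather than copied from the pre-Landlock README. Pre-existing on both sides of the hunk: the `whitelist usr/share 630 (include whitelist-usr-share-common.inc` line is missing its closing parenthesis; a follow-up commit outside the revert should add it.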