author | netblue30 <netblue30@yahoo.com> | 2016-09-09 13:18:18 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-09-09 13:18:18 -0400 |
commit | e0935c5a3bb4c3b297c151e2060cfc624377a421 (patch) | |
tree | 5226728b6189532783f6b5dcccbf66980b781a37 | |
parent | 0.9.42 testing - CentOS 6 (diff) | |
starting new development
-rw-r--r-- | README.md | 167 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 |
4 files changed, 15 insertions, 176 deletions
@@ -34,170 +34,5 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
34 | ````` | 34 | ````` |
35 | 35 | ||
36 | ````` | 36 | ````` |
37 | # Current development version: 0.9.42~rc2 | 37 | # Current development version: 0.9.43 |
38 | |||
39 | Version 0.9.41~rc1 was released. | ||
40 | |||
41 | ## Bringing back --private-home | ||
42 | |||
43 | ## Deprecated --user | ||
44 | |||
45 | --user option was deprecated, please use "sudo -u username firejail application" instead. | ||
46 | |||
47 | ## --whitelist rework | ||
48 | |||
49 | Symlinks outside user home directories are allowed: | ||
50 | ````` | ||
51 | --whitelist=dirname_or_filename | ||
52 | Whitelist directory or file. This feature is implemented only | ||
53 | for user home, /dev, /media, /opt, /var, and /tmp directories. | ||
54 | With the exception of user home, both the link and the real file | ||
55 | should be in the same top directory. For /home, both the link | ||
56 | and the real file should be owned by the user. | ||
57 | |||
58 | Example: | ||
59 | $ firejail --noprofile --whitelist=~/.mozilla | ||
60 | $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null | ||
61 | $ firejail "--whitelist=/home/username/My Virtual Machines" | ||
62 | ````` | ||
63 | |||
64 | ## AppArmor support | ||
65 | |||
66 | So far I've seen this working on Debian Jessie and Ubuntu 16.04, where I can get Firefox and | ||
67 | Chromium running. There is more testing to come. | ||
68 | |||
69 | ````` | ||
70 | APPARMOR | ||
71 | AppArmor support is disabled by default at compile time. Use --enable- | ||
72 | apparmor configuration option to enable it: | ||
73 | |||
74 | $ ./configure --prefix=/usr --enable-apparmor | ||
75 | |||
76 | During software install, a generic AppArmor profile file, firejail- | ||
77 | default, is placed in /etc/apparmor.d directory. The profile needs to | ||
78 | be loaded into the kernel by running the following command as root: | ||
79 | |||
80 | # aa-enforce firejail-default | ||
81 | |||
82 | The installed profile tries to replicate some advanced security fea‐ | ||
83 | tures inspired by kernel-based Grsecurity: | ||
84 | |||
85 | - Prevent information leakage in /proc and /sys directories. The | ||
86 | resulting file system is barely enough for running commands such | ||
87 | as "top" and "ps aux". | ||
88 | |||
89 | - Allow running programs only from well-known system paths, such | ||
90 | as /bin, /sbin, /usr/bin etc. Running programs and scripts from | ||
91 | user home or other directories writable by the user is not | ||
92 | allowed. | ||
93 | |||
94 | - Disable D-Bus. D-Bus has long been a huge security hole, and | ||
95 | most programs don't use it anyway. You should have no problems | ||
96 | running Chromium or Firefox. | ||
97 | |||
98 | To enable AppArmor confinement on top of your current Firejail security | ||
99 | features, pass --apparmor flag to Firejail command line. You can also | ||
100 | include apparmor command in a Firejail profile file. Example: | ||
101 | |||
102 | $ firejail --apparmor firefox | ||
103 | |||
104 | ````` | ||
105 | |||
106 | ## AppImage support | ||
107 | |||
108 | AppImage (http://appimage.org/) is a distribution-agnostic packaging format. | ||
109 | The package is a regular ISO file containing all binaries, libraries and resources | ||
110 | necessary for the program to run. | ||
111 | |||
112 | We introduce in this release support for sandboxing AppImage applications. Example: | ||
113 | ````` | ||
114 | $ firejail --appimage krita-3.0-x86_64.appimage | ||
115 | ````` | ||
116 | All Firejail sandboxing options should be available. A private home directory: | ||
117 | ````` | ||
118 | $ firejail --appimage --private krita-3.0-x86_64.appimage | ||
119 | ````` | ||
120 | or some basic X11 sandboxing: | ||
121 | ````` | ||
122 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage | ||
123 | ````` | ||
124 | Major software applications distributing AppImage packages: | ||
125 | |||
126 | * Krita: https://krita.org/download/krita-desktop/ | ||
127 | * OpenShot: http://www.openshot.org/download/ | ||
128 | * Scribus: https://www.scribus.net/downloads/unstable-branch/ | ||
129 | * MuseScore: https://musescore.org/en/download | ||
130 | |||
131 | More packages build by AppImage developer Simon Peter: https://bintray.com/probono/AppImages | ||
132 | |||
133 | AppImage project home: https://github.com/probonopd/AppImageKit | ||
134 | |||
135 | ## Sandbox auditing | ||
136 | ````` | ||
137 | AUDIT | ||
138 | Audit feature allows the user to point out gaps in security profiles. | ||
139 | The implementation replaces the program to be sandboxed with a test | ||
140 | program. By default, we use faudit program distributed with Firejail. A | ||
141 | custom test program can also be supplied by the user. Examples: | ||
142 | |||
143 | Running the default audit program: | ||
144 | $ firejail --audit transmission-gtk | ||
145 | |||
146 | Running a custom audit program: | ||
147 | $ firejail --audit=~/sandbox-test transmission-gtk | ||
148 | |||
149 | In the examples above, the sandbox configures transmission-gtk profile | ||
150 | and starts the test program. The real program, transmission-gtk, will | ||
151 | not be started. | ||
152 | |||
153 | Limitations: audit feature is not implemented for --x11 commands. | ||
154 | ````` | ||
155 | |||
156 | ## --noexec | ||
157 | ````` | ||
158 | --noexec=dirname_or_filename | ||
159 | Remount directory or file noexec, nodev and nosuid. | ||
160 | |||
161 | Example: | ||
162 | $ firejail --noexec=/tmp | ||
163 | |||
164 | /etc and /var are noexec by default. If there are more than one | ||
165 | mount operation on the path of the file or directory, noexec | ||
166 | should be applied to the last one. Always check if the change | ||
167 | took effect inside the sandbox. | ||
168 | ````` | ||
169 | |||
170 | ## --rmenv | ||
171 | ````` | ||
172 | --rmenv=name | ||
173 | Remove environment variable in the new sandbox. | ||
174 | |||
175 | Example: | ||
176 | $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS | ||
177 | ````` | ||
178 | |||
179 | ## Converting profiles to private-bin - work in progress! | ||
180 | |||
181 | BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk | ||
182 | |||
183 | File transfer: filezilla | ||
184 | |||
185 | Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom | ||
186 | |||
187 | Office: evince, gthumb, fbreader, pix, atril, xreader, | ||
188 | |||
189 | Chat/messaging: qtox, gitter, pidgin | ||
190 | |||
191 | Games: warzone2100, gnome-chess | ||
192 | |||
193 | Weather/climate: aweather | ||
194 | |||
195 | Astronomy: gpredict, stellarium | ||
196 | |||
197 | Browsers: Palemoon | ||
198 | |||
199 | ## New security profiles | ||
200 | |||
201 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview | ||
202 | tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client, DOSBox | ||
203 | 38 | ||
@@ -1,3 +1,7 @@ | |||
1 | firejail (0.9.43) baseline; urgency=low | ||
2 | * development version | ||
3 | -- netblue30 <netblue30@yahoo.com> Fri, 9 Sept 2016 08:00:00 -0500 | ||
4 | |||
1 | firejail (0.9.42) baseline; urgency=low | 5 | firejail (0.9.42) baseline; urgency=low |
2 | * security: --whitelist deleted files, submitted by Vasya Novikov | 6 | * security: --whitelist deleted files, submitted by Vasya Novikov |
3 | * security: disable x32 ABI in seccomp, submitted by Jann Horn | 7 | * security: disable x32 ABI in seccomp, submitted by Jann Horn |
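Review bot: the date on line 3 of the new entry, "Fri, 9 Sept 2016 08:00:00 -0500", does not match the RFC 2822 form this Debian-changelog-style file otherwise uses: the month must be the three-letter abbreviation "Sep", and the -0500 offset disagrees with the -0400 timestamp on this commit. Suggest "Fri, 9 Sep 2016 08:00:00 -0400"; if this file is ever fed to dpkg-parsechangelog, the "Sept" form will be flagged.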
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.42. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.43. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
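Review bot: configure is a file generated by GNU Autoconf 2.69 from configure.ac (line 3 of this hunk states so), so the version-string changes in this and the following configure hunks should come from re-running autoconf after the configure.ac bump, not from a search-and-replace on the generated file; otherwise the committed configure and configure.ac can drift and the next regeneration produces an unrelated diff. A short note in the commit message that configure was regenerated would make that verifiable.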
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.42' | 583 | PACKAGE_VERSION='0.9.43' |
584 | PACKAGE_STRING='firejail 0.9.42' | 584 | PACKAGE_STRING='firejail 0.9.43' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then | |||
1259 | # Omit some internal or obsolete options to make the list less imposing. | 1259 | # Omit some internal or obsolete options to make the list less imposing. |
1260 | # This message is too long to be a string in the A/UX 3.1 sh. | 1260 | # This message is too long to be a string in the A/UX 3.1 sh. |
1261 | cat <<_ACEOF | 1261 | cat <<_ACEOF |
1262 | \`configure' configures firejail 0.9.42 to adapt to many kinds of systems. | 1262 | \`configure' configures firejail 0.9.43 to adapt to many kinds of systems. |
1263 | 1263 | ||
1264 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1264 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1265 | 1265 | ||
@@ -1320,7 +1320,7 @@ fi | |||
1320 | 1320 | ||
1321 | if test -n "$ac_init_help"; then | 1321 | if test -n "$ac_init_help"; then |
1322 | case $ac_init_help in | 1322 | case $ac_init_help in |
1323 | short | recursive ) echo "Configuration of firejail 0.9.42:";; | 1323 | short | recursive ) echo "Configuration of firejail 0.9.43:";; |
1324 | esac | 1324 | esac |
1325 | cat <<\_ACEOF | 1325 | cat <<\_ACEOF |
1326 | 1326 | ||
@@ -1424,7 +1424,7 @@ fi | |||
1424 | test -n "$ac_init_help" && exit $ac_status | 1424 | test -n "$ac_init_help" && exit $ac_status |
1425 | if $ac_init_version; then | 1425 | if $ac_init_version; then |
1426 | cat <<\_ACEOF | 1426 | cat <<\_ACEOF |
1427 | firejail configure 0.9.42 | 1427 | firejail configure 0.9.43 |
1428 | generated by GNU Autoconf 2.69 | 1428 | generated by GNU Autoconf 2.69 |
1429 | 1429 | ||
1430 | Copyright (C) 2012 Free Software Foundation, Inc. | 1430 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF | |||
1726 | This file contains any messages produced by compilers while | 1726 | This file contains any messages produced by compilers while |
1727 | running configure, to aid debugging if configure makes a mistake. | 1727 | running configure, to aid debugging if configure makes a mistake. |
1728 | 1728 | ||
1729 | It was created by firejail $as_me 0.9.42, which was | 1729 | It was created by firejail $as_me 0.9.43, which was |
1730 | generated by GNU Autoconf 2.69. Invocation command line was | 1730 | generated by GNU Autoconf 2.69. Invocation command line was |
1731 | 1731 | ||
1732 | $ $0 $@ | 1732 | $ $0 $@ |
@@ -4310,7 +4310,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4310 | # report actual input values of CONFIG_FILES etc. instead of their | 4310 | # report actual input values of CONFIG_FILES etc. instead of their |
4311 | # values after options handling. | 4311 | # values after options handling. |
4312 | ac_log=" | 4312 | ac_log=" |
4313 | This file was extended by firejail $as_me 0.9.42, which was | 4313 | This file was extended by firejail $as_me 0.9.43, which was |
4314 | generated by GNU Autoconf 2.69. Invocation command line was | 4314 | generated by GNU Autoconf 2.69. Invocation command line was |
4315 | 4315 | ||
4316 | CONFIG_FILES = $CONFIG_FILES | 4316 | CONFIG_FILES = $CONFIG_FILES |
@@ -4364,7 +4364,7 @@ _ACEOF | |||
4364 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4364 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4365 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4365 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4366 | ac_cs_version="\\ | 4366 | ac_cs_version="\\ |
4367 | firejail config.status 0.9.42 | 4367 | firejail config.status 0.9.43 |
4368 | configured by $0, generated by GNU Autoconf 2.69, | 4368 | configured by $0, generated by GNU Autoconf 2.69, |
4369 | with options \\"\$ac_cs_config\\" | 4369 | with options \\"\$ac_cs_config\\" |
4370 | 4370 | ||
diff --git a/configure.ac b/configure.ac index 11c5b993e..f4deff7b5 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.42, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.43, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
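Review bot: the version string in AC_INIT on line 2 is now the fourth place it is maintained by hand in this single commit (README.md, RELNOTES, configure and configure.ac). Consider making configure.ac the single source, for example reading the version from a VERSION file with m4_esyscmd in AC_INIT, so the README and RELNOTES headers cannot fall out of step with the build at release time.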