author | netblue30 <netblue30@protonmail.com> | 2023-04-06 10:41:22 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-06 10:41:22 -0400 |
commit | 991c782294636ec7e5680f29eeb7c7cd9371c8e7 (patch) | |
tree | c7405cf32f143046aabea14008e88ad45f488eac | |
parent | Merge pull request #5763 from kmk3/profiles-mv-readonly (diff) | |
parent | docs: line-wrap markdown and use double-spacing (diff) | |
Merge pull request #5757 from kmk3/docs-markdown-improvements
docs: markdown formatting and misc improvements
-rw-r--r-- | .github/ISSUE_TEMPLATE/bug_report.md | 9 | ||||
-rw-r--r-- | .github/ISSUE_TEMPLATE/feature_request.md | 1 | ||||
-rw-r--r-- | .github/pull_request_template.md | 30 | ||||
-rw-r--r-- | CONTRIBUTING.md | 69 | ||||
-rw-r--r-- | README | 74 | ||||
-rw-r--r-- | README.md | 284 | ||||
-rw-r--r-- | SECURITY.md | 6 |
7 files changed, 290 insertions, 183 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 53066013d..fc74640d4 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -22,7 +22,8 @@ _Describe the bug_ | |||
22 | 22 | ||
23 | _Steps to reproduce the behavior_ | 23 | _Steps to reproduce the behavior_ |
24 | 24 | ||
25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody) | 25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent |
26 | output in English that can be understood by everybody) | ||
26 | 2. Click on '....' | 27 | 2. Click on '....' |
27 | 3. Scroll down to '....' | 28 | 3. Scroll down to '....' |
28 | 4. See error `ERROR` | 29 | 4. See error `ERROR` |
@@ -37,7 +38,8 @@ _What actually happened_ | |||
37 | 38 | ||
38 | ### Behavior without a profile | 39 | ### Behavior without a profile |
39 | 40 | ||
40 | _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ | 41 | _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a |
42 | terminal?_ | ||
41 | 43 | ||
42 | ### Additional context | 44 | ### Additional context |
43 | 45 | ||
@@ -47,7 +49,8 @@ _Any other detail that may help to understand/debug the problem_ | |||
47 | 49 | ||
48 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") | 50 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") |
49 | - Firejail version (`firejail --version`). | 51 | - Firejail version (`firejail --version`). |
50 | - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). | 52 | - If you use a development version of firejail, also the commit from which it |
53 | was compiled (`git rev-parse HEAD`). | ||
51 | 54 | ||
52 | ### Checklist | 55 | ### Checklist |
53 | 56 | ||
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index a723cdbde..ce1b70e39 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md | |||
@@ -4,6 +4,7 @@ about: Suggest an idea for this project | |||
4 | title: '' | 4 | title: '' |
5 | labels: '' | 5 | labels: '' |
6 | assignees: '' | 6 | assignees: '' |
7 | |||
7 | --- | 8 | --- |
8 | 9 | ||
9 | ### Is your feature request related to a problem? Please describe. | 10 | ### Is your feature request related to a problem? Please describe. |
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 3c256dd87..4a7998e87 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md | |||
@@ -1,17 +1,21 @@ | |||
1 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. | 1 | If your PR isn't about profiles or you have no idea how to do one of these, |
2 | skip the following and go ahead with this PR. | ||
2 | 3 | ||
3 | If you submit a PR for new profiles or changing profiles, please do the following: | 4 | If you submit a PR for new profiles or changing profiles, please do the |
4 | - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 5 | following: |
5 | > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. | ||
6 | - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). | ||
7 | The path to it depends on your distro: | ||
8 | 6 | ||
9 | | Distro | Path | | 7 | - The ordering of options follow the rules described in |
10 | | ------ | ---- | | 8 | [etc/templates/profile.template](../blob/master/etc/templates/profile.template) |
11 | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | | 9 | (/usr/share/doc/firejail/profile.template when installed). |
12 | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | | 10 | - Order the arguments of options alphabetically. You can easily do this with |
13 | | local git clone | `contrib/sort.py` | | 11 | [sort.py](../blob/master/contrib/sort.py). |
14 | 12 | ||
15 | Note also that the sort.py script exists only since firejail `0.9.61`. | 13 | The path to it depends on your distro: |
16 | 14 | ||
17 | See also [CONTRIBUTING.md](/CONTRIBUTING.md). | 15 | | Distro | Path | |
16 | | ------ | ---- | | ||
17 | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | | ||
18 | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | | ||
19 | | local git clone | `contrib/sort.py` | | ||
20 | |||
21 | See also [CONTRIBUTING.md](../blob/master/CONTRIBUTING.md). | ||
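Review bot: The relative targets on new lines 8, 11 and 21 (`../blob/master/etc/templates/profile.template`, `../blob/master/contrib/sort.py`, `../blob/master/CONTRIBUTING.md`) depend on the URL of the page the template text ends up rendered on, unlike the absolute `https://github.com/netblue30/firejail/...` URLs they replace. Please confirm they resolve both in the rendered pull request form and when the template file itself is viewed in the repository, or keep the absolute URLs. The rewrite also drops `Note also that the sort.py script exists only since firejail 0.9.61.` and the hint that a packaged install may lack the template; if that is intentional, say so in the commit message, since contributors on older packages lose the explanation for a missing `sort.py`. While the line is being touched, "The ordering of options follow" on new line 7 should read "follows".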
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 76d3e709b..1ae293264 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -1,38 +1,58 @@ | |||
1 | # Contributing | ||
2 | |||
1 | Welcome to firejail, and thank you for your interest in contributing! | 3 | Welcome to firejail, and thank you for your interest in contributing! |
2 | 4 | ||
3 | # Opening an issue: | 5 | ## Opening an issue |
4 | We welcome issues, whether to ask a question, provide information, request a new profile or | 6 | |
5 | feature, or to report a suspected bug or problem. | 7 | We welcome issues, whether to ask a question, provide information, request a |
8 | new profile or feature, or to report a suspected bug or problem. | ||
9 | |||
10 | If you want to request a program profile that we don't already have, please add | ||
11 | a comment in our dedicated issue: | ||
6 | 12 | ||
7 | If you want to request a program profile that we don't already have, please add a comment in | 13 | - [Profile requests](https://github.com/netblue30/firejail/issues/1139) |
8 | our [dedicated issue](https://github.com/netblue30/firejail/issues/1139). | ||
9 | 14 | ||
10 | When submitting a bug report, please provide the following information so that | 15 | When submitting a bug report, please provide the following information so that |
11 | we can handle the report more easily: | 16 | we can handle the report more easily: |
12 | - firejail version. If you're not sure, open a terminal and type `firejail --version`. | 17 | |
18 | - firejail version. If you're not sure, open a terminal and type `firejail | ||
19 | --version`. | ||
13 | - Linux distribution (so that we can try to reproduce it, if necessary). | 20 | - Linux distribution (so that we can try to reproduce it, if necessary). |
14 | - If you know that the problem did not exist in an earlier version of firejail, please mention it. | 21 | - If you know that the problem did not exist in an earlier version of firejail, |
15 | - If you are reporting that a program does not work with firejail, please also run firejail with | 22 | please mention it. |
16 | the `--noprofile` argument. | 23 | - If you are reporting that a program does not work with firejail, please also |
17 | For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and | 24 | run firejail with the `--noprofile` argument. For example, if `firejail |
18 | let us know if it runs correctly or not. | 25 | firefox` does not work, please also run `firejail --noprofile firefox` and |
19 | - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue. | 26 | let us know if it runs correctly or not. |
20 | 27 | - You may also try disabling various options provided in | |
21 | Please note: if you are running Debian, Ubuntu, Linux Mint, or another related | 28 | `/etc/firejail/<ProgramName.profile>` until you find out which one causes |
29 | problems. It will significantly help in finding a solution for your issue. | ||
30 | |||
31 | Please note: If you are running Debian, Ubuntu, Linux Mint, or another related | ||
22 | distribution and you installed firejail from your distro's repositories, please | 32 | distribution and you installed firejail from your distro's repositories, please |
23 | ensure that **both** of the following were installed: | 33 | ensure that **all** of the following packages were installed: |
24 | `firejail` and `firejail-profiles`. A common source of issues is that | 34 | |
25 | firejail-profiles was not installed when installing firejail. | 35 | - firejail |
36 | - firejail-profiles | ||
26 | 37 | ||
27 | We take security bugs very seriously. If you believe you have found one, please report it by | 38 | A common source of issues is that firejail-profiles was not installed when |
28 | emailing us at netblue30@protonmail.com | 39 | installing firejail. |
40 | |||
41 | ## Security vulnerabilities | ||
42 | |||
43 | See [SECURITY.md](SECURITY.md). | ||
44 | |||
45 | ## Opening a pull request | ||
29 | 46 | ||
30 | # Opening an pull request: | ||
31 | Pull requests with enhancements, bugfixes or new profiles are very welcome. | 47 | Pull requests with enhancements, bugfixes or new profiles are very welcome. |
32 | 48 | ||
33 | If you want to write a new profile, the easiest way to do this is to use the | 49 | If you want to write a new profile, the easiest way to do this is to use the |
34 | [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 50 | profile template: |
35 | If you have already written a profile, please make sure it follows the rules described in the template. | 51 | |
52 | - [etc/templates/profile.template](etc/templates/profile.template) | ||
53 | |||
54 | If you have already written a profile, please make sure it follows the rules | ||
55 | described in the template. | ||
36 | 56 | ||
37 | If you add a new command, here's the checklist: | 57 | If you add a new command, here's the checklist: |
38 | 58 | ||
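Review bot: Wrapping at new lines 18-19 and 24-25 splits the inline code spans, leaving `firejail` at the end of one line and `--version` (or `firefox`) at the start of the next. Rendered Markdown joins them, but anyone reading or searching the raw file no longer sees the command in one piece; keep each code span on a single line even if that line exceeds the wrap width. Separately, the security contact paragraph (old lines 27-28) is replaced by `See [SECURITY.md](SECURITY.md).`, so the reporting address now lives only where SECURITY.md puts it; SECURITY.md is in the diffstat, and its hunk should be checked to confirm the address is stated there. The change from **both** to **all** on new line 33 reads oddly with only two packages listed.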
@@ -41,6 +61,7 @@ If you add a new command, here's the checklist: | |||
41 | - [ ] Update syntax files (run `make syntax` or just `make`) | 61 | - [ ] Update syntax files (run `make syntax` or just `make`) |
42 | - [ ] Update --help | 62 | - [ ] Update --help |
43 | 63 | ||
44 | # Editing the wiki | 64 | ## Editing the wiki |
45 | 65 | ||
46 | You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki). | 66 | You are highly encouraged to add your own tips and tricks to the |
67 | [wiki](https://github.com/netblue30/firejail/wiki). | ||
@@ -1,13 +1,14 @@ | |||
1 | Firejail is a SUID sandbox program that reduces the risk of security | 1 | Firejail is a SUID sandbox program that reduces the risk of security breaches |
2 | breaches by restricting the running environment of untrusted applications | 2 | by restricting the running environment of untrusted applications using Linux |
3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for | 3 | namespaces and seccomp-bpf. |
4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, | 4 | |
5 | VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. | 5 | It includes sandbox profiles for many programs, including Iceweasel/Mozilla |
6 | DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, | 6 | Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audacious, |
7 | Pidgin, Quassel, and XChat. | 7 | Clementine, Rhythmbox, Totem, Deluge, qBittorrent, DeaDBeeF, Dropbox, Empathy, |
8 | FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel, and XChat. | ||
8 | 9 | ||
9 | Firejail also expands the restricted shell facility found in bash by adding | 10 | Firejail also expands the restricted shell facility found in bash by adding |
10 | Linux namespace support. It supports sandboxing specific users upon login. | 11 | Linux namespace support. It supports sandboxing specific users upon login. |
11 | 12 | ||
12 | Download: https://sourceforge.net/projects/firejail/files/ | 13 | Download: https://sourceforge.net/projects/firejail/files/ |
13 | Build and install: ./configure && make && sudo make install | 14 | Build and install: ./configure && make && sudo make install |
@@ -17,30 +18,33 @@ Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ | |||
17 | Development: https://github.com/netblue30/firejail | 18 | Development: https://github.com/netblue30/firejail |
18 | License: GPL v2 | 19 | License: GPL v2 |
19 | 20 | ||
20 | Please report all security vulnerabilities at netblue30@protonmail.com | 21 | Please report all security vulnerabilities to: |
22 | |||
23 | * <netblue30@protonmail.com> | ||
21 | 24 | ||
22 | Compile and install mainline version from GitHub: | 25 | Compile and install the mainline version from GitHub: |
23 | 26 | ||
24 | $ git clone https://github.com/netblue30/firejail.git | 27 | git clone https://github.com/netblue30/firejail.git |
25 | $ cd firejail | 28 | cd firejail |
26 | $ ./configure && make && sudo make install-strip | 29 | ./configure && make && sudo make install-strip |
27 | 30 | ||
28 | On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor | 31 | On Debian/Ubuntu you will need to install git and gcc. AppArmor development |
29 | development libraries and pkg-config are required when using --enable-apparmor | 32 | libraries and pkg-config are required when using the --enable-apparmor |
30 | ./configure option: | 33 | ./configure option: |
31 | 34 | ||
32 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk | 35 | sudo apt-get install git build-essential libapparmor-dev pkg-config gawk |
33 | 36 | ||
34 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). | 37 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). |
35 | 38 | ||
36 | We build our release firejail.tar.xz and firejail.deb packages using the following command: | 39 | We build our release firejail.tar.xz and firejail.deb packages using the |
37 | $ make distclean && ./configure && make deb | 40 | following commands: |
38 | 41 | ||
42 | make distclean && ./configure && make deb | ||
39 | 43 | ||
40 | Maintainer: | 44 | Maintainer: |
41 | - netblue30 (netblue30@protonmail.com) | 45 | - netblue30 (netblue30@protonmail.com) |
42 | 46 | ||
43 | Committers | 47 | Committers: |
44 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | 48 | - chiraag-nataraj (https://github.com/chiraag-nataraj) |
45 | - crass (https://github.com/crass) | 49 | - crass (https://github.com/crass) |
46 | - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | 50 | - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) |
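Review bot: New lines 21-23 keep the reporting address inline here, while the README.md and CONTRIBUTING.md hunks of this same commit replace it with a pointer to SECURITY.md, so the contact has to be kept in sync in more than one file. Either point to SECURITY.md here as well or note that the plain-text README is deliberately self-contained. `* <netblue30@protonmail.com>` also uses Markdown bullet and autolink syntax in a file whose other lists (Maintainer, Committers) use `- name (address)`. On new lines 39-40 the text now says "following commands:" but a single command line follows.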
@@ -55,15 +59,16 @@ Committers | |||
55 | - rusty-snake (https://github.com/rusty-snake) | 59 | - rusty-snake (https://github.com/rusty-snake) |
56 | - smitsohu (https://github.com/smitsohu) | 60 | - smitsohu (https://github.com/smitsohu) |
57 | - SkewedZeppelin (https://github.com/SkewedZeppelin) | 61 | - SkewedZeppelin (https://github.com/SkewedZeppelin) |
58 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) | 62 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches |
63 | maintainer) | ||
59 | - Topi Miettinen (https://github.com/topimiettinen) | 64 | - Topi Miettinen (https://github.com/topimiettinen) |
60 | - veloute (https://github.com/veloute) | 65 | - veloute (https://github.com/veloute) |
61 | - Vincent43 (https://github.com/Vincent43) | 66 | - Vincent43 (https://github.com/Vincent43) |
62 | - netblue30 (netblue30@protonmail.com) | 67 | - netblue30 (netblue30@protonmail.com) |
63 | 68 | ||
69 | --- | ||
64 | 70 | ||
65 | 71 | Firejail Authors (alphabetical order): | |
66 | Firejail Authors (alphabetical order) | ||
67 | 72 | ||
68 | 0x7969 (https://github.com/0x7969) | 73 | 0x7969 (https://github.com/0x7969) |
69 | - fix wire-desktop.profile | 74 | - fix wire-desktop.profile |
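Review bot: The rewrap of the startx2017 entry (new lines 62-63) carries over the unbalanced closing parenthesis in `maintainer)`; since the line is being rewritten anyway, drop it so the entry ends `branches maintainer`. The `---` added at new line 69 is a Markdown thematic break in a file that is otherwise plain text; a blank line would match the rest of the file.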
@@ -313,7 +318,8 @@ curiosityseeker (https://github.com/curiosityseeker - new) | |||
313 | - updated keypassxc profile | 318 | - updated keypassxc profile |
314 | - added syscalls.sh, which determine the necessary syscalls for a program | 319 | - added syscalls.sh, which determine the necessary syscalls for a program |
315 | - fixed conky profile | 320 | - fixed conky profile |
316 | - thunderbird.profile: harden and enable the rules necessary to make Firefox open links | 321 | - thunderbird.profile: harden and enable the rules necessary to make |
322 | Firefox open links | ||
317 | da2x (https://github.com/da2x) | 323 | da2x (https://github.com/da2x) |
318 | - matched RPM license tag | 324 | - matched RPM license tag |
319 | Daan Bakker (https://github.com/dbakker) | 325 | Daan Bakker (https://github.com/dbakker) |
@@ -358,7 +364,8 @@ Disconnect3d (https://github.com/disconnect3d) | |||
358 | dm9pZCAq (https://github.com/dm9pZCAq) | 364 | dm9pZCAq (https://github.com/dm9pZCAq) |
359 | - fix for compilation under musl | 365 | - fix for compilation under musl |
360 | dmfreemon (https://github.com/dmfreemon) | 366 | dmfreemon (https://github.com/dmfreemon) |
361 | - add sandbox name or name of private directory to the window title when xpra is used | 367 | - add sandbox name or name of private directory to the window title |
368 | when xpra is used | ||
362 | - handle malloc() failures; use gnu_basename() instead of basenaem() | 369 | - handle malloc() failures; use gnu_basename() instead of basenaem() |
363 | Dmitriy Chestnykh (https://github.com/chestnykh) | 370 | Dmitriy Chestnykh (https://github.com/chestnykh) |
364 | - add ability to disable user profiles at compile time | 371 | - add ability to disable user profiles at compile time |
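Review bot: The context line right after the rewrapped entry (new line 369) still reads `basenaem()`, which should be `basename()`. It is worth fixing in the same pass, since this commit is already a documentation cleanup of this block.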
@@ -1030,7 +1037,8 @@ soredake (https://github.com/soredake) | |||
1030 | - add localtime to private-etc to make qtox show correct time | 1037 | - add localtime to private-etc to make qtox show correct time |
1031 | - fixes for the keepassxc 2.2.5 version | 1038 | - fixes for the keepassxc 2.2.5 version |
1032 | SkewedZeppelin (https://github.com/SkewedZeppelin) | 1039 | SkewedZeppelin (https://github.com/SkewedZeppelin) |
1033 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles | 1040 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, |
1041 | Lollypop, MultiMC5 profiles | ||
1034 | - added PDFSam, Pithos, and Xonotic profiles | 1042 | - added PDFSam, Pithos, and Xonotic profiles |
1035 | - disabled Go, Rust, and OpenSSL in disable-devel.conf | 1043 | - disabled Go, Rust, and OpenSSL in disable-devel.conf |
1036 | - added dino profile | 1044 | - added dino profile |
@@ -1048,7 +1056,8 @@ SkewedZeppelin (https://github.com/SkewedZeppelin) | |||
1048 | - added IntelliJ IDEA and Android Studio profiles | 1056 | - added IntelliJ IDEA and Android Studio profiles |
1049 | - added arm profile | 1057 | - added arm profile |
1050 | - lots of profile improvements/tightening | 1058 | - lots of profile improvements/tightening |
1051 | - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img, | 1059 | - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, |
1060 | sdat2img, | ||
1052 | soundconverter, sqlitebrowser, and truecraft profiles | 1061 | soundconverter, sqlitebrowser, and truecraft profiles |
1053 | - added gnome-twitch profile | 1062 | - added gnome-twitch profile |
1054 | - Unified all 341 profiles | 1063 | - Unified all 341 profiles |
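Review bot: The rewrap at new lines 1059-1061 leaves `sdat2img,` alone on its own line because the continuation line that follows was not reflowed. Join it with the next line so the entry reads `sdat2img, soundconverter, sqlitebrowser, and truecraft profiles`.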
@@ -1085,10 +1094,12 @@ SYN-cook (https://github.com/SYN-cook) | |||
1085 | - gnome-calculator changes | 1094 | - gnome-calculator changes |
1086 | startx2017 (https://github.com/startx2017) | 1095 | startx2017 (https://github.com/startx2017) |
1087 | - syscall list update | 1096 | - syscall list update |
1088 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, | 1097 | - updated default seccomp filters - added bpf, clock_settime, |
1089 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old | 1098 | personality, process_vm_writev, query_module, settimeofday, stime, |
1099 | umount, userfaultfd, ustat, vm86, and vm86old | ||
1090 | - enable/disable join support in /etc/firejail/firejail.config | 1100 | - enable/disable join support in /etc/firejail/firejail.config |
1091 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist | 1101 | - firecfg fix: create ~/.local/share/applications directory if it |
1102 | doesn't exist | ||
1092 | - firejail.config cleanup | 1103 | - firejail.config cleanup |
1093 | - --quiet fixes | 1104 | - --quiet fixes |
1094 | - bugfixes branches maintainer | 1105 | - bugfixes branches maintainer |
@@ -1250,10 +1261,9 @@ Zack Weinberg (https://github.com/zackw) | |||
1250 | - wait_for_other function rewrite | 1261 | - wait_for_other function rewrite |
1251 | - Xvfb X11 server support | 1262 | - Xvfb X11 server support |
1252 | - Xvfb and Xephyr profiles, modified Xpra profile | 1263 | - Xvfb and Xephyr profiles, modified Xpra profile |
1253 | - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started | 1264 | - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes |
1254 | with firejail --x11 | 1265 | when started with firejail --x11 |
1255 | - support for xpra-extra-params in firejail.config | 1266 | - support for xpra-extra-params in firejail.config |
1256 | |||
1257 | zupatisc (https://github.com/zupatisc) | 1267 | zupatisc (https://github.com/zupatisc) |
1258 | - patch-util fix | 1268 | - patch-util fix |
1259 | 1269 | ||
@@ -1,79 +1,91 @@ | |||
1 | # Firejail | 1 | # Firejail |
2 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) | 2 | |
3 | [![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) | 3 | [![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) |
4 | [![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) | 4 | [![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) |
5 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | 5 | [![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) |
6 | 6 | [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | |
7 | Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting | 7 | |
8 | the running environment of untrusted applications using Linux namespaces, seccomp-bpf | 8 | Firejail is a SUID sandbox program that reduces the risk of security breaches |
9 | and Linux capabilities. It allows a process and all its descendants to have their own private | 9 | by restricting the running environment of untrusted applications using Linux |
10 | view of the globally shared kernel resources, such as the network stack, process table, mount table. | 10 | namespaces, seccomp-bpf and Linux capabilities. It allows a process and all |
11 | Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups. | 11 | its descendants to have their own private view of the globally shared kernel |
12 | 12 | resources, such as the network stack, process table, mount table. Firejail can | |
13 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel | 13 | work in a SELinux or AppArmor environment, and it is integrated with Linux |
14 | version or newer. It can sandbox any type of processes: servers, graphical applications, and even | 14 | Control Groups. |
15 | user login sessions. The software includes sandbox profiles for a number of more common Linux programs, | 15 | |
16 | Written in C with virtually no dependencies, the software runs on any Linux | ||
17 | computer with a 3.x kernel version or newer. It can sandbox any type of | ||
18 | processes: servers, graphical applications, and even user login sessions. The | ||
19 | software includes sandbox profiles for a number of more common Linux programs, | ||
16 | such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 20 | such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
17 | 21 | ||
18 | The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, | 22 | The sandbox is lightweight, the overhead is low. There are no complicated |
19 | no socket connections open, no daemons running in the background. All security features are | 23 | configuration files to edit, no socket connections open, no daemons running in |
20 | implemented directly in Linux kernel and available on any Linux computer. | 24 | the background. All security features are implemented directly in Linux kernel |
25 | and available on any Linux computer. | ||
26 | |||
27 | ## Videos | ||
21 | 28 | ||
22 | <table><tr> | 29 | <table> |
30 | <tr> | ||
23 | 31 | ||
24 | <td> | 32 | <td> |
25 | <a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank"> | 33 | <a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank"> |
26 | <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png" | 34 | <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png" |
27 | alt="Advanced Browser Security" width="240" height="142" border="10" /><br/>Advanced Browser Security</a> | 35 | alt="Advanced Browser Security" width="240" height="142" border="10" /> |
36 | <br/>Advanced Browser Security | ||
37 | </a> | ||
28 | </td> | 38 | </td> |
29 | 39 | ||
30 | <td> | 40 | <td> |
31 | <a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank"> | 41 | <a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank"> |
32 | <img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png" | 42 | <img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png" |
33 | alt="How To Disable Network Access" width="240" height="142" border="10" /><br/>How To Disable Network Access</a> | 43 | alt="How To Disable Network Access" width="240" height="142" border="10" /> |
44 | <br/>How To Disable Network Access | ||
45 | </a> | ||
34 | </td> | 46 | </td> |
35 | 47 | ||
36 | <td> | 48 | <td> |
37 | <a href="https://odysee.com/@netblue30:9/divested:2" target="_blank"> | 49 | <a href="https://odysee.com/@netblue30:9/divested:2" target="_blank"> |
38 | <img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png" | 50 | <img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png" |
39 | alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a> | 51 | alt="Deep Dive" width="240" height="142" border="10" /> |
52 | <br/>Deep Dive | ||
53 | </a> | ||
40 | </td> | 54 | </td> |
41 | 55 | ||
42 | </tr></table> | 56 | </tr> |
43 | 57 | </table> | |
44 | Project webpage: https://firejail.wordpress.com/ | ||
45 | |||
46 | IRC: https://web.libera.chat/#firejail | ||
47 | |||
48 | Download and Installation: https://firejail.wordpress.com/download-2/ | ||
49 | |||
50 | Features: https://firejail.wordpress.com/features-3/ | ||
51 | 58 | ||
52 | Documentation: https://firejail.wordpress.com/documentation-2/ | 59 | ## Links |
53 | 60 | ||
54 | FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions | 61 | * Project webpage: <https://firejail.wordpress.com/> |
55 | 62 | * IRC: <https://web.libera.chat/#firejail> | |
56 | Wiki: https://github.com/netblue30/firejail/wiki | 63 | * Download and Installation: <https://firejail.wordpress.com/download-2/> |
57 | 64 | * Features: <https://firejail.wordpress.com/features-3/> | |
58 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ | 65 | * Documentation: <https://firejail.wordpress.com/documentation-2/> |
59 | 66 | * FAQ: <https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions> | |
60 | Video Channel: https://odysee.com/@netblue30:9?order=new | 67 | * Wiki: <https://github.com/netblue30/firejail/wiki> |
61 | 68 | * GitHub Actions: <https://github.com/netblue30/firejail/actions> | |
62 | Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ | 69 | * GitLab CI: <https://gitlab.com/Firejail/firejail_ci/pipelines> |
70 | * Video Channel: <https://odysee.com/@netblue30:9?order=new> | ||
71 | * Backup Video Channel: <https://www.bitchute.com/profile/JSBsA1aoQVfW/> | ||
63 | 72 | ||
64 | ## Security vulnerabilities | 73 | ## Security vulnerabilities |
65 | 74 | ||
66 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com | 75 | See [SECURITY.md](SECURITY.md). |
67 | 76 | ||
68 | ## Installing | 77 | ## Installing |
69 | 78 | ||
70 | ### Debian | 79 | ### Debian |
71 | 80 | ||
72 | Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package. | 81 | Debian stable (bullseye): We recommend to use the |
82 | [backports](https://packages.debian.org/bullseye-backports/firejail) package. | ||
73 | 83 | ||
74 | ### Ubuntu | 84 | ### Ubuntu |
75 | 85 | ||
76 | For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). | 86 | For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly |
87 | advised** to use the | ||
88 | [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). | ||
77 | 89 | ||
78 | How to add and install from the PPA: | 90 | How to add and install from the PPA: |
79 | 91 | ||
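Review bot: The "Security vulnerabilities" section (new line 75) replaces the sentence giving the reporting address with `See [SECURITY.md](SECURITY.md).`, a content change inside a hunk that is otherwise rewrapping. The relative link works where README.md is rendered next to SECURITY.md, but copies of the README shown elsewhere lose the contact entirely; consider keeping the address in the sentence and adding the link after it. The same hunk also adds a "GitHub Actions" link, renames the badges and drops the trailing slash from the GitLab pipelines URL; splitting those from the line-wrap changes would make both easier to review.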
@@ -83,140 +95,186 @@ sudo apt-get update | |||
83 | sudo apt-get install firejail firejail-profiles | 95 | sudo apt-get install firejail firejail-profiles |
84 | ``` | 96 | ``` |
85 | 97 | ||
86 | Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad: | 98 | Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to |
99 | CVE-2021-26910 for months after a patch for it was posted on Launchpad: | ||
87 | 100 | ||
88 | * [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767) | 101 | * [CVE-2021-26910](https://github.com/advisories/GHSA-2q4h-h5jp-942w) |
102 | * [firejail version in Ubuntu 20.04 LTS is vulnerable to | ||
103 | CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767) | ||
89 | 104 | ||
90 | See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: | 105 | See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: |
91 | 106 | ||
92 | > What software is supported by the Ubuntu Security team? | 107 | > What software is supported by the Ubuntu Security team? |
93 | > | 108 | > |
94 | > Ubuntu is currently divided into four components: main, restricted, universe | 109 | > Ubuntu is currently divided into four components: main, restricted, universe |
95 | > and multiverse. All binary packages in main and restricted are supported by | 110 | > and multiverse. All binary packages in main and restricted are supported by |
96 | > the Ubuntu Security team for the life of an Ubuntu release, while binary | 111 | > the Ubuntu Security team for the life of an Ubuntu release, while binary |
97 | > packages in universe and multiverse are supported by the Ubuntu community. | 112 | > packages in universe and multiverse are supported by the Ubuntu community. |
98 | 113 | ||
99 | Additionally, the PPA version is likely to be more recent and to contain more profile fixes. | 114 | Additionally, the PPA version is likely to be more recent and to contain more |
115 | profile fixes. | ||
100 | 116 | ||
101 | See the following discussions for details: | 117 | See the following discussions for details: |
102 | 118 | ||
103 | * [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666) | 119 | * [Should I keep using the version of firejail available in my distro |
104 | * [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663) | 120 | repos?](https://github.com/netblue30/firejail/discussions/4666) |
121 | * [How to install the latest version on Ubuntu and | ||
122 | derivatives](https://github.com/netblue30/firejail/discussions/4663) | ||
105 | 123 | ||
106 | ### Other | 124 | ### Other |
107 | 125 | ||
108 | Firejail is included in a large number of Linux distributions. | 126 | Firejail is available in multiple Linux distributions: |
127 | |||
128 | <details> | ||
129 | <summary>Repology</summary> | ||
130 | <p> | ||
131 | |||
132 | [![Packaging status (Repology)](https://repology.org/badge/vertical-allrepos/firejail.svg)](https://repology.org/project/firejail/versions) | ||
109 | 133 | ||
110 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: | 134 | </p> |
135 | </details> | ||
111 | 136 | ||
112 | ````` | 137 | Other than the [aforementioned exceptions](#installing), as long as your |
113 | $ git clone https://github.com/netblue30/firejail.git | 138 | distribution provides a [supported version](SECURITY.md) of firejail, it's |
114 | $ cd firejail | 139 | generally a good idea to install it from the distribution. |
115 | $ ./configure && make && sudo make install-strip | 140 | |
116 | ````` | 141 | The version can be checked with `firejail --version` after installing. |
117 | On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor | 142 | |
118 | development libraries and pkg-config are required when using `--enable-apparmor` | 143 | You can also install one of the [released |
144 | packages](https://github.com/netblue30/firejail/releases). | ||
145 | |||
146 | Or clone the source code from our git repository and build manually: | ||
147 | |||
148 | ```sh | ||
149 | git clone https://github.com/netblue30/firejail.git | ||
150 | cd firejail | ||
151 | ./configure && make && sudo make install-strip | ||
152 | ``` | ||
153 | |||
154 | On Debian/Ubuntu you will need to install git and gcc. AppArmor development | ||
155 | libraries and pkg-config are required when using the `--enable-apparmor` | ||
119 | ./configure option: | 156 | ./configure option: |
120 | ````` | 157 | |
121 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk | 158 | ```sh |
122 | ````` | 159 | sudo apt-get install git build-essential libapparmor-dev pkg-config gawk |
160 | ``` | ||
161 | |||
123 | For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). | 162 | For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). |
124 | 163 | ||
125 | Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). | 164 | Detailed information on using firejail from git is available on the |
165 | [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). | ||
126 | 166 | ||
127 | ## Running the sandbox | 167 | ## Running the sandbox |
128 | 168 | ||
129 | To start the sandbox, prefix your command with `firejail`: | 169 | To start the sandbox, prefix your command with `firejail`: |
130 | 170 | ||
131 | ````` | 171 | ```sh |
132 | $ firejail firefox # starting Mozilla Firefox | 172 | firejail firefox # starting Mozilla Firefox |
133 | $ firejail transmission-gtk # starting Transmission BitTorrent | 173 | firejail transmission-gtk # starting Transmission BitTorrent |
134 | $ firejail vlc # starting VideoLAN Client | 174 | firejail vlc # starting VideoLAN Client |
135 | $ sudo firejail /etc/init.d/nginx start | 175 | sudo firejail /etc/init.d/nginx start |
136 | ````` | 176 | ``` |
137 | Run `firejail --list` in a terminal to list all active sandboxes. Example: | 177 | |
138 | ````` | 178 | Run `firejail --list` in a terminal to list all active sandboxes. Example: |
179 | |||
180 | ```console | ||
139 | $ firejail --list | 181 | $ firejail --list |
140 | 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr | 182 | 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr |
141 | 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt | 183 | 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt |
142 | 7779:netblue:/usr/bin/firejail /usr/bin/galculator | 184 | 7779:netblue:/usr/bin/firejail /usr/bin/galculator |
143 | 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4 | 185 | 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4 |
144 | 7916:netblue:firejail --list | 186 | 7916:netblue:firejail --list |
145 | ````` | 187 | ``` |
146 | 188 | ||
147 | ## Desktop integration | 189 | ## Desktop integration |
148 | 190 | ||
149 | Integrate your sandbox into your desktop by running the following two commands: | 191 | Integrate your sandbox into your desktop by running the following two commands: |
150 | ````` | ||
151 | $ firecfg --fix-sound | ||
152 | $ sudo firecfg | ||
153 | ````` | ||
154 | 192 | ||
155 | The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. | 193 | ```sh |
156 | The second command integrates Firejail into your desktop. You would need to logout and login back to apply | 194 | firecfg --fix-sound |
157 | PulseAudio changes. | 195 | sudo firecfg |
196 | ``` | ||
197 | |||
198 | The first command solves some shared memory/PID namespace bugs in PulseAudio | ||
199 | software prior to version 9. The second command integrates Firejail into your | ||
200 | desktop. You would need to logout and login back to apply PulseAudio changes. | ||
201 | |||
202 | Start your programs the way you are used to: desktop manager menus, file | ||
203 | manager, desktop launchers. | ||
158 | 204 | ||
159 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. | 205 | The integration applies to any program supported by default by Firejail. There |
160 | The integration applies to any program supported by default by Firejail. There are about 250 default applications | 206 | are over 900 default applications in the current Firejail version, and the |
161 | in current Firejail version, and the number goes up with every new release. | 207 | number goes up with every new release. |
162 | We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. | 208 | |
209 | We keep the application list in | ||
210 | [src/firecfg/firecfg.config](src/firecfg/firecfg.config) | ||
211 | (/etc/firejail/firecfg.config when installed). | ||
163 | 212 | ||
164 | ## Security profiles | 213 | ## Security profiles |
165 | 214 | ||
166 | Most Firejail command line options can be passed to the sandbox using profile files. | 215 | Most Firejail command line options can be passed to the sandbox using profile |
167 | You can find the profiles for all supported applications in [/etc/firejail](https://github.com/netblue30/firejail/tree/master/etc) directory. | 216 | files. |
217 | |||
218 | You can find the profiles for all supported applications in [etc/](etc/) | ||
219 | (/etc/firejail/ when installed). | ||
220 | |||
221 | We also keep a list of profile fixes for previous released versions in | ||
222 | [etc-fixes/](etc-fixes/). | ||
168 | 223 | ||
169 | If you keep additional Firejail security profiles in a public repository, please give us a link: | 224 | If you keep additional Firejail security profiles in a public repository, |
225 | please give us a link: | ||
170 | 226 | ||
171 | * https://github.com/chiraag-nataraj/firejail-profiles | 227 | * <https://github.com/chiraag-nataraj/firejail-profiles> |
228 | * <https://github.com/triceratops1/fe> | ||
172 | 229 | ||
173 | * https://github.com/triceratops1/fe | 230 | Use this issue to request new profiles: |
174 | 231 | ||
175 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) | 232 | * [Profile requests](https://github.com/netblue30/firejail/issues/1139) |
176 | 233 | ||
177 | You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh). | 234 | You can also use this tool to get a list of syscalls needed by a program: |
178 | 235 | ||
179 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 236 | * [contrib/syscalls.sh](contrib/syscalls.sh) |
180 | 237 | ||
181 | ## Latest released version: 0.9.72 | 238 | ## Latest released version: 0.9.72 |
182 | 239 | ||
183 | ## Current development version: 0.9.73 | 240 | ## Current development version: 0.9.73 |
184 | 241 | ||
185 | ### --keep-shell-rc | 242 | ### --keep-shell-rc |
186 | ````` | 243 | |
244 | ```text | ||
187 | --keep-shell-rc | 245 | --keep-shell-rc |
188 | By default, when using a private home directory, firejail copies | 246 | By default, when using a private home directory, firejail copies |
189 | files from the system's user home template (/etc/skel) into it, | 247 | files from the system's user home template (/etc/skel) into it, |
190 | which overrides attempts to whitelist the original files (such | 248 | which overrides attempts to whitelist the original files (such |
191 | as ~/.bashrc and ~/.zshrc). This option disables this feature, | 249 | as ~/.bashrc and ~/.zshrc). This option disables this feature, |
192 | and enables the user to whitelist the original files. | 250 | and enables the user to whitelist the original files. |
193 | 251 | ``` | |
194 | ````` | ||
195 | 252 | ||
196 | ### private-etc rework | 253 | ### private-etc rework |
197 | ````` | 254 | |
255 | ```text | ||
198 | --private-etc, --private-etc=file,directory,@group | 256 | --private-etc, --private-etc=file,directory,@group |
199 | The files installed by --private-etc are copies of the original | 257 | The files installed by --private-etc are copies of the original |
200 | system files from /etc directory. By default, the command | 258 | system files from /etc directory. By default, the command |
201 | brings in a skeleton of files and directories used by most con‐ | 259 | brings in a skeleton of files and directories used by most |
202 | sole tools: | 260 | console tools: |
203 | 261 | ||
204 | $ firejail --private-etc dig debian.org | 262 | $ firejail --private-etc dig debian.org |
205 | 263 | ||
206 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parame‐ | 264 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a |
207 | ter. Example: | 265 | parameter. Example: |
208 | 266 | ||
209 | $ firejail --private-etc=@x11,gcrypt,python* gimp | 267 | $ firejail --private-etc=@x11,gcrypt,python* gimp |
210 | 268 | ||
211 | gcrypt and /etc/python* directories are not part of the generic | 269 | gcrypt and /etc/python* directories are not part of the generic |
212 | @x11 group. File globbing is supported. | 270 | @x11 group. File globbing is supported. |
213 | 271 | ||
214 | For games, add @games group: | 272 | For games, add @games group: |
215 | 273 | ||
216 | $ firejail --private-etc=@games,@x11 warzone2100 | 274 | $ firejail --private-etc=@games,@x11 warzone2100 |
217 | 275 | ||
218 | Sound and networking files are included automatically, unless | 276 | Sound and networking files are included automatically, unless |
219 | --nosound or --net=none are specified. Files for encrypted | 277 | --nosound or --net=none are specified. Files for encrypted |
220 | TLS/SSL protocol are in @tls-ca group. | 278 | TLS/SSL protocol are in @tls-ca group. |
221 | 279 | ||
222 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org | 280 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org |
@@ -225,22 +283,29 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
225 | by your program is using strace utility: | 283 | by your program is using strace utility: |
226 | 284 | ||
227 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc | 285 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc |
286 | ``` | ||
287 | |||
288 | We keep the list of groups in | ||
289 | [src/include/etc_groups.h](src/include/etc_groups.h). | ||
228 | 290 | ||
229 | ````` | 291 | Discussion: |
230 | We keep the list of groups in [src/include/etc_groups.h](https://github.com/netblue30/firejail/blob/master/src/include/etc_groups.h) | 292 | |
231 | Discussion: https://github.com/netblue30/firejail/discussions/5610 | 293 | * [private-etc rework](https://github.com/netblue30/firejail/discussions/5610) |
232 | 294 | ||
233 | ### Profile Statistics | 295 | ### Profile Statistics |
234 | 296 | ||
235 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 297 | A small tool to print profile statistics. Compile and install as usual. The |
298 | tool is installed in the /usr/lib/firejail directory. | ||
299 | |||
236 | Run it over the profiles in /etc/profiles: | 300 | Run it over the profiles in /etc/profiles: |
237 | ``` | 301 | |
302 | ```console | ||
238 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile | 303 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile |
239 | No include .local found in /etc/firejail/noprofile.profile | 304 | No include .local found in /etc/firejail/noprofile.profile |
240 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 305 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
241 | 306 | ||
242 | Stats: | 307 | Stats: |
243 | profiles 1209 | 308 | profiles 1209 |
244 | include local profile 1208 (include profile-name.local) | 309 | include local profile 1208 (include profile-name.local) |
245 | include globals 1181 (include globals.local) | 310 | include globals 1181 (include globals.local) |
246 | blacklist ~/.ssh 1079 (include disable-common.inc) | 311 | blacklist ~/.ssh 1079 (include disable-common.inc) |
@@ -266,5 +331,4 @@ Stats: | |||
266 | dbus-user filter 141 | 331 | dbus-user filter 141 |
267 | dbus-system none 851 | 332 | dbus-system none 851 |
268 | dbus-system filter 12 | 333 | dbus-system filter 12 |
269 | |||
270 | ``` | 334 | ``` |
diff --git a/SECURITY.md b/SECURITY.md index 734d04ccf..2a9cc7f6f 100644 --- a/SECURITY.md +++ b/SECURITY.md | |||
@@ -26,4 +26,8 @@ | |||
26 | 26 | ||
27 | ## Security vulnerabilities | 27 | ## Security vulnerabilities |
28 | 28 | ||
29 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com | 29 | We take security bugs very seriously. |
30 | |||
31 | If you believe you have found one, please report it to: | ||
32 | |||
33 | * <netblue30@protonmail.com> | ||
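Review bot: the removed line in SECURITY.md had the address as `netblue30@@protonmail.com`, with a doubled `@`, and the new bullet `<netblue30@protonmail.com>` corrects it. That is a functional fix to the vulnerability reporting channel rather than a formatting change, so it deserves its own line in the commit message. Since the README now defers to this file, it is also worth confirming that this is the address the maintainers want as the single published contact.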