author | netblue30 <netblue30@yahoo.com> | 2016-07-10 10:08:53 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-10 10:08:53 -0400 |
commit | a344c555ff282c23a8274d10ad0f75eb4fae6836 (patch) | |
tree | b86fde69dc1cb71a476745c974196735d694952a | |
parent | noexec inside /var directory (diff) | |
--noexec
-rw-r--r-- | README.md | 23 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 15 |
5 files changed, 43 insertions, 3 deletions
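--- a/README.md
+++ b/README.md
@@ -90,9 +90,28 @@ AUDIT
 Limitations: audit feature is not implemented for --x11 commands.
 `````
 
-## --private-dev enhancements - work in progress!
+## --noexec
+`````
+--noexec=dirname_or_filename
+Remount directory or file noexec, nodev and nosuid.
+
+Example:
+$ firejail --noexec=/tmp
+
+/etc and /var are noexec by default. If there are more than one
+mount operation on the path of the file or directory, noexec
+should be applied to the last one. Always check if the change
+took effect inside the sandbox.
+`````
 
-The following devices are added to --private-dev list.
+## --rmenv
+`````
+--rmenv=name
+Remove environment variable in the new sandbox.
+
+Example:
+$ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
+`````
 
 ## Converting profiles to private-bin - work in progress!
 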
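--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low
 * AppImage support (--appimage)
 * Sandbox auditing support (--audit)
 * remove environment variable (--rmenv)
+* noexec support (--noexec)
 * include /dev/snd in --private-dev
 * added mkfile profile command
 * seccomp filter updated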
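diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 6b7a666db..f7a93174f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -147,9 +147,11 @@ void usage(void) {
 printf(" --nice=value - set nice value\n\n");
 printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
 printf("\tfile.\n\n");
+printf(" --noexec=dirname_of_filenam - remount the file or directory noexec\n");
+printf("\tnosuid and nodev\n\n");
 printf(" --nogroups - disable supplementary groups. Without this option,\n");
 printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
-printf("\t For root, groups are always disabled.\n\n");
+printf("\tFor root, groups are always disabled.\n\n");
 
 printf(" --noprofile - do not use a profile. Profile priority is use the one\n");
 printf("\tspecified on the command line, next try to find one that\n");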
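Review bot: The placeholder in the added `--noexec` usage line (new line 150) is misspelled as `dirname_of_filenam`, while the `--noblacklist` entry just above it and the man page text added in this commit both use `dirname_or_filename`; the line should read `printf(" --noexec=dirname_or_filename - remount the file or directory noexec,\n");`. The trailing comma is also needed because the wrapped help text currently prints as "noexec nosuid and nodev". The man page in this commit tells users that noexec must be applied to the last mount on the path and that the result should be checked inside the sandbox; a short pointer to that caveat in the help output would serve users who rely on `--help` alone. usage() begins and ends outside this hunk.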
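diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 98fa17908..504842a9e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -157,6 +157,9 @@ whitelist ~/.cache/mozilla/firefox
 Similar to mkdir, this command creates a file in user home before the sandbox is started.
 The file is created if it doesn't already exist.
 .TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is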
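diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7c9cd98de..cd9ea6a8a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -851,6 +851,21 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-noexec=dirname_or_filename
+Remount directory or file noexec, nodev and nosuid.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noexec=/tmp
+.br
+
+.br
+/etc and /var are noexec by default. If there are more than one mount operation
+on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
+
+.TP
 \fB\-\-nogroups
 Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
 sandbox. For root user supplementary groups are always disabled.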