run time configuration support

author: netblue30 <netblue30@yahoo.com> 2016-03-19 09:18:24 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-03-19 09:18:24 -0400
commit: c07e4d109fecacfa96e0e14e2b470895d9629574 (patch)
tree: ca384517452e272b0f4e50716c86c7a95738837a
parent: x11 fix (diff)
download: firejail-c07e4d109fecacfa96e0e14e2b470895d9629574.tar.gz
firejail-c07e4d109fecacfa96e0e14e2b470895d9629574.tar.zst
firejail-c07e4d109fecacfa96e0e14e2b470895d9629574.zip
7 files changed, 51 insertions, 4 deletions
diff --git a/Makefile.in b/Makefile.in
index 20df3acf9..29d8004f3 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5
+all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5 firejail-config.5
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee
@@ -33,6 +33,8 @@ firejail-profile.5: src/man/firejail-profile.txt
        ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5
 firejail-login.5: src/man/firejail-login.txt
        ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5
+firejail-config.5: src/man/firejail-config.txt
+        ./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5
 clean:
        for dir in $(APPS); do \
@@ -41,7 +43,7 @@ clean:
        for dir in $(MYLIBS); do \
                $(MAKE) -C $$dir clean; \
        done
-        rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm
+        rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm
 distclean: clean
        for dir in $(APPS); do \
@@ -160,13 +162,16 @@ realinstall:
        gzip -9n firejail-profile.5
        rm -f firejail-login.5.gz
        gzip -9n firejail-login.5
+        rm -f firejail-config.5.gz
+        gzip -9n firejail-config.5
        install -m 0755 -d $(DESTDIR)/$(mandir)/man1
        install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/.
        install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/.
        install -m 0755 -d $(DESTDIR)/$(mandir)/man5
        install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/.
        install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/.
-        rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz
+        install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/.
+        rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz
        # bash completion
        install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
        install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
@@ -193,6 +198,7 @@ uninstall:
        rm -f $(DESTDIR)/$(mandir)/man1/firemon.1*
        rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5*
        rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5*
+        rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5*
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
        
diff --git a/README.md b/README.md
index b3eb112bc..2406cfc49 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,43 @@ FILE TRANSFER
              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
 `````
+## Compile time and run time configuration support
+Most Linux kernel security features require root privileges during configuration.
+The same is true for kernel networking features. Firejail (SUID binary) opens the 
+access to these features to regular users. The privilege escalation is restricted 
+to the sandbox being configured, and is not extended to the rest of the system. 
+This arrangement works fine for user desktops or servers where the access is already limited.
+If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
+or at run time by editing /etc/firejail/firejail.config file.
+The following features can be enabled or disabled:
+`````
+       secomp Enable or disable seccomp support, default enabled.
+       chroot Enable or disable chroot support, default enabled.
+       bind   Enable or disable bind support, default enabled.
+       network
+              Enable or disable networking features, default enabled.
+       restricted-network
+              Enable  or disable restricted network support, default disabled.
+              If enabled, networking features should also be enabled  (network
+              yes).   Restricted  networking  grants access to --interface and
+              --net=ethXXX only to root user. Regular users are  only  allowed
+              --net=none.
+       userns Enable or disable user namespace support, default enabled.
+       x11    Enable or disable X11 sandboxing support, default enabled.
+       file-transfer
+              Enable or disable file transfer support, default enabled.
+`````
 ## Default seccomp filter update
 Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
diff --git a/RELNOTES b/RELNOTES
index 00695006e..03261ddf7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,6 +7,7 @@ firejail (0.9.39) baseline; urgency=low
  * added mkdir, ipc-namespace and nosound profile commands
  * --version also prints compile options
  * added compile-time option to restrict --net= to root only
+  * run time config support, man firejail-config
  * build rpm packages using "make rpms"
  * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
  * new profiles: qutebrowser, SlimJet
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index e5bcf9436..13d045ee4 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -33,6 +33,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
+\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index c5de79118..82a0d2503 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -352,6 +352,7 @@ Homepage: http://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b72296387..f3c023aba 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1787,6 +1787,7 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 88b2ce59f..78a6dd5ea 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -107,5 +107,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
author	netblue30 <netblue30@yahoo.com>	2016-03-19 09:18:24 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-03-19 09:18:24 -0400
commit	c07e4d109fecacfa96e0e14e2b470895d9629574 (patch)
tree	ca384517452e272b0f4e50716c86c7a95738837a
parent	x11 fix (diff)
download	firejail-c07e4d109fecacfa96e0e14e2b470895d9629574.tar.gz firejail-c07e4d109fecacfa96e0e14e2b470895d9629574.tar.zst firejail-c07e4d109fecacfa96e0e14e2b470895d9629574.zip

diff --git a/Makefile.in b/Makefile.in index 20df3acf9..29d8004f3 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -1,4 +1,4 @@
1	all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5	1	all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5 firejail-config.5
2	MYLIBS = src/lib	2	MYLIBS = src/lib
3	APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee	3	APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee
4		4
@@ -33,6 +33,8 @@ firejail-profile.5: src/man/firejail-profile.txt
33	./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5	33	./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5
34	firejail-login.5: src/man/firejail-login.txt	34	firejail-login.5: src/man/firejail-login.txt
35	./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5	35	./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5
		36	firejail-config.5: src/man/firejail-config.txt
		37	./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5
36		38
37	clean:	39	clean:
38	for dir in $(APPS); do \	40	for dir in $(APPS); do \
@@ -41,7 +43,7 @@ clean:
41	for dir in $(MYLIBS); do \	43	for dir in $(MYLIBS); do \
42	$(MAKE) -C $$dir clean; \	44	$(MAKE) -C $$dir clean; \
43	done	45	done
44	rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm	46	rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm
45		47
46	distclean: clean	48	distclean: clean
47	for dir in $(APPS); do \	49	for dir in $(APPS); do \
@@ -160,13 +162,16 @@ realinstall:
160	gzip -9n firejail-profile.5	162	gzip -9n firejail-profile.5
161	rm -f firejail-login.5.gz	163	rm -f firejail-login.5.gz
162	gzip -9n firejail-login.5	164	gzip -9n firejail-login.5
		165	rm -f firejail-config.5.gz
		166	gzip -9n firejail-config.5
163	install -m 0755 -d $(DESTDIR)/$(mandir)/man1	167	install -m 0755 -d $(DESTDIR)/$(mandir)/man1
164	install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/.	168	install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/.
165	install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/.	169	install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/.
166	install -m 0755 -d $(DESTDIR)/$(mandir)/man5	170	install -m 0755 -d $(DESTDIR)/$(mandir)/man5
167	install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/.	171	install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/.
168	install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/.	172	install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/.
169	rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz	173	install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/.
		174	rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz
170	# bash completion	175	# bash completion
171	install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions	176	install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
172	install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail	177	install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
@@ -193,6 +198,7 @@ uninstall:
193	rm -f $(DESTDIR)/$(mandir)/man1/firemon.1*	198	rm -f $(DESTDIR)/$(mandir)/man1/firemon.1*
194	rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5*	199	rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5*
195	rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5*	200	rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5*
		201	rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5*
196	rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail	202	rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
197	rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon	203	rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
198		204


diff --git a/README.md b/README.md index b3eb112bc..2406cfc49 100644 --- a/README.md +++ b/README.md
@@ -89,6 +89,43 @@ FILE TRANSFER
89	$ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png	89	$ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
90	`````	90	`````
91		91
		92	## Compile time and run time configuration support
		93
		94	Most Linux kernel security features require root privileges during configuration.
		95	The same is true for kernel networking features. Firejail (SUID binary) opens the
		96	access to these features to regular users. The privilege escalation is restricted
		97	to the sandbox being configured, and is not extended to the rest of the system.
		98	This arrangement works fine for user desktops or servers where the access is already limited.
		99
		100	If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
		101	or at run time by editing /etc/firejail/firejail.config file.
		102
		103	The following features can be enabled or disabled:
		104	`````
		105	secomp Enable or disable seccomp support, default enabled.
		106
		107	chroot Enable or disable chroot support, default enabled.
		108
		109	bind Enable or disable bind support, default enabled.
		110
		111	network
		112	Enable or disable networking features, default enabled.
		113
		114	restricted-network
		115	Enable or disable restricted network support, default disabled.
		116	If enabled, networking features should also be enabled (network
		117	yes). Restricted networking grants access to --interface and
		118	--net=ethXXX only to root user. Regular users are only allowed
		119	--net=none.
		120
		121	userns Enable or disable user namespace support, default enabled.
		122
		123	x11 Enable or disable X11 sandboxing support, default enabled.
		124
		125	file-transfer
		126	Enable or disable file transfer support, default enabled.
		127	`````
		128
92	## Default seccomp filter update	129	## Default seccomp filter update
93		130
94	Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).	131	Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).


diff --git a/RELNOTES b/RELNOTES index 00695006e..03261ddf7 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -7,6 +7,7 @@ firejail (0.9.39) baseline; urgency=low
7	* added mkdir, ipc-namespace and nosound profile commands	7	* added mkdir, ipc-namespace and nosound profile commands
8	* --version also prints compile options	8	* --version also prints compile options
9	* added compile-time option to restrict --net= to root only	9	* added compile-time option to restrict --net= to root only
		10	* run time config support, man firejail-config
10	* build rpm packages using "make rpms"	11	* build rpm packages using "make rpms"
11	* new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril	12	* new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
12	* new profiles: qutebrowser, SlimJet	13	* new profiles: qutebrowser, SlimJet


diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index e5bcf9436..13d045ee4 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt
@@ -33,6 +33,6 @@ Homepage: http://firejail.wordpress.com
33	\&\flfirejail\fR\\|(1),	33	\&\flfirejail\fR\\|(1),
34	\&\flfiremon\fR\\|(1),	34	\&\flfiremon\fR\\|(1),
35	\&\flfirejail-profile\fR\\|(5)	35	\&\flfirejail-profile\fR\\|(5)
36		36	\&\flfirejail-config\fR\\|(5)
37		37
38		38


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index c5de79118..82a0d2503 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -352,6 +352,7 @@ Homepage: http://firejail.wordpress.com
352	\&\flfirejail\fR\\|(1),	352	\&\flfirejail\fR\\|(1),
353	\&\flfiremon\fR\\|(1),	353	\&\flfiremon\fR\\|(1),
354	\&\flfirejail-login\fR\\|(5)	354	\&\flfirejail-login\fR\\|(5)
		355	\&\flfirejail-config\fR\\|(5)
355		356
356		357
357		358


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b72296387..f3c023aba 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1787,6 +1787,7 @@ Homepage: http://firejail.wordpress.com
1787	\&\flfiremon\fR\\|(1),	1787	\&\flfiremon\fR\\|(1),
1788	\&\flfirejail-profile\fR\\|(5),	1788	\&\flfirejail-profile\fR\\|(5),
1789	\&\flfirejail-login\fR\\|(5)	1789	\&\flfirejail-login\fR\\|(5)
		1790	\&\flfirejail-config\fR\\|(5)
1790		1791
1791		1792
1792		1793


diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 88b2ce59f..78a6dd5ea 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt
@@ -107,5 +107,6 @@ Homepage: http://firejail.wordpress.com
107	\&\flfirejail\fR\\|(1),	107	\&\flfirejail\fR\\|(1),
108	\&\flfirejail-profile\fR\\|(5),	108	\&\flfirejail-profile\fR\\|(5),
109	\&\flfirejail-login\fR\\|(5)	109	\&\flfirejail-login\fR\\|(5)
		110	\&\flfirejail-config\fR\\|(5)
110		111
111		112