diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-08-17 08:32:28 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-08-17 08:32:28 -0400 |
| commit | 00822ba08cf16616473665dac6d1b9240a185872 (patch) | |
| tree | 9640ea1fc44f6b01fb64d4f05b024b27cddfbb9e | |
| parent | --net=none documentation (diff) | |
| download | firejail-00822ba08cf16616473665dac6d1b9240a185872.tar.gz firejail-00822ba08cf16616473665dac6d1b9240a185872.tar.zst firejail-00822ba08cf16616473665dac6d1b9240a185872.zip | |
memory-deny-write-execute
| -rw-r--r-- | README.md | 6 | ||||
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | etc/transmission-qt.profile | 2 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 5 |
4 files changed, 14 insertions, 0 deletions
| @@ -134,6 +134,12 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej | |||
| 134 | Example: | 134 | Example: |
| 135 | $ firejail --nodvd | 135 | $ firejail --nodvd |
| 136 | 136 | ||
| 137 | --memory-deny-write-execute | ||
| 138 | Install a seccomp filter to block attempts to create memory | ||
| 139 | mappings that are both writable and executable, to change map‐ | ||
| 140 | pings to be executable or to create executable shared memory. | ||
| 141 | |||
| 142 | |||
| 137 | ````` | 143 | ````` |
| 138 | 144 | ||
| 139 | ## /etc/firejail/firejail.config | 145 | ## /etc/firejail/firejail.config |
| @@ -3,6 +3,7 @@ firejail (0.9.49) baseline; urgency=low | |||
| 3 | * modif: --output split in two commands, --output and --output-stderr | 3 | * modif: --output split in two commands, --output and --output-stderr |
| 4 | * feature: per-profile disable-mnt (--disable-mnt) | 4 | * feature: per-profile disable-mnt (--disable-mnt) |
| 5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) | 5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) |
| 6 | * feature: --memory-deny-write-execute seccomp feature | ||
| 6 | * enhancement: /proc/sys mounting | 7 | * enhancement: /proc/sys mounting |
| 7 | * enhancement: default seccomp list update | 8 | * enhancement: default seccomp list update |
| 8 | * enhancement: rework IP address assingment for --net options | 9 | * enhancement: rework IP address assingment for --net options |
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 02e9a5052..5351a1efa 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
| @@ -35,3 +35,5 @@ tracelog | |||
| 35 | private-bin transmission-qt | 35 | private-bin transmission-qt |
| 36 | private-dev | 36 | private-dev |
| 37 | private-tmp | 37 | private-tmp |
| 38 | |||
| 39 | memory-deny-write-execute | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5bd4f6ef8..9dafb3c65 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -312,6 +312,11 @@ Enable seccomp filter and blacklist the system calls in the list. | |||
| 312 | \fBseccomp.keep syscall,syscall,syscall | 312 | \fBseccomp.keep syscall,syscall,syscall |
| 313 | Enable seccomp filter and whitelist the system calls in the list. | 313 | Enable seccomp filter and whitelist the system calls in the list. |
| 314 | .TP | 314 | .TP |
| 315 | \fBmemory-deny-write-execute | ||
| 316 | Install a seccomp filter to block attempts to create memory mappings | ||
| 317 | that are both writable and executable, to change mappings to be | ||
| 318 | executable or to create executable shared memory. | ||
| 319 | .TP | ||
| 315 | \fBnonewprivs | 320 | \fBnonewprivs |
| 316 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | 321 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes |
| 317 | cannot acquire new privileges using execve(2); in particular, | 322 | cannot acquire new privileges using execve(2); in particular, |