man page, README.md, RELNOTES

author: netblue30 <netblue30@yahoo.com> 2018-02-21 09:28:42 -0500
committer: netblue30 <netblue30@yahoo.com> 2018-02-21 09:28:42 -0500
commit: 31550dd0b3be41e77aab8f16d65eda42aa500d1c (patch)
tree: 4b1885c802fdd6503747426f47d3b18ca318b598
parent: Minor bitcoin-qt nitpicks and update README (diff)
download: firejail-31550dd0b3be41e77aab8f16d65eda42aa500d1c.tar.gz
firejail-31550dd0b3be41e77aab8f16d65eda42aa500d1c.tar.zst
firejail-31550dd0b3be41e77aab8f16d65eda42aa500d1c.zip
5 files changed, 264 insertions, 29 deletions
diff --git a/README.md b/README.md
index f54cd6c22..240455ee5 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,125 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
+## Seccomp development
+Replaced the our seccomp disassembler with a real disassembler lifted from
+libseccomp (GPLv2, Paul Moore, Red Hat). The code is in src/fsec-print directory.
+`````
+$ firejail --seccomp.print=browser
+ line  OP JT JF    K
+=================================
+ 0000: 20 00 00 00000004   ld  data.architecture
+ 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
+ 0002: 06 00 00 7fff0000   ret ALLOW
+ 0003: 20 00 00 00000000   ld  data.syscall-number
+ 0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
+ 0005: 35 01 00 00000000   jge read 0007 (false 0006)
+ 0006: 06 00 00 00050001   ret ERRNO(1)
+ 0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
+ 0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
+ 0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
+ 000a: 15 3e 00 00000137   jeq process_vm_writev 0049 (false 000b)
+ 000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
+ 000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
+ 000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
+ 000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
+ 000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
+ 0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
+ 0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
+ 0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
+ 0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
+ 0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
+ 0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
+ 0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
+ 0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
+ 0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
+ 0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
+ 001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
+ 001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
+ 001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
+ 001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
+ 001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
+ 001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
+ 0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
+ 0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
+ 0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
+ 0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
+ 0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
+ 0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
+ 0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
+ 0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
+ 0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
+ 0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
+ 002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
+ 002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
+ 002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
+ 002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
+ 002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
+ 002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
+ 0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
+ 0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
+ 0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
+ 0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
+ 0034: 15 14 00 00000130   jeq open_by_handle_at 0049 (false 0035)
+ 0035: 15 13 00 0000012f   jeq name_to_handle_at 0049 (false 0036)
+ 0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
+ 0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
+ 0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
+ 0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
+ 003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
+ 003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
+ 003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
+ 003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
+ 003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
+ 003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
+ 0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
+ 0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
+ 0042: 15 06 00 000000d8   jeq remap_file_pages 0049 (false 0043)
+ 0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
+ 0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
+ 0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
+ 0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
+ 0047: 15 01 00 00000136   jeq process_vm_readv 0049 (false 0048)
+ 0048: 06 00 00 7fff0000   ret ALLOW
+ 0049: 06 00 01 00000000   ret KILL
+`````
+We are also introducing a seccomp optimizer, to be run directly on seccomp machine code
+filters produced by Firejail. The code is in src/fsec-optimize. Currently only the default seccomp
+filters built at compile time are run trough the optimizer. It will be extended and applied at run
+time on all filters.
+## AppArmor development
+AppArmor features are supported on overlayfs and chroot sandboxes.
+We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys
+and /run/user directories were moved out of the profile into firejail executable.
+We intend to start apparmor by default for browsers, torrent clients and media players.
+So far we cover Firefox (firefox-common.profile), Chromium (chromium-common.profile),
+transmission-qt, transmission-gtk, vlc and mpv.
+"apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to enable/disable apparmor functionality globally
+By default the flag is enabled.
+Checking apparmor status:
+`````
+$ firejail --apparmor.print=browser
+2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
+  AppArmor: firejail-default enforce
+$ firemon --apparmor
+2072:netblue:firejail --chroot=/chroot/sid --net=eth0
+  AppArmor: unconfined
+2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
+  AppArmor: firejail-default enforce
+4835:netblue:/usr/bin/firejail /usr/bin/vlc
+  AppArmor: firejail-default enforce
+`````
 ## Browser profile unification
 All Chromium and Firefox browsers have been unified to instead extend
diff --git a/RELNOTES b/RELNOTES
index 21ad8de25..3a7819514 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,13 +1,27 @@
 firejail (0.9.53) baseline; urgency=low
  * work in progress
+  * modif: restrictions for /proc, /sys and /run/user directories
+     are moved from AppArmor profile into firejail executable
+  * modif: unifying Chromium and Firefox browsers profiles.
+     All users of Firefox-based browsers who use addons and plugins
+     that read/write from ${HOME} will need to uncomment the includes for
+     firefox-common-addons.inc in firefox-common.profile.
+  * AppArmor support for overlayfs and chroot sandboxes
+  * Enable AppArmor by default for Firefox, Chromium, Transmission
+     VLC and mpv
+  * firejail --apparmor.print option
+  * firemon --apparmor option
+  * apparmor yes/no flag in /etc/firejail/firejail.config
  * seccomp syscall list update for glibc 2.26-10
+  * seccomp disassembler for --seccomp.print option
+  * seccomp machine code optimizer for default seccomp filters
  * IPv6 DNS support
  * whitelist support for overlay and chroot sandboxes
  * private-dev support for overlay and chroot sandboxes
  * private-tmp support for overlay and chroot sandboxes
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
-  * new profiles: discord-canary, pycharm-community, pycharm-professional, kaffeine,
+  * new profiles: discord-canary, pycharm-community, pycharm-professional,
-  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt
+  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
 -- netblue30 <netblue30@yahoo.com>  Tue, 12 Dec 2017 08:00:00 -0500
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 2e632eef2..e864d5d45 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -24,6 +24,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
+apparmor
 private-bin mpv,youtube-dl,python*,env
 private-dev
diff --git a/etc/vlc.profile b/etc/vlc.profile
index e906d738c..c244be08b 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -23,6 +23,7 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+apparmor
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8704e53b3..b05a5a722 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1799,59 +1799,159 @@ Example:
 .br
 $ firejail \-\-name=browser firefox &
 .br
-$ firejail \-\-seccomp.print=browser
+$ firejail --seccomp.print=browser
 .br
-SECCOMP Filter:
+ line  OP JT JF    K
 .br
-  VALIDATE_ARCHITECTURE
+=================================
 .br
-  EXAMINE_SYSCALL
+ 0000: 20 00 00 00000004   ld  data.architecture
 .br
-  BLACKLIST 165 mount
+ 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 .br
-  BLACKLIST 166 umount2
+ 0002: 06 00 00 7fff0000   ret ALLOW
 .br
-  BLACKLIST 101 ptrace
+ 0003: 20 00 00 00000000   ld  data.syscall-number
 .br
-  BLACKLIST 246 kexec_load
+ 0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
 .br
-  BLACKLIST 304 open_by_handle_at
+ 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 .br
-  BLACKLIST 175 init_module
+ 0006: 06 00 00 00050001   ret ERRNO(1)
 .br
-  BLACKLIST 176 delete_module
+ 0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
 .br
-  BLACKLIST 172 iopl
+ 0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
 .br
-  BLACKLIST 173 ioperm
+ 0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
 .br
-  BLACKLIST 167 swapon
+ 000a: 15 3e 00 00000137   jeq process_vm_writev 0049 (false 000b)
 .br
-  BLACKLIST 168 swapoff
+ 000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
 .br
-  BLACKLIST 103 syslog
+ 000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
 .br
-  BLACKLIST 310 process_vm_readv
+ 000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
 .br
-  BLACKLIST 311 process_vm_writev
+ 000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
 .br
-  BLACKLIST 133 mknod
+ 000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
 .br
-  BLACKLIST 139 sysfs
+ 0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
 .br
-  BLACKLIST 156 _sysctl
+ 0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
 .br
-  BLACKLIST 159 adjtimex
+ 0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
 .br
-  BLACKLIST 305 clock_adjtime
+ 0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
 .br
-  BLACKLIST 212 lookup_dcookie
+ 0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
 .br
-  BLACKLIST 298 perf_event_open
+ 0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
 .br
-  BLACKLIST 300 fanotify_init
+ 0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
 .br
-  RETURN_ALLOW
+ 0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
+.br
+ 0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
+.br
+ 0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
+.br
+ 001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
+.br
+ 001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
+.br
+ 001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
+.br
+ 001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
+.br
+ 001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
+.br
+ 001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
+.br
+ 0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
+.br
+ 0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
+.br
+ 0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
+.br
+ 0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
+.br
+ 0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
+.br
+ 0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
+.br
+ 0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
+.br
+ 0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
+.br
+ 0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
+.br
+ 0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
+.br
+ 002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
+.br
+ 002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
+.br
+ 002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
+.br
+ 002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
+.br
+ 002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
+.br
+ 002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
+.br
+ 0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
+.br
+ 0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
+.br
+ 0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
+.br
+ 0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
+.br
+ 0034: 15 14 00 00000130   jeq open_by_handle_at 0049 (false 0035)
+.br
+ 0035: 15 13 00 0000012f   jeq name_to_handle_at 0049 (false 0036)
+.br
+ 0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
+.br
+ 0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
+.br
+ 0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
+.br
+ 0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
+.br
+ 003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
+.br
+ 003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
+.br
+ 003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
+.br
+ 003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
+.br
+ 003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
+.br
+ 003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
+.br
+ 0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
+.br
+ 0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
+.br
+ 0042: 15 06 00 000000d8   jeq remap_file_pages 0049 (false 0043)
+.br
+ 0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
+.br
+ 0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
+.br
+ 0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
+.br
+ 0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
+.br
+ 0047: 15 01 00 00000136   jeq process_vm_readv 0049 (false 0048)
+.br
+ 0048: 06 00 00 7fff0000   ret ALLOW
+.br
+ 0049: 06 00 01 00000000   ret KILL
 .br
 $
 .TP
author	netblue30 <netblue30@yahoo.com>	2018-02-21 09:28:42 -0500
committer	netblue30 <netblue30@yahoo.com>	2018-02-21 09:28:42 -0500
commit	31550dd0b3be41e77aab8f16d65eda42aa500d1c (patch)
tree	4b1885c802fdd6503747426f47d3b18ca318b598
parent	Minor bitcoin-qt nitpicks and update README (diff)
download	firejail-31550dd0b3be41e77aab8f16d65eda42aa500d1c.tar.gz firejail-31550dd0b3be41e77aab8f16d65eda42aa500d1c.tar.zst firejail-31550dd0b3be41e77aab8f16d65eda42aa500d1c.zip

diff --git a/README.md b/README.md index f54cd6c22..240455ee5 100644 --- a/README.md +++ b/README.md
@@ -98,6 +98,125 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
98	`````	98	`````
99	# Current development version: 0.9.53	99	# Current development version: 0.9.53
100		100
		101	## Seccomp development
		102
		103	Replaced the our seccomp disassembler with a real disassembler lifted from
		104	libseccomp (GPLv2, Paul Moore, Red Hat). The code is in src/fsec-print directory.
		105	`````
		106	$ firejail --seccomp.print=browser
		107	line OP JT JF K
		108	=================================
		109	0000: 20 00 00 00000004 ld data.architecture
		110	0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
		111	0002: 06 00 00 7fff0000 ret ALLOW
		112	0003: 20 00 00 00000000 ld data.syscall-number
		113	0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
		114	0005: 35 01 00 00000000 jge read 0007 (false 0006)
		115	0006: 06 00 00 00050001 ret ERRNO(1)
		116	0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
		117	0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
		118	0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
		119	000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false 000b)
		120	000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
		121	000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
		122	000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
		123	000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
		124	000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
		125	0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
		126	0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
		127	0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
		128	0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
		129	0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
		130	0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
		131	0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
		132	0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
		133	0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
		134	0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
		135	001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
		136	001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
		137	001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
		138	001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
		139	001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
		140	001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
		141	0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
		142	0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
		143	0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
		144	0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
		145	0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
		146	0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
		147	0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
		148	0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
		149	0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
		150	0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
		151	002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
		152	002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
		153	002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
		154	002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
		155	002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
		156	002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
		157	0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
		158	0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
		159	0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
		160	0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
		161	0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false 0035)
		162	0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false 0036)
		163	0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
		164	0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
		165	0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
		166	0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
		167	003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
		168	003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
		169	003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
		170	003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
		171	003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
		172	003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
		173	0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
		174	0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
		175	0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false 0043)
		176	0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
		177	0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
		178	0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
		179	0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
		180	0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false 0048)
		181	0048: 06 00 00 7fff0000 ret ALLOW
		182	0049: 06 00 01 00000000 ret KILL
		183	`````
		184	We are also introducing a seccomp optimizer, to be run directly on seccomp machine code
		185	filters produced by Firejail. The code is in src/fsec-optimize. Currently only the default seccomp
		186	filters built at compile time are run trough the optimizer. It will be extended and applied at run
		187	time on all filters.
		188
		189
		190	## AppArmor development
		191
		192	AppArmor features are supported on overlayfs and chroot sandboxes.
		193
		194	We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys
		195	and /run/user directories were moved out of the profile into firejail executable.
		196
		197	We intend to start apparmor by default for browsers, torrent clients and media players.
		198	So far we cover Firefox (firefox-common.profile), Chromium (chromium-common.profile),
		199	transmission-qt, transmission-gtk, vlc and mpv.
		200
		201	"apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to enable/disable apparmor functionality globally
		202	By default the flag is enabled.
		203
		204	Checking apparmor status:
		205	`````
		206	$ firejail --apparmor.print=browser
		207	2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
		208	AppArmor: firejail-default enforce
		209
		210	$ firemon --apparmor
		211	2072:netblue:firejail --chroot=/chroot/sid --net=eth0
		212	AppArmor: unconfined
		213	2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
		214	AppArmor: firejail-default enforce
		215	4835:netblue:/usr/bin/firejail /usr/bin/vlc
		216	AppArmor: firejail-default enforce
		217	`````
		218
		219
101	## Browser profile unification	220	## Browser profile unification
102		221
103	All Chromium and Firefox browsers have been unified to instead extend	222	All Chromium and Firefox browsers have been unified to instead extend


diff --git a/RELNOTES b/RELNOTES index 21ad8de25..3a7819514 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,13 +1,27 @@
1	firejail (0.9.53) baseline; urgency=low	1	firejail (0.9.53) baseline; urgency=low
2	* work in progress	2	* work in progress
		3	* modif: restrictions for /proc, /sys and /run/user directories
		4	are moved from AppArmor profile into firejail executable
		5	* modif: unifying Chromium and Firefox browsers profiles.
		6	All users of Firefox-based browsers who use addons and plugins
		7	that read/write from ${HOME} will need to uncomment the includes for
		8	firefox-common-addons.inc in firefox-common.profile.
		9	* AppArmor support for overlayfs and chroot sandboxes
		10	* Enable AppArmor by default for Firefox, Chromium, Transmission
		11	VLC and mpv
		12	* firejail --apparmor.print option
		13	* firemon --apparmor option
		14	* apparmor yes/no flag in /etc/firejail/firejail.config
3	* seccomp syscall list update for glibc 2.26-10	15	* seccomp syscall list update for glibc 2.26-10
		16	* seccomp disassembler for --seccomp.print option
		17	* seccomp machine code optimizer for default seccomp filters
4	* IPv6 DNS support	18	* IPv6 DNS support
5	* whitelist support for overlay and chroot sandboxes	19	* whitelist support for overlay and chroot sandboxes
6	* private-dev support for overlay and chroot sandboxes	20	* private-dev support for overlay and chroot sandboxes
7	* private-tmp support for overlay and chroot sandboxes	21	* private-tmp support for overlay and chroot sandboxes
8	* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,	22	* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
9	* new profiles: discord-canary, pycharm-community, pycharm-professional, kaffeine,	23	* new profiles: discord-canary, pycharm-community, pycharm-professional,
10	* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt	24	* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
11	-- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500	25	-- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500
12		26
13	firejail (0.9.52) baseline; urgency=low	27	firejail (0.9.52) baseline; urgency=low


diff --git a/etc/mpv.profile b/etc/mpv.profile index 2e632eef2..e864d5d45 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile
@@ -24,6 +24,7 @@ protocol unix,inet,inet6
24	seccomp	24	seccomp
25	shell none	25	shell none
26	tracelog	26	tracelog
		27	apparmor
27		28
28	private-bin mpv,youtube-dl,python*,env	29	private-bin mpv,youtube-dl,python*,env
29	private-dev	30	private-dev


diff --git a/etc/vlc.profile b/etc/vlc.profile index e906d738c..c244be08b 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -23,6 +23,7 @@ noroot
23	protocol unix,inet,inet6,netlink	23	protocol unix,inet,inet6,netlink
24	seccomp	24	seccomp
25	shell none	25	shell none
		26	apparmor
26		27
27	private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc	28	private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
28	private-dev	29	private-dev


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 8704e53b3..b05a5a722 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1799,59 +1799,159 @@ Example:
1799	.br	1799	.br
1800	$ firejail \-\-name=browser firefox &	1800	$ firejail \-\-name=browser firefox &
1801	.br	1801	.br
1802	$ firejail \-\-seccomp.print=browser	1802	$ firejail --seccomp.print=browser
1803	.br	1803	.br
1804	SECCOMP Filter:	1804	line OP JT JF K
1805	.br	1805	.br
1806	VALIDATE_ARCHITECTURE	1806	=================================
1807	.br	1807	.br
1808	EXAMINE_SYSCALL	1808	0000: 20 00 00 00000004 ld data.architecture
1809	.br	1809	.br
1810	BLACKLIST 165 mount	1810	0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
1811	.br	1811	.br
1812	BLACKLIST 166 umount2	1812	0002: 06 00 00 7fff0000 ret ALLOW
1813	.br	1813	.br
1814	BLACKLIST 101 ptrace	1814	0003: 20 00 00 00000000 ld data.syscall-number
1815	.br	1815	.br
1816	BLACKLIST 246 kexec_load	1816	0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
1817	.br	1817	.br
1818	BLACKLIST 304 open_by_handle_at	1818	0005: 35 01 00 00000000 jge read 0007 (false 0006)
1819	.br	1819	.br
1820	BLACKLIST 175 init_module	1820	0006: 06 00 00 00050001 ret ERRNO(1)
1821	.br	1821	.br
1822	BLACKLIST 176 delete_module	1822	0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
1823	.br	1823	.br
1824	BLACKLIST 172 iopl	1824	0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
1825	.br	1825	.br
1826	BLACKLIST 173 ioperm	1826	0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
1827	.br	1827	.br
1828	BLACKLIST 167 swapon	1828	000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false 000b)
1829	.br	1829	.br
1830	BLACKLIST 168 swapoff	1830	000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
1831	.br	1831	.br
1832	BLACKLIST 103 syslog	1832	000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
1833	.br	1833	.br
1834	BLACKLIST 310 process_vm_readv	1834	000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
1835	.br	1835	.br
1836	BLACKLIST 311 process_vm_writev	1836	000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
1837	.br	1837	.br
1838	BLACKLIST 133 mknod	1838	000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
1839	.br	1839	.br
1840	BLACKLIST 139 sysfs	1840	0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
1841	.br	1841	.br
1842	BLACKLIST 156 _sysctl	1842	0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
1843	.br	1843	.br
1844	BLACKLIST 159 adjtimex	1844	0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
1845	.br	1845	.br
1846	BLACKLIST 305 clock_adjtime	1846	0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
1847	.br	1847	.br
1848	BLACKLIST 212 lookup_dcookie	1848	0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
1849	.br	1849	.br
1850	BLACKLIST 298 perf_event_open	1850	0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
1851	.br	1851	.br
1852	BLACKLIST 300 fanotify_init	1852	0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
1853	.br	1853	.br
1854	RETURN_ALLOW	1854	0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
		1855	.br
		1856	0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
		1857	.br
		1858	0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
		1859	.br
		1860	001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
		1861	.br
		1862	001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
		1863	.br
		1864	001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
		1865	.br
		1866	001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
		1867	.br
		1868	001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
		1869	.br
		1870	001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
		1871	.br
		1872	0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
		1873	.br
		1874	0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
		1875	.br
		1876	0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
		1877	.br
		1878	0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
		1879	.br
		1880	0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
		1881	.br
		1882	0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
		1883	.br
		1884	0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
		1885	.br
		1886	0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
		1887	.br
		1888	0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
		1889	.br
		1890	0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
		1891	.br
		1892	002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
		1893	.br
		1894	002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
		1895	.br
		1896	002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
		1897	.br
		1898	002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
		1899	.br
		1900	002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
		1901	.br
		1902	002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
		1903	.br
		1904	0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
		1905	.br
		1906	0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
		1907	.br
		1908	0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
		1909	.br
		1910	0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
		1911	.br
		1912	0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false 0035)
		1913	.br
		1914	0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false 0036)
		1915	.br
		1916	0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
		1917	.br
		1918	0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
		1919	.br
		1920	0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
		1921	.br
		1922	0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
		1923	.br
		1924	003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
		1925	.br
		1926	003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
		1927	.br
		1928	003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
		1929	.br
		1930	003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
		1931	.br
		1932	003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
		1933	.br
		1934	003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
		1935	.br
		1936	0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
		1937	.br
		1938	0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
		1939	.br
		1940	0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false 0043)
		1941	.br
		1942	0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
		1943	.br
		1944	0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
		1945	.br
		1946	0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
		1947	.br
		1948	0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
		1949	.br
		1950	0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false 0048)
		1951	.br
		1952	0048: 06 00 00 7fff0000 ret ALLOW
		1953	.br
		1954	0049: 06 00 01 00000000 ret KILL
1855	.br	1955	.br
1856	$	1956	$
1857	.TP	1957	.TP