author | netblue30 <netblue30@yahoo.com> | 2017-08-17 08:32:28 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-17 08:32:28 -0400 |
commit | 00822ba08cf16616473665dac6d1b9240a185872 (patch) | |
tree | 9640ea1fc44f6b01fb64d4f05b024b27cddfbb9e | |
parent | --net=none documentation (diff) | |
memory-deny-write-execute
-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/transmission-qt.profile | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 5 |
4 files changed, 14 insertions, 0 deletions
@@ -134,6 +134,12 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej | |||
134 | Example: | 134 | Example: |
135 | $ firejail --nodvd | 135 | $ firejail --nodvd |
136 | 136 | ||
137 | --memory-deny-write-execute | ||
138 | Install a seccomp filter to block attempts to create memory | ||
139 | mappings that are both writable and executable, to change map‐ | ||
140 | pings to be executable or to create executable shared memory. | ||
141 | |||
142 | |||
137 | ````` | 143 | ````` |
138 | 144 | ||
139 | ## /etc/firejail/firejail.config | 145 | ## /etc/firejail/firejail.config |
@@ -3,6 +3,7 @@ firejail (0.9.49) baseline; urgency=low | |||
3 | * modif: --output split in two commands, --output and --output-stderr | 3 | * modif: --output split in two commands, --output and --output-stderr |
4 | * feature: per-profile disable-mnt (--disable-mnt) | 4 | * feature: per-profile disable-mnt (--disable-mnt) |
5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) | 5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) |
6 | * feature: --memory-deny-write-execute seccomp feature | ||
6 | * enhancement: /proc/sys mounting | 7 | * enhancement: /proc/sys mounting |
7 | * enhancement: default seccomp list update | 8 | * enhancement: default seccomp list update |
8 | * enhancement: rework IP address assingment for --net options | 9 | * enhancement: rework IP address assingment for --net options |
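--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -35,3 +35,5 @@ tracelog
 private-bin transmission-qt
 private-dev
 private-tmp
+
+memory-deny-write-execute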
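Review bot: The new `memory-deny-write-execute` line (new line 39) is added without a comment explaining that it is a W^X mitigation which will kill, via SIGSYS, any code path that needs a writable-and-executable mapping (JIT engines, libffi-style closure trampolines, some plugin loaders), and nothing in the hunk records that transmission-qt and its Qt dependencies were exercised under it. I would add `# W^X seccomp filter (mmap/mprotect/shmat flags); drop this if transmission-qt or a Qt plugin dies with SIGSYS` above it so the next maintainer knows why it is here and what to suspect when the application breaks. Because the filter, as described in the accompanying man page text, only rejects syscall flag combinations, the same backing file could presumably still be mapped twice, once PROT_WRITE and once PROT_EXEC, so it should be treated as defense in depth rather than a guarantee that no writable memory is ever executed. The earlier part of the profile, including whether a `seccomp` line is already present, is outside the hunk.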
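--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -312,6 +312,11 @@ Enable seccomp filter and blacklist the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBmemory-deny-write-execute
+Install a seccomp filter to block attempts to create memory mappings
+that are both writable and executable, to change mappings to be
+executable or to create executable shared memory.
+.TP
 \fBnonewprivs
 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
 cannot acquire new privileges using execve(2); in particular,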