| field | value |
|---|---|
| author | 2017-09-07 10:22:10 -0400 |
| committer | 2017-09-07 10:22:10 -0400 |
| commit | 957713cc3628a65fc01bbfafe866baf3842810d9 (patch) |
| tree | 5c26f6e07e4a7f391dcb4bbfce580575cacc4589 /README.md |
| parent | small fixes (diff) |
0.9.51 development starting
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 129 |
1 files changed, 3 insertions, 126 deletions
@@ -96,131 +96,8 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
96 | ````` | 96 | ````` |
97 | 97 | ||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.49 | 99 | # 0.9.50 release pending |
100 | 100 | ||
101 | ## Travis-CI integration | 101 | Development moved on 0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes |
102 | 102 | ||
103 | Check the status of the latest build here: https://travis-ci.org/netblue30/firejail | 103 | # Current development version: 0.9.51 |
104 | |||
105 | ## New command options: | ||
106 | ````` | ||
107 | --disable-mnt | ||
108 | Disable /mnt, /media, /run/mount and /run/media access. | ||
109 | |||
110 | Example: | ||
111 | $ firejail --disable-mnt firefox | ||
112 | |||
113 | --xephyr-screen=WIDTHxHEIGHT | ||
114 | Set screen size for --x11=xephyr. The setting will overwrite the | ||
115 | default set in /etc/firejail/firejail.config for the current | ||
116 | sandbox. Run xrandr to get a list of supported resolutions on | ||
117 | your computer. | ||
118 | |||
119 | Example: | ||
120 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐ | ||
121 | fox | ||
122 | |||
123 | --output-stderr=logfile | ||
124 | Similar to --output, but stderr is also stored. | ||
125 | |||
126 | --notv Disable DVB (Digital Video Broadcasting) TV devices. | ||
127 | |||
128 | Example: | ||
129 | $ firejail --notv vlc | ||
130 | |||
131 | --nodvd | ||
132 | Disable DVD and audio CD devices. | ||
133 | |||
134 | Example: | ||
135 | $ firejail --nodvd | ||
136 | |||
137 | --memory-deny-write-execute | ||
138 | Install a seccomp filter to block attempts to create memory | ||
139 | mappings that are both writable and executable, to change map‐ | ||
140 | pings to be executable or to create executable shared memory. | ||
141 | |||
142 | --private-lib=file,directory | ||
143 | This feature is currently under heavy development. Only amd64 | ||
144 | platforms are supported at this moment. The idea is to build a | ||
145 | new /lib in a temporary filesystem, with only the library files | ||
146 | necessary to run the application. It could be as simple as: | ||
147 | |||
148 | $ firejail --private-lib galculator | ||
149 | |||
150 | but it gets complicated really fast: | ||
151 | |||
152 | $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux- | ||
153 | gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed | ||
154 | |||
155 | The feature is integrated with --private-bin: | ||
156 | |||
157 | $ firejail --private-lib --private-bin=bash,ls,ps | ||
158 | $ ls /lib | ||
159 | ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐ | ||
160 | temd.so.0 | ||
161 | libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5 | ||
162 | libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu | ||
163 | libgcrypt.so.20 libpcre.so.3 libselinux.so.1 | ||
164 | $ ps | ||
165 | PID TTY TIME CMD | ||
166 | 1 pts/0 00:00:00 firejail | ||
167 | 45 pts/0 00:00:00 bash | ||
168 | 48 pts/0 00:00:00 ps | ||
169 | $ | ||
170 | |||
171 | --seccomp.block_secondary | ||
172 | Enable seccomp filter and filter system call architectures so | ||
173 | that only the native architecture is allowed. For example, on | ||
174 | amd64, i386 and x32 system calls are blocked as well as chang‐ | ||
175 | ing the execution domain with personality(2) system call. | ||
176 | |||
177 | --profile.print=name|pid | ||
178 | Print the name of the profile file for the sandbox identified | ||
179 | by name or or PID. | ||
180 | |||
181 | Example: | ||
182 | $ firejail --profile.print=browser | ||
183 | /etc/firejail/firefox.profile | ||
184 | |||
185 | |||
186 | ````` | ||
187 | |||
188 | ## /etc/firejail/firejail.config | ||
189 | |||
190 | ````` | ||
191 | # Number of ARP probes sent when assigning an IP address for --net option, | ||
192 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds | ||
193 | # timeout is implemented for each probe. Increase this number to 4 if your | ||
194 | # local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are | ||
195 | # between 1 and 30. | ||
196 | # arp-probes 2 | ||
197 | |||
198 | # Enable this option if you have a version of Xpra that supports --attach switch | ||
199 | # for start command, default disabled. | ||
200 | # xpra-attach no | ||
201 | |||
202 | |||
203 | ````` | ||
204 | |||
205 | |||
206 | ## Default seccomp list update | ||
207 | |||
208 | The following syscalls have been added: | ||
209 | afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read, | ||
210 | pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write, | ||
211 | security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, | ||
212 | ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default. | ||
213 | |||
214 | get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break | ||
215 | playing youtube videos on Firefox Nightly. | ||
216 | |||
217 | |||
218 | |||
219 | ## New profiles: | ||
220 | |||
221 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, | ||
222 | IntelliJ IDEA, Android Studio, electron, riot-web, | ||
223 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux, | ||
224 | telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, | ||
225 | remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar, | ||
226 | musescore, neverball, Yandex Browser, minetest | ||
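Review bot: the hunk drops the entire 0.9.49 development section (lines 101-226 on the left: the new command options, the firejail.config additions, the default seccomp list update and the new profile list) without leaving any pointer to where that documentation now lives; since the right side only says `# 0.9.50 release pending` and `Development moved on 0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes`, a reader of master loses the description of options such as `--memory-deny-write-execute`, `--seccomp.block_secondary` and `--private-lib` unless the release notes for 0.9.50 carry them, so please add a one-line link to the 0.9.50 release notes or changelog next to the branch link. The line `Development moved on 0.9.50-bugfixes branch:` should read "Development moved to the 0.9.50-bugfixes branch:". The removed text also recorded that `get_mempolicy` was temporarily taken out of the default seccomp blacklist because it broke YouTube playback in Firefox Nightly; that is a security-relevant open item, and deleting the only mention of it from the README makes it easy to forget, so it should be tracked in an issue or in the release notes before this section is removed.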