0.9.51 development starting

author: netblue30 <netblue30@yahoo.com> 2017-09-07 10:22:10 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-09-07 10:22:10 -0400
commit: 957713cc3628a65fc01bbfafe866baf3842810d9 (patch)
tree: 5c26f6e07e4a7f391dcb4bbfce580575cacc4589 /README.md
parent: small fixes (diff)
download: firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.gz
firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.zst
firejail-957713cc3628a65fc01bbfafe866baf3842810d9.zip
1 files changed, 3 insertions, 126 deletions
diff --git a/README.md b/README.md
index 26b76361e..26055300b 100644
--- a/README.md
+++ b/README.md
@@ -96,131 +96,8 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 `````
-# Current development version: 0.9.49
+# 0.9.50 release pending
-## Travis-CI integration
+Development moved on  0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes
-Check the status of the latest build here: https://travis-ci.org/netblue30/firejail
+# Current development version: 0.9.51
-## New command options:
-`````
-      --disable-mnt
-              Disable /mnt, /media, /run/mount and /run/media access.
-              Example:
-              $ firejail --disable-mnt firefox
-       --xephyr-screen=WIDTHxHEIGHT
-              Set screen size for --x11=xephyr. The setting will overwrite the
-              default set in  /etc/firejail/firejail.config  for  the  current
-              sandbox.  Run  xrandr  to get a list of supported resolutions on
-              your computer.
-              Example:
-              $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
-              fox
-       --output-stderr=logfile
-              Similar to --output, but stderr is also stored.
-      --notv Disable DVB (Digital Video Broadcasting) TV devices.
-              Example:
-              $ firejail --notv vlc
-       --nodvd
-              Disable DVD and audio CD devices.
-              Example:
-              $ firejail --nodvd
-      --memory-deny-write-execute
-              Install a seccomp filter to block  attempts  to  create  memory
-              mappings  that are both writable and executable, to change map‐
-              pings to be executable or to create executable shared memory.
-       --private-lib=file,directory
-              This  feature  is currently under heavy development. Only amd64
-              platforms are supported at this moment.  The idea is to build a
-              new /lib in a temporary filesystem, with only the library files
-              necessary to run the application.  It could be as simple as:
-              $ firejail --private-lib galculator
-              but it gets complicated really fast:
-              $   firejail   --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
-              gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
-              The feature is integrated with --private-bin:
-              $ firejail --private-lib --private-bin=bash,ls,ps
-              $ ls /lib
-              ld-linux-x86-64.so.2  libgpg-error.so.0  libprocps.so.6 libsys‐
-              temd.so.0
-              libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
-              libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
-              libgcrypt.so.20 libpcre.so.3 libselinux.so.1
-              $ ps
-               PID TTY          TIME CMD
-                  1 pts/0    00:00:00 firejail
-                 45 pts/0    00:00:00 bash
-                 48 pts/0    00:00:00 ps
-              $
-       --seccomp.block_secondary
-              Enable seccomp filter and filter system call  architectures  so
-              that  only  the native architecture is allowed. For example, on
-              amd64, i386 and x32 system calls are blocked as well as  chang‐
-              ing the execution domain with personality(2) system call.
-       --profile.print=name|pid
-              Print  the  name of the profile file for the sandbox identified
-              by name or or PID.
-              Example:
-              $ firejail --profile.print=browser
-              /etc/firejail/firefox.profile
-`````
-## /etc/firejail/firejail.config
-`````
-# Number of ARP probes sent when assigning an IP address for --net option,
-# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
-# timeout is implemented for each probe. Increase this number to 4 if your
-# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
-# between 1 and 30.
-# arp-probes 2
-# Enable this option if you have a version of Xpra that supports --attach switch
-# for start command, default disabled.
-# xpra-attach no
-`````
-## Default seccomp list update
-The following syscalls have been added:
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname,  sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default.
-get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break
-playing youtube videos on Firefox Nightly.
-## New profiles:
-curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy,
-IntelliJ IDEA, Android Studio, electron, riot-web,
-Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux,
-telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard,
-remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar,
-musescore, neverball, Yandex Browser, minetest
author	netblue30 <netblue30@yahoo.com>	2017-09-07 10:22:10 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-09-07 10:22:10 -0400
commit	957713cc3628a65fc01bbfafe866baf3842810d9 (patch)
tree	5c26f6e07e4a7f391dcb4bbfce580575cacc4589 /README.md
parent	small fixes (diff)
download	firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.gz firejail-957713cc3628a65fc01bbfafe866baf3842810d9.tar.zst firejail-957713cc3628a65fc01bbfafe866baf3842810d9.zip

diff --git a/README.md b/README.md index 26b76361e..26055300b 100644 --- a/README.md +++ b/README.md
@@ -96,131 +96,8 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
96	`````	96	`````
97		97
98	`````	98	`````
99	# Current development version: 0.9.49	99	# 0.9.50 release pending
100		100
101	## Travis-CI integration	101	Development moved on 0.9.50-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.50-bugfixes
102		102
103	Check the status of the latest build here: https://travis-ci.org/netblue30/firejail	103	# Current development version: 0.9.51
104
105	## New command options:
106	`````
107	--disable-mnt
108	Disable /mnt, /media, /run/mount and /run/media access.
109
110	Example:
111	$ firejail --disable-mnt firefox
112
113	--xephyr-screen=WIDTHxHEIGHT
114	Set screen size for --x11=xephyr. The setting will overwrite the
115	default set in /etc/firejail/firejail.config for the current
116	sandbox. Run xrandr to get a list of supported resolutions on
117	your computer.
118
119	Example:
120	$ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
121	fox
122
123	--output-stderr=logfile
124	Similar to --output, but stderr is also stored.
125
126	--notv Disable DVB (Digital Video Broadcasting) TV devices.
127
128	Example:
129	$ firejail --notv vlc
130
131	--nodvd
132	Disable DVD and audio CD devices.
133
134	Example:
135	$ firejail --nodvd
136
137	--memory-deny-write-execute
138	Install a seccomp filter to block attempts to create memory
139	mappings that are both writable and executable, to change map‐
140	pings to be executable or to create executable shared memory.
141
142	--private-lib=file,directory
143	This feature is currently under heavy development. Only amd64
144	platforms are supported at this moment. The idea is to build a
145	new /lib in a temporary filesystem, with only the library files
146	necessary to run the application. It could be as simple as:
147
148	$ firejail --private-lib galculator
149
150	but it gets complicated really fast:
151
152	$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
153	gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
154
155	The feature is integrated with --private-bin:
156
157	$ firejail --private-lib --private-bin=bash,ls,ps
158	$ ls /lib
159	ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
160	temd.so.0
161	libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
162	libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
163	libgcrypt.so.20 libpcre.so.3 libselinux.so.1
164	$ ps
165	PID TTY TIME CMD
166	1 pts/0 00:00:00 firejail
167	45 pts/0 00:00:00 bash
168	48 pts/0 00:00:00 ps
169	$
170
171	--seccomp.block_secondary
172	Enable seccomp filter and filter system call architectures so
173	that only the native architecture is allowed. For example, on
174	amd64, i386 and x32 system calls are blocked as well as chang‐
175	ing the execution domain with personality(2) system call.
176
177	--profile.print=name\|pid
178	Print the name of the profile file for the sandbox identified
179	by name or or PID.
180
181	Example:
182	$ firejail --profile.print=browser
183	/etc/firejail/firefox.profile
184
185
186	`````
187
188	## /etc/firejail/firejail.config
189
190	`````
191	# Number of ARP probes sent when assigning an IP address for --net option,
192	# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
193	# timeout is implemented for each probe. Increase this number to 4 if your
194	# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
195	# between 1 and 30.
196	# arp-probes 2
197
198	# Enable this option if you have a version of Xpra that supports --attach switch
199	# for start command, default disabled.
200	# xpra-attach no
201
202
203	`````
204
205
206	## Default seccomp list update
207
208	The following syscalls have been added:
209	afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
210	pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
211	security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
212	ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default.
213
214	get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break
215	playing youtube videos on Firefox Nightly.
216
217
218
219	## New profiles:
220
221	curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy,
222	IntelliJ IDEA, Android Studio, electron, riot-web,
223	Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux,
224	telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard,
225	remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar,
226	musescore, neverball, Yandex Browser, minetest