author | netblue30 <netblue30@yahoo.com> | 2017-05-13 09:51:21 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-05-13 09:51:21 -0400 |
commit | 32254c20905a3eb5b279a4d327bc3fb789d77ce7 (patch) | |
tree | b99753c3cb96145b0d7990448866604605bfb310 /README.md | |
parent | 0.9.46 testing (diff) | |
0.9.47 development
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 158 |
1 files changed, 2 insertions, 156 deletions
@@ -62,161 +62,7 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
62 | ````` | 62 | ````` |
63 | 63 | ||
64 | ````` | 64 | ````` |
65 | # Current development version: 0.9.45 | 65 | # Current development version: 0.9.47 |
66 | ````` | ||
67 | |||
68 | ````` | ||
69 | ## Desktop integration | ||
70 | |||
71 | All --fix functionality is done by default in firecfg, --fix option was removed. Clicking on a program | ||
72 | in desktop manager menu should start the program automatically in a sandbox if a profile | ||
73 | is available in /etc/firejail. We cover about 300 different applications in this moment on all major desktop managers. | ||
74 | |||
75 | Symlinks for the common file managers are installed in /usr/local/bin by firecfg. | ||
76 | File managers are usually started by default at login time, and will be sandboxed. | ||
77 | Clicking on a file in the file manager will start the corresponding program in the same sandbox as the file manager. | ||
78 | For example, clicking on a video file will start a sandboxed VLC running the video. | ||
79 | We support in this moment XFCE, LXDE, MATE, Cinnamon and KDE. | ||
80 | |||
81 | ## AppImage | ||
82 | |||
83 | Added AppImage type 2 support, and support for passing command line arguments to appimages. | ||
84 | ````` | ||
85 | |||
86 | ````` | ||
87 | ## X11 sandboxing support | ||
88 | In this release we add support for Xvfb (X virtual framebuffer), an in-memory X display server. | ||
89 | Xvfb allows the user to run graphical applications without a display (e.g., browser tests on a CI server) | ||
90 | while also having the ability to take screenshots. | ||
91 | |||
92 | |||
93 | --x11=xvfb | ||
94 | Start Xvfb X11 server and attach the sandbox to this server. | ||
95 | Xvfb, short for X virtual framebuffer, performs all graphical | ||
96 | operations in memory without showing any screen output. Xvfb is | ||
97 | mainly used for remote access and software testing on headless | ||
98 | servers. | ||
99 | 66 | ||
100 | On Debian platforms Xvfb is installed with the command sudo apt- | 67 | Upcoming release 0.9.46 was moved on 0.9.46-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.46-bugfixes |
101 | get install xvfb. This feature is not available when running as | ||
102 | root. | ||
103 | 68 | ||
104 | Example: remote VNC access | ||
105 | |||
106 | On the server we start a sandbox using Xvfb and openbox window | ||
107 | manager. The default size of Xvfb screen is 800x600 - it can be | ||
108 | changed in /etc/firejail/firejail.config (xvfb-screen). Some | ||
109 | sort of networking (--net) is required in order to isolate the | ||
110 | abstract sockets used by other X servers. | ||
111 | |||
112 | $ firejail --net=none --x11=xvfb openbox | ||
113 | |||
114 | *** Attaching to Xvfb display 792 *** | ||
115 | |||
116 | Reading profile /etc/firejail/openbox.profile | ||
117 | Reading profile /etc/firejail/disable-common.inc | ||
118 | Reading profile /etc/firejail/disable-common.local | ||
119 | Parent pid 5400, child pid 5401 | ||
120 | |||
121 | On the server we also start a VNC server and attach it to the | ||
122 | display handled by our Xvfb server (792). | ||
123 | |||
124 | $ x11vnc -display :792 | ||
125 | |||
126 | On the client machine we start a VNC viewer and use it to con‐ | ||
127 | nect to our server: | ||
128 | |||
129 | $ vncviewer | ||
130 | |||
131 | |||
132 | ## New command line options | ||
133 | ````` | ||
134 | --private-opt=file,directory | ||
135 | Build a new /opt in a temporary filesystem, and copy the files | ||
136 | and directories in the list. If no listed file is found, /opt | ||
137 | directory will be empty. All modifications are discarded when | ||
138 | the sandbox is closed. | ||
139 | |||
140 | Example: | ||
141 | $ firejail --private-opt=firefox /opt/firefox/firefox | ||
142 | |||
143 | --private-srv=file,directory | ||
144 | Build a new /srv in a temporary filesystem, and copy the files | ||
145 | and directories in the list. If no listed file is found, /srv | ||
146 | directory will be empty. All modifications are discarded when | ||
147 | the sandbox is closed. | ||
148 | |||
149 | Example: | ||
150 | # firejail --private-srv=www /etc/init.d/apache2 start | ||
151 | |||
152 | --machine-id | ||
153 | Spoof id number in /etc/machine-id file - a new random id is | ||
154 | generated inside the sandbox. | ||
155 | |||
156 | Example: | ||
157 | $ firejail --machine-id | ||
158 | |||
159 | --allow-private-blacklist | ||
160 | Allow blacklisting files in private home directory. By default | ||
161 | these blacklists are disabled. | ||
162 | |||
163 | Example: | ||
164 | $ firejail --allow-private-blacklist --private=~/priv-dir | ||
165 | --blacklist=~/.mozilla | ||
166 | |||
167 | --hosts-file=file | ||
168 | Use file as /etc/hosts. | ||
169 | |||
170 | Example: | ||
171 | $ firejail --hosts-file=~/myhosts firefox | ||
172 | |||
173 | --writable-var-log | ||
174 | Use the real /var/log directory, not a clone. By default, a | ||
175 | tmpfs is mounted on top of /var/log directory, and a skeleton | ||
176 | filesystem is created based on the original /var/log. | ||
177 | |||
178 | Example: | ||
179 | $ sudo firejail --writable-var-log | ||
180 | |||
181 | --git-install | ||
182 | Download, compile and install mainline git version of Firejail | ||
183 | from the official repository on GitHub. The software is | ||
184 | installed in /usr/local/bin, and takes precedence over the (old) | ||
185 | version installed in /usr/bin. If for any reason the new version | ||
186 | doesn't work, the user can uninstall it using --git-uninstall | ||
187 | command and revert to the old version. | ||
188 | |||
189 | Prerequisites: git and compile support are required for this com‐ | ||
190 | mand to work. On Debian/Ubuntu systems this support is installed | ||
191 | using "sudo apt-get install build-essential git". | ||
192 | |||
193 | Example: | ||
194 | |||
195 | $ firejail --git-install | ||
196 | |||
197 | --git-uninstall | ||
198 | Remove the Firejail version previously installed in | ||
199 | /usr/local/bin using --git-install command. | ||
200 | |||
201 | Example: | ||
202 | |||
203 | $ firejail --git-uninstall | ||
204 | |||
205 | |||
206 | --nowhitelist=dirname_or_filename | ||
207 | Disable whitelist for this directory or file. | ||
208 | |||
209 | ````` | ||
210 | ## New Profiles | ||
211 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, | ||
212 | amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit, | ||
213 | gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, | ||
214 | goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, | ||
215 | simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, | ||
216 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, | ||
217 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, | ||
218 | Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file, | ||
219 | Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, | ||
220 | Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM, Dia, FontForge, Geany, Hugin, | ||
221 | mate-calc, mate-dictionary, mate-color-select, caja, galculator, Nemo, gnome-font-viewer, gucharmap, | ||
222 | knotes, clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr, Blender, 2048-qt | ||
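Review bot: two operational caveats are lost with no forward pointer: the deleted Xvfb text was the only place in this file stating that --x11=xvfb is not available when running as root and that some form of --net is required with it to isolate the abstract sockets used by other X servers, and the deleted --writable-var-log entry was the only warning that the option gives the sandbox the real /var/log instead of a tmpfs clone. The replacement line "Upcoming release 0.9.46 was moved on 0.9.46-bugfixes branch" only links the branch; please confirm those caveats and the removed option descriptions (--private-opt, --private-srv, --machine-id, --allow-private-blacklist, --hosts-file, --git-install/--git-uninstall, --nowhitelist) are already in the man page or RELNOTES before they leave the README, or add a second line pointing at where the 0.9.46 notes now live. Minor: "was moved on 0.9.46-bugfixes branch" reads better as "was moved to the 0.9.46-bugfixes branch".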