diff options
author | netblue30 <netblue30@protonmail.com> | 2022-08-30 09:10:55 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-08-30 09:10:55 -0400 |
commit | 796fa09636195d8751a7bbc1e1bc88bf8c3ac95a (patch) | |
tree | b51c788b4cbb2fc8dac60203a034c1c8e556e470 /README.md | |
parent | Merge pull request #5349 from glitsj16/typo-fixes (diff) | |
download | firejail-796fa09636195d8751a7bbc1e1bc88bf8c3ac95a.tar.gz firejail-796fa09636195d8751a7bbc1e1bc88bf8c3ac95a.tar.zst firejail-796fa09636195d8751a7bbc1e1bc88bf8c3ac95a.zip |
README/README.md
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 88 |
1 files changed, 66 insertions, 22 deletions
@@ -214,7 +214,7 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
214 | $ firejail --restrict-namespaces=user,net | 214 | $ firejail --restrict-namespaces=user,net |
215 | ````` | 215 | ````` |
216 | 216 | ||
217 | #### Support for custom AppArmor profiles | 217 | ### Support for custom AppArmor profiles |
218 | 218 | ||
219 | ````` | 219 | ````` |
220 | --apparmor | 220 | --apparmor |
@@ -228,6 +228,50 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
228 | kernel. For more information, please see APPARMOR section be‐ | 228 | kernel. For more information, please see APPARMOR section be‐ |
229 | ````` | 229 | ````` |
230 | 230 | ||
231 | ### Landlock support - EXPERIMENTAL | ||
232 | For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build | ||
233 | or in the executable archives we provide. It will be "officially" released | ||
234 | in 0.9.74, sometime early next year. For now, use --enable-landlock durring software compile: | ||
235 | ````` | ||
236 | $ ./configure --enable-landlock | ||
237 | ````` | ||
238 | The functionality is segragated with ifdefs in the code, at times it might not even compile! | ||
239 | Work in progress, the interface described in the man page below could change. | ||
240 | ````` | ||
241 | --landlock | ||
242 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
243 | basic access rules to it. See LANDLOCK section for more informa‐ | ||
244 | tion. | ||
245 | |||
246 | --landlock.proc=no|ro|rw | ||
247 | Add an access rule for /proc directory (read-only if set to ro | ||
248 | and read-write if set to rw). The access rule for /proc is added | ||
249 | after this directory is set up in the sandbox. Access rules for | ||
250 | /proc set up with other Landlock-related command-line options | ||
251 | have no effect. | ||
252 | |||
253 | --landlock.read=path | ||
254 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
255 | a read access rule for path. | ||
256 | |||
257 | --landlock.write=path | ||
258 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
259 | a write access rule for path. | ||
260 | |||
261 | --landlock.special=path | ||
262 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
263 | a permission rule to create FIFO pipes, Unix domain sockets and | ||
264 | block devices beneath given path. | ||
265 | |||
266 | --landlock.execute=path | ||
267 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
268 | an execution permission rule for path. | ||
269 | |||
270 | Example: | ||
271 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ | ||
272 | lock.execute=/usr | ||
273 | ````` | ||
274 | |||
231 | ### Profile Statistics | 275 | ### Profile Statistics |
232 | 276 | ||
233 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 277 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
@@ -238,30 +282,30 @@ No include .local found in /etc/firejail/noprofile.profile | |||
238 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 282 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
239 | 283 | ||
240 | Stats: | 284 | Stats: |
241 | profiles 1191 | 285 | profiles 1196 |
242 | include local profile 1190 (include profile-name.local) | 286 | include local profile 1195 (include profile-name.local) |
243 | include globals 1164 (include globals.local) | 287 | include globals 1169 (include globals.local) |
244 | blacklist ~/.ssh 1063 (include disable-common.inc) | 288 | blacklist ~/.ssh 1067 (include disable-common.inc) |
245 | seccomp 1082 | 289 | seccomp 1087 |
246 | capabilities 1185 | 290 | capabilities 1190 |
247 | noexec 1070 (include disable-exec.inc) | 291 | noexec 1075 (include disable-exec.inc) |
248 | noroot 991 | 292 | noroot 995 |
249 | memory-deny-write-execute 267 | 293 | memory-deny-write-execute 269 |
250 | apparmor 710 | 294 | apparmor 713 |
251 | private-bin 689 | 295 | private-bin 695 |
252 | private-dev 1041 | 296 | private-dev 1045 |
253 | private-etc 539 | 297 | private-etc 542 |
254 | private-lib 70 | 298 | private-lib 70 |
255 | private-tmp 915 | 299 | private-tmp 918 |
256 | whitelist home directory 573 | 300 | whitelist home directory 575 |
257 | whitelist var 855 (include whitelist-var-common.inc) | 301 | whitelist var 858 (include whitelist-var-common.inc) |
258 | whitelist run/user 1159 (include whitelist-runuser-common.inc | 302 | whitelist run/user 1164 (include whitelist-runuser-common.inc |
259 | or blacklist ${RUNUSER}) | 303 | or blacklist ${RUNUSER}) |
260 | whitelist usr/share 628 (include whitelist-usr-share-common.inc | 304 | whitelist usr/share 630 (include whitelist-usr-share-common.inc |
261 | net none 403 | 305 | net none 404 |
262 | dbus-user none 673 | 306 | dbus-user none 677 |
263 | dbus-user filter 123 | 307 | dbus-user filter 123 |
264 | dbus-system none 833 | 308 | dbus-system none 837 |
265 | dbus-system filter 12 | 309 | dbus-system filter 12 |
266 | ``` | 310 | ``` |
267 | 311 | ||