cleanup for the next development cycle

author: netblue30 <netblue30@protonmail.com> 2021-07-01 08:59:59 -0400
committer: netblue30 <netblue30@protonmail.com> 2021-07-01 08:59:59 -0400
commit: 0562ceb658efff25583ff619846ef2c0ab697e37 (patch)
tree: 98aef0cb248780c30bec7ee97cd569c4a823e265 /README.md
parent: Merge pull request #4365 from lxeiqr/sndio-fix (diff)
download: firejail-0562ceb658efff25583ff619846ef2c0ab697e37.tar.gz
firejail-0562ceb658efff25583ff619846ef2c0ab697e37.tar.zst
firejail-0562ceb658efff25583ff619846ef2c0ab697e37.zip
1 files changed, 27 insertions, 126 deletions
diff --git a/README.md b/README.md
index c235759e9..c635bf811 100644
--- a/README.md
+++ b/README.md
@@ -189,107 +189,18 @@ You can also use this tool to get a list of syscalls needed by a program: [contr
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
-## Latest released version: 0.9.64
+## Latest released version: 0.9.66
-## Current development version: 0.9.65
+## Current development version: 0.9.67
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 Release discussion: https://github.com/netblue30/firejail/issues/3696
-### jailcheck
+Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change!
-`````
-JAILCHECK(1)                  JAILCHECK man page                  JAILCHECK(1)
-NAME
-       jailcheck - Simple utility program to test running sandboxes
-SYNOPSIS
-       sudo jailcheck [OPTIONS] [directory]
-DESCRIPTION
-       jailcheck attaches itself to all sandboxes started by the user and per‐
-       forms some basic tests on the sandbox filesystem:
-       1. Virtual directories
-              jailcheck extracts a list with the main virtual directories  in‐
-              stalled by the sandbox.  These directories are build by firejail
-              at startup using --private* and --whitelist commands.
-       2. Noexec test
-              jailcheck inserts executable programs in  /home/username,  /tmp,
-              and  /var/tmp  directories and tries to run them from inside the
-              sandbox, thus testing if the directory is executable or not.
-       3. Read access test
-              jailcheck creates test files in the directories specified by the
-              user and tries to read them from inside the sandbox.
-       4. AppArmor test
-       5. Seccomp test
-       The program is started as root using sudo.
-OPTIONS
-       --debug
-              Print debug messages.
-       -?, --help
-              Print options and exit.
-       --version
-              Print program version and exit.
-       [directory]
-              One  or  more  directories in user home to test for read access.
-              ~/.ssh and ~/.gnupg are tested by default.
-OUTPUT
+The old whitelist/blacklist will remain as aliasses for the next one or two releases
-       For each sandbox detected we print the following line:
+in order to give users a chance to switch their local profiles.
+The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
-            PID:USER:Sandbox Name:Command
-       It is followed by relevant sandbox information, such as the virtual di‐
-       rectories and various warnings.
-EXAMPLE
-       $ sudo jailcheck
-       2014:netblue::firejail /usr/bin/gimp
-          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
-          Warning: I can run programs in /home/netblue
-       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
-          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
-          Warning: I can read ~/.ssh
-       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
-       pimage
-          Virtual dirs: /tmp, /var/tmp, /dev,
-       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
-                        /run/user/1000,
-       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
-          Warning: AppArmor not enabled
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
-                        /usr/share, /run/user/1000,
-          Warning: I can run programs in /home/netblue
-LICENSE
-       This program is free software; you can redistribute it and/or modify it
-       under  the  terms of the GNU General Public License as published by the
-       Free Software Foundation; either version 2 of the License, or (at  your
-       option) any later version.
-       Homepage: https://firejail.wordpress.com
-SEE ALSO
-       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
-       gin(5), firejail-users(5),
-0.9.65                             May 2021                       JAILCHECK(1)
-`````
 ### Profile Statistics
@@ -298,40 +209,30 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
 $ sudo cp src/profstats/profstats /etc/firejail/.
 $ cd /etc/firejail
 $ ./profstats *.profile
-Stats:
+    profiles                    1150
-    profiles                    1135
+    include local profile       1150   (include profile-name.local)
-    include local profile       1135   (include profile-name.local)
+    include globals             1120   (include globals.local)
-    include globals             1106   (include globals.local)
+    blacklist ~/.ssh            1026   (include disable-common.inc)
-    blacklist ~/.ssh            1009   (include disable-common.inc)
+    seccomp                     1050
-    seccomp                     1035
+    capabilities                1146
-    capabilities                1130
+    noexec                      1030   (include disable-exec.inc)
-    noexec                      1011   (include disable-exec.inc)
+    noroot                      959
-    noroot                      944
+    memory-deny-write-execute   253
-    memory-deny-write-execute   242
+    apparmor                    681
-    apparmor                    667
+    private-bin                 667
-    private-bin                 635
+    private-dev                 1009
-    private-dev                 992
+    private-etc                 523
-    private-etc                 508
+    private-tmp                 883
-    private-tmp                 866
+    whitelist home directory    547
-    whitelist home directory    542
+    whitelist var               818   (include whitelist-var-common.inc)
-    whitelist var               799   (include whitelist-var-common.inc)
+    whitelist run/user          616   (include whitelist-runuser-common.inc
-    whitelist run/user          597   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         569   (include whitelist-usr-share-common.inc
+    whitelist usr/share         591   (include whitelist-usr-share-common.inc
-    net none                    389
+    net none                    391
-    dbus-user none              619
+    dbus-user none              641
    dbus-user filter            105
-    dbus-system none            770
+    dbus-system none            792
    dbus-system filter          7
 ```
 ### New profiles:
-vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
-avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
-pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
-sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
-ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
-pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon,
-neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr,
-tin
author	netblue30 <netblue30@protonmail.com>	2021-07-01 08:59:59 -0400
committer	netblue30 <netblue30@protonmail.com>	2021-07-01 08:59:59 -0400
commit	0562ceb658efff25583ff619846ef2c0ab697e37 (patch)
tree	98aef0cb248780c30bec7ee97cd569c4a823e265 /README.md
parent	Merge pull request #4365 from lxeiqr/sndio-fix (diff)
download	firejail-0562ceb658efff25583ff619846ef2c0ab697e37.tar.gz firejail-0562ceb658efff25583ff619846ef2c0ab697e37.tar.zst firejail-0562ceb658efff25583ff619846ef2c0ab697e37.zip

diff --git a/README.md b/README.md index c235759e9..c635bf811 100644 --- a/README.md +++ b/README.md
@@ -189,107 +189,18 @@ You can also use this tool to get a list of syscalls needed by a program: [contr
189		189
190	We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.	190	We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
191		191
192	## Latest released version: 0.9.64	192	## Latest released version: 0.9.66
193		193
194	## Current development version: 0.9.65	194	## Current development version: 0.9.67
195		195
196	Milestone page: https://github.com/netblue30/firejail/milestone/1	196	Milestone page: https://github.com/netblue30/firejail/milestone/1
197	Release discussion: https://github.com/netblue30/firejail/issues/3696	197	Release discussion: https://github.com/netblue30/firejail/issues/3696
198		198
199	### jailcheck	199	Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change!
200	`````
201	JAILCHECK(1) JAILCHECK man page JAILCHECK(1)
202
203	NAME
204	jailcheck - Simple utility program to test running sandboxes
205
206	SYNOPSIS
207	sudo jailcheck [OPTIONS] [directory]
208
209	DESCRIPTION
210	jailcheck attaches itself to all sandboxes started by the user and per‐
211	forms some basic tests on the sandbox filesystem:
212
213	1. Virtual directories
214	jailcheck extracts a list with the main virtual directories in‐
215	stalled by the sandbox. These directories are build by firejail
216	at startup using --private* and --whitelist commands.
217
218	2. Noexec test
219	jailcheck inserts executable programs in /home/username, /tmp,
220	and /var/tmp directories and tries to run them from inside the
221	sandbox, thus testing if the directory is executable or not.
222
223	3. Read access test
224	jailcheck creates test files in the directories specified by the
225	user and tries to read them from inside the sandbox.
226
227	4. AppArmor test
228
229	5. Seccomp test
230
231	The program is started as root using sudo.
232
233	OPTIONS
234	--debug
235	Print debug messages.
236
237	-?, --help
238	Print options and exit.
239
240	--version
241	Print program version and exit.
242
243	[directory]
244	One or more directories in user home to test for read access.
245	~/.ssh and ~/.gnupg are tested by default.
246		200
247	OUTPUT	201	The old whitelist/blacklist will remain as aliasses for the next one or two releases
248	For each sandbox detected we print the following line:	202	in order to give users a chance to switch their local profiles.
249		203	The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
250	PID:USER:Sandbox Name:Command
251
252	It is followed by relevant sandbox information, such as the virtual di‐
253	rectories and various warnings.
254
255	EXAMPLE
256	$ sudo jailcheck
257	2014:netblue::firejail /usr/bin/gimp
258	Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
259	Warning: I can run programs in /home/netblue
260
261	2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
262	Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
263	Warning: I can read ~/.ssh
264
265	2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
266	pimage
267	Virtual dirs: /tmp, /var/tmp, /dev,
268
269	26090:netblue::/usr/bin/firejail /opt/firefox/firefox
270	Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
271	/run/user/1000,
272
273	26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
274	Warning: AppArmor not enabled
275	Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
276	/usr/share, /run/user/1000,
277	Warning: I can run programs in /home/netblue
278
279	LICENSE
280	This program is free software; you can redistribute it and/or modify it
281	under the terms of the GNU General Public License as published by the
282	Free Software Foundation; either version 2 of the License, or (at your
283	option) any later version.
284
285	Homepage: https://firejail.wordpress.com
286
287	SEE ALSO
288	firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
289	gin(5), firejail-users(5),
290
291	0.9.65 May 2021 JAILCHECK(1)
292	`````
293		204
294	### Profile Statistics	205	### Profile Statistics
295		206
@@ -298,40 +209,30 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
298	$ sudo cp src/profstats/profstats /etc/firejail/.	209	$ sudo cp src/profstats/profstats /etc/firejail/.
299	$ cd /etc/firejail	210	$ cd /etc/firejail
300	$ ./profstats *.profile	211	$ ./profstats *.profile
301	Stats:	212	profiles 1150
302	profiles 1135	213	include local profile 1150 (include profile-name.local)
303	include local profile 1135 (include profile-name.local)	214	include globals 1120 (include globals.local)
304	include globals 1106 (include globals.local)	215	blacklist ~/.ssh 1026 (include disable-common.inc)
305	blacklist ~/.ssh 1009 (include disable-common.inc)	216	seccomp 1050
306	seccomp 1035	217	capabilities 1146
307	capabilities 1130	218	noexec 1030 (include disable-exec.inc)
308	noexec 1011 (include disable-exec.inc)	219	noroot 959
309	noroot 944	220	memory-deny-write-execute 253
310	memory-deny-write-execute 242	221	apparmor 681
311	apparmor 667	222	private-bin 667
312	private-bin 635	223	private-dev 1009
313	private-dev 992	224	private-etc 523
314	private-etc 508	225	private-tmp 883
315	private-tmp 866	226	whitelist home directory 547
316	whitelist home directory 542	227	whitelist var 818 (include whitelist-var-common.inc)
317	whitelist var 799 (include whitelist-var-common.inc)	228	whitelist run/user 616 (include whitelist-runuser-common.inc
318	whitelist run/user 597 (include whitelist-runuser-common.inc
319	or blacklist ${RUNUSER})	229	or blacklist ${RUNUSER})
320	whitelist usr/share 569 (include whitelist-usr-share-common.inc	230	whitelist usr/share 591 (include whitelist-usr-share-common.inc
321	net none 389	231	net none 391
322	dbus-user none 619	232	dbus-user none 641
323	dbus-user filter 105	233	dbus-user filter 105
324	dbus-system none 770	234	dbus-system none 792
325	dbus-system filter 7	235	dbus-system filter 7
326	```	236	```
327		237
328	### New profiles:	238	### New profiles:
329
330	vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
331	avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
332	pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
333	sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
334	ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
335	pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon,
336	neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr,
337	tin