0.9.55

author: netblue30 <netblue30@yahoo.com> 2018-05-16 10:27:46 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-05-16 10:27:46 -0400
commit: 7b2b00d83ea5b6b0cf3e5299b8e8b4e4993c30b1 (patch)
tree: 4d55772c166a7162cb0e17ce2edec533a37096a1 /README.md
parent: x11 cleanup (remove superfluous set_perms) (diff)
download: firejail-7b2b00d83ea5b6b0cf3e5299b8e8b4e4993c30b1.tar.gz
firejail-7b2b00d83ea5b6b0cf3e5299b8e8b4e4993c30b1.tar.zst
firejail-7b2b00d83ea5b6b0cf3e5299b8e8b4e4993c30b1.zip
1 files changed, 1 insertions, 281 deletions
diff --git a/README.md b/README.md
index 3b0f69fc4..25d543652 100644
--- a/README.md
+++ b/README.md
@@ -98,284 +98,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 `````
-# Current development version: 0.9.54~rc3
+# Current development version: 0.9.55
-## Firejail user access database
-`````
-$ man firejail-users
-FIREJAIL-USERS(5)          firejail.users man page          FIREJAIL-USERS(5)
-NAME
-       firejail.users - Firejail user access database
-DESCRIPTION
-       /etc/firejail/firejail.users  lists  the users allowed to run firejail
-       SUID executable.  If the file is not present in the system, all  users
-       are allowed to use the sandbox.  root user is allowed by default.
-       Example:
-            $ cat /etc/firejail/firejail.users
-            dustin
-            lucas
-            mike
-            eleven
-       Use  a  text editor to add or remove users from the list. You can also
-       use firecfg --add-users command. Example:
-            $ sudo firecfg --add-users dustin lucas mike eleven
-       By default, running firecfg creates the file and adds the current user
-       to the list. Example:
-            $ sudo firecfg
-       See man 1 firecfg for details.
-FILES
-       /etc/firejail/firejail.users
-LICENSE
-       Firejail  is  free  software; you can redistribute it and/or modify it
-       under the terms of the GNU General Public License as published by  the
-       Free Software Foundation; either version 2 of the License, or (at your
-       option) any later version.
-       Homepage: https://firejail.wordpress.com
-SEE ALSO
-       firejail(1),  firemon(1),  firecfg(1),  firejail-profile(5)  firejail-
-       login(5)
-0.9.53                             Apr 2018                 FIREJAIL-USERS(5)
-`````
-## Spectre mitigation
-If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
-The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it
-on older versions, for example on Debian stable running on gcc 6.3.0.  This is how you check it:
-`````
-$ ./configure --prefix=/usr
-checking for gcc... gcc
-checking whether the C compiler works... yes
-checking for C compiler default output file name... a.out
-checking for suffix of executables...
-checking whether we are cross compiling... no
-checking for suffix of object files... o
-checking whether we are using the GNU C compiler... yes
-checking whether gcc accepts -g... yes
-checking for gcc option to accept ISO C89... none needed
-checking for a BSD-compatible install... /usr/bin/install -c
-checking for ranlib... ranlib
-checking for Spectre mitigation support in gcc compiler... yes
-[...]
-Configuration options:
-   prefix: /usr
-   sysconfdir: /etc
-   seccomp: -DHAVE_SECCOMP
-   <linux/seccomp.h>: -DHAVE_SECCOMP_H
-   apparmor:
-   global config: -DHAVE_GLOBALCFG
-   chroot: -DHAVE_CHROOT
-   bind: -DHAVE_BIND
-   network: -DHAVE_NETWORK
-   user namespace: -DHAVE_USERNS
-   X11 sandboxing support: -DHAVE_X11
-   whitelisting: -DHAVE_WHITELIST
-   private home support: -DHAVE_PRIVATE_HOME
-   file transfer support: -DHAVE_FILE_TRANSFER
-   overlayfs support: -DHAVE_OVERLAYFS
-   git install support:
-   busybox workaround: no
-   Spectre compiler patch: yes
-   EXTRA_LDFLAGS:
-   EXTRA_CFLAGS:  -mindirect-branch=thunk
-   fatal warnings:
-   Gcov instrumentation:
-   Install contrib scripts: yes
-`````
-This feature is also supported for LLVM/clang compiler
-## New command line options
-`````
-       --keep-var-tmp
-              /var/tmp directory is untouched.
-              Example:
-              $ firejail --keep-var-tmp
-       --nodbus
-              Disable D-Bus access. Only the regular UNIX socket is handled by
-              this command. To disable the abstract socket you would  need  to
-              request  a  new  network  namespace using --net command. Another
-              option is to remove unix from --protocol set.
-              Example:
-              $ firejail --nodbus --net=none
-       --noautopulse
-              Disable automatic ~/.config/pulse init, for complex setups such
-              as remote pulse servers or non-standard socket paths.
-              Example:
-              $ firejail --noautopulse firefox
-`````
-## AppImage development
-Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
-This allows us to use our regular profile files for appimages. We don't have a way to extract the name
-of the executable, so the profile will have to be passed on the command line. Example:
-`````
-$ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
-`````
-Also, we have full AppArmor support for AppImages:
-`````
-$ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
-`````
-## Seccomp development
-Replaced the our seccomp disassembler with a real disassembler lifted from
-libseccomp (GPLv2, Paul Moore, Red Hat). The code is in src/fsec-print directory.
-`````
-$ firejail --seccomp.print=browser
- line  OP JT JF    K
-=================================
- 0000: 20 00 00 00000004   ld  data.architecture
- 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
- 0002: 06 00 00 7fff0000   ret ALLOW
- 0003: 20 00 00 00000000   ld  data.syscall-number
- 0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
- 0005: 35 01 00 00000000   jge read 0007 (false 0006)
- 0006: 06 00 00 00050001   ret ERRNO(1)
- 0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
- 0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
- 0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
- 000a: 15 3e 00 00000137   jeq process_vm_writev 0049 (false 000b)
- 000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
- 000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
- 000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
- 000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
- 000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
- 0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
- 0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
- 0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
- 0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
- 0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
- 0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
- 0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
- 0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
- 0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
- 0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
- 001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
- 001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
- 001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
- 001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
- 001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
- 001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
- 0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
- 0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
- 0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
- 0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
- 0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
- 0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
- 0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
- 0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
- 0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
- 0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
- 002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
- 002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
- 002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
- 002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
- 002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
- 002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
- 0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
- 0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
- 0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
- 0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
- 0034: 15 14 00 00000130   jeq open_by_handle_at 0049 (false 0035)
- 0035: 15 13 00 0000012f   jeq name_to_handle_at 0049 (false 0036)
- 0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
- 0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
- 0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
- 0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
- 003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
- 003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
- 003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
- 003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
- 003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
- 003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
- 0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
- 0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
- 0042: 15 06 00 000000d8   jeq remap_file_pages 0049 (false 0043)
- 0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
- 0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
- 0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
- 0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
- 0047: 15 01 00 00000136   jeq process_vm_readv 0049 (false 0048)
- 0048: 06 00 00 7fff0000   ret ALLOW
- 0049: 06 00 01 00000000   ret KILL
-`````
-We are also introducing a seccomp optimizer, to be run directly on seccomp machine code
-filters produced by Firejail. The code is in src/fsec-optimize. Currently only the default seccomp
-filters built at compile time are run trough the optimizer. It will be extended and applied at run
-time on all filters.
-## AppArmor development
-AppArmor features are supported on overlayfs and chroot sandboxes.
-We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys
-and /run/user directories were moved out of the profile into firejail executable.
-We are also adding a "apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to
-enable/disable apparmor functionality globally. By default the flag is enabled.
-AppArmor deployment: we are starting apparmor by default for the following programs:
- web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
- torrent clients: transmission-qt, transmission-gtk, qbittorrent
- media players: mpv, audacious, kodi, smplayer
- media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot
- archive managers: ark, engrampa, file-roller
- etc.: digikam, okular, gwenview, galculator, kcalc
-Checking apparmor status:
-`````
-$ firejail --apparmor.print=browser
-2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
-  AppArmor: firejail-default enforce
-$ firemon --apparmor
-2072:netblue:firejail --chroot=/chroot/sid --net=eth0
-  AppArmor: unconfined
-2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
-  AppArmor: firejail-default enforce
-4835:netblue:/usr/bin/firejail /usr/bin/vlc
-  AppArmor: firejail-default enforce
-`````
-## Browser profile unification
-All Chromium and Firefox browsers have been unified to instead extend
-chromium-common.profile and firefox-common.profile respectively.
-This allows for reduced maintenance and ease of adding new browsers.
-NOTE: All users of Firefox-based browsers who use addons and plugins
-that read/write from ${HOME} will need to uncomment the includes for
-firefox-common-addons.inc in firefox-common.profile.
-## New profiles
-Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
-pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
-tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
-gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
-thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,
-enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,
-aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,
-AnyDesk, webstorm, xmind, qmmp, sayonara
author	netblue30 <netblue30@yahoo.com>	2018-05-16 10:27:46 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-05-16 10:27:46 -0400
commit	7b2b00d83ea5b6b0cf3e5299b8e8b4e4993c30b1 (patch)
tree	4d55772c166a7162cb0e17ce2edec533a37096a1 /README.md
parent	x11 cleanup (remove superfluous set_perms) (diff)
download	firejail-7b2b00d83ea5b6b0cf3e5299b8e8b4e4993c30b1.tar.gz firejail-7b2b00d83ea5b6b0cf3e5299b8e8b4e4993c30b1.tar.zst firejail-7b2b00d83ea5b6b0cf3e5299b8e8b4e4993c30b1.zip

diff --git a/README.md b/README.md index 3b0f69fc4..25d543652 100644 --- a/README.md +++ b/README.md
@@ -98,284 +98,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
98	`````	98	`````
99		99
100	`````	100	`````
101	# Current development version: 0.9.54~rc3	101	# Current development version: 0.9.55
102
103	## Firejail user access database
104	`````
105	$ man firejail-users
106	FIREJAIL-USERS(5) firejail.users man page FIREJAIL-USERS(5)
107
108	NAME
109	firejail.users - Firejail user access database
110
111	DESCRIPTION
112	/etc/firejail/firejail.users lists the users allowed to run firejail
113	SUID executable. If the file is not present in the system, all users
114	are allowed to use the sandbox. root user is allowed by default.
115
116	Example:
117
118	$ cat /etc/firejail/firejail.users
119	dustin
120	lucas
121	mike
122	eleven
123
124	Use a text editor to add or remove users from the list. You can also
125	use firecfg --add-users command. Example:
126
127	$ sudo firecfg --add-users dustin lucas mike eleven
128
129	By default, running firecfg creates the file and adds the current user
130	to the list. Example:
131
132	$ sudo firecfg
133
134	See man 1 firecfg for details.
135
136	FILES
137	/etc/firejail/firejail.users
138
139	LICENSE
140	Firejail is free software; you can redistribute it and/or modify it
141	under the terms of the GNU General Public License as published by the
142	Free Software Foundation; either version 2 of the License, or (at your
143	option) any later version.
144
145	Homepage: https://firejail.wordpress.com
146
147	SEE ALSO
148	firejail(1), firemon(1), firecfg(1), firejail-profile(5) firejail-
149	login(5)
150
151	0.9.53 Apr 2018 FIREJAIL-USERS(5)
152	`````
153
154	## Spectre mitigation
155
156	If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration.
157	The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it
158	on older versions, for example on Debian stable running on gcc 6.3.0. This is how you check it:
159	`````
160	$ ./configure --prefix=/usr
161	checking for gcc... gcc
162	checking whether the C compiler works... yes
163	checking for C compiler default output file name... a.out
164	checking for suffix of executables...
165	checking whether we are cross compiling... no
166	checking for suffix of object files... o
167	checking whether we are using the GNU C compiler... yes
168	checking whether gcc accepts -g... yes
169	checking for gcc option to accept ISO C89... none needed
170	checking for a BSD-compatible install... /usr/bin/install -c
171	checking for ranlib... ranlib
172	checking for Spectre mitigation support in gcc compiler... yes
173	[...]
174	Configuration options:
175	prefix: /usr
176	sysconfdir: /etc
177	seccomp: -DHAVE_SECCOMP
178	<linux/seccomp.h>: -DHAVE_SECCOMP_H
179	apparmor:
180	global config: -DHAVE_GLOBALCFG
181	chroot: -DHAVE_CHROOT
182	bind: -DHAVE_BIND
183	network: -DHAVE_NETWORK
184	user namespace: -DHAVE_USERNS
185	X11 sandboxing support: -DHAVE_X11
186	whitelisting: -DHAVE_WHITELIST
187	private home support: -DHAVE_PRIVATE_HOME
188	file transfer support: -DHAVE_FILE_TRANSFER
189	overlayfs support: -DHAVE_OVERLAYFS
190	git install support:
191	busybox workaround: no
192	Spectre compiler patch: yes
193	EXTRA_LDFLAGS:
194	EXTRA_CFLAGS: -mindirect-branch=thunk
195	fatal warnings:
196	Gcov instrumentation:
197	Install contrib scripts: yes
198	`````
199	This feature is also supported for LLVM/clang compiler
200
201	## New command line options
202	`````
203	--keep-var-tmp
204	/var/tmp directory is untouched.
205
206	Example:
207	$ firejail --keep-var-tmp
208
209	--nodbus
210	Disable D-Bus access. Only the regular UNIX socket is handled by
211	this command. To disable the abstract socket you would need to
212	request a new network namespace using --net command. Another
213	option is to remove unix from --protocol set.
214
215	Example:
216	$ firejail --nodbus --net=none
217
218	--noautopulse
219	Disable automatic ~/.config/pulse init, for complex setups such
220	as remote pulse servers or non-standard socket paths.
221
222	Example:
223	$ firejail --noautopulse firefox
224
225	`````
226
227	## AppImage development
228
229	Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
230	This allows us to use our regular profile files for appimages. We don't have a way to extract the name
231	of the executable, so the profile will have to be passed on the command line. Example:
232	`````
233	$ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
234	`````
235	Also, we have full AppArmor support for AppImages:
236	`````
237
238	$ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
239	`````
240
241	## Seccomp development
242
243	Replaced the our seccomp disassembler with a real disassembler lifted from
244	libseccomp (GPLv2, Paul Moore, Red Hat). The code is in src/fsec-print directory.
245	`````
246	$ firejail --seccomp.print=browser
247	line OP JT JF K
248	=================================
249	0000: 20 00 00 00000004 ld data.architecture
250	0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
251	0002: 06 00 00 7fff0000 ret ALLOW
252	0003: 20 00 00 00000000 ld data.syscall-number
253	0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
254	0005: 35 01 00 00000000 jge read 0007 (false 0006)
255	0006: 06 00 00 00050001 ret ERRNO(1)
256	0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
257	0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
258	0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
259	000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false 000b)
260	000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
261	000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
262	000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
263	000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
264	000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
265	0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
266	0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
267	0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
268	0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
269	0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
270	0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
271	0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
272	0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
273	0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
274	0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
275	001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
276	001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
277	001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
278	001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
279	001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
280	001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
281	0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
282	0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
283	0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
284	0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
285	0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
286	0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
287	0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
288	0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
289	0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
290	0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
291	002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
292	002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
293	002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
294	002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
295	002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
296	002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
297	0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
298	0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
299	0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
300	0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
301	0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false 0035)
302	0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false 0036)
303	0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
304	0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
305	0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
306	0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
307	003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
308	003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
309	003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
310	003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
311	003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
312	003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
313	0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
314	0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
315	0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false 0043)
316	0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
317	0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
318	0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
319	0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
320	0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false 0048)
321	0048: 06 00 00 7fff0000 ret ALLOW
322	0049: 06 00 01 00000000 ret KILL
323	`````
324	We are also introducing a seccomp optimizer, to be run directly on seccomp machine code
325	filters produced by Firejail. The code is in src/fsec-optimize. Currently only the default seccomp
326	filters built at compile time are run trough the optimizer. It will be extended and applied at run
327	time on all filters.
328
329
330	## AppArmor development
331
332	AppArmor features are supported on overlayfs and chroot sandboxes.
333
334	We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys
335	and /run/user directories were moved out of the profile into firejail executable.
336	We are also adding a "apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to
337	enable/disable apparmor functionality globally. By default the flag is enabled.
338
339	AppArmor deployment: we are starting apparmor by default for the following programs:
340	- web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
341	- torrent clients: transmission-qt, transmission-gtk, qbittorrent
342	- media players: mpv, audacious, kodi, smplayer
343	- media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot
344	- archive managers: ark, engrampa, file-roller
345	- etc.: digikam, okular, gwenview, galculator, kcalc
346
347	Checking apparmor status:
348	`````
349	$ firejail --apparmor.print=browser
350	2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
351	AppArmor: firejail-default enforce
352
353	$ firemon --apparmor
354	2072:netblue:firejail --chroot=/chroot/sid --net=eth0
355	AppArmor: unconfined
356	2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
357	AppArmor: firejail-default enforce
358	4835:netblue:/usr/bin/firejail /usr/bin/vlc
359	AppArmor: firejail-default enforce
360	`````
361
362
363	## Browser profile unification
364
365	All Chromium and Firefox browsers have been unified to instead extend
366	chromium-common.profile and firefox-common.profile respectively.
367	This allows for reduced maintenance and ease of adding new browsers.
368	NOTE: All users of Firefox-based browsers who use addons and plugins
369	that read/write from ${HOME} will need to uncomment the includes for
370	firefox-common-addons.inc in firefox-common.profile.
371
372	## New profiles
373
374	Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
375	pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
376	tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
377	gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
378	thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,
379	enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,
380	aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,
381	AnyDesk, webstorm, xmind, qmmp, sayonara