diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-10-29 08:30:25 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-10-29 08:30:25 -0400 |
| commit | 7daaa4d12b78e190e6f223ca5adc1271d814018b (patch) | |
| tree | 905d5934652b632a85cd1c322ef5c383965cabaa /README.md | |
| parent | dual i386/amd64 seccomp support for --seccomp option (diff) | |
| download | firejail-7daaa4d12b78e190e6f223ca5adc1271d814018b.tar.gz firejail-7daaa4d12b78e190e6f223ca5adc1271d814018b.tar.zst firejail-7daaa4d12b78e190e6f223ca5adc1271d814018b.zip | |
readme.md
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 26 |
1 files changed, 20 insertions, 6 deletions
| @@ -63,7 +63,7 @@ I intend to bring in all files and directories used by Firefox addons and plugin | |||
| 63 | and [Vimperator](https://addons.mozilla.org/en-US/firefox/addon/vimperator/) | 63 | and [Vimperator](https://addons.mozilla.org/en-US/firefox/addon/vimperator/) |
| 64 | If you're using a anything else, please let me know. | 64 | If you're using a anything else, please let me know. |
| 65 | 65 | ||
| 66 | ### Whitelisting in default Cromium profile | 66 | ### Whitelisting in default Chromium profile |
| 67 | 67 | ||
| 68 |  | 68 |  |
| 69 | 69 | ||
| @@ -76,15 +76,29 @@ $ firejail --ignore=seccomp wine | |||
| 76 | 76 | ||
| 77 | ### --protocol option | 77 | ### --protocol option |
| 78 | 78 | ||
| 79 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | 79 | Enable protocol filter. It is based on seccomp and it filters the first argument to socket system call. |
| 80 | Recognized values: unix, inet, inet6, netlink and packet. Example: | 80 | If the value is not recognized, seccomp will kill the process. |
| 81 | Recognized values: unix, inet, inet6, netlink and packet. | ||
| 82 | |||
| 83 | "unix" describes the regular Unix socket connections, | ||
| 84 | and "inet" and "inet6" are the regular IPv4 and IPv6 traffic. Most GUI applications need "unix,inet,inet6". "netlink" is the protocol | ||
| 85 | used to talk to Linux kernel. You'll only need this for applications such as [iproute2](http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2) for | ||
| 86 | system administration, and "packet" is used by sniffers to talk directly with the Ethernet layer. | ||
| 87 | |||
| 88 | Example: | ||
| 81 | ````` | 89 | ````` |
| 82 | $ firejail --protocol=unix,inet,inet6 firefox | 90 | $ firejail --protocol=unix,inet,inet6 |
| 83 | ````` | 91 | ````` |
| 84 | 92 | ||
| 85 | ### New security profiles | 93 | Protocol filter is enabled in all default security profiles for GUI applications ("protocol unix,inet,inet6"). |
| 86 | 94 | ||
| 87 | Steam, Skype, Wine | 95 | ### Dual i386/amd64 seccomp filter |
| 96 | |||
| 97 | --seccomp option now installs a dual i386/amd64 default filter. | ||
| 98 | 32bit applications, such as Skype, running on regular 64bit computers, are protected by i386 seccomp filter. | ||
| 99 | |||
| 100 | ### New security profiles | ||
| 88 | 101 | ||
| 102 | Steam, Skype, Wine. The dual seccomp filter is enabled by default for these applications. | ||
| 89 | 103 | ||
| 90 | 104 | ||