starting 0.9.53

author: netblue30 <netblue30@yahoo.com> 2017-12-12 09:09:13 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-12-12 09:09:13 -0500
commit: f89ba6ad2638749e96b048330c262ee591cefe30 (patch)
tree: 89bb2cc796a0a310a7a18aa41618a7311eddecd8 /README.md
parent: 0.9.52 testing (diff)
download: firejail-f89ba6ad2638749e96b048330c262ee591cefe30.tar.gz
firejail-f89ba6ad2638749e96b048330c262ee591cefe30.tar.zst
firejail-f89ba6ad2638749e96b048330c262ee591cefe30.zip
1 files changed, 1 insertions, 154 deletions
diff --git a/README.md b/README.md
index 20659dc3d..1a3c1b4c5 100644
--- a/README.md
+++ b/README.md
@@ -96,157 +96,4 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 `````
-# Current development version: 0.9.51
+# Current development version: 0.9.53
-## Whitelisting, globbing etc.
-We deployed a whitelist for /var directory ("include /etc/firejail/whitelist-var-common.inc").
-It is currently done for 115 applications.
-We added globbing support for --private-bin and whitelisting support for /etc and /usr/share.
--private-lib was enhanced to autodetect GTK2, GTK3 and Qt4 libraries. In the next release we do a test run with this option enabled
-for the following applications: evince, galculator, gnome-calculator,
-    leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
-    atril, mate-color-select, tar, file, strings, gpicview,
-    eom, eog, gedit, pluma
-Just for fun, this is a private-bin/private-lib Firefox running on Debian 9:
-`````
-$ firejail --private-bin=firefox,firefox-esr,sh,which --private-lib=firefox-esr firefox
-`````
-## Profile build  tool
-`````
-$ firejail --build appname
-$ firejail --build=appname.profile appname
-`````
-The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
-Example:
-`````
-$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
-[...]
-############################################
-# /usr/bin/vlc profile
-############################################
-# Persistent global definitions
-# include /etc/firejail/globals.local
-### basic blacklisting
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
-### home directory whitelisting
-whitelist ~/Videos
-whitelist ~/.local/share/vlc
-whitelist ~/.config/vlc
-include /etc/firejail/whitelist-common.inc
-### filesystem
-private-tmp
-private-dev
-private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
-whitelist /var/lib/menu-xdg
-# private-bin vlc,
-### security filters
-caps.drop all
-nonewprivs
-seccomp
-# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
-# 76 syscalls total
-# Probably you will need to add more syscalls to seccomp.keep. Look for
-# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
-# running your sandbox.
-### network
-protocol unix,netlink,
-net none
-### environment
-shell none
-$
-`````
-## New command line and profile options
-`````
-      --writable-run-user
-              This    options    disables   the   default   blacklisting   of
-              run/user/$UID/systemd and /run/user/$UID/gnupg.
-              Example:
-              $ sudo firejail --writable-run-user
-       --rlimit-as=number
-              Set the maximum size of the process's virtual  memory  (address
-              space) in bytes.
-       --rlimit-cpu=number
-              Set  the  maximum limit, in seconds, for the amount of CPU time
-              each sandboxed process  can consume. When the limit is reached,
-              the processes are killed.
-              The  CPU  limit  is  a limit on CPU seconds rather than elapsed
-              time. CPU seconds is basically how many  seconds  the  CPU  has
-              been  in  use  and  does not necessarily directly relate to the
-              elapsed time. Linux kernel keeps track of CPU seconds for  each
-              process independently.
-       --timeout=hh:mm:ss
-              Kill  the sandbox automatically after the time has elapsed. The
-              time is specified in hours/minutes/seconds format.
-              $ firejail --timeout=01:30:00 firefox
-      --debug-private-lib
-              Debug messages for --private-lib option.
-       --netfilter=filename,arg1,arg2,arg3 ...
-              This  is  the  template  version of the previous command. $ARG1,
-              $ARG2, $ARG3 ... in the firewall script are replaced with  arg1,
-              arg2,  arg3  ...  passed on the command line. Up to 16 arguments
-              are supported.  Example:
-              $ firejail --net=eth0 --ip=192.168.1.105 \
-              --netfilter=/etc/firejail/tcpserver.net,5001 server-program
-       --netfilter.print=name|pid
-              Print  the  firewall installed in the sandbox specified by name
-              or PID. Example:
-              $ firejail --name=browser --net=eth0 --netfilter firefox &
-              $ firejail --netfilter.print=browser
-       --netfilter6.print=name|pid
-              Print the IPv6 firewall installed in the sandbox  specified  by
-              name or PID. Example:
-              $ firejail --name=browser --net=eth0 --netfilter firefox &
-              $ firejail --netfilter6.print=browser
-`````
-## New profiles:
-terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu,
-amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter,
-calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
-calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
-imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
-ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
-conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
-aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass,
-kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch),
-kdeinit4
-Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles,
-https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles.
author	netblue30 <netblue30@yahoo.com>	2017-12-12 09:09:13 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-12-12 09:09:13 -0500
commit	f89ba6ad2638749e96b048330c262ee591cefe30 (patch)
tree	89bb2cc796a0a310a7a18aa41618a7311eddecd8 /README.md
parent	0.9.52 testing (diff)
download	firejail-f89ba6ad2638749e96b048330c262ee591cefe30.tar.gz firejail-f89ba6ad2638749e96b048330c262ee591cefe30.tar.zst firejail-f89ba6ad2638749e96b048330c262ee591cefe30.zip

diff --git a/README.md b/README.md index 20659dc3d..1a3c1b4c5 100644 --- a/README.md +++ b/README.md
@@ -96,157 +96,4 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
96	`````	96	`````
97		97
98	`````	98	`````
99	# Current development version: 0.9.51	99	# Current development version: 0.9.53
100
101	## Whitelisting, globbing etc.
102
103	We deployed a whitelist for /var directory ("include /etc/firejail/whitelist-var-common.inc").
104	It is currently done for 115 applications.
105
106	We added globbing support for --private-bin and whitelisting support for /etc and /usr/share.
107
108	--private-lib was enhanced to autodetect GTK2, GTK3 and Qt4 libraries. In the next release we do a test run with this option enabled
109	for the following applications: evince, galculator, gnome-calculator,
110	leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
111	atril, mate-color-select, tar, file, strings, gpicview,
112	eom, eog, gedit, pluma
113
114	Just for fun, this is a private-bin/private-lib Firefox running on Debian 9:
115	`````
116	$ firejail --private-bin=firefox,firefox-esr,sh,which --private-lib=firefox-esr firefox
117	`````
118
119
120	## Profile build tool
121	`````
122	$ firejail --build appname
123	$ firejail --build=appname.profile appname
124	`````
125	The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
126	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
127	with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
128	in order to allow strace to run. Chromium and Chromium-based browsers will not work.
129
130	Example:
131	`````
132	$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
133
134	[...]
135
136	############################################
137	# /usr/bin/vlc profile
138	############################################
139	# Persistent global definitions
140	# include /etc/firejail/globals.local
141
142	### basic blacklisting
143	include /etc/firejail/disable-common.inc
144	# include /etc/firejail/disable-devel.inc
145	include /etc/firejail/disable-passwdmgr.inc
146	# include /etc/firejail/disable-programs.inc
147
148	### home directory whitelisting
149	whitelist ~/Videos
150	whitelist ~/.local/share/vlc
151	whitelist ~/.config/vlc
152	include /etc/firejail/whitelist-common.inc
153
154	### filesystem
155	private-tmp
156	private-dev
157	private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
158	whitelist /var/lib/menu-xdg
159	# private-bin vlc,
160
161	### security filters
162	caps.drop all
163	nonewprivs
164	seccomp
165	# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
166	# 76 syscalls total
167	# Probably you will need to add more syscalls to seccomp.keep. Look for
168	# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
169	# running your sandbox.
170
171	### network
172	protocol unix,netlink,
173	net none
174
175	### environment
176	shell none
177	$
178	`````
179
180	## New command line and profile options
181	`````
182	--writable-run-user
183	This options disables the default blacklisting of
184	run/user/$UID/systemd and /run/user/$UID/gnupg.
185
186	Example:
187	$ sudo firejail --writable-run-user
188
189	--rlimit-as=number
190	Set the maximum size of the process's virtual memory (address
191	space) in bytes.
192
193	--rlimit-cpu=number
194	Set the maximum limit, in seconds, for the amount of CPU time
195	each sandboxed process can consume. When the limit is reached,
196	the processes are killed.
197
198	The CPU limit is a limit on CPU seconds rather than elapsed
199	time. CPU seconds is basically how many seconds the CPU has
200	been in use and does not necessarily directly relate to the
201	elapsed time. Linux kernel keeps track of CPU seconds for each
202	process independently.
203
204	--timeout=hh:mm:ss
205	Kill the sandbox automatically after the time has elapsed. The
206	time is specified in hours/minutes/seconds format.
207
208	$ firejail --timeout=01:30:00 firefox
209
210	--debug-private-lib
211	Debug messages for --private-lib option.
212
213	--netfilter=filename,arg1,arg2,arg3 ...
214	This is the template version of the previous command. $ARG1,
215	$ARG2, $ARG3 ... in the firewall script are replaced with arg1,
216	arg2, arg3 ... passed on the command line. Up to 16 arguments
217	are supported. Example:
218
219	$ firejail --net=eth0 --ip=192.168.1.105 \
220	--netfilter=/etc/firejail/tcpserver.net,5001 server-program
221
222	--netfilter.print=name\|pid
223	Print the firewall installed in the sandbox specified by name
224	or PID. Example:
225
226	$ firejail --name=browser --net=eth0 --netfilter firefox &
227	$ firejail --netfilter.print=browser
228
229	--netfilter6.print=name\|pid
230	Print the IPv6 firewall installed in the sandbox specified by
231	name or PID. Example:
232
233	$ firejail --name=browser --net=eth0 --netfilter firefox &
234	$ firejail --netfilter6.print=browser
235
236	`````
237
238	## New profiles:
239
240	terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu,
241	amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter,
242	calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
243	calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
244	imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
245	ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
246	conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
247	aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass,
248	kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch),
249	kdeinit4
250
251	Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles,
252	https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles.