update README.md

author: netblue30 <netblue30@protonmail.com> 2023-01-18 10:26:51 -0500
committer: netblue30 <netblue30@protonmail.com> 2023-01-18 10:26:51 -0500
commit: 347c0e3adaecb4adaaab903d610936dbd3bc0f90 (patch)
tree: 108d5e6d7e8a6fc0ad666b0d1dd4984d466f1ed4 /README.md
parent: build(deps): bump github/codeql-action from 2.1.37 to 2.1.38 (diff)
download: firejail-347c0e3adaecb4adaaab903d610936dbd3bc0f90.tar.gz
firejail-347c0e3adaecb4adaaab903d610936dbd3bc0f90.tar.zst
firejail-347c0e3adaecb4adaaab903d610936dbd3bc0f90.zip
1 files changed, 22 insertions, 142 deletions
diff --git a/README.md b/README.md
index 3bede887e..5f4aedcde 100644
--- a/README.md
+++ b/README.md
@@ -178,123 +178,10 @@ You can also use this tool to get a list of syscalls needed by a program: [contr
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
-## Latest released version: 0.9.70
+## Latest released version: 0.9.72
-## Current development version: 0.9.71
+## Current development version: 0.9.73
-Milestone page: https://github.com/netblue30/firejail/milestone/1
-### Restrict namespaces
-`````
-       --restrict-namespaces
-              Install a seccomp filter that  blocks  attempts  to  create  new
-              cgroup, ipc, net, mount, pid, time, user or uts namespaces.
-              Example:
-              $ firejail --restrict-namespaces
-       --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
-              Install  a  seccomp filter that blocks attempts to create any of
-              the specified namespaces. The filter examines the  arguments  of
-              clone, unshare and setns system calls and returns error EPERM to
-              the process (or kills it or logs the attempt, see  --seccomp-er‐
-              ror-action below) if necessary. Note that the filter is not able
-              to examine the arguments of clone3 system calls, and always  re‐
-              sponds to these calls with error ENOSYS.
-              Example:
-              $ firejail --restrict-namespaces=user,net
-`````
-### Support for custom AppArmor profiles
-`````
-      --apparmor
-              Enable AppArmor confinement with the "firejail-default" AppArmor
-              profile.   For more information, please see APPARMOR section be‐
-              low.
-       --apparmor=profile_name
-              Enable AppArmor confinement  with  a  custom  AppArmor  profile.
-              Note  that  profile  in question must already be loaded into the
-              kernel.  For more information, please see APPARMOR  section  be‐
-`````
-### dnstrace
-`````
-      --dnstrace[=name|pid]
-              Monitor DNS queries. The sandbox can be  specified  by  name  or
-              pid.  Only networked sandboxes created with --net are supported.
-              This option is only available when running the sandbox as root.
-              Without a name/pid, Firejail will monitor the main  system  net‐
-              work namespace.
-              $ sudo firejail --dnstrace=browser
-              11:31:43  9.9.9.9        linux.com (type 1)
-              11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
-              11:31:45  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
-              11:31:45  9.9.9.9        www.linux.com (type 1)
-              11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
-              11:31:52  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
-              11:32:05  9.9.9.9        secure.gravatar.com (type 1)
-              11:32:06  9.9.9.9        secure.gravatar.com (type 1)
-              11:32:08  9.9.9.9        taikai.network (type 1)
-              11:32:08  9.9.9.9        cdn.jsdelivr.net (type 1)
-              11:32:08  9.9.9.9        taikai.azureedge.net (type 1)
-              11:32:08  9.9.9.9        www.youtube.com (type 1)
-`````
-### snitrace
-`````
-     --snitrace[=name|pid]
-              Monitor Server Name Indication (TLS/SNI).  The  sandbox  can  be
-              specified  by name or pid. Only networked sandboxes created with
-              --net are supported. This option is only available when  running
-              the sandbox as root.
-              Without  a  name/pid, Firejail will monitor the main system net‐
-              work namespace.
-              $ sudo firejail --snitrace=browser
-              07:49:51  23.185.0.3       linux.com
-              07:49:51  23.185.0.3       www.linux.com
-              07:50:05  192.0.73.2       secure.gravatar.com
-              07:52:35  172.67.68.93     www.howtoforge.com
-              07:52:37  13.225.103.59    sf.ezoiccdn.com
-              07:52:42  142.250.176.3    www.gstatic.com
-              07:53:03  173.236.250.32   www.linuxlinks.com
-              07:53:05  192.0.77.37      c0.wp.com
-              07:53:08  192.0.78.32      jetpack.wordpress.com
-              07:53:09  192.0.77.32      s0.wp.com
-              07:53:09  192.0.77.2       i0.wp.com
-              07:53:10  192.0.77.2       i0.wp.com
-              07:53:11  192.0.73.2       1.gravatar.com
-`````
-### icmptrace
-`````
-       --icmptrace[=name|pid]
-              Monitor  ICMP  traffic.  The sandbox can be specified by name or
-              pid. Only networked sandboxes created with --net are  supported.
-              This option is only available when running the sandbox as root.
-              Without  a  name/pid, Firejail will monitor the main system net‐
-              work namespace.
-              Example
-              $ sudo firejail --icmptrace
-              20:53:54  192.168.1.60 -> 142.250.65.174 - 98 bytes -  Echo  re‐
-              quest/0
-              20:53:54   142.250.65.174  -> 192.168.1.60 - 98 bytes - Echo re‐
-              ply/0
-              20:53:55  192.168.1.60 -> 142.250.65.174 - 98 bytes -  Echo  re‐
-              quest/0
-              20:53:55   142.250.65.174  -> 192.168.1.60 - 98 bytes - Echo re‐
-              ply/0
-              20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination  un‐
-              reachable/Port unreachable
-`````
 ### Profile Statistics
@@ -306,40 +193,33 @@ No include .local found in /etc/firejail/noprofile.profile
 Warning: multiple caps in /etc/firejail/transmission-daemon.profile
 Stats:
-    profiles                    1205
+     profiles                   1209
-    include local profile       1204   (include profile-name.local)
+    include local profile       1208   (include profile-name.local)
-    include globals             1178   (include globals.local)
+    include globals             1181   (include globals.local)
-    blacklist ~/.ssh            1076   (include disable-common.inc)
+    blacklist ~/.ssh            1079   (include disable-common.inc)
-    seccomp                     1095
+    seccomp                     1096
-    capabilities                1199
+    capabilities                1202
-    noexec                      1084   (include disable-exec.inc)
+    noexec                      1087   (include disable-exec.inc)
-    noroot                      1002
+    noroot                      1003
    memory-deny-write-execute   272
-    restrict-namespaces         962
+    restrict-namespaces         958
-    apparmor                    720
+    apparmor                    753
    private-bin                 704
-    private-dev                 1055
+    private-dev                 1058
-    private-etc                 546
+    private-etc                 550
    private-lib                 71
-    private-tmp                 929
+    private-tmp                 932
-    whitelist home directory    581
+    whitelist home directory    585
-    whitelist var               867   (include whitelist-var-common.inc)
+    whitelist var               870   (include whitelist-var-common.inc)
-    whitelist run/user          1173   (include whitelist-runuser-common.inc
+    whitelist run/user          1176   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         637   (include whitelist-usr-share-common.inc
+    whitelist usr/share         640   (include whitelist-usr-share-common.inc
    net none                    410
-    dbus-user none              677
+    dbus-user none              679
-    dbus-user filter            137
+    dbus-user filter            141
-    dbus-system none            848
+    dbus-system none            851
    dbus-system filter          12
 ```
-### New profiles:
-onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
-cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp,
-linuxqq, qq
author	netblue30 <netblue30@protonmail.com>	2023-01-18 10:26:51 -0500
committer	netblue30 <netblue30@protonmail.com>	2023-01-18 10:26:51 -0500
commit	347c0e3adaecb4adaaab903d610936dbd3bc0f90 (patch)
tree	108d5e6d7e8a6fc0ad666b0d1dd4984d466f1ed4 /README.md
parent	build(deps): bump github/codeql-action from 2.1.37 to 2.1.38 (diff)
download	firejail-347c0e3adaecb4adaaab903d610936dbd3bc0f90.tar.gz firejail-347c0e3adaecb4adaaab903d610936dbd3bc0f90.tar.zst firejail-347c0e3adaecb4adaaab903d610936dbd3bc0f90.zip

diff --git a/README.md b/README.md index 3bede887e..5f4aedcde 100644 --- a/README.md +++ b/README.md
@@ -178,123 +178,10 @@ You can also use this tool to get a list of syscalls needed by a program: [contr
178		178
179	We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.	179	We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
180		180
181	## Latest released version: 0.9.70	181	## Latest released version: 0.9.72
182		182
183	## Current development version: 0.9.71	183	## Current development version: 0.9.73
184		184
185	Milestone page: https://github.com/netblue30/firejail/milestone/1
186
187	### Restrict namespaces
188
189	`````
190	--restrict-namespaces
191	Install a seccomp filter that blocks attempts to create new
192	cgroup, ipc, net, mount, pid, time, user or uts namespaces.
193
194	Example:
195	$ firejail --restrict-namespaces
196
197	--restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
198	Install a seccomp filter that blocks attempts to create any of
199	the specified namespaces. The filter examines the arguments of
200	clone, unshare and setns system calls and returns error EPERM to
201	the process (or kills it or logs the attempt, see --seccomp-er‐
202	ror-action below) if necessary. Note that the filter is not able
203	to examine the arguments of clone3 system calls, and always re‐
204	sponds to these calls with error ENOSYS.
205
206	Example:
207	$ firejail --restrict-namespaces=user,net
208	`````
209
210	### Support for custom AppArmor profiles
211
212	`````
213	--apparmor
214	Enable AppArmor confinement with the "firejail-default" AppArmor
215	profile. For more information, please see APPARMOR section be‐
216	low.
217
218	--apparmor=profile_name
219	Enable AppArmor confinement with a custom AppArmor profile.
220	Note that profile in question must already be loaded into the
221	kernel. For more information, please see APPARMOR section be‐
222	`````
223
224	### dnstrace
225	`````
226	--dnstrace[=name\|pid]
227	Monitor DNS queries. The sandbox can be specified by name or
228	pid. Only networked sandboxes created with --net are supported.
229	This option is only available when running the sandbox as root.
230
231	Without a name/pid, Firejail will monitor the main system net‐
232	work namespace.
233
234	$ sudo firejail --dnstrace=browser
235	11:31:43 9.9.9.9 linux.com (type 1)
236	11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
237	11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
238	11:31:45 9.9.9.9 www.linux.com (type 1)
239	11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
240	11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
241	11:32:05 9.9.9.9 secure.gravatar.com (type 1)
242	11:32:06 9.9.9.9 secure.gravatar.com (type 1)
243	11:32:08 9.9.9.9 taikai.network (type 1)
244	11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
245	11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
246	11:32:08 9.9.9.9 www.youtube.com (type 1)
247	`````
248
249	### snitrace
250	`````
251	--snitrace[=name\|pid]
252	Monitor Server Name Indication (TLS/SNI). The sandbox can be
253	specified by name or pid. Only networked sandboxes created with
254	--net are supported. This option is only available when running
255	the sandbox as root.
256
257	Without a name/pid, Firejail will monitor the main system net‐
258	work namespace.
259
260	$ sudo firejail --snitrace=browser
261	07:49:51 23.185.0.3 linux.com
262	07:49:51 23.185.0.3 www.linux.com
263	07:50:05 192.0.73.2 secure.gravatar.com
264	07:52:35 172.67.68.93 www.howtoforge.com
265	07:52:37 13.225.103.59 sf.ezoiccdn.com
266	07:52:42 142.250.176.3 www.gstatic.com
267	07:53:03 173.236.250.32 www.linuxlinks.com
268	07:53:05 192.0.77.37 c0.wp.com
269	07:53:08 192.0.78.32 jetpack.wordpress.com
270	07:53:09 192.0.77.32 s0.wp.com
271	07:53:09 192.0.77.2 i0.wp.com
272	07:53:10 192.0.77.2 i0.wp.com
273	07:53:11 192.0.73.2 1.gravatar.com
274	`````
275	### icmptrace
276	`````
277	--icmptrace[=name\|pid]
278	Monitor ICMP traffic. The sandbox can be specified by name or
279	pid. Only networked sandboxes created with --net are supported.
280	This option is only available when running the sandbox as root.
281
282	Without a name/pid, Firejail will monitor the main system net‐
283	work namespace.
284
285	Example
286	$ sudo firejail --icmptrace
287	20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐
288	quest/0
289	20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐
290	ply/0
291	20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐
292	quest/0
293	20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐
294	ply/0
295	20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination un‐
296	reachable/Port unreachable
297	`````
298		185
299	### Profile Statistics	186	### Profile Statistics
300		187
@@ -306,40 +193,33 @@ No include .local found in /etc/firejail/noprofile.profile
306	Warning: multiple caps in /etc/firejail/transmission-daemon.profile	193	Warning: multiple caps in /etc/firejail/transmission-daemon.profile
307		194
308	Stats:	195	Stats:
309	profiles 1205	196	profiles 1209
310	include local profile 1204 (include profile-name.local)	197	include local profile 1208 (include profile-name.local)
311	include globals 1178 (include globals.local)	198	include globals 1181 (include globals.local)
312	blacklist ~/.ssh 1076 (include disable-common.inc)	199	blacklist ~/.ssh 1079 (include disable-common.inc)
313	seccomp 1095	200	seccomp 1096
314	capabilities 1199	201	capabilities 1202
315	noexec 1084 (include disable-exec.inc)	202	noexec 1087 (include disable-exec.inc)
316	noroot 1002	203	noroot 1003
317	memory-deny-write-execute 272	204	memory-deny-write-execute 272
318	restrict-namespaces 962	205	restrict-namespaces 958
319	apparmor 720	206	apparmor 753
320	private-bin 704	207	private-bin 704
321	private-dev 1055	208	private-dev 1058
322	private-etc 546	209	private-etc 550
323	private-lib 71	210	private-lib 71
324	private-tmp 929	211	private-tmp 932
325	whitelist home directory 581	212	whitelist home directory 585
326	whitelist var 867 (include whitelist-var-common.inc)	213	whitelist var 870 (include whitelist-var-common.inc)
327	whitelist run/user 1173 (include whitelist-runuser-common.inc	214	whitelist run/user 1176 (include whitelist-runuser-common.inc
328	or blacklist ${RUNUSER})	215	or blacklist ${RUNUSER})
329	whitelist usr/share 637 (include whitelist-usr-share-common.inc	216	whitelist usr/share 640 (include whitelist-usr-share-common.inc
330	net none 410	217	net none 410
331	dbus-user none 677	218	dbus-user none 679
332	dbus-user filter 137	219	dbus-user filter 141
333	dbus-system none 848	220	dbus-system none 851
334	dbus-system filter 12	221	dbus-system filter 12
335		222
336	```	223	```
337		224
338	### New profiles:
339
340	onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
341	cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp,
342	linuxqq, qq
343
344
345		225