author | netblue30 <netblue30@yahoo.com> | 2017-04-26 08:45:52 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-04-26 08:45:52 -0400 |
commit | da9bdbaeadeba6c2271dd39245cb7583d430bf39 (patch) | |
tree | 0b37949c0aa788b9c01159624cb50a5e02dd4d57 /README.md | |
parent | Added noexec for home and tmp, spotify profile. (diff) | |
download | firejail-da9bdbaeadeba6c2271dd39245cb7583d430bf39.tar.gz firejail-da9bdbaeadeba6c2271dd39245cb7583d430bf39.tar.zst firejail-da9bdbaeadeba6c2271dd39245cb7583d430bf39.zip |
PCManFM profile
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 98 |
1 files changed, 59 insertions, 39 deletions
@@ -66,12 +66,69 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
66 | ````` | 66 | ````` |
67 | 67 | ||
68 | ````` | 68 | ````` |
69 | ## Desktop integration | ||
70 | |||
71 | All --fix functionality is done by default in firecfg, --fix option was removed. Clicking on a program | ||
72 | in desktop manager menu should start the program automatically in a sandbox, if a profile | ||
73 | is available in /etc/firejail. We cover about 270 different applications in this moment on all major desktop managers. | ||
74 | |||
75 | Thunar (XFCE) and PCManFM (LXDE) file managers symlinks are installed in /usr/local/bin by firecfg. | ||
76 | File managers are usually started by default at login time, and will be sandboxed. | ||
77 | Clicking on a file in the file manager will start the corresponding program in the same sandbox as the file manager. | ||
78 | For example, clicking on a video file will start a sandboxed VLC running the video. | ||
79 | We support in this moment XFCE and LXDE, MATE will come next, followed by KDE and Gnome. | ||
80 | |||
69 | ## AppImage | 81 | ## AppImage |
70 | 82 | ||
71 | Added AppImage type 2 support, and support for passing command line arguments to appimages. | 83 | Added AppImage type 2 support, and support for passing command line arguments to appimages. |
72 | ````` | 84 | ````` |
73 | 85 | ||
74 | ````` | 86 | ````` |
87 | ## X11 sandboxing support | ||
88 | In this release we add support for Xvfb (X virtual framebuffer), an in-memory X display server. | ||
89 | Xvfb allows the user to run graphical applications without a display (e.g., browser tests on a CI server) | ||
90 | while also having the ability to take screenshots. | ||
91 | |||
92 | |||
93 | --x11=xvfb | ||
94 | Start Xvfb X11 server and attach the sandbox to this server. | ||
95 | Xvfb, short for X virtual framebuffer, performs all graphical | ||
96 | operations in memory without showing any screen output. Xvfb is | ||
97 | mainly used for remote access and software testing on headless | ||
98 | servers. | ||
99 | |||
100 | On Debian platforms Xvfb is installed with the command sudo apt- | ||
101 | get install xvfb. This feature is not available when running as | ||
102 | root. | ||
103 | |||
104 | Example: remote VNC access | ||
105 | |||
106 | On the server we start a sandbox using Xvfb and openbox window | ||
107 | manager. The default size of Xvfb screen is 800x600 - it can be | ||
108 | changed in /etc/firejail/firejail.config (xvfb-screen). Some | ||
109 | sort of networking (--net) is required in order to isolate the | ||
110 | abstract sockets used by other X servers. | ||
111 | |||
112 | $ firejail --net=none --x11=xvfb openbox | ||
113 | |||
114 | *** Attaching to Xvfb display 792 *** | ||
115 | |||
116 | Reading profile /etc/firejail/openbox.profile | ||
117 | Reading profile /etc/firejail/disable-common.inc | ||
118 | Reading profile /etc/firejail/disable-common.local | ||
119 | Parent pid 5400, child pid 5401 | ||
120 | |||
121 | On the server we also start a VNC server and attach it to the | ||
122 | display handled by our Xvfb server (792). | ||
123 | |||
124 | $ x11vnc -display :792 | ||
125 | |||
126 | On the client machine we start a VNC viewer and use it to con‐ | ||
127 | nect to our server: | ||
128 | |||
129 | $ vncviewer | ||
130 | |||
131 | |||
75 | ## New command line options | 132 | ## New command line options |
76 | ````` | 133 | ````` |
77 | --private-opt=file,directory | 134 | --private-opt=file,directory |
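Review bot: the sentence "Some sort of networking (--net) is required in order to isolate the abstract sockets used by other X servers" (new lines 108-110) should state the consequence plainly, since this is the security-relevant part of the example: without a --net option the sandbox stays in the host's network namespace, so the host X server's abstract sockets remain reachable and the Xvfb display adds no isolation; suggest "A network namespace (any --net option, e.g. --net=none as in the example) is required, otherwise the sandbox can still reach the host X server through its abstract sockets." The text moved from the man page also carries hard-wrap damage that will render as broken words in the README: "sudo apt- get install xvfb" (lines 100-101) and "con‐ nect" with a Unicode hyphen (lines 126-127); rejoin them as "sudo apt-get install xvfb" and "connect". Minor wording in the Desktop integration text: "in this moment" (lines 73 and 79) reads better as "at the moment", and "file managers symlinks" (line 75) as "file manager symlinks". Formatting: "## X11 sandboxing support" (line 87) is the only heading with no blank line after it, there are double blank lines at 91-92 and 130-131, and the ````` fences should be checked to still pair up around the two inserted sections, since the Desktop integration section lands between the fence on line 68 and the "## AppImage" heading.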
@@ -145,43 +202,6 @@ Added AppImage type 2 support, and support for passing command line arguments to | |||
145 | 202 | ||
146 | $ firejail --git-uninstall | 203 | $ firejail --git-uninstall |
147 | 204 | ||
148 | --x11=xvfb | ||
149 | Start Xvfb X11 server and attach the sandbox to this server. | ||
150 | Xvfb, short for X virtual framebuffer, performs all graphical | ||
151 | operations in memory without showing any screen output. Xvfb is | ||
152 | mainly used for remote access and software testing on headless | ||
153 | servers. | ||
154 | |||
155 | On Debian platforms Xvfb is installed with the command sudo apt- | ||
156 | get install xvfb. This feature is not available when running as | ||
157 | root. | ||
158 | |||
159 | Example: remote VNC access | ||
160 | |||
161 | On the server we start a sandbox using Xvfb and openbox window | ||
162 | manager. The default size of Xvfb screen is 800x600 - it can be | ||
163 | changed in /etc/firejail/firejail.config (xvfb-screen). Some | ||
164 | sort of networking (--net) is required in order to isolate the | ||
165 | abstract sockets used by other X servers. | ||
166 | |||
167 | $ firejail --net=none --x11=xvfb openbox | ||
168 | |||
169 | *** Attaching to Xvfb display 792 *** | ||
170 | |||
171 | Reading profile /etc/firejail/openbox.profile | ||
172 | Reading profile /etc/firejail/disable-common.inc | ||
173 | Reading profile /etc/firejail/disable-common.local | ||
174 | Parent pid 5400, child pid 5401 | ||
175 | |||
176 | On the server we also start a VNC server and attach it to the | ||
177 | display handled by our Xvfb server (792). | ||
178 | |||
179 | $ x11vnc -display :792 | ||
180 | |||
181 | On the client machine we start a VNC viewer and use it to con‐ | ||
182 | nect to our server: | ||
183 | |||
184 | $ vncviewer | ||
185 | 205 | ||
186 | --nowhitelist=dirname_or_filename | 206 | --nowhitelist=dirname_or_filename |
187 | Disable whitelist for this directory or file. | 207 | Disable whitelist for this directory or file. |
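Review bot: removing the --x11=xvfb entry here (old lines 148-184) leaves the "New command line options" section without any mention of the option even though it is new in this release; suggest keeping a one-line entry such as "--x11=xvfb  See the X11 sandboxing support section above." so the option list stays complete. The removal also leaves two consecutive blank lines (new 204-205) between "$ firejail --git-uninstall" and "--nowhitelist=dirname_or_filename"; drop one of them.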
@@ -196,5 +216,5 @@ simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, | |||
196 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, | 216 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, |
197 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, | 217 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, |
198 | Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file, | 218 | Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file, |
199 | Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, akregator, kcalc, ktorrent, | 219 | Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, |
200 | Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto | 220 | Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM |
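Review bot: while recapitalizing Akregator, KCalc and KTorrent on line 219, the typo "Orage Clendar" on line 220 was left as is; fix it to "Orage Calendar" in the same line. The capitalization change is cosmetic and unrelated to the PCManFM addition, so it is worth a mention in the commit message, which currently only says "PCManFM profile".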