diff options
-rw-r--r-- | Makefile.in | 12 | ||||
-rw-r--r-- | README.md | 37 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 1 | ||||
-rw-r--r-- | src/man/firemon.txt | 1 |
7 files changed, 51 insertions, 4 deletions
diff --git a/Makefile.in b/Makefile.in index 20df3acf9..29d8004f3 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5 | 1 | all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5 firejail-config.5 |
2 | MYLIBS = src/lib | 2 | MYLIBS = src/lib |
3 | APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee | 3 | APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee |
4 | 4 | ||
@@ -33,6 +33,8 @@ firejail-profile.5: src/man/firejail-profile.txt | |||
33 | ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5 | 33 | ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5 |
34 | firejail-login.5: src/man/firejail-login.txt | 34 | firejail-login.5: src/man/firejail-login.txt |
35 | ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5 | 35 | ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5 |
36 | firejail-config.5: src/man/firejail-config.txt | ||
37 | ./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5 | ||
36 | 38 | ||
37 | clean: | 39 | clean: |
38 | for dir in $(APPS); do \ | 40 | for dir in $(APPS); do \ |
@@ -41,7 +43,7 @@ clean: | |||
41 | for dir in $(MYLIBS); do \ | 43 | for dir in $(MYLIBS); do \ |
42 | $(MAKE) -C $$dir clean; \ | 44 | $(MAKE) -C $$dir clean; \ |
43 | done | 45 | done |
44 | rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm | 46 | rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm |
45 | 47 | ||
46 | distclean: clean | 48 | distclean: clean |
47 | for dir in $(APPS); do \ | 49 | for dir in $(APPS); do \ |
@@ -160,13 +162,16 @@ realinstall: | |||
160 | gzip -9n firejail-profile.5 | 162 | gzip -9n firejail-profile.5 |
161 | rm -f firejail-login.5.gz | 163 | rm -f firejail-login.5.gz |
162 | gzip -9n firejail-login.5 | 164 | gzip -9n firejail-login.5 |
165 | rm -f firejail-config.5.gz | ||
166 | gzip -9n firejail-config.5 | ||
163 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 | 167 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 |
164 | install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/. | 168 | install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/. |
165 | install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/. | 169 | install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/. |
166 | install -m 0755 -d $(DESTDIR)/$(mandir)/man5 | 170 | install -m 0755 -d $(DESTDIR)/$(mandir)/man5 |
167 | install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/. | 171 | install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/. |
168 | install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/. | 172 | install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/. |
169 | rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz | 173 | install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/. |
174 | rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz | ||
170 | # bash completion | 175 | # bash completion |
171 | install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions | 176 | install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions |
172 | install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail | 177 | install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail |
@@ -193,6 +198,7 @@ uninstall: | |||
193 | rm -f $(DESTDIR)/$(mandir)/man1/firemon.1* | 198 | rm -f $(DESTDIR)/$(mandir)/man1/firemon.1* |
194 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5* | 199 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5* |
195 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5* | 200 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5* |
201 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5* | ||
196 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail | 202 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail |
197 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon | 203 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon |
198 | 204 | ||
@@ -89,6 +89,43 @@ FILE TRANSFER | |||
89 | $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png | 89 | $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png |
90 | ````` | 90 | ````` |
91 | 91 | ||
92 | ## Compile time and run time configuration support | ||
93 | |||
94 | Most Linux kernel security features require root privileges during configuration. | ||
95 | The same is true for kernel networking features. Firejail (SUID binary) opens the | ||
96 | access to these features to regular users. The privilege escalation is restricted | ||
97 | to the sandbox being configured, and is not extended to the rest of the system. | ||
98 | This arrangement works fine for user desktops or servers where the access is already limited. | ||
99 | |||
100 | If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time, | ||
101 | or at run time by editing /etc/firejail/firejail.config file. | ||
102 | |||
103 | The following features can be enabled or disabled: | ||
104 | ````` | ||
105 | secomp Enable or disable seccomp support, default enabled. | ||
106 | |||
107 | chroot Enable or disable chroot support, default enabled. | ||
108 | |||
109 | bind Enable or disable bind support, default enabled. | ||
110 | |||
111 | network | ||
112 | Enable or disable networking features, default enabled. | ||
113 | |||
114 | restricted-network | ||
115 | Enable or disable restricted network support, default disabled. | ||
116 | If enabled, networking features should also be enabled (network | ||
117 | yes). Restricted networking grants access to --interface and | ||
118 | --net=ethXXX only to root user. Regular users are only allowed | ||
119 | --net=none. | ||
120 | |||
121 | userns Enable or disable user namespace support, default enabled. | ||
122 | |||
123 | x11 Enable or disable X11 sandboxing support, default enabled. | ||
124 | |||
125 | file-transfer | ||
126 | Enable or disable file transfer support, default enabled. | ||
127 | ````` | ||
128 | |||
92 | ## Default seccomp filter update | 129 | ## Default seccomp filter update |
93 | 130 | ||
94 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). | 131 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). |
@@ -7,6 +7,7 @@ firejail (0.9.39) baseline; urgency=low | |||
7 | * added mkdir, ipc-namespace and nosound profile commands | 7 | * added mkdir, ipc-namespace and nosound profile commands |
8 | * --version also prints compile options | 8 | * --version also prints compile options |
9 | * added compile-time option to restrict --net= to root only | 9 | * added compile-time option to restrict --net= to root only |
10 | * run time config support, man firejail-config | ||
10 | * build rpm packages using "make rpms" | 11 | * build rpm packages using "make rpms" |
11 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril | 12 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril |
12 | * new profiles: qutebrowser, SlimJet | 13 | * new profiles: qutebrowser, SlimJet |
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index e5bcf9436..13d045ee4 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -33,6 +33,6 @@ Homepage: http://firejail.wordpress.com | |||
33 | \&\flfirejail\fR\|(1), | 33 | \&\flfirejail\fR\|(1), |
34 | \&\flfiremon\fR\|(1), | 34 | \&\flfiremon\fR\|(1), |
35 | \&\flfirejail-profile\fR\|(5) | 35 | \&\flfirejail-profile\fR\|(5) |
36 | 36 | \&\flfirejail-config\fR\|(5) | |
37 | 37 | ||
38 | 38 | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index c5de79118..82a0d2503 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -352,6 +352,7 @@ Homepage: http://firejail.wordpress.com | |||
352 | \&\flfirejail\fR\|(1), | 352 | \&\flfirejail\fR\|(1), |
353 | \&\flfiremon\fR\|(1), | 353 | \&\flfiremon\fR\|(1), |
354 | \&\flfirejail-login\fR\|(5) | 354 | \&\flfirejail-login\fR\|(5) |
355 | \&\flfirejail-config\fR\|(5) | ||
355 | 356 | ||
356 | 357 | ||
357 | 358 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b72296387..f3c023aba 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1787,6 +1787,7 @@ Homepage: http://firejail.wordpress.com | |||
1787 | \&\flfiremon\fR\|(1), | 1787 | \&\flfiremon\fR\|(1), |
1788 | \&\flfirejail-profile\fR\|(5), | 1788 | \&\flfirejail-profile\fR\|(5), |
1789 | \&\flfirejail-login\fR\|(5) | 1789 | \&\flfirejail-login\fR\|(5) |
1790 | \&\flfirejail-config\fR\|(5) | ||
1790 | 1791 | ||
1791 | 1792 | ||
1792 | 1793 | ||
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 88b2ce59f..78a6dd5ea 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -107,5 +107,6 @@ Homepage: http://firejail.wordpress.com | |||
107 | \&\flfirejail\fR\|(1), | 107 | \&\flfirejail\fR\|(1), |
108 | \&\flfirejail-profile\fR\|(5), | 108 | \&\flfirejail-profile\fR\|(5), |
109 | \&\flfirejail-login\fR\|(5) | 109 | \&\flfirejail-login\fR\|(5) |
110 | \&\flfirejail-config\fR\|(5) | ||
110 | 111 | ||
111 | 112 | ||