-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
4 files changed, 8 insertions, 2 deletions
@@ -3,6 +3,7 @@ firejail (0.9.65) baseline; urgency=low | |||
3 | * --disable-usertmpfs compile time option | 3 | * --disable-usertmpfs compile time option |
4 | * allow AF_BLUETOOTH via --protocol=bluetooth | 4 | * allow AF_BLUETOOTH via --protocol=bluetooth |
5 | * Setup guide for new users: contrib/firejail-welcome.sh | 5 | * Setup guide for new users: contrib/firejail-welcome.sh |
6 | * implement netns in profiles | ||
6 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer | 7 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer |
7 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer | 8 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer |
8 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo | 9 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo |
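--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -35,7 +35,7 @@ Definition of groups
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
-@default-keep=execve,prctl
+@default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
 @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget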
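Review bot: The @default-keep update on line 38 is consistent with the man page change in this commit, but the adjacent @default line in the same hunk still carries the fused token `set_mempolicyvmsplice`, which looks like a missing comma between `set_mempolicy` and `vmsplice`. If this template is consumed as a comma-separated list rather than serving as documentation only, that token names no real syscall, so neither set_mempolicy nor vmsplice would be covered by @default; if it is documentation only, it still misleads anyone copying the group into a profile. Since the file is already being touched, I would fix it in the same commit: `...remap_file_pages,set_mempolicy,vmsplice,userfaultfd,...`. Whether this template is parsed or generated from another source is not visible here, so please confirm which copy is authoritative before editing.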
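--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -862,6 +862,11 @@ the parent interface specified by --net is not configured. An IP address and
 a default gateway address also have to be added.
 
 .TP
+\fBnetns namespace
+Run the program in a named, persistent network namespace. These can
+be created and configured using "ip netns".
+
+.TP
 \fBveth-name name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.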
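--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2273,7 +2273,7 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
-The system calls needed by Firejail (group @default-keep: prctl, execve)
+The system calls needed by Firejail (group @default-keep: prctl, execve, execveat)
 are handled with the preload library. On a 64 bit architecture, an
 additional filter for 32 bit system calls can be installed with
 \-\-seccomp.32.keep.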