-rw-r--r-- | README.md | 258 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 |
3 files changed, 11 insertions, 267 deletions
@@ -34,260 +34,4 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
34 | ````` | 34 | ````` |
35 | 35 | ||
36 | ````` | 36 | ````` |
37 | # Current development version: 0.9.40~rc2 | 37 | # Current development version: 0.9.41 |
38 | Version 0.9.40-rc1 released! | ||
39 | |||
40 | ## X11 sandboxing support | ||
41 | |||
42 | X11 support is built around Xpra (http://xpra.org/) or Xephyr. | ||
43 | ````` | ||
44 | --x11 Start a new X11 server using Xpra or Xephyr and attach the sand‐ | ||
45 | box to this server. The regular X11 server (display 0) is not | ||
46 | visible in the sandbox. This prevents screenshot and keylogger | ||
47 | applications started in the sandbox from accessing other X11 | ||
48 | displays. A network namespace needs to be instantiated in order | ||
49 | to deny access to X11 abstract Unix domain socket. | ||
50 | |||
51 | Firejail will try first Xpra, and if Xpra is not installed on | ||
52 | the system, it will try to find Xephyr. This feature is not | ||
53 | available when running as root. | ||
54 | |||
55 | Example: | ||
56 | $ firejail --x11 --net=eth0 firefox | ||
57 | |||
58 | --x11=xpra | ||
59 | Start a new X11 server using Xpra (http://xpra.org) and attach | ||
60 | the sandbox to this server. Xpra is a persistent remote display | ||
61 | server and client for forwarding X11 applications and desktop | ||
62 | screens. On Debian platforms Xpra is installed with the command | ||
63 | sudo apt-get install xpra. This feature is not available when | ||
64 | running as root. | ||
65 | |||
66 | Example: | ||
67 | $ firejail --x11 --net=eth0 firefox | ||
68 | |||
69 | --x11=xephyr | ||
70 | Start a new X11 server using Xephyr and attach the sandbox to | ||
71 | this server. Xephyr is a display server implementing the X11 | ||
72 | display server protocol. It runs in a window just like other X | ||
73 | applications, but it is an X server itself in which you can run | ||
74 | other software. The default Xephyr window size is 800x600. This | ||
75 | can be modified in /etc/firejail/firejail.config file, see man 5 | ||
76 | firejail-config for more details. | ||
77 | |||
78 | The recommended way to use this feature is to run a window man‐ | ||
79 | ager inside the sandbox. A security profile for OpenBox is pro‐ | ||
80 | vided. On Debian platforms Xephyr is installed with the command | ||
81 | sudo apt-get install xserver-xephyr. This feature is not avail‐ | ||
82 | able when running as root. | ||
83 | |||
84 | Example: | ||
85 | $ firejail --x11 --net=eth0 openbox | ||
86 | ````` | ||
87 | More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ | ||
88 | |||
89 | ## File transfers | ||
90 | ````` | ||
91 | FILE TRANSFER | ||
92 | These features allow the user to inspect the filesystem container of an | ||
93 | existing sandbox and transfer files from the container to the host | ||
94 | filesystem. | ||
95 | |||
96 | --get=name filename | ||
97 | Retrieve the container file and store it on the host in the cur‐ | ||
98 | rent working directory. The container is specified by name | ||
99 | (--name option). Full path is needed for filename. | ||
100 | |||
101 | --get=pid filename | ||
102 | Retrieve the container file and store it on the host in the cur‐ | ||
103 | rent working directory. The container is specified by process | ||
104 | ID. Full path is needed for filename. | ||
105 | |||
106 | --ls=name dir_or_filename | ||
107 | List container files. The container is specified by name | ||
108 | (--name option). Full path is needed for dir_or_filename. | ||
109 | |||
110 | --ls=pid dir_or_filename | ||
111 | List container files. The container is specified by process ID. | ||
112 | Full path is needed for dir_or_filename. | ||
113 | |||
114 | Examples: | ||
115 | |||
116 | $ firejail --name=mybrowser --private firefox | ||
117 | |||
118 | $ firejail --ls=mybrowser ~/Downloads | ||
119 | drwxr-xr-x netblue netblue 4096 . | ||
120 | drwxr-xr-x netblue netblue 4096 .. | ||
121 | -rw-r--r-- netblue netblue 7847 x11-x305.png | ||
122 | -rw-r--r-- netblue netblue 6800 x11-x642.png | ||
123 | -rw-r--r-- netblue netblue 34139 xpra-clipboard.png | ||
124 | |||
125 | $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png | ||
126 | ````` | ||
127 | |||
128 | ## Firecfg | ||
129 | ````` | ||
130 | NAME | ||
131 | Firecfg - Desktop configuration program for Firejail software. | ||
132 | |||
133 | SYNOPSIS | ||
134 | firecfg [OPTIONS] | ||
135 | |||
136 | DESCRIPTION | ||
137 | Firecfg is the desktop configuration utility for Firejail software. The | ||
138 | utility creates several symbolic links to firejail executable. This | ||
139 | allows the user to sandbox applications automatically, just by clicking | ||
140 | on a regular desktop menus and icons. | ||
141 | |||
142 | The symbolic links are placed in /usr/local/bin. For more information, | ||
143 | see DESKTOP INTEGRATION section in man 1 firejail. | ||
144 | |||
145 | OPTIONS | ||
146 | --clean | ||
147 | Remove all firejail symbolic links | ||
148 | |||
149 | -?, --help | ||
150 | Print options end exit. | ||
151 | |||
152 | --list List all firejail symbolic links | ||
153 | |||
154 | --version | ||
155 | Print program version and exit. | ||
156 | |||
157 | Example: | ||
158 | |||
159 | $ sudo firecfg | ||
160 | /usr/local/bin/firefox created | ||
161 | /usr/local/bin/vlc created | ||
162 | [...] | ||
163 | $ firecfg --list | ||
164 | /usr/local/bin/firefox | ||
165 | /usr/local/bin/vlc | ||
166 | [...] | ||
167 | $ sudo firecfg --clean | ||
168 | /usr/local/bin/firefox removed | ||
169 | /usr/local/bin/vlc removed | ||
170 | [...] | ||
171 | ````` | ||
172 | |||
173 | |||
174 | ## Compile time and run time configuration support | ||
175 | |||
176 | Most Linux kernel security features require root privileges during configuration. | ||
177 | The same is true for kernel networking features. Firejail (SUID binary) opens the | ||
178 | access to these features to regular users. The privilege escalation is restricted | ||
179 | to the sandbox being configured, and is not extended to the rest of the system. | ||
180 | This arrangement works fine for user desktops or servers where the access is already limited. | ||
181 | |||
182 | If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time, | ||
183 | or at run time by editing /etc/firejail/firejail.config file. | ||
184 | |||
185 | The following features can be enabled or disabled: | ||
186 | ````` | ||
187 | bind Enable or disable bind support, default enabled. | ||
188 | |||
189 | chroot Enable or disable chroot support, default enabled. | ||
190 | |||
191 | file-transfer | ||
192 | Enable or disable file transfer support, default enabled. | ||
193 | |||
194 | network | ||
195 | Enable or disable networking features, default enabled. | ||
196 | |||
197 | restricted-network | ||
198 | Enable or disable restricted network support, default disabled. | ||
199 | If enabled, networking features should also be enabled (network | ||
200 | yes). Restricted networking grants access to --interface, | ||
201 | --net=ethXXX and --netfilter only to root user. Regular users | ||
202 | are only allowed --net=none. Default disabled | ||
203 | |||
204 | secomp Enable or disable seccomp support, default enabled. | ||
205 | |||
206 | userns Enable or disable user namespace support, default enabled. | ||
207 | |||
208 | x11 Enable or disable X11 sandboxing support, default enabled. | ||
209 | |||
210 | force-nonewprivs | ||
211 | Force use of theh NO_NEW_PRIVS prctl(2) flag. | ||
212 | This mitigates the possibility of a user abusing firejail's | ||
213 | features to trick a privileged (suid or file capabilities) | ||
214 | process into loading code or configuration that is partially | ||
215 | under their control. Default disabled | ||
216 | |||
217 | xephyr-screen | ||
218 | Screen size for --x11=xephyr, default 800x600. Run | ||
219 | /usr/bin/xrandr for a full list of resolutions available on your | ||
220 | specific setup. Examples: | ||
221 | |||
222 | xephyr-screen 640x480 | ||
223 | xephyr-screen 800x600 | ||
224 | xephyr-screen 1024x768 | ||
225 | xephyr-screen 1280x1024 | ||
226 | ````` | ||
227 | |||
228 | ## Default seccomp filter update | ||
229 | |||
230 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). | ||
231 | |||
232 | ## STUN/WebRTC disabled in default netfilter configuration | ||
233 | |||
234 | The current netfilter configuration (--netfilter option) looks like this: | ||
235 | ````` | ||
236 | *filter | ||
237 | :INPUT DROP [0:0] | ||
238 | :FORWARD DROP [0:0] | ||
239 | :OUTPUT ACCEPT [0:0] | ||
240 | -A INPUT -i lo -j ACCEPT | ||
241 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
242 | # allow ping | ||
243 | -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | ||
244 | -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT | ||
245 | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | ||
246 | # drop STUN (WebRTC) requests | ||
247 | -A OUTPUT -p udp --dport 3478 -j DROP | ||
248 | -A OUTPUT -p udp --dport 3479 -j DROP | ||
249 | -A OUTPUT -p tcp --dport 3478 -j DROP | ||
250 | -A OUTPUT -p tcp --dport 3479 -j DROP | ||
251 | COMMIT | ||
252 | ````` | ||
253 | |||
254 | The filter is loaded by default for Firefox if a network namespace is configured: | ||
255 | ````` | ||
256 | $ firejail --net=eth0 firefox | ||
257 | ````` | ||
258 | |||
259 | ## Set sandbox nice value | ||
260 | ````` | ||
261 | --nice=value | ||
262 | Set nice value for all processes running inside the sandbox. | ||
263 | |||
264 | Example: | ||
265 | $ firejail --nice=-5 firefox | ||
266 | ````` | ||
267 | |||
268 | ## mkdir | ||
269 | |||
270 | ````` | ||
271 | $ man firejail-profile | ||
272 | [...] | ||
273 | mkdir directory | ||
274 | Create a directory in user home. Use this command for | ||
275 | whitelisted directories you need to preserve when the sandbox is | ||
276 | closed. Subdirectories also need to be created using mkdir. | ||
277 | Example from firefox profile: | ||
278 | |||
279 | mkdir ~/.mozilla | ||
280 | whitelist ~/.mozilla | ||
281 | mkdir ~/.cache | ||
282 | mkdir ~/.cache/mozilla | ||
283 | mkdir ~/.cache/mozilla/firefox | ||
284 | whitelist ~/.cache/mozilla/firefox | ||
285 | |||
286 | [...] | ||
287 | ````` | ||
288 | |||
289 | ## New security profiles | ||
290 | lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, | ||
291 | OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, | ||
292 | Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, | ||
293 | cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation, Brave | ||
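Review bot: this hunk deletes roughly 260 lines of user-facing documentation together with the `Version 0.9.40-rc1 released!` line, and the only surviving change is the bump to `# Current development version: 0.9.41`. Among the removed text is the README's only description of the security switches in /etc/firejail/firejail.config (`force-nonewprivs`, `restricted-network`, the per-feature `x11`, `userns`, `chroot` and `seccomp` toggles) and of the default netfilter rules that drop STUN on ports 3478/3479. Before merging, confirm that this material already lives in the man pages the removed text points to (man 1 firejail, man 5 firejail-config, man firejail-profile) or in a release-notes file, so the version bump does not silently lose the explanation of how a user hardens a build. If the intent is to start a fresh development log for 0.9.41, a one-line pointer to where the 0.9.40 notes moved would help readers of the README.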
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.40. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.41. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
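Review bot: `configure` is Autoconf output (`# Generated by GNU Autoconf 2.69 for firejail 0.9.41.`), so this and the following seven hunks should come from regenerating it against the updated configure.ac with the same Autoconf 2.69 rather than from editing the version strings by hand. Every hunk changing only `0.9.40` to `0.9.41` and leaving the Autoconf version line untouched is consistent with a clean regeneration; the check worth doing in review is to run autoreconf on the new configure.ac and confirm the result is byte-identical to the committed file, since a checked-in generated script that drifts from its source is hard to audit later.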
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.40' | 583 | PACKAGE_VERSION='0.9.41' |
584 | PACKAGE_STRING='firejail 0.9.40' | 584 | PACKAGE_STRING='firejail 0.9.41' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then | |||
1246 | # Omit some internal or obsolete options to make the list less imposing. | 1246 | # Omit some internal or obsolete options to make the list less imposing. |
1247 | # This message is too long to be a string in the A/UX 3.1 sh. | 1247 | # This message is too long to be a string in the A/UX 3.1 sh. |
1248 | cat <<_ACEOF | 1248 | cat <<_ACEOF |
1249 | \`configure' configures firejail 0.9.40 to adapt to many kinds of systems. | 1249 | \`configure' configures firejail 0.9.41 to adapt to many kinds of systems. |
1250 | 1250 | ||
1251 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1251 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1252 | 1252 | ||
@@ -1307,7 +1307,7 @@ fi | |||
1307 | 1307 | ||
1308 | if test -n "$ac_init_help"; then | 1308 | if test -n "$ac_init_help"; then |
1309 | case $ac_init_help in | 1309 | case $ac_init_help in |
1310 | short | recursive ) echo "Configuration of firejail 0.9.40:";; | 1310 | short | recursive ) echo "Configuration of firejail 0.9.41:";; |
1311 | esac | 1311 | esac |
1312 | cat <<\_ACEOF | 1312 | cat <<\_ACEOF |
1313 | 1313 | ||
@@ -1403,7 +1403,7 @@ fi | |||
1403 | test -n "$ac_init_help" && exit $ac_status | 1403 | test -n "$ac_init_help" && exit $ac_status |
1404 | if $ac_init_version; then | 1404 | if $ac_init_version; then |
1405 | cat <<\_ACEOF | 1405 | cat <<\_ACEOF |
1406 | firejail configure 0.9.40 | 1406 | firejail configure 0.9.41 |
1407 | generated by GNU Autoconf 2.69 | 1407 | generated by GNU Autoconf 2.69 |
1408 | 1408 | ||
1409 | Copyright (C) 2012 Free Software Foundation, Inc. | 1409 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF | |||
1705 | This file contains any messages produced by compilers while | 1705 | This file contains any messages produced by compilers while |
1706 | running configure, to aid debugging if configure makes a mistake. | 1706 | running configure, to aid debugging if configure makes a mistake. |
1707 | 1707 | ||
1708 | It was created by firejail $as_me 0.9.40, which was | 1708 | It was created by firejail $as_me 0.9.41, which was |
1709 | generated by GNU Autoconf 2.69. Invocation command line was | 1709 | generated by GNU Autoconf 2.69. Invocation command line was |
1710 | 1710 | ||
1711 | $ $0 $@ | 1711 | $ $0 $@ |
@@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4184 | # report actual input values of CONFIG_FILES etc. instead of their | 4184 | # report actual input values of CONFIG_FILES etc. instead of their |
4185 | # values after options handling. | 4185 | # values after options handling. |
4186 | ac_log=" | 4186 | ac_log=" |
4187 | This file was extended by firejail $as_me 0.9.40, which was | 4187 | This file was extended by firejail $as_me 0.9.41, which was |
4188 | generated by GNU Autoconf 2.69. Invocation command line was | 4188 | generated by GNU Autoconf 2.69. Invocation command line was |
4189 | 4189 | ||
4190 | CONFIG_FILES = $CONFIG_FILES | 4190 | CONFIG_FILES = $CONFIG_FILES |
@@ -4238,7 +4238,7 @@ _ACEOF | |||
4238 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4238 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4239 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4239 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4240 | ac_cs_version="\\ | 4240 | ac_cs_version="\\ |
4241 | firejail config.status 0.9.40 | 4241 | firejail config.status 0.9.41 |
4242 | configured by $0, generated by GNU Autoconf 2.69, | 4242 | configured by $0, generated by GNU Autoconf 2.69, |
4243 | with options \\"\$ac_cs_config\\" | 4243 | with options \\"\$ac_cs_config\\" |
4244 | 4244 | ||
diff --git a/configure.ac b/configure.ac index 47048046b..ef6a11af5 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.40, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.41, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
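Review bot: `AC_INIT(firejail, 0.9.41, ...)` gives the development tree the bare release number, while the README in the same commit labels 0.9.41 as the current development version. As a result `PACKAGE_STRING='firejail 0.9.41'` and the `firejail configure 0.9.41` banner on an unreleased build read exactly like the eventual 0.9.41 release, which makes it harder to tell from a bug report or a deployed binary whether a given fix is present. The README previously carried a pre-release marker (`0.9.40~rc2`); consider carrying a comparable suffix in AC_INIT until the release is tagged and dropping it in the release commit.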