-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | README.md | 37 | ||||
-rw-r--r-- | RELNOTES | 7 | ||||
-rw-r--r-- | config.sh.in | 8 | ||||
-rw-r--r-- | contrib/vim/syntax/firejail.vim | 2 | ||||
-rw-r--r-- | etc/profile-m-z/neomutt.profile | 20 | ||||
-rw-r--r-- | etc/profile-m-z/vmware.profile | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 11 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/man/firecfg.txt | 1 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 7 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 20 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 3 |
19 files changed, 110 insertions, 33 deletions
@@ -179,8 +179,8 @@ uninstall: config.mk | |||
179 | rm -f $(DESTDIR)$(bindir)/firejail | 179 | rm -f $(DESTDIR)$(bindir)/firejail |
180 | rm -f $(DESTDIR)$(bindir)/firemon | 180 | rm -f $(DESTDIR)$(bindir)/firemon |
181 | rm -f $(DESTDIR)$(bindir)/firecfg | 181 | rm -f $(DESTDIR)$(bindir)/firecfg |
182 | rm -f $(DESTDIR)$(bindir)/jailcheck | ||
182 | rm -fr $(DESTDIR)$(libdir)/firejail | 183 | rm -fr $(DESTDIR)$(libdir)/firejail |
183 | rm -fr $(DESTDIR)$(libdir)/jailcheck | ||
184 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail | 184 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail |
185 | for man in $(MANPAGES); do \ | 185 | for man in $(MANPAGES); do \ |
186 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ | 186 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ |
@@ -189,6 +189,9 @@ uninstall: config.mk | |||
189 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 189 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
190 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 190 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
191 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 191 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
192 | rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail | ||
193 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim | ||
194 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim | ||
192 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." | 195 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." |
193 | 196 | ||
194 | DISTFILES = \ | 197 | DISTFILES = \ |
@@ -182,6 +182,8 @@ avoidr (https://github.com/avoidr) | |||
182 | - added mcabber profile | 182 | - added mcabber profile |
183 | - fixed mpv profile | 183 | - fixed mpv profile |
184 | - various other fixes | 184 | - various other fixes |
185 | Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | ||
186 | - add support for custom AppArmor profiles (--apparmor=) | ||
185 | backspac (https://github.com/backspac) | 187 | backspac (https://github.com/backspac) |
186 | - firecfg fixes | 188 | - firecfg fixes |
187 | - add steam-runtime alias | 189 | - add steam-runtime alias |
@@ -182,6 +182,43 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
182 | 182 | ||
183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
184 | 184 | ||
185 | ### Restrict namespaces | ||
186 | |||
187 | ````` | ||
188 | --restrict-namespaces | ||
189 | Install a seccomp filter that blocks attempts to create new | ||
190 | cgroup, ipc, net, mount, pid, time, user or uts namespaces. | ||
191 | |||
192 | Example: | ||
193 | $ firejail --restrict-namespaces | ||
194 | |||
195 | --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts | ||
196 | Install a seccomp filter that blocks attempts to create any of | ||
197 | the specified namespaces. The filter examines the arguments of | ||
198 | clone, unshare and setns system calls and returns error EPERM to | ||
199 | the process (or kills it or logs the attempt, see --seccomp-er‐ | ||
200 | ror-action below) if necessary. Note that the filter is not able | ||
201 | to examine the arguments of clone3 system calls, and always re‐ | ||
202 | sponds to these calls with error ENOSYS. | ||
203 | |||
204 | Example: | ||
205 | $ firejail --restrict-namespaces=user,net | ||
206 | ````` | ||
207 | |||
208 | #### Support for custom AppArmor profiles | ||
209 | |||
210 | ````` | ||
211 | --apparmor | ||
212 | Enable AppArmor confinement with the "firejail-default" AppArmor | ||
213 | profile. For more information, please see APPARMOR section be‐ | ||
214 | low. | ||
215 | |||
216 | --apparmor=profile_name | ||
217 | Enable AppArmor confinement with a custom AppArmor profile. | ||
218 | Note that profile in question must already be loaded into the | ||
219 | kernel. For more information, please see APPARMOR section be‐ | ||
220 | ````` | ||
221 | |||
185 | ### Profile Statistics | 222 | ### Profile Statistics |
186 | 223 | ||
187 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 224 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
@@ -1,7 +1,10 @@ | |||
1 | firejail (0.9.71) baseline; urgency=low | 1 | firejail (0.9.71) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * feat: On failing to remount a fuse filesystem, give warning instead of | 3 | * feature: restrict namespaces (--restrict-namespaces) inplemented as |
4 | * erroring out (#5240 #5242) | 4 | a seccomp filter for both 64 and 32 bit architectures |
5 | * feature: On failing to remount a fuse filesystem, give warning instead of | ||
6 | erroring out (#5240 #5242) | ||
7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274) | ||
5 | * build: deduplicate configure-time vars into new config files (#5140) | 8 | * build: deduplicate configure-time vars into new config files (#5140) |
6 | * build: fix file mode of shell scripts (644 -> 755) (#5206) | 9 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
7 | * build: reduce autoconf input files from 32 to 2 (#5219) | 10 | * build: reduce autoconf input files from 32 to 2 (#5219) |
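--- a/config.sh.in
+++ b/config.sh.in
@@ -1,3 +1,7 @@
 # @configure_input@
-NAME=@PACKAGE_NAME@
-VERSION=@PACKAGE_VERSION@
+#
+# shellcheck shell=sh
+# shellcheck disable=SC2034
+
+NAME="@PACKAGE_NAME@"
+VERSION="@PACKAGE_VERSION@"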
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 9099a0808..0c8ebdbd8 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -52,7 +52,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES | |||
52 | 52 | ||
53 | " Commands grabbed from: src/firejail/profile.c | 53 | " Commands grabbed from: src/firejail/profile.c |
54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | 54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) |
55 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | 55 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | 56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below |
57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | 57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | 58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
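--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -50,31 +50,11 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
-mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.config/neomutt
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.neomutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
-mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
-mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
-mkfile ${HOME}/.neomuttrc
-mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail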
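--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none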
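--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
+extern char *apparmor_profile; // apparmor profile
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension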
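--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
+char *apparmor_profile = NULL; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) {
 // filtering
 //*************************************
 #ifdef HAVE_APPARMOR
-else if (strcmp(argv[i], "--apparmor") == 0)
+else if (strcmp(argv[i], "--apparmor") == 0) {
 arg_apparmor = 1;
+apparmor_profile = "firejail-default";
+}
+else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
+arg_apparmor = 1;
+apparmor_profile = argv[i] + 11;
+}
 #endif
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {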
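Review bot: `--apparmor=` with nothing after the equals sign is accepted by the new branch, because `apparmor_profile = argv[i] + 11;` stores whatever follows without a check, and that empty string is later passed to the AppArmor call in sandbox.c. In a SUID binary the option that selects the confinement profile should be rejected at parse time when it is empty, for example `if (argv[i][11] == '\0') { fprintf(stderr, "Error: invalid AppArmor profile name\n"); exit(1); }`. The global now holds a string literal, a pointer into argv, or (in profile.c) a strdup() result, so declaring it `const char *apparmor_profile` in main.c and firejail.h would document that nothing may write through it or free it. main() starts and ends outside the hunk.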
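--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 if (strcmp(ptr, "apparmor") == 0) {
 #ifdef HAVE_APPARMOR
 arg_apparmor = 1;
+apparmor_profile = "firejail-default";
+#endif
+return 0;
+}
+
+if (strncmp(ptr, "apparmor ", 9) == 0) {
+#ifdef HAVE_APPARMOR
+arg_apparmor = 1;
+apparmor_profile = strdup(ptr + 9);
+if (!apparmor_profile)
+errExit("strdup");
 #endif
 return 0;
 }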
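Review bot: The profile name taken by `strdup(ptr + 9)` in the new `apparmor profile_name` branch is copied verbatim, with no check that it is non-empty. Whether the caller has already trimmed the line is not visible here, so a guard that reports the offending line would be safer: `if (ptr[9] == '\0') { fprintf(stderr, "Error: line %d in %s: missing AppArmor profile name\n", lineno, fname); exit(1); }`. On a build without HAVE_APPARMOR the branch returns 0 and the directive is dropped silently, so a profile that asks for a specific custom confinement loads without any hint that it was not applied; an `#else` arm calling `fwarning()` would make that visible. profile_check_line starts and ends outside the hunk.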
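--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,7 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 EUID_ASSERT();
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-if (aa_change_onexec("firejail-default")) {
+if (aa_stack_onexec(apparmor_profile)) {
 fwarning("Cannot confine the application using AppArmor.\n"
 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 "As root, run \"aa-enforce firejail-default\" to load it.\n");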
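Review bot: The warning after the changed call still names only `firejail-default`, so when a custom profile in `apparmor_profile` cannot be attached the user is told to run `aa-enforce firejail-default` and never learns which profile was refused. Printing the name fixes the diagnosis, e.g. `fwarning("Cannot confine the application using AppArmor profile %s.\n", apparmor_profile);`. As far as the hunk shows, the failure is only a warning, so a sandbox started with an explicitly requested custom profile would carry on without AppArmor confinement; exiting in that case looks safer than continuing. The switch from `aa_change_onexec` to `aa_stack_onexec` also changes the default `--apparmor` path, and stacking presumably needs kernel and libapparmor support that the old call did not, which is worth recording in RELNOTES. set_apparmor's body continues outside the hunk.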
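--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,7 +30,9 @@ static char *usage_str =
 " -- - signal the end of options and disables further option processing.\n"
 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
 " --allusers - all user home directories are visible inside the sandbox.\n"
-" --apparmor - enable AppArmor confinement.\n"
+" --apparmor - enable AppArmor confinement with the default profile.\n"
+" --apparmor=profile_name - enable AppArmor confinement with a\n"
+"\tcustom profile.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
 " --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK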
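--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -146,3 +146,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :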
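--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -40,3 +40,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :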
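--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
-Enable AppArmor confinement.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+.TP
+\fBapparmor profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that the profile in question must already be loaded into the kernel.
 #endif
 .TP
 \fBcaps
@@ -1031,3 +1035,4 @@ Homepage: https://firejail.wordpress.com
 
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
+.\" vim: set filetype=groff :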
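--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -60,3 +60,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :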
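--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
 .PP
 Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
 are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
 #ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.
@@ -3611,3 +3628,4 @@ Homepage: https://firejail.wordpress.com
 .UE ,
 .UR https://github.com/netblue30/firejail
 .UE
+.\" vim: set filetype=groff :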
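--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -171,7 +171,8 @@ _firejail_args=(
 '--writable-var-log[use the real /var/log directory, not a clone]'
 
 #ifdef HAVE_APPARMOR
-'--apparmor[enable AppArmor confinement]'
+'--apparmor[enable AppArmor confinement with the default profile]'
+'--apparmor=-[enable AppArmor confinement with a custom profile]: :'
 '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif
 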