-rw-r--r-- | README | 4 | ||||
-rw-r--r-- | README.md | 28 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 |
4 files changed, 20 insertions, 15 deletions
@@ -42,6 +42,8 @@ Committers | |||
42 | 42 | ||
43 | Firejail Authors (alphabetical order) | 43 | Firejail Authors (alphabetical order) |
44 | 44 | ||
45 | Aidan Gauland (https://github.com/aidalgol) | ||
46 | - added electron and riot-web profiles | ||
45 | Akhil Hans Maulloo (https://github.com/kouul) | 47 | Akhil Hans Maulloo (https://github.com/kouul) |
46 | - xz profile | 48 | - xz profile |
47 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) | 49 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) |
@@ -302,6 +304,8 @@ Niklas Haas (https://github.com/haasn) | |||
302 | - blacklisting for keybase.io's client | 304 | - blacklisting for keybase.io's client |
303 | Ondra Nekola (https://github.com/satai) | 305 | Ondra Nekola (https://github.com/satai) |
304 | - allow firefox theming with non-global themes | 306 | - allow firefox theming with non-global themes |
307 | Panzerfather (https://github.com/Panzerfather) | ||
308 | - allow eog to access user's trash | ||
305 | Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) | 309 | Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) |
306 | - user namespace implementation | 310 | - user namespace implementation |
307 | Paupiah Yash (https://github.com/CaffeinatedStud) | 311 | Paupiah Yash (https://github.com/CaffeinatedStud) |
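Review bot: The Panzerfather entry at new lines 307-308 credits "allow eog to access user's trash", but nothing else in this change touches eog; the other hunks only mention electron, riot-web and Riot. Suggest moving this credit into the commit that carries the eog profile change, so the README entry can be traced to the code it describes.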
@@ -13,7 +13,7 @@ such as Mozilla Firefox, Chromium, VLC, Transmission etc. | |||
13 | 13 | ||
14 | The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, | 14 | The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, |
15 | no socket connections open, no daemons running in the background. All security features are | 15 | no socket connections open, no daemons running in the background. All security features are |
16 | implemented directly in Linux kernel and available on any Linux computer. | 16 | implemented directly in Linux kernel and available on any Linux computer. |
17 | 17 | ||
18 | [![About Firejail](video.png)](http://www.youtube.com/watch?v=Yk1HVPOeoTc) | 18 | [![About Firejail](video.png)](http://www.youtube.com/watch?v=Yk1HVPOeoTc) |
19 | 19 | ||
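Review bot: No line in this hunk differs visibly between the old and new columns even though the header `-13,7 +13,7` marks a modification, so the edit looks whitespace-only. The README.md hunks at lines 54, 69 and 116 show the same pattern. Suggest splitting the whitespace cleanup into its own commit so the README.md diff shows only the electron/riot-web addition.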
@@ -54,11 +54,11 @@ $ sudo firejail /etc/init.d/nginx start | |||
54 | Run "firejail --list" in a terminal to list all active sandboxes. Example: | 54 | Run "firejail --list" in a terminal to list all active sandboxes. Example: |
55 | ````` | 55 | ````` |
56 | $ firejail --list | 56 | $ firejail --list |
57 | 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr | 57 | 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr |
58 | 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt | 58 | 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt |
59 | 7779:netblue:/usr/bin/firejail /usr/bin/galculator | 59 | 7779:netblue:/usr/bin/firejail /usr/bin/galculator |
60 | 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4 | 60 | 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4 |
61 | 7916:netblue:firejail --list | 61 | 7916:netblue:firejail --list |
62 | ````` | 62 | ````` |
63 | 63 | ||
64 | ## Desktop integration | 64 | ## Desktop integration |
@@ -69,13 +69,13 @@ $ firecfg --fix-sound | |||
69 | $ sudo firecfg | 69 | $ sudo firecfg |
70 | ````` | 70 | ````` |
71 | 71 | ||
72 | The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. | 72 | The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. |
73 | The second command integrates Firejail into your desktop. You would need to logout and login back to apply | 73 | The second command integrates Firejail into your desktop. You would need to logout and login back to apply |
74 | PulseAudio changes. | 74 | PulseAudio changes. |
75 | 75 | ||
76 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. | 76 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. |
77 | The integration applies to any program supported by default by Firejail. There are about 250 default applications | 77 | The integration applies to any program supported by default by Firejail. There are about 250 default applications |
78 | in current Firejail version, and the number goes up with every new release. | 78 | in current Firejail version, and the number goes up with every new release. |
79 | We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. | 79 | We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. |
80 | 80 | ||
81 | ## Security profiles | 81 | ## Security profiles |
@@ -116,7 +116,7 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
116 | 116 | ||
117 | ## Default seccomp list update | 117 | ## Default seccomp list update |
118 | 118 | ||
119 | The following syscalls have been added: | 119 | The following syscalls have been added: |
120 | afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read, | 120 | afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read, |
121 | pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write, | 121 | pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write, |
122 | security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, | 122 | security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, |
@@ -126,5 +126,5 @@ ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted b | |||
126 | 126 | ||
127 | ## New profiles: | 127 | ## New profiles: |
128 | 128 | ||
129 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, IntelliJ IDEA, Android Studio | 129 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, |
130 | 130 | IntelliJ IDEA, Android Studio, electron, riot-web | |
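Review bot: The new-profiles list at new lines 129-130 now advertises electron and riot-web, but the diffstat for this change lists only README, README.md, RELNOTES and etc/disable-programs.inc, with no profile files. Confirm both profiles are already in the tree before the documentation claims them, and, if desktop integration is intended, that they are listed in firecfg.config.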
@@ -6,7 +6,7 @@ firejail (0.9.49) baseline; urgency=low | |||
6 | * enhancement: default seccomp list update | 6 | * enhancement: default seccomp list update |
7 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, | 7 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, |
8 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, | 8 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, |
9 | * new profiles: Android Studio | 9 | * new profiles: Android Studio, electron, riot-web |
10 | * bugfixes | 10 | * bugfixes |
11 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 | 11 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 |
12 | 12 | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 3c98b8ac3..0a4d4c4cb 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -47,6 +47,7 @@ blacklist ${HOME}/.config/Nylas Mail | |||
47 | blacklist ${HOME}/.config/Qlipper | 47 | blacklist ${HOME}/.config/Qlipper |
48 | blacklist ${HOME}/.config/QuiteRss | 48 | blacklist ${HOME}/.config/QuiteRss |
49 | blacklist ${HOME}/.config/QuiteRssrc | 49 | blacklist ${HOME}/.config/QuiteRssrc |
50 | blacklist ${HOME}/.config/Riot | ||
50 | blacklist ${HOME}/.config/Slack | 51 | blacklist ${HOME}/.config/Slack |
51 | blacklist ${HOME}/.config/Thunar | 52 | blacklist ${HOME}/.config/Thunar |
52 | blacklist ${HOME}/.config/VirtualBox | 53 | blacklist ${HOME}/.config/VirtualBox |
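Review bot: The added `blacklist ${HOME}/.config/Riot` at new line 50 applies to every profile that includes disable-programs.inc, so the riot-web profile needs a matching `noblacklist ${HOME}/.config/Riot` placed before its include, otherwise the application is denied its own configuration directory. That profile is not among the 4 files in this change, so the pairing cannot be checked here; please point to the commit that adds it or include it in this one.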