-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | README.md | 37 | ||||
-rw-r--r-- | RELNOTES | 10 |
3 files changed, 45 insertions, 4 deletions
@@ -182,6 +182,8 @@ avoidr (https://github.com/avoidr) | |||
182 | - added mcabber profile | 182 | - added mcabber profile |
183 | - fixed mpv profile | 183 | - fixed mpv profile |
184 | - various other fixes | 184 | - various other fixes |
185 | Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | ||
186 | - add support for custom AppArmor profiles (--apparmor=) | ||
185 | backspac (https://github.com/backspac) | 187 | backspac (https://github.com/backspac) |
186 | - firecfg fixes | 188 | - firecfg fixes |
187 | - add steam-runtime alias | 189 | - add steam-runtime alias |
@@ -182,6 +182,43 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
182 | 182 | ||
183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
184 | 184 | ||
185 | ### Restrict namespaces | ||
186 | |||
187 | ````` | ||
188 | --restrict-namespaces | ||
189 | Install a seccomp filter that blocks attempts to create new | ||
190 | cgroup, ipc, net, mount, pid, time, user or uts namespaces. | ||
191 | |||
192 | Example: | ||
193 | $ firejail --restrict-namespaces | ||
194 | |||
195 | --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts | ||
196 | Install a seccomp filter that blocks attempts to create any of | ||
197 | the specified namespaces. The filter examines the arguments of | ||
198 | clone, unshare and setns system calls and returns error EPERM to | ||
199 | the process (or kills it or logs the attempt, see --seccomp-er‐ | ||
200 | ror-action below) if necessary. Note that the filter is not able | ||
201 | to examine the arguments of clone3 system calls, and always re‐ | ||
202 | sponds to these calls with error ENOSYS. | ||
203 | |||
204 | Example: | ||
205 | $ firejail --restrict-namespaces=user,net | ||
206 | ````` | ||
207 | |||
208 | #### Support for custom AppArmor profiles | ||
209 | |||
210 | ````` | ||
211 | --apparmor | ||
212 | Enable AppArmor confinement with the "firejail-default" AppArmor | ||
213 | profile. For more information, please see APPARMOR section be‐ | ||
214 | low. | ||
215 | |||
216 | --apparmor=profile_name | ||
217 | Enable AppArmor confinement with a custom AppArmor profile. | ||
218 | Note that profile in question must already be loaded into the | ||
219 | kernel. For more information, please see APPARMOR section be‐ | ||
220 | ````` | ||
221 | |||
185 | ### Profile Statistics | 222 | ### Profile Statistics |
186 | 223 | ||
187 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 224 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
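Review bot: The `--apparmor=profile_name` description is cut off. New line 219 ends with "please see APPARMOR section be‐" and the closing fence follows on line 220, so the "low." that completes the sentence (present in the `--apparmor` entry at line 214) is missing; restore that last line before the fence. Two smaller points in the same block: the pasted man output keeps its end-of-line hyphenation, so `--seccomp-er‐ror-action` on lines 199-200 cannot be copied or searched as an option name, and "Support for custom AppArmor profiles" is a `####` heading while "Restrict namespaces" and "Profile Statistics" use `###`, which nests the AppArmor section under the namespaces one.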
@@ -1,13 +1,15 @@ | |||
1 | firejail (0.9.71) baseline; urgency=low | 1 | firejail (0.9.71) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * feat: On failing to remount a fuse filesystem, give warning instead of | 3 | * feature: restrict namespaces (--restrict-namespaces) inplemented as |
4 | * erroring out (#5240 #5242) | 4 | a seccomp filter for both 64 and 32 bit architectures |
5 | * build: deduplicate configure-time vars into new config files (#5140 #5284) | 5 | * feature: On failing to remount a fuse filesystem, give warning instead of |
6 | erroring out (#5240 #5242) | ||
7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274) | ||
8 | * build: deduplicate configure-time vars into new config files (#5140) | ||
6 | * build: fix file mode of shell scripts (644 -> 755) (#5206) | 9 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
7 | * build: reduce autoconf input files from 32 to 2 (#5219) | 10 | * build: reduce autoconf input files from 32 to 2 (#5219) |
8 | * build: add dist build directory to .gitignore (#5248) | 11 | * build: add dist build directory to .gitignore (#5248) |
9 | * build: add autoconf auto-generation comment to input files (#5251) | 12 | * build: add autoconf auto-generation comment to input files (#5251) |
10 | * build: Add files make uninstall forgot to remove (#5283) | ||
11 | * ci: ignore git-related paths and the project license (#5249) | 13 | * ci: ignore git-related paths and the project license (#5249) |
12 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | 14 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 |
13 | 15 | ||
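Review bot: Two existing release notes are lost on the right-hand side. "build: Add files make uninstall forgot to remove (#5283)" (old line 10) has no counterpart, and the deduplicate entry goes from "(#5140 #5284)" to "(#5140)". Neither change relates to namespaces or AppArmor, so this looks unintended; please keep both entries. In addition, "inplemented" on new line 3 should read "implemented", and the change of the fuse entry's prefix from "feat:" to "feature:" should be confirmed as intentional.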