-rw-r--r-- | README.md | 26 |
1 files changed, 20 insertions, 6 deletions
@@ -63,7 +63,7 @@ I intend to bring in all files and directories used by Firefox addons and plugin | |||
63 | and [Vimperator](https://addons.mozilla.org/en-US/firefox/addon/vimperator/) | 63 | and [Vimperator](https://addons.mozilla.org/en-US/firefox/addon/vimperator/) |
64 | If you're using a anything else, please let me know. | 64 | If you're using a anything else, please let me know. |
65 | 65 | ||
66 | ### Whitelisting in default Cromium profile | 66 | ### Whitelisting in default Chromium profile |
67 | 67 | ||
68 | ![Whitelisted home directory](chromium-whitelist.png?raw=true) | 68 | ![Whitelisted home directory](chromium-whitelist.png?raw=true) |
69 | 69 | ||
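Review bot: the context line at README line 64 still reads "If you're using a anything else", so the heading fix from "Cromium" to "Chromium" leaves another typo two lines above it. Suggest correcting it in the same commit to "If you're using anything else, please let me know."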
@@ -76,15 +76,29 @@ $ firejail --ignore=seccomp wine | |||
76 | 76 | ||
77 | ### --protocol option | 77 | ### --protocol option |
78 | 78 | ||
79 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | 79 | Enable protocol filter. It is based on seccomp and it filters the first argument to socket system call. |
80 | Recognized values: unix, inet, inet6, netlink and packet. Example: | 80 | If the value is not recognized, seccomp will kill the process. |
81 | Recognized values: unix, inet, inet6, netlink and packet. | ||
82 | |||
83 | "unix" describes the regular Unix socket connections, | ||
84 | and "inet" and "inet6" are the regular IPv4 and IPv6 traffic. Most GUI applications need "unix,inet,inet6". "netlink" is the protocol | ||
85 | used to talk to Linux kernel. You'll only need this for applications such as [iproute2](http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2) for | ||
86 | system administration, and "packet" is used by sniffers to talk directly with the Ethernet layer. | ||
87 | |||
88 | Example: | ||
81 | ````` | 89 | ````` |
82 | $ firejail --protocol=unix,inet,inet6 firefox | 90 | $ firejail --protocol=unix,inet,inet6 |
83 | ````` | 91 | ````` |
84 | 92 | ||
85 | ### New security profiles | 93 | Protocol filter is enabled in all default security profiles for GUI applications ("protocol unix,inet,inet6"). |
86 | 94 | ||
87 | Steam, Skype, Wine | 95 | ### Dual i386/amd64 seccomp filter |
96 | |||
97 | --seccomp option now installs a dual i386/amd64 default filter. | ||
98 | 32bit applications, such as Skype, running on regular 64bit computers, are protected by i386 seccomp filter. | ||
99 | |||
100 | ### New security profiles | ||
88 | 101 | ||
102 | Steam, Skype, Wine. The dual seccomp filter is enabled by default for these applications. | ||
89 | 103 | ||
90 | 104 | ||
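Review bot: the example at new line 90 drops the program argument, changing "$ firejail --protocol=unix,inet,inet6 firefox" to "$ firejail --protocol=unix,inet,inet6", so it no longer shows what is being sandboxed; unless that is intentional, keep "firefox" on the command line. At new line 80, "If the value is not recognized, seccomp will kill the process" can be read either as an unrecognized name passed to --protocol or as a socket call whose first argument is not in the allowed list; please say which is meant, since a reader choosing a protocol list needs to know that the failure mode is the process being killed and when it happens. The sentence at new lines 85-86 also runs the "netlink" and "packet" descriptions together; splitting it so that "packet" starts its own sentence would read better.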