1 files changed, 63 insertions, 0 deletions
diff --git a/README.md b/README.md
index 255384e2e..ba8ae77ac 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,69 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.51
+## Whitelisting /var
+Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
+send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
+## Profile build  tool
+`````
+$ firejail --build appname
+`````
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+Example:
+`````
+$ firejail --build vlc ~/Videos/test.mp4
+[...]
+############################################
+# vlc profile
+############################################
+# Persistent global definitions
+# include /etc/firejail/globals.local
+### basic blacklisting
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+# include /etc/firejail/disable-programs.inc
+### home directory whitelisting
+whitelist ~/Videos
+whitelist ~/.local/share/vlc
+whitelist ~/.config/vlc
+include /etc/firejail/whitelist-common.inc
+### filesystem
+private-tmp
+private-dev
+private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
+whitelist /var/lib/menu-xdg
+### security filters
+caps.drop all
+nonewprivs
+seccomp
+# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
+# 82 syscalls total
+# Probably you will need to add more syscalls to seccomp.keep. Look for
+# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
+# running your sandbox.
+### network
+protocol unix,netlink,
+net none
+### environment
+shell none
+$
+`````
 ## New command line options
 `````
      --writable-run-user

diff --git a/README.md b/README.md index 255384e2e..ba8ae77ac 100644 --- a/README.md +++ b/README.md
@@ -98,6 +98,69 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
98	`````	98	`````
99	# Current development version: 0.9.51	99	# Current development version: 0.9.51
100		100
		101	## Whitelisting /var
		102
		103	Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
		104	send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
		105
		106	## Profile build tool
		107	`````
		108	$ firejail --build appname
		109	`````
		110	The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
		111	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
		112	with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
		113	in order to allow strace to run. Chromium and Chromium-based browsers will not work.
		114
		115	Example:
		116	`````
		117	$ firejail --build vlc ~/Videos/test.mp4
		118
		119	[...]
		120
		121	############################################
		122	# vlc profile
		123	############################################
		124	# Persistent global definitions
		125	# include /etc/firejail/globals.local
		126
		127	### basic blacklisting
		128	include /etc/firejail/disable-common.inc
		129	# include /etc/firejail/disable-devel.inc
		130	include /etc/firejail/disable-passwdmgr.inc
		131	# include /etc/firejail/disable-programs.inc
		132
		133	### home directory whitelisting
		134	whitelist ~/Videos
		135	whitelist ~/.local/share/vlc
		136	whitelist ~/.config/vlc
		137	include /etc/firejail/whitelist-common.inc
		138
		139	### filesystem
		140	private-tmp
		141	private-dev
		142	private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
		143	whitelist /var/lib/menu-xdg
		144
		145	### security filters
		146	caps.drop all
		147	nonewprivs
		148	seccomp
		149	# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
		150	# 82 syscalls total
		151	# Probably you will need to add more syscalls to seccomp.keep. Look for
		152	# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
		153	# running your sandbox.
		154
		155	### network
		156	protocol unix,netlink,
		157	net none
		158
		159	### environment
		160	shell none
		161	$
		162	`````
		163
101	## New command line options	164	## New command line options
102	`````	165	`````
103	--writable-run-user	166	--writable-run-user