1 files changed, 8 insertions, 237 deletions
diff --git a/README.md b/README.md
index 7f6f573b4..ad90639e2 100644
--- a/README.md
+++ b/README.md
@@ -31,255 +31,26 @@ Features: https://firejail.wordpress.com/features-3/
 Documentation: https://firejail.wordpress.com/documentation-2/
 FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
-`````
 `````
-# Current development version: 0.9.40-rc2
-Version 0.9.40-rc1 released!
-## X11 sandboxing support
-X11 support is built around Xpra (http://xpra.org/) or Xephyr.
 `````
-       --x11  Start a new X11 server using Xpra or Xephyr and attach the sand‐
+## User submitted profile repositories
-              box to this server.  The regular X11 server (display 0)  is  not
-              visible  in  the sandbox. This prevents screenshot and keylogger
-              applications started in the sandbox  from  accessing  other  X11
-              displays.  A network namespace needs to be instantiated in order
-              to deny access to X11 abstract Unix domain socket.
-              Firejail will try first Xpra, and if Xpra is  not  installed  on
-              the  system,  it  will  try to find Xephyr.  This feature is not
-              available when running as root.
-              Example:
-              $ firejail --x11 --net=eth0 firefox
-       --x11=xpra
-              Start a new X11 server using Xpra (http://xpra.org)  and  attach
-              the sandbox to this server.  Xpra is a persistent remote display
-              server and client for forwarding X11  applications  and  desktop
-              screens.  On Debian platforms Xpra is installed with the command
-              sudo apt-get install xpra.  This feature is not  available  when
-              running as root.
-              Example:
-              $ firejail --x11 --net=eth0 firefox
-       --x11=xephyr
-              Start  a  new  X11 server using Xephyr and attach the sandbox to
-              this server.  Xephyr is a display server  implementing  the  X11
-              display  server protocol.  It runs in a window just like other X
-              applications, but it is an X server itself in which you can  run
-              other software.  The default Xephyr window size is 800x600. This
-              can be modified in /etc/firejail/firejail.config file, see man 5
-              firejail-config for more details.
-              The  recommended way to use this feature is to run a window man‐
-              ager inside the sandbox.  A security profile for OpenBox is pro‐
-              vided.  On Debian platforms Xephyr is installed with the command
-              sudo apt-get install xserver-xephyr.  This feature is not avail‐
-              able when running as root.
-              Example:
-              $ firejail --x11 --net=eth0 openbox
-`````
-More information here: https://firejail.wordpress.com/documentation-2/x11-guide/
-## File transfers
-`````
-FILE TRANSFER
-       These features allow the user to inspect the filesystem container of an
-       existing sandbox and transfer files from  the  container  to  the  host
-       filesystem.
-       --get=name filename
-              Retrieve the container file and store it on the host in the cur‐
-              rent working directory.  The  container  is  specified  by  name
-              (--name option). Full path is needed for filename.
-       --get=pid filename
-              Retrieve the container file and store it on the host in the cur‐
-              rent working directory.  The container is specified  by  process
-              ID. Full path is needed for filename.
-       --ls=name dir_or_filename
-              List  container  files.   The  container  is  specified  by name
-              (--name option).  Full path is needed for dir_or_filename.
-       --ls=pid dir_or_filename
+If you keep your Firejail profiles in a public repository, please give us a link:
-              List container files.  The container is specified by process ID.
-              Full path is needed for dir_or_filename.
-       Examples:
+* https://github.com/chiraag-nataraj/firejail-profiles
-              $ firejail --name=mybrowser --private firefox
+* https://github.com/triceratops1/fe
-              $ firejail --ls=mybrowser ~/Downloads
+Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825
-              drwxr-xr-x netblue  netblue         4096 .
-              drwxr-xr-x netblue  netblue         4096 ..
-              -rw-r--r-- netblue  netblue         7847 x11-x305.png
-              -rw-r--r-- netblue  netblue         6800 x11-x642.png
-              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
-              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
 `````
-## Firecfg
 `````
-NAME
+# Current development version: 0.9.45
-       Firecfg - Desktop configuration program for Firejail software.
-SYNOPSIS
-       firecfg [OPTIONS]
-DESCRIPTION
-       Firecfg is the desktop configuration utility for Firejail software. The
-       utility creates several symbolic links  to  firejail  executable.  This
-       allows the user to sandbox applications automatically, just by clicking
-       on a regular desktop menus and icons.
-       The symbolic links are placed in /usr/local/bin. For more  information,
-       see DESKTOP INTEGRATION section in man 1 firejail.
-OPTIONS
-       --clear
-              Clear all firejail symbolic links
-       -?, --help
-              Print options end exit.
-       --list List all firejail symbolic links
-       --version
-              Print program version and exit.
-       Example:
-       $ sudo firecfg
-       /usr/local/bin/firefox created
-       /usr/local/bin/vlc created
-       [...]
-       $ firecfg --list
-       /usr/local/bin/firefox
-       /usr/local/bin/vlc
-       [...]
-       $ sudo firecfg --clear
-       /usr/local/bin/firefox removed
-       /usr/local/bin/vlc removed
-       [...]
 `````
-## Compile time and run time configuration support
-Most Linux kernel security features require root privileges during configuration.
-The same is true for kernel networking features. Firejail (SUID binary) opens the 
-access to these features to regular users. The privilege escalation is restricted 
-to the sandbox being configured, and is not extended to the rest of the system. 
-This arrangement works fine for user desktops or servers where the access is already limited.
-If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
-or at run time by editing /etc/firejail/firejail.config file.
-The following features can be enabled or disabled:
 `````
-       bind   Enable or disable bind support, default enabled.
+## New Profiles
+xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque
-       chroot Enable or disable chroot support, default enabled.
-       file-transfer
-              Enable or disable file transfer support, default enabled.
-       network
-              Enable or disable networking features, default enabled.
-       restricted-network
-              Enable  or disable restricted network support, default disabled.
-              If enabled, networking features should also be enabled  (network
-              yes).   Restricted  networking  grants access to --interface and
-              --net=ethXXX only to root user. Regular users are  only  allowed
-              --net=none.
-       secomp Enable or disable seccomp support, default enabled.
-       userns Enable or disable user namespace support, default enabled.
-       x11    Enable or disable X11 sandboxing support, default enabled.
-       xephyr-screen
-              Screen    size    for   --x11=xephyr,   default   800x600.   Run
-              /usr/bin/xrandr for a full list of resolutions available on your
-              specific setup. Examples:
-              xephyr-screen 640x480
-              xephyr-screen 800x600
-              xephyr-screen 1024x768
-              xephyr-screen 1280x1024
-`````
-## Default seccomp filter update
-Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
-## STUN/WebRTC disabled in default netfilter configuration
-The  current netfilter configuration (--netfilter option) looks like this:
-`````
-             *filter
-              :INPUT DROP [0:0]
-              :FORWARD DROP [0:0]
-              :OUTPUT ACCEPT [0:0]
-              -A INPUT -i lo -j ACCEPT
-              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-              # allow ping
-              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-              # drop STUN (WebRTC) requests
-              -A OUTPUT -p udp --dport 3478 -j DROP
-              -A OUTPUT -p udp --dport 3479 -j DROP
-              -A OUTPUT -p tcp --dport 3478 -j DROP
-              -A OUTPUT -p tcp --dport 3479 -j DROP
-              COMMIT
-`````
-The filter is loaded by default for Firefox if a network namespace is configured:
-`````
-$ firejail --net=eth0 firefox
-`````
-## Set sandbox nice value
-`````
-      --nice=value
-              Set nice value for all processes running inside the sandbox.
-              Example:
-              $ firejail --nice=-5 firefox
-`````
-## mkdir
-`````
-$ man firejail-profile
-[...]
-       mkdir directory
-              Create   a   directory  in  user  home.  Use  this  command  for
-              whitelisted directories you need to preserve when the sandbox is
-              closed.  Subdirectories  also  need  to  be created using mkdir.
-              Example from firefox profile:
-              mkdir ~/.mozilla
-              whitelist ~/.mozilla
-              mkdir ~/.cache
-              mkdir ~/.cache/mozilla
-              mkdir ~/.cache/mozilla/firefox
-              whitelist ~/.cache/mozilla/firefox
-[...]
-`````
-## New security profiles
-lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
-OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad

diff --git a/README.md b/README.md index 7f6f573b4..ad90639e2 100644 --- a/README.md +++ b/README.md
@@ -31,255 +31,26 @@ Features: https://firejail.wordpress.com/features-3/
31	Documentation: https://firejail.wordpress.com/documentation-2/	31	Documentation: https://firejail.wordpress.com/documentation-2/
32		32
33	FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/	33	FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
34	`````
35		34
36	`````	35	`````
37	# Current development version: 0.9.40-rc2
38	Version 0.9.40-rc1 released!
39
40	## X11 sandboxing support
41		36
42	X11 support is built around Xpra (http://xpra.org/) or Xephyr.
43	`````	37	`````
44	--x11 Start a new X11 server using Xpra or Xephyr and attach the sand‐	38	## User submitted profile repositories
45	box to this server. The regular X11 server (display 0) is not
46	visible in the sandbox. This prevents screenshot and keylogger
47	applications started in the sandbox from accessing other X11
48	displays. A network namespace needs to be instantiated in order
49	to deny access to X11 abstract Unix domain socket.
50
51	Firejail will try first Xpra, and if Xpra is not installed on
52	the system, it will try to find Xephyr. This feature is not
53	available when running as root.
54
55	Example:
56	$ firejail --x11 --net=eth0 firefox
57
58	--x11=xpra
59	Start a new X11 server using Xpra (http://xpra.org) and attach
60	the sandbox to this server. Xpra is a persistent remote display
61	server and client for forwarding X11 applications and desktop
62	screens. On Debian platforms Xpra is installed with the command
63	sudo apt-get install xpra. This feature is not available when
64	running as root.
65
66	Example:
67	$ firejail --x11 --net=eth0 firefox
68
69	--x11=xephyr
70	Start a new X11 server using Xephyr and attach the sandbox to
71	this server. Xephyr is a display server implementing the X11
72	display server protocol. It runs in a window just like other X
73	applications, but it is an X server itself in which you can run
74	other software. The default Xephyr window size is 800x600. This
75	can be modified in /etc/firejail/firejail.config file, see man 5
76	firejail-config for more details.
77
78	The recommended way to use this feature is to run a window man‐
79	ager inside the sandbox. A security profile for OpenBox is pro‐
80	vided. On Debian platforms Xephyr is installed with the command
81	sudo apt-get install xserver-xephyr. This feature is not avail‐
82	able when running as root.
83
84	Example:
85	$ firejail --x11 --net=eth0 openbox
86	`````
87	More information here: https://firejail.wordpress.com/documentation-2/x11-guide/
88
89	## File transfers
90	`````
91	FILE TRANSFER
92	These features allow the user to inspect the filesystem container of an
93	existing sandbox and transfer files from the container to the host
94	filesystem.
95
96	--get=name filename
97	Retrieve the container file and store it on the host in the cur‐
98	rent working directory. The container is specified by name
99	(--name option). Full path is needed for filename.
100
101	--get=pid filename
102	Retrieve the container file and store it on the host in the cur‐
103	rent working directory. The container is specified by process
104	ID. Full path is needed for filename.
105
106	--ls=name dir_or_filename
107	List container files. The container is specified by name
108	(--name option). Full path is needed for dir_or_filename.
109		39
110	--ls=pid dir_or_filename	40	If you keep your Firejail profiles in a public repository, please give us a link:
111	List container files. The container is specified by process ID.
112	Full path is needed for dir_or_filename.
113		41
114	Examples:	42	* https://github.com/chiraag-nataraj/firejail-profiles
115		43
116	$ firejail --name=mybrowser --private firefox	44	* https://github.com/triceratops1/fe
117		45
118	$ firejail --ls=mybrowser ~/Downloads	46	Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825
119	drwxr-xr-x netblue netblue 4096 .
120	drwxr-xr-x netblue netblue 4096 ..
121	-rw-r--r-- netblue netblue 7847 x11-x305.png
122	-rw-r--r-- netblue netblue 6800 x11-x642.png
123	-rw-r--r-- netblue netblue 34139 xpra-clipboard.png
124
125	$ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
126	`````	47	`````
127		48
128	## Firecfg
129	`````	49	`````
130	NAME	50	# Current development version: 0.9.45
131	Firecfg - Desktop configuration program for Firejail software.
132
133	SYNOPSIS
134	firecfg [OPTIONS]
135
136	DESCRIPTION
137	Firecfg is the desktop configuration utility for Firejail software. The
138	utility creates several symbolic links to firejail executable. This
139	allows the user to sandbox applications automatically, just by clicking
140	on a regular desktop menus and icons.
141
142	The symbolic links are placed in /usr/local/bin. For more information,
143	see DESKTOP INTEGRATION section in man 1 firejail.
144
145	OPTIONS
146	--clear
147	Clear all firejail symbolic links
148
149	-?, --help
150	Print options end exit.
151
152	--list List all firejail symbolic links
153
154	--version
155	Print program version and exit.
156
157	Example:
158
159	$ sudo firecfg
160	/usr/local/bin/firefox created
161	/usr/local/bin/vlc created
162	[...]
163	$ firecfg --list
164	/usr/local/bin/firefox
165	/usr/local/bin/vlc
166	[...]
167	$ sudo firecfg --clear
168	/usr/local/bin/firefox removed
169	/usr/local/bin/vlc removed
170	[...]
171	`````	51	`````
172		52
173
174	## Compile time and run time configuration support
175
176	Most Linux kernel security features require root privileges during configuration.
177	The same is true for kernel networking features. Firejail (SUID binary) opens the
178	access to these features to regular users. The privilege escalation is restricted
179	to the sandbox being configured, and is not extended to the rest of the system.
180	This arrangement works fine for user desktops or servers where the access is already limited.
181
182	If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
183	or at run time by editing /etc/firejail/firejail.config file.
184
185	The following features can be enabled or disabled:
186	`````	53	`````
187	bind Enable or disable bind support, default enabled.	54	## New Profiles
188		55	xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque
189	chroot Enable or disable chroot support, default enabled.
190
191	file-transfer
192	Enable or disable file transfer support, default enabled.
193
194	network
195	Enable or disable networking features, default enabled.
196
197	restricted-network
198	Enable or disable restricted network support, default disabled.
199	If enabled, networking features should also be enabled (network
200	yes). Restricted networking grants access to --interface and
201	--net=ethXXX only to root user. Regular users are only allowed
202	--net=none.
203
204	secomp Enable or disable seccomp support, default enabled.
205
206	userns Enable or disable user namespace support, default enabled.
207
208	x11 Enable or disable X11 sandboxing support, default enabled.
209
210	xephyr-screen
211	Screen size for --x11=xephyr, default 800x600. Run
212	/usr/bin/xrandr for a full list of resolutions available on your
213	specific setup. Examples:
214
215	xephyr-screen 640x480
216	xephyr-screen 800x600
217	xephyr-screen 1024x768
218	xephyr-screen 1280x1024
219	`````
220
221	## Default seccomp filter update
222
223	Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
224
225	## STUN/WebRTC disabled in default netfilter configuration
226
227	The current netfilter configuration (--netfilter option) looks like this:
228	`````
229	*filter
230	:INPUT DROP [0:0]
231	:FORWARD DROP [0:0]
232	:OUTPUT ACCEPT [0:0]
233	-A INPUT -i lo -j ACCEPT
234	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
235	# allow ping
236	-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
237	-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
238	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
239	# drop STUN (WebRTC) requests
240	-A OUTPUT -p udp --dport 3478 -j DROP
241	-A OUTPUT -p udp --dport 3479 -j DROP
242	-A OUTPUT -p tcp --dport 3478 -j DROP
243	-A OUTPUT -p tcp --dport 3479 -j DROP
244	COMMIT
245	`````
246
247	The filter is loaded by default for Firefox if a network namespace is configured:
248	`````
249	$ firejail --net=eth0 firefox
250	`````
251
252	## Set sandbox nice value
253	`````
254	--nice=value
255	Set nice value for all processes running inside the sandbox.
256
257	Example:
258	$ firejail --nice=-5 firefox
259	`````
260
261	## mkdir
262
263	`````
264	$ man firejail-profile
265	[...]
266	mkdir directory
267	Create a directory in user home. Use this command for
268	whitelisted directories you need to preserve when the sandbox is
269	closed. Subdirectories also need to be created using mkdir.
270	Example from firefox profile:
271
272	mkdir ~/.mozilla
273	whitelist ~/.mozilla
274	mkdir ~/.cache
275	mkdir ~/.cache/mozilla
276	mkdir ~/.cache/mozilla/firefox
277	whitelist ~/.cache/mozilla/firefox
278
279	[...]
280	`````
281
282	## New security profiles
283	lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
284	OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad
285		56