Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 58 |
1 files changed, 58 insertions, 0 deletions
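--- a/README.md
+++ b/README.md
@@ -98,6 +98,64 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.51
 
+## Profile build tool
+`````
+$ firejail --build appname
+`````
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Only programs that don't rise privileges are supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+
+Example:
+`````
+$ firejail --build vlc ~/Videos/test.mp4
+
+[...]
+
+############################################
+# vlc profile
+############################################
+# Persistent global definitions
+# include /etc/firejail/globals.local
+
+### basic blacklisting
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+# include /etc/firejail/disable-programs.inc
+
+### home directory whitelisting
+whitelist ~/Videos
+whitelist ~/.local/share/vlc
+whitelist ~/.config/vlc
+include /etc/firejail/whitelist-common.inc
+
+### filesystem
+private-tmp
+private-dev
+private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
+whitelist /var/lib/menu-xdg
+
+### security filters
+caps.drop all
+nonewprivs
+seccomp
+# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
+# 82 syscalls total
+# Probably you will need to add more syscalls to seccomp.keep. Look for
+# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
+# running your sandbox.
+
+### network
+protocol unix,netlink,
+net none
+
+### environment
+shell none
+$
+````
+
 ## New command line options
 `````
 --writable-run-user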