Diffstat (limited to 'README.md')
-rw-r--r--README.md94
1 files changed, 68 insertions, 26 deletions
diff --git a/README.md b/README.md
index 8d3b3c3bb..db088ddf6 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
1# Firejail 1# Firejail
2[![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) 2[![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/)
3[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
4[![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
3[![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) 5[![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
4 6
5Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting 7Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting
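Review bot: the two badges added on lines 3-4 ("CodeQL" and "Build CI") point at GitHub Actions workflows, while the existing "Build Status" badge on line 2 still points at the GitLab CI pipeline, so the README now shows two build badges that can disagree; state in the commit message (or in the README's CI paragraph) which pipeline is authoritative for release builds, or rename the badges so "Build Status" vs "Build CI" is not ambiguous. Adding a CodeQL badge is a good signal for a SUID project, but note that the badge only reports the workflow status, not that findings were triaged.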
@@ -22,19 +24,19 @@ implemented directly in Linux kernel and available on any Linux computer.
22<td> 24<td>
23<a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98 25<a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98
24" target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg" 26" target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg"
25alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Intro</a> 27alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>
26</td> 28</td>
27 29
28<td> 30<td>
29<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU 31<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
30" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" 32" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
31alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Demo</a> 33alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>
32</td> 34</td>
33 35
34<td> 36<td>
35<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 37<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
36" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" 38" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
37alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Debian Install</a> 39alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>
38</td> 40</td>
39 41
40 42
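Review bot: the alt-text changes are correct (each thumbnail now describes its own video instead of repeating "Firejail Intro video"), but since these lines are already being touched, the surrounding `<a href>` and `<img src>` still use plain http:// for youtube.com and img.youtube.com; switching them to https:// avoids mixed-content warnings when the README is rendered on an https page and removes a plaintext fetch from a page about a sandboxing tool. Minor: the alt text now duplicates the visible label after `<br/>`, which is acceptable but could be shortened.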
@@ -42,13 +44,19 @@ alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Debian In
42<td> 44<td>
43<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w 45<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
44" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg" 46" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
45alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Arch Linux Install</a> 47alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
46 48
47</td> 49</td>
48<td> 50<td>
49<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ 51<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
50" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg" 52" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
51alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Disable Network Access</a> 53alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
54
55</td>
56<td>
57<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
58" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
59alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
52 60
53</td> 61</td>
54</tr></table> 62</tr></table>
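Review bot: the new "Firejail Security Deep Dive" cell (lines 56-59) is inserted into the second `<tr>`, which now has one more `<td>` than the first row; check the rendered table on GitHub and cgit, since uneven rows render differently between Markdown renderers. The new link again uses http:// for both the watch URL and the thumbnail rather than https://, and line 54 introduces a blank line before `</td>` that follows the Arch Linux cell's pattern but not the others; pick one layout for all cells.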
@@ -67,11 +75,43 @@ Wiki: https://github.com/netblue30/firejail/wiki
67 75
68GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ 76GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
69 77
78Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
79
80Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
70 81
71## Security vulnerabilities 82## Security vulnerabilities
72 83
73We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com 84We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
74 85
86`````
87Security Adivsory - Feb 8, 2021
88
89Summary: A vulnerability resulting in root privilege escalation was discovered in
90Firejail's OverlayFS code,
91
92Versions affected: Firejail software versions starting with 0.9.30.
93Long Term Support (LTS) Firejail branch is not affected by this bug.
94
95Workaround: Disable overlayfs feature at runtime.
96In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no".
97
98 $ grep overlayfs /etc/firejail/firejail.config
99 # Enable or disable overlayfs features, default enabled.
100 overlayfs no
101
102Fix: The bug is fixed in Firejail version 0.9.64.4
103
104GitHub commit: (file configure.ac)
105https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
106
107Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability.
108Functional PoC exploit code was provided to Firejail development team.
109A description of the problem is here on Roman's blog:
110
111https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
112https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
113`````
114
75## Installing 115## Installing
76 116
77Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. 117Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
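Review bot: typo on line 87, "Adivsory" should be "Advisory", and line 90 ends "OverlayFS code," with a comma where a period belongs. More substantively, an advisory for a root privilege escalation is better kept in a dedicated SECURITY.md (the location GitHub surfaces for security policies) with a one-line pointer from this section, so it is found by people looking for a disclosure policy and the README stays readable as a user guide; the five-backtick fence on lines 86 and 113 also differs from the ``` fences used elsewhere in the file. In the workaround (lines 98-100), the block is presented as `grep` output but the third line "overlayfs no" is the value the reader is supposed to set, while the comment on line 99 says "default enabled"; make explicit that the user edits the entry to `overlayfs no`. The parenthetical "(file configure.ac)" on line 104 is unexplained; if it marks where the version bump lives, say so, otherwise drop it. Finally, "Versions affected: starting with 0.9.30" together with "Fix: 0.9.64.4" would be clearer as an explicit range, e.g. 0.9.30 up to and including 0.9.64.2, if that is what the authors mean; do not guess, but the current wording leaves the upper bound implicit.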
@@ -170,29 +210,31 @@ $ ./profstats *.profile
170Warning: multiple caps in transmission-daemon.profile 210Warning: multiple caps in transmission-daemon.profile
171 211
172Stats: 212Stats:
173 profiles 1031 213 profiles 1064
174 include local profile 1031 (include profile-name.local) 214 include local profile 1064 (include profile-name.local)
175 include globals 1031 (include globals.local) 215 include globals 1064 (include globals.local)
176 blacklist ~/.ssh 1007 (include disable-common.inc) 216 blacklist ~/.ssh 959 (include disable-common.inc)
177 seccomp 976 217 seccomp 975
178 capabilities 1030 218 capabilities 1063
179 noexec 901 (include disable-exec.inc) 219 noexec 944 (include disable-exec.inc)
180 memory-deny-write-execute 221 220 memory-deny-write-execute 229
181 apparmor 555 221 apparmor 605
182 private-bin 544 222 private-bin 564
183 private-dev 897 223 private-dev 932
184 private-etc 435 224 private-etc 462
185 private-tmp 785 225 private-tmp 823
186 whitelist home directory 474 226 whitelist home directory 502
187 whitelist var 699 (include whitelist-var-common.inc) 227 whitelist var 744 (include whitelist-var-common.inc)
188 whitelist run/user 336 (include whitelist-runuser-common.inc 228 whitelist run/user 461 (include whitelist-runuser-common.inc
189 or blacklist ${RUNUSER}) 229 or blacklist ${RUNUSER})
190 whitelist usr/share 359 (include whitelist-usr-share-common.inc 230 whitelist usr/share 451 (include whitelist-usr-share-common.inc
191 net none 333 231 net none 345
192 dbus-user none 523 232 dbus-user none 564
193 dbus-system none 632 233 dbus-user filter 85
234 dbus-system none 696
235 dbus-system filter 7
194``` 236```
195 237
196### New profiles: 238### New profiles:
197 239
198spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo 240vmware-view, display-im6.q16
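Review bot: line 230 "whitelist usr/share 451 (include whitelist-usr-share-common.inc" is missing its closing parenthesis, in both the old and the new text; since this hunk rewrites the whole stats block, fix it here. The "blacklist ~/.ssh" count drops from 1007 to 959 while the total profile count rises from 1031 to 1064; a sentence in the commit message explaining why fewer profiles now protect ~/.ssh would help, because read on its own that looks like a coverage regression. The new "dbus-user filter" and "dbus-system filter" rows (lines 233 and 235) are new metrics, so note that they are new rather than renamed. Minor: the "### New profiles:" heading keeps a trailing colon, which the other headings in the file do not use.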