Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 50 |
1 files changed, 27 insertions, 23 deletions
@@ -5,20 +5,24 @@ | |||
5 | [![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) | 5 | [![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) |
6 | [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | 6 | [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) |
7 | 7 | ||
8 | Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting | 8 | Firejail is a SUID sandbox program that reduces the risk of security breaches |
9 | the running environment of untrusted applications using Linux namespaces, seccomp-bpf | 9 | by restricting the running environment of untrusted applications using Linux |
10 | and Linux capabilities. It allows a process and all its descendants to have their own private | 10 | namespaces, seccomp-bpf and Linux capabilities. It allows a process and all |
11 | view of the globally shared kernel resources, such as the network stack, process table, mount table. | 11 | its descendants to have their own private view of the globally shared kernel |
12 | Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups. | 12 | resources, such as the network stack, process table, mount table. Firejail can |
13 | 13 | work in a SELinux or AppArmor environment, and it is integrated with Linux | |
14 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel | 14 | Control Groups. |
15 | version or newer. It can sandbox any type of processes: servers, graphical applications, and even | 15 | |
16 | user login sessions. The software includes sandbox profiles for a number of more common Linux programs, | 16 | Written in C with virtually no dependencies, the software runs on any Linux |
17 | computer with a 3.x kernel version or newer. It can sandbox any type of | ||
18 | processes: servers, graphical applications, and even user login sessions. The | ||
19 | software includes sandbox profiles for a number of more common Linux programs, | ||
17 | such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 20 | such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
18 | 21 | ||
19 | The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, | 22 | The sandbox is lightweight, the overhead is low. There are no complicated |
20 | no socket connections open, no daemons running in the background. All security features are | 23 | configuration files to edit, no socket connections open, no daemons running in |
21 | implemented directly in Linux kernel and available on any Linux computer. | 24 | the background. All security features are implemented directly in Linux kernel |
25 | and available on any Linux computer. | ||
22 | 26 | ||
23 | ## Videos | 27 | ## Videos |
24 | 28 | ||
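Review bot: on new lines 24-25, "implemented directly in Linux kernel" is missing its article ("in the Linux kernel"), and new lines 17-18 keep "any type of processes" where "any type of process" is meant. Every line of these three paragraphs is already rewritten by the re-wrap, so either fix the wording in a follow-up commit or state in the commit message that this change is a pure re-wrap with no text changes. The list on new line 12, "such as the network stack, process table, mount table", would also read better with "and" before its last item.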
@@ -103,7 +107,7 @@ See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: | |||
103 | > What software is supported by the Ubuntu Security team? | 107 | > What software is supported by the Ubuntu Security team? |
104 | > | 108 | > |
105 | > Ubuntu is currently divided into four components: main, restricted, universe | 109 | > Ubuntu is currently divided into four components: main, restricted, universe |
106 | > and multiverse. All binary packages in main and restricted are supported by | 110 | > and multiverse. All binary packages in main and restricted are supported by |
107 | > the Ubuntu Security team for the life of an Ubuntu release, while binary | 111 | > the Ubuntu Security team for the life of an Ubuntu release, while binary |
108 | > packages in universe and multiverse are supported by the Ubuntu community. | 112 | > packages in universe and multiverse are supported by the Ubuntu community. |
109 | 113 | ||
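Review bot: the old and new text at line 106/110 read the same in this view, so the change appears to be whitespace only, and it sits inside a block quoted from the Ubuntu Security Team FAQ. If the goal is to normalise spacing, say so in the commit message, because the edit touches quoted text rather than the project's own wording.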
@@ -147,7 +151,7 @@ cd firejail | |||
147 | ./configure && make && sudo make install-strip | 151 | ./configure && make && sudo make install-strip |
148 | ``` | 152 | ``` |
149 | 153 | ||
150 | On Debian/Ubuntu you will need to install git and gcc. AppArmor development | 154 | On Debian/Ubuntu you will need to install git and gcc. AppArmor development |
151 | libraries and pkg-config are required when using the `--enable-apparmor` | 155 | libraries and pkg-config are required when using the `--enable-apparmor` |
152 | ./configure option: | 156 | ./configure option: |
153 | 157 | ||
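Review bot: the sentence at line 150/154 names only git and gcc as prerequisites, but the build command in the context line above it (147/151) is "./configure && make && sudo make install-strip", so make is also required and is not mentioned. Since this line is being touched anyway, consider listing make in the sentence. As a style point, `--enable-apparmor` is in code formatting while "./configure" on line 152/156 is not.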
@@ -171,7 +175,7 @@ firejail vlc # starting VideoLAN Client | |||
171 | sudo firejail /etc/init.d/nginx start | 175 | sudo firejail /etc/init.d/nginx start |
172 | ``` | 176 | ``` |
173 | 177 | ||
174 | Run `firejail --list` in a terminal to list all active sandboxes. Example: | 178 | Run `firejail --list` in a terminal to list all active sandboxes. Example: |
175 | 179 | ||
176 | ```console | 180 | ```console |
177 | $ firejail --list | 181 | $ firejail --list |
@@ -191,16 +195,16 @@ firecfg --fix-sound | |||
191 | sudo firecfg | 195 | sudo firecfg |
192 | ``` | 196 | ``` |
193 | 197 | ||
194 | The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. | 198 | The first command solves some shared memory/PID namespace bugs in PulseAudio |
195 | The second command integrates Firejail into your desktop. You would need to logout and login back to apply | 199 | software prior to version 9. The second command integrates Firejail into your |
196 | PulseAudio changes. | 200 | desktop. You would need to logout and login back to apply PulseAudio changes. |
197 | 201 | ||
198 | Start your programs the way you are used to: desktop manager menus, file | 202 | Start your programs the way you are used to: desktop manager menus, file |
199 | manager, desktop launchers. | 203 | manager, desktop launchers. |
200 | 204 | ||
201 | The integration applies to any program supported by default by Firejail. | 205 | The integration applies to any program supported by default by Firejail. There |
202 | There are over 900 default applications in the current Firejail version, and | 206 | are over 900 default applications in the current Firejail version, and the |
203 | the number goes up with every new release. | 207 | number goes up with every new release. |
204 | 208 | ||
205 | We keep the application list in | 209 | We keep the application list in |
206 | [src/firecfg/firecfg.config](src/firecfg/firecfg.config) | 210 | [src/firecfg/firecfg.config](src/firecfg/firecfg.config) |
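Review bot: on new line 200, "You would need to logout and login back" uses the noun forms as verbs; "You need to log out and log back in to apply the PulseAudio changes" is clearer. On new lines 205-207 the hard-coded "over 900 default applications" will go stale with each release; since the next sentence already points to src/firecfg/firecfg.config as the list, consider dropping the number or wording it as approximate.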
@@ -290,8 +294,8 @@ Discussion: | |||
290 | 294 | ||
291 | ### Profile Statistics | 295 | ### Profile Statistics |
292 | 296 | ||
293 | A small tool to print profile statistics. Compile and install as usual. | 297 | A small tool to print profile statistics. Compile and install as usual. The |
294 | The tool is installed in the /usr/lib/firejail directory. | 298 | tool is installed in the /usr/lib/firejail directory. |
295 | 299 | ||
296 | Run it over the profiles in /etc/profiles: | 300 | Run it over the profiles in /etc/profiles: |
297 | 301 | ||
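Review bot: the paragraph on new lines 297-298 never names the tool it describes ("A small tool to print profile statistics"), so a reader has to reach the command example below to learn what to run; name the binary in the first sentence. The paths "/usr/lib/firejail" and "/etc/profiles" are also plain text, while other parts of this README put commands and options in backticks (for example `firejail --list` and `--enable-apparmor`); use the same formatting here.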