Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 282 |
1 files changed, 1 insertions, 281 deletions
@@ -98,284 +98,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
98 | ````` | 98 | ````` |
99 | 99 | ||
100 | ````` | 100 | ````` |
101 | # Current development version: 0.9.54~rc3 | 101 | # Current development version: 0.9.55 |
102 | |||
103 | ## Firejail user access database | ||
104 | ````` | ||
105 | $ man firejail-users | ||
106 | FIREJAIL-USERS(5) firejail.users man page FIREJAIL-USERS(5) | ||
107 | |||
108 | NAME | ||
109 | firejail.users - Firejail user access database | ||
110 | |||
111 | DESCRIPTION | ||
112 | /etc/firejail/firejail.users lists the users allowed to run firejail | ||
113 | SUID executable. If the file is not present in the system, all users | ||
114 | are allowed to use the sandbox. root user is allowed by default. | ||
115 | |||
116 | Example: | ||
117 | |||
118 | $ cat /etc/firejail/firejail.users | ||
119 | dustin | ||
120 | lucas | ||
121 | mike | ||
122 | eleven | ||
123 | |||
124 | Use a text editor to add or remove users from the list. You can also | ||
125 | use firecfg --add-users command. Example: | ||
126 | |||
127 | $ sudo firecfg --add-users dustin lucas mike eleven | ||
128 | |||
129 | By default, running firecfg creates the file and adds the current user | ||
130 | to the list. Example: | ||
131 | |||
132 | $ sudo firecfg | ||
133 | |||
134 | See man 1 firecfg for details. | ||
135 | |||
136 | FILES | ||
137 | /etc/firejail/firejail.users | ||
138 | |||
139 | LICENSE | ||
140 | Firejail is free software; you can redistribute it and/or modify it | ||
141 | under the terms of the GNU General Public License as published by the | ||
142 | Free Software Foundation; either version 2 of the License, or (at your | ||
143 | option) any later version. | ||
144 | |||
145 | Homepage: https://firejail.wordpress.com | ||
146 | |||
147 | SEE ALSO | ||
148 | firejail(1), firemon(1), firecfg(1), firejail-profile(5) firejail- | ||
149 | login(5) | ||
150 | |||
151 | 0.9.53 Apr 2018 FIREJAIL-USERS(5) | ||
152 | ````` | ||
153 | |||
154 | ## Spectre mitigation | ||
155 | |||
156 | If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration. | ||
157 | The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it | ||
158 | on older versions, for example on Debian stable running on gcc 6.3.0. This is how you check it: | ||
159 | ````` | ||
160 | $ ./configure --prefix=/usr | ||
161 | checking for gcc... gcc | ||
162 | checking whether the C compiler works... yes | ||
163 | checking for C compiler default output file name... a.out | ||
164 | checking for suffix of executables... | ||
165 | checking whether we are cross compiling... no | ||
166 | checking for suffix of object files... o | ||
167 | checking whether we are using the GNU C compiler... yes | ||
168 | checking whether gcc accepts -g... yes | ||
169 | checking for gcc option to accept ISO C89... none needed | ||
170 | checking for a BSD-compatible install... /usr/bin/install -c | ||
171 | checking for ranlib... ranlib | ||
172 | checking for Spectre mitigation support in gcc compiler... yes | ||
173 | [...] | ||
174 | Configuration options: | ||
175 | prefix: /usr | ||
176 | sysconfdir: /etc | ||
177 | seccomp: -DHAVE_SECCOMP | ||
178 | <linux/seccomp.h>: -DHAVE_SECCOMP_H | ||
179 | apparmor: | ||
180 | global config: -DHAVE_GLOBALCFG | ||
181 | chroot: -DHAVE_CHROOT | ||
182 | bind: -DHAVE_BIND | ||
183 | network: -DHAVE_NETWORK | ||
184 | user namespace: -DHAVE_USERNS | ||
185 | X11 sandboxing support: -DHAVE_X11 | ||
186 | whitelisting: -DHAVE_WHITELIST | ||
187 | private home support: -DHAVE_PRIVATE_HOME | ||
188 | file transfer support: -DHAVE_FILE_TRANSFER | ||
189 | overlayfs support: -DHAVE_OVERLAYFS | ||
190 | git install support: | ||
191 | busybox workaround: no | ||
192 | Spectre compiler patch: yes | ||
193 | EXTRA_LDFLAGS: | ||
194 | EXTRA_CFLAGS: -mindirect-branch=thunk | ||
195 | fatal warnings: | ||
196 | Gcov instrumentation: | ||
197 | Install contrib scripts: yes | ||
198 | ````` | ||
199 | This feature is also supported for LLVM/clang compiler | ||
200 | |||
201 | ## New command line options | ||
202 | ````` | ||
203 | --keep-var-tmp | ||
204 | /var/tmp directory is untouched. | ||
205 | |||
206 | Example: | ||
207 | $ firejail --keep-var-tmp | ||
208 | |||
209 | --nodbus | ||
210 | Disable D-Bus access. Only the regular UNIX socket is handled by | ||
211 | this command. To disable the abstract socket you would need to | ||
212 | request a new network namespace using --net command. Another | ||
213 | option is to remove unix from --protocol set. | ||
214 | |||
215 | Example: | ||
216 | $ firejail --nodbus --net=none | ||
217 | |||
218 | --noautopulse | ||
219 | Disable automatic ~/.config/pulse init, for complex setups such | ||
220 | as remote pulse servers or non-standard socket paths. | ||
221 | |||
222 | Example: | ||
223 | $ firejail --noautopulse firefox | ||
224 | |||
225 | ````` | ||
226 | |||
227 | ## AppImage development | ||
228 | |||
229 | Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. | ||
230 | This allows us to use our regular profile files for appimages. We don't have a way to extract the name | ||
231 | of the executable, so the profile will have to be passed on the command line. Example: | ||
232 | ````` | ||
233 | $ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage | ||
234 | ````` | ||
235 | Also, we have full AppArmor support for AppImages: | ||
236 | ````` | ||
237 | |||
238 | $ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage | ||
239 | ````` | ||
240 | |||
241 | ## Seccomp development | ||
242 | |||
243 | Replaced the our seccomp disassembler with a real disassembler lifted from | ||
244 | libseccomp (GPLv2, Paul Moore, Red Hat). The code is in src/fsec-print directory. | ||
245 | ````` | ||
246 | $ firejail --seccomp.print=browser | ||
247 | line OP JT JF K | ||
248 | ================================= | ||
249 | 0000: 20 00 00 00000004 ld data.architecture | ||
250 | 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) | ||
251 | 0002: 06 00 00 7fff0000 ret ALLOW | ||
252 | 0003: 20 00 00 00000000 ld data.syscall-number | ||
253 | 0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005) | ||
254 | 0005: 35 01 00 00000000 jge read 0007 (false 0006) | ||
255 | 0006: 06 00 00 00050001 ret ERRNO(1) | ||
256 | 0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008) | ||
257 | 0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009) | ||
258 | 0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a) | ||
259 | 000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false 000b) | ||
260 | 000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c) | ||
261 | 000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d) | ||
262 | 000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e) | ||
263 | 000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f) | ||
264 | 000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010) | ||
265 | 0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011) | ||
266 | 0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012) | ||
267 | 0012: 15 36 00 000000b9 jeq security 0049 (false 0013) | ||
268 | 0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014) | ||
269 | 0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015) | ||
270 | 0015: 15 33 00 00000086 jeq uselib 0049 (false 0016) | ||
271 | 0016: 15 32 00 00000088 jeq ustat 0049 (false 0017) | ||
272 | 0017: 15 31 00 000000ec jeq vserver 0049 (false 0018) | ||
273 | 0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019) | ||
274 | 0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a) | ||
275 | 001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b) | ||
276 | 001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c) | ||
277 | 001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d) | ||
278 | 001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e) | ||
279 | 001e: 15 2a 00 000000af jeq init_module 0049 (false 001f) | ||
280 | 001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020) | ||
281 | 0020: 15 28 00 000000ac jeq iopl 0049 (false 0021) | ||
282 | 0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022) | ||
283 | 0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023) | ||
284 | 0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024) | ||
285 | 0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025) | ||
286 | 0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026) | ||
287 | 0026: 15 22 00 000000a3 jeq acct 0049 (false 0027) | ||
288 | 0027: 15 21 00 00000141 jeq bpf 0049 (false 0028) | ||
289 | 0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029) | ||
290 | 0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a) | ||
291 | 002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b) | ||
292 | 002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c) | ||
293 | 002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d) | ||
294 | 002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e) | ||
295 | 002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f) | ||
296 | 002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030) | ||
297 | 0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031) | ||
298 | 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032) | ||
299 | 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033) | ||
300 | 0033: 15 15 00 000000ed jeq mbind 0049 (false 0034) | ||
301 | 0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false 0035) | ||
302 | 0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false 0036) | ||
303 | 0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037) | ||
304 | 0037: 15 11 00 00000067 jeq syslog 0049 (false 0038) | ||
305 | 0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039) | ||
306 | 0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a) | ||
307 | 003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b) | ||
308 | 003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c) | ||
309 | 003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d) | ||
310 | 003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e) | ||
311 | 003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f) | ||
312 | 003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040) | ||
313 | 0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041) | ||
314 | 0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042) | ||
315 | 0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false 0043) | ||
316 | 0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044) | ||
317 | 0044: 15 04 00 00000087 jeq personality 0049 (false 0045) | ||
318 | 0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046) | ||
319 | 0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047) | ||
320 | 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false 0048) | ||
321 | 0048: 06 00 00 7fff0000 ret ALLOW | ||
322 | 0049: 06 00 01 00000000 ret KILL | ||
323 | ````` | ||
324 | We are also introducing a seccomp optimizer, to be run directly on seccomp machine code | ||
325 | filters produced by Firejail. The code is in src/fsec-optimize. Currently only the default seccomp | ||
326 | filters built at compile time are run trough the optimizer. It will be extended and applied at run | ||
327 | time on all filters. | ||
328 | |||
329 | |||
330 | ## AppArmor development | ||
331 | |||
332 | AppArmor features are supported on overlayfs and chroot sandboxes. | ||
333 | |||
334 | We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys | ||
335 | and /run/user directories were moved out of the profile into firejail executable. | ||
336 | We are also adding a "apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to | ||
337 | enable/disable apparmor functionality globally. By default the flag is enabled. | ||
338 | |||
339 | AppArmor deployment: we are starting apparmor by default for the following programs: | ||
340 | - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile) | ||
341 | - torrent clients: transmission-qt, transmission-gtk, qbittorrent | ||
342 | - media players: mpv, audacious, kodi, smplayer | ||
343 | - media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot | ||
344 | - archive managers: ark, engrampa, file-roller | ||
345 | - etc.: digikam, okular, gwenview, galculator, kcalc | ||
346 | |||
347 | Checking apparmor status: | ||
348 | ````` | ||
349 | $ firejail --apparmor.print=browser | ||
350 | 2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr | ||
351 | AppArmor: firejail-default enforce | ||
352 | |||
353 | $ firemon --apparmor | ||
354 | 2072:netblue:firejail --chroot=/chroot/sid --net=eth0 | ||
355 | AppArmor: unconfined | ||
356 | 2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr | ||
357 | AppArmor: firejail-default enforce | ||
358 | 4835:netblue:/usr/bin/firejail /usr/bin/vlc | ||
359 | AppArmor: firejail-default enforce | ||
360 | ````` | ||
361 | |||
362 | |||
363 | ## Browser profile unification | ||
364 | |||
365 | All Chromium and Firefox browsers have been unified to instead extend | ||
366 | chromium-common.profile and firefox-common.profile respectively. | ||
367 | This allows for reduced maintenance and ease of adding new browsers. | ||
368 | NOTE: All users of Firefox-based browsers who use addons and plugins | ||
369 | that read/write from ${HOME} will need to uncomment the includes for | ||
370 | firefox-common-addons.inc in firefox-common.profile. | ||
371 | |||
372 | ## New profiles | ||
373 | |||
374 | Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, | ||
375 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, | ||
376 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, | ||
377 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, | ||
378 | thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant, | ||
379 | enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack, | ||
380 | aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor, | ||
381 | AnyDesk, webstorm, xmind, qmmp, sayonara | ||
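Review bot: this hunk removes the whole 0.9.54 development section (lines 103-381 of the old README) and keeps only the version bump to 0.9.55 at line 101, but nothing in the diff says where that material now lives; please point to its new home in the commit message or in the context kept at line 98 ("We also keep a list of profile fixes for previous released versions in ..."), because several of the deleted paragraphs carry security-relevant guidance a user would otherwise lose: the firejail.users access database that restricts who may run the SUID executable (old lines 112-114, "If the file is not present in the system, all users are allowed to use the sandbox"), the "apparmor yes/no" global flag in /etc/firejail/firejail.config (old lines 336-337), and the caveat on --nodbus that it only covers the regular UNIX socket and that the abstract socket still needs --net or removing unix from --protocol (old lines 210-213). The firejail.users text is a verbatim man page excerpt and is safe to drop from the README, but the --nodbus caveat and the apparmor flag are not shown anywhere else in this diff, so confirm they are documented in the man pages or a release notes file before merging. Minor: the deleted text also had the typos "Replaced the our seccomp disassembler" and "run trough the optimizer" (old lines 243, 326); if any of it is moved rather than dropped, fix those in the destination.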