Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 37 |
1 files changed, 37 insertions, 0 deletions
@@ -89,6 +89,43 @@ FILE TRANSFER | |||
89 | $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png | 89 | $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png |
90 | ````` | 90 | ````` |
91 | 91 | ||
92 | ## Compile time and run time configuration support | ||
93 | |||
94 | Most Linux kernel security features require root privileges during configuration. | ||
95 | The same is true for kernel networking features. Firejail (SUID binary) opens the | ||
96 | access to these features to regular users. The privilege escalation is restricted | ||
97 | to the sandbox being configured, and is not extended to the rest of the system. | ||
98 | This arrangement works fine for user desktops or servers where the access is already limited. | ||
99 | |||
100 | If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time, | ||
101 | or at run time by editing /etc/firejail/firejail.config file. | ||
102 | |||
103 | The following features can be enabled or disabled: | ||
104 | ````` | ||
105 | secomp Enable or disable seccomp support, default enabled. | ||
106 | |||
107 | chroot Enable or disable chroot support, default enabled. | ||
108 | |||
109 | bind Enable or disable bind support, default enabled. | ||
110 | |||
111 | network | ||
112 | Enable or disable networking features, default enabled. | ||
113 | |||
114 | restricted-network | ||
115 | Enable or disable restricted network support, default disabled. | ||
116 | If enabled, networking features should also be enabled (network | ||
117 | yes). Restricted networking grants access to --interface and | ||
118 | --net=ethXXX only to root user. Regular users are only allowed | ||
119 | --net=none. | ||
120 | |||
121 | userns Enable or disable user namespace support, default enabled. | ||
122 | |||
123 | x11 Enable or disable X11 sandboxing support, default enabled. | ||
124 | |||
125 | file-transfer | ||
126 | Enable or disable file transfer support, default enabled. | ||
127 | ````` | ||
128 | |||
92 | ## Default seccomp filter update | 129 | ## Default seccomp filter update |
93 | 130 | ||
94 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). | 131 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). |
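Review bot: the first entry in the feature list (new line 105) is spelled "secomp", while its own description and the following section heading say "seccomp". If the list entries are the literal keys for /etc/firejail/firejail.config, a reader copying this one will set a key that does not match, so please correct the spelling. In the same hunk, new line 100 reads "If you not happy" and is missing "are". The heading promises compile time and run time support, but only the run time file is named: listing the compile time switches, and showing one sample config line in the "network yes" form that the restricted-network entry already hints at, would make the section usable without reading the source. It would also help to state what happens when restricted-network is enabled while network is disabled, since the text only says networking "should" be enabled in that case.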