Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 163 |
1 files changed, 22 insertions, 141 deletions
@@ -178,123 +178,10 @@ You can also use this tool to get a list of syscalls needed by a program: [contr | |||
178 | 178 | ||
179 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 179 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. |
180 | 180 | ||
181 | ## Latest released version: 0.9.70 | 181 | ## Latest released version: 0.9.72 |
182 | 182 | ||
183 | ## Current development version: 0.9.71 | 183 | ## Current development version: 0.9.73 |
184 | 184 | ||
185 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | ||
186 | |||
187 | ### Restrict namespaces | ||
188 | |||
189 | ````` | ||
190 | --restrict-namespaces | ||
191 | Install a seccomp filter that blocks attempts to create new | ||
192 | cgroup, ipc, net, mount, pid, time, user or uts namespaces. | ||
193 | |||
194 | Example: | ||
195 | $ firejail --restrict-namespaces | ||
196 | |||
197 | --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts | ||
198 | Install a seccomp filter that blocks attempts to create any of | ||
199 | the specified namespaces. The filter examines the arguments of | ||
200 | clone, unshare and setns system calls and returns error EPERM to | ||
201 | the process (or kills it or logs the attempt, see --seccomp-er‐ | ||
202 | ror-action below) if necessary. Note that the filter is not able | ||
203 | to examine the arguments of clone3 system calls, and always re‐ | ||
204 | sponds to these calls with error ENOSYS. | ||
205 | |||
206 | Example: | ||
207 | $ firejail --restrict-namespaces=user,net | ||
208 | ````` | ||
209 | |||
210 | ### Support for custom AppArmor profiles | ||
211 | |||
212 | ````` | ||
213 | --apparmor | ||
214 | Enable AppArmor confinement with the "firejail-default" AppArmor | ||
215 | profile. For more information, please see APPARMOR section be‐ | ||
216 | low. | ||
217 | |||
218 | --apparmor=profile_name | ||
219 | Enable AppArmor confinement with a custom AppArmor profile. | ||
220 | Note that profile in question must already be loaded into the | ||
221 | kernel. For more information, please see APPARMOR section be‐ | ||
222 | ````` | ||
223 | |||
224 | ### dnstrace | ||
225 | ````` | ||
226 | --dnstrace[=name|pid] | ||
227 | Monitor DNS queries. The sandbox can be specified by name or | ||
228 | pid. Only networked sandboxes created with --net are supported. | ||
229 | This option is only available when running the sandbox as root. | ||
230 | |||
231 | Without a name/pid, Firejail will monitor the main system net‐ | ||
232 | work namespace. | ||
233 | |||
234 | $ sudo firejail --dnstrace=browser | ||
235 | 11:31:43 9.9.9.9 linux.com (type 1) | ||
236 | 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN | ||
237 | 11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN | ||
238 | 11:31:45 9.9.9.9 www.linux.com (type 1) | ||
239 | 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN | ||
240 | 11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN | ||
241 | 11:32:05 9.9.9.9 secure.gravatar.com (type 1) | ||
242 | 11:32:06 9.9.9.9 secure.gravatar.com (type 1) | ||
243 | 11:32:08 9.9.9.9 taikai.network (type 1) | ||
244 | 11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1) | ||
245 | 11:32:08 9.9.9.9 taikai.azureedge.net (type 1) | ||
246 | 11:32:08 9.9.9.9 www.youtube.com (type 1) | ||
247 | ````` | ||
248 | |||
249 | ### snitrace | ||
250 | ````` | ||
251 | --snitrace[=name|pid] | ||
252 | Monitor Server Name Indication (TLS/SNI). The sandbox can be | ||
253 | specified by name or pid. Only networked sandboxes created with | ||
254 | --net are supported. This option is only available when running | ||
255 | the sandbox as root. | ||
256 | |||
257 | Without a name/pid, Firejail will monitor the main system net‐ | ||
258 | work namespace. | ||
259 | |||
260 | $ sudo firejail --snitrace=browser | ||
261 | 07:49:51 23.185.0.3 linux.com | ||
262 | 07:49:51 23.185.0.3 www.linux.com | ||
263 | 07:50:05 192.0.73.2 secure.gravatar.com | ||
264 | 07:52:35 172.67.68.93 www.howtoforge.com | ||
265 | 07:52:37 13.225.103.59 sf.ezoiccdn.com | ||
266 | 07:52:42 142.250.176.3 www.gstatic.com | ||
267 | 07:53:03 173.236.250.32 www.linuxlinks.com | ||
268 | 07:53:05 192.0.77.37 c0.wp.com | ||
269 | 07:53:08 192.0.78.32 jetpack.wordpress.com | ||
270 | 07:53:09 192.0.77.32 s0.wp.com | ||
271 | 07:53:09 192.0.77.2 i0.wp.com | ||
272 | 07:53:10 192.0.77.2 i0.wp.com | ||
273 | 07:53:11 192.0.73.2 1.gravatar.com | ||
274 | ````` | ||
275 | ### icmptrace | ||
276 | ````` | ||
277 | --icmptrace[=name|pid] | ||
278 | Monitor ICMP traffic. The sandbox can be specified by name or | ||
279 | pid. Only networked sandboxes created with --net are supported. | ||
280 | This option is only available when running the sandbox as root. | ||
281 | |||
282 | Without a name/pid, Firejail will monitor the main system net‐ | ||
283 | work namespace. | ||
284 | |||
285 | Example | ||
286 | $ sudo firejail --icmptrace | ||
287 | 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐ | ||
288 | quest/0 | ||
289 | 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐ | ||
290 | ply/0 | ||
291 | 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐ | ||
292 | quest/0 | ||
293 | 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐ | ||
294 | ply/0 | ||
295 | 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination un‐ | ||
296 | reachable/Port unreachable | ||
297 | ````` | ||
298 | 185 | ||
299 | ### Profile Statistics | 186 | ### Profile Statistics |
300 | 187 | ||
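Review bot: With this hunk the "Current development version" heading (old line 183, new line 183) is left with no body at all: the milestone link at old line 185 and the whole feature write-up for --restrict-namespaces, --apparmor=profile_name, --dnstrace, --snitrace and --icmptrace (old lines 187-297) are deleted, and nothing in the new text says where that documentation now lives. Since the release line moves from 0.9.70 to 0.9.72, these options have presumably shipped, so please either keep a one-line pointer under the 0.9.72 heading (for example to the man page or release notes for `--restrict-namespaces`, `--dnstrace`, `--snitrace`, `--icmptrace`) or restore the milestone link under the 0.9.73 heading so the section is not an empty stub. Minor: the removed `--apparmor=profile_name` paragraph was cut mid-sentence ("please see APPARMOR section be‐") before its closing fence, so if any of this text is moved elsewhere, that sentence needs to be completed from the man page rather than copied as is.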
@@ -306,39 +193,33 @@ No include .local found in /etc/firejail/noprofile.profile | |||
306 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 193 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
307 | 194 | ||
308 | Stats: | 195 | Stats: |
309 | profiles 1205 | 196 | profiles 1209 |
310 | include local profile 1204 (include profile-name.local) | 197 | include local profile 1208 (include profile-name.local) |
311 | include globals 1178 (include globals.local) | 198 | include globals 1181 (include globals.local) |
312 | blacklist ~/.ssh 1076 (include disable-common.inc) | 199 | blacklist ~/.ssh 1079 (include disable-common.inc) |
313 | seccomp 1095 | 200 | seccomp 1096 |
314 | capabilities 1199 | 201 | capabilities 1202 |
315 | noexec 1084 (include disable-exec.inc) | 202 | noexec 1087 (include disable-exec.inc) |
316 | noroot 1002 | 203 | noroot 1003 |
317 | memory-deny-write-execute 272 | 204 | memory-deny-write-execute 272 |
318 | restrict-namespaces 962 | 205 | restrict-namespaces 958 |
319 | apparmor 720 | 206 | apparmor 753 |
320 | private-bin 704 | 207 | private-bin 704 |
321 | private-dev 1055 | 208 | private-dev 1058 |
322 | private-etc 546 | 209 | private-etc 550 |
323 | private-lib 71 | 210 | private-lib 71 |
324 | private-tmp 929 | 211 | private-tmp 932 |
325 | whitelist home directory 581 | 212 | whitelist home directory 585 |
326 | whitelist var 867 (include whitelist-var-common.inc) | 213 | whitelist var 870 (include whitelist-var-common.inc) |
327 | whitelist run/user 1173 (include whitelist-runuser-common.inc | 214 | whitelist run/user 1176 (include whitelist-runuser-common.inc |
328 | or blacklist ${RUNUSER}) | 215 | or blacklist ${RUNUSER}) |
329 | whitelist usr/share 637 (include whitelist-usr-share-common.inc | 216 | whitelist usr/share 640 (include whitelist-usr-share-common.inc |
330 | net none 410 | 217 | net none 410 |
331 | dbus-user none 677 | 218 | dbus-user none 679 |
332 | dbus-user filter 137 | 219 | dbus-user filter 141 |
333 | dbus-system none 848 | 220 | dbus-system none 851 |
334 | dbus-system filter 12 | 221 | dbus-system filter 12 |
335 | 222 | ||
336 | ``` | 223 | ``` |
337 | 224 | ||
338 | ### New profiles: | ||
339 | |||
340 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, | ||
341 | cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp | ||
342 | |||
343 | |||
344 | 225 | ||
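Review bot: The updated statistics show `restrict-namespaces` dropping from 962 to 958 (old line 318, new line 205) while every other hardening counter and the total profile count (1205 to 1209) go up; a net loss of four profiles using that seccomp restriction looks like a coverage regression rather than a side effect of adding profiles, so please confirm it is intentional and, if so, say why in the commit message. Also, the "### New profiles:" list (old lines 338-341) is deleted outright with no replacement under the new 0.9.73 heading; if the intent is to start a fresh list for the new development cycle, an empty "### New profiles:" heading or a note to that effect would make the reset explicit. Pre-existing nit visible in both sides: the `whitelist usr/share` line (old 329, new 216) is missing its closing parenthesis after `whitelist-usr-share-common.inc`, unlike the `whitelist run/user` entry above it.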