Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 37 |
1 files changed, 37 insertions, 0 deletions
@@ -182,6 +182,43 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
182 | 182 | ||
183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
184 | 184 | ||
185 | ### Restrict namespaces | ||
186 | |||
187 | ````` | ||
188 | --restrict-namespaces | ||
189 | Install a seccomp filter that blocks attempts to create new | ||
190 | cgroup, ipc, net, mount, pid, time, user or uts namespaces. | ||
191 | |||
192 | Example: | ||
193 | $ firejail --restrict-namespaces | ||
194 | |||
195 | --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts | ||
196 | Install a seccomp filter that blocks attempts to create any of | ||
197 | the specified namespaces. The filter examines the arguments of | ||
198 | clone, unshare and setns system calls and returns error EPERM to | ||
199 | the process (or kills it or logs the attempt, see --seccomp-er‐ | ||
200 | ror-action below) if necessary. Note that the filter is not able | ||
201 | to examine the arguments of clone3 system calls, and always re‐ | ||
202 | sponds to these calls with error ENOSYS. | ||
203 | |||
204 | Example: | ||
205 | $ firejail --restrict-namespaces=user,net | ||
206 | ````` | ||
207 | |||
208 | #### Support for custom AppArmor profiles | ||
209 | |||
210 | ````` | ||
211 | --apparmor | ||
212 | Enable AppArmor confinement with the "firejail-default" AppArmor | ||
213 | profile. For more information, please see APPARMOR section be‐ | ||
214 | low. | ||
215 | |||
216 | --apparmor=profile_name | ||
217 | Enable AppArmor confinement with a custom AppArmor profile. | ||
218 | Note that profile in question must already be loaded into the | ||
219 | kernel. For more information, please see APPARMOR section be‐ | ||
220 | ````` | ||
221 | |||
185 | ### Profile Statistics | 222 | ### Profile Statistics |
186 | 223 | ||
187 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 224 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
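Review bot: the last line of the `--apparmor=profile_name` entry is cut off mid-word, "For more information, please see APPARMOR section be‐", and the fence closes right after it; the sentence should end with "below." before the closing ````` (compare the complete `--apparmor` entry above it, which ends "APPARMOR section be‐ low."). The same copy from rendered man-page output left soft-hyphen line breaks inside words ("--seccomp-er‐ ror-action", "re‐ sponds", "be‐ low") that should be joined, since they will render as broken words in the README. Also, "#### Support for custom AppArmor profiles" is one level deeper than the sibling sections ("### Restrict namespaces", "### Profile Statistics"); use "###" unless it is meant as a sub-item of the namespaces section. Finally, the option line lists the namespace as "mnt" while the prose above says "mount"; stating once that the option token is `mnt` would avoid users typing `--restrict-namespaces=mount`.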