1 files changed, 37 insertions, 0 deletions
diff --git a/README.md b/README.md
index b3eb112bc..2406cfc49 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,43 @@ FILE TRANSFER
              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
 `````
+## Compile time and run time configuration support
+Most Linux kernel security features require root privileges during configuration.
+The same is true for kernel networking features. Firejail (SUID binary) opens the 
+access to these features to regular users. The privilege escalation is restricted 
+to the sandbox being configured, and is not extended to the rest of the system. 
+This arrangement works fine for user desktops or servers where the access is already limited.
+If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
+or at run time by editing /etc/firejail/firejail.config file.
+The following features can be enabled or disabled:
+`````
+       secomp Enable or disable seccomp support, default enabled.
+       chroot Enable or disable chroot support, default enabled.
+       bind   Enable or disable bind support, default enabled.
+       network
+              Enable or disable networking features, default enabled.
+       restricted-network
+              Enable  or disable restricted network support, default disabled.
+              If enabled, networking features should also be enabled  (network
+              yes).   Restricted  networking  grants access to --interface and
+              --net=ethXXX only to root user. Regular users are  only  allowed
+              --net=none.
+       userns Enable or disable user namespace support, default enabled.
+       x11    Enable or disable X11 sandboxing support, default enabled.
+       file-transfer
+              Enable or disable file transfer support, default enabled.
+`````
 ## Default seccomp filter update
 Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).

diff --git a/README.md b/README.md index b3eb112bc..2406cfc49 100644 --- a/README.md +++ b/README.md
@@ -89,6 +89,43 @@ FILE TRANSFER
89	$ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png	89	$ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
90	`````	90	`````
91		91
		92	## Compile time and run time configuration support
		93
		94	Most Linux kernel security features require root privileges during configuration.
		95	The same is true for kernel networking features. Firejail (SUID binary) opens the
		96	access to these features to regular users. The privilege escalation is restricted
		97	to the sandbox being configured, and is not extended to the rest of the system.
		98	This arrangement works fine for user desktops or servers where the access is already limited.
		99
		100	If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
		101	or at run time by editing /etc/firejail/firejail.config file.
		102
		103	The following features can be enabled or disabled:
		104	`````
		105	secomp Enable or disable seccomp support, default enabled.
		106
		107	chroot Enable or disable chroot support, default enabled.
		108
		109	bind Enable or disable bind support, default enabled.
		110
		111	network
		112	Enable or disable networking features, default enabled.
		113
		114	restricted-network
		115	Enable or disable restricted network support, default disabled.
		116	If enabled, networking features should also be enabled (network
		117	yes). Restricted networking grants access to --interface and
		118	--net=ethXXX only to root user. Regular users are only allowed
		119	--net=none.
		120
		121	userns Enable or disable user namespace support, default enabled.
		122
		123	x11 Enable or disable X11 sandboxing support, default enabled.
		124
		125	file-transfer
		126	Enable or disable file transfer support, default enabled.
		127	`````
		128
92	## Default seccomp filter update	129	## Default seccomp filter update
93		130
94	Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).	131	Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).