Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 110 |
1 files changed, 32 insertions, 78 deletions
@@ -31,97 +31,51 @@ Features: https://firejail.wordpress.com/features-3/ | |||
31 | Documentation: https://firejail.wordpress.com/documentation-2/ | 31 | Documentation: https://firejail.wordpress.com/documentation-2/ |
32 | 32 | ||
33 | FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | 33 | FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ |
34 | |||
35 | # Current development version: 0.9.37 | ||
36 | |||
37 | ## Symlink invocation | ||
38 | |||
39 | This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under | ||
40 | the name of the program you want to run, and put the link in the first $PATH position (for | ||
41 | example in /usr/local/bin). Example: | ||
42 | ````` | 34 | ````` |
43 | $ which -a transmission-gtk | ||
44 | /usr/bin/transmission-gtk | ||
45 | |||
46 | $ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk | ||
47 | 35 | ||
48 | $ which -a transmission-gtk | ||
49 | /usr/local/bin/transmission-gtk | ||
50 | /usr/bin/transmission-gtk | ||
51 | ````` | 36 | ````` |
52 | We have in this moment two entries in $PATH for transmission. The first one is a symlink to firejail. | 37 | # Current development version: 0.9.39 |
53 | The second one is the real program. Starting transmission in this moment, invokes "firejail transmission-gtk" | ||
54 | ````` | 38 | ````` |
55 | $ transmission-gtk | ||
56 | Redirecting symlink to /usr/bin/transmission-gtk | ||
57 | Reading profile /etc/firejail/transmission-gtk.profile | ||
58 | Reading profile /etc/firejail/disable-mgmt.inc | ||
59 | Reading profile /etc/firejail/disable-secret.inc | ||
60 | Reading profile /etc/firejail/disable-common.inc | ||
61 | Reading profile /etc/firejail/disable-devel.inc | ||
62 | Parent pid 19343, child pid 19344 | ||
63 | Blacklist violations are logged to syslog | ||
64 | Child process initialized | ||
65 | ````` | ||
66 | |||
67 | 39 | ||
68 | ## IPv6 support: | ||
69 | ````` | 40 | ````` |
70 | --ip6=address | ||
71 | Assign IPv6 addresses to the last network interface defined by a | ||
72 | --net option. | ||
73 | |||
74 | Example: | ||
75 | $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox | ||
76 | 41 | ||
77 | --netfilter6=filename | 42 | ## Default seccomp filter update |
78 | Enable the IPv6 network filter specified by filename in the new | ||
79 | network namespace. The filter file format is the format of | ||
80 | ip6tables-save and ip6table-restore commands. New network | ||
81 | namespaces are created using --net option. If a new network | ||
82 | namespaces is not created, --netfilter6 option does nothing. | ||
83 | 43 | ||
84 | ````` | 44 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). |
85 | 45 | ||
86 | ## join command enhancements | 46 | ## STUN/WebRTC disabled in default netfilter configuration |
87 | 47 | ||
48 | The current netfilter configuration (--netfilter option) looks like this: | ||
88 | ````` | 49 | ````` |
89 | --join-filesystem=name | 50 | *filter |
90 | Join the mount namespace of the sandbox identified by name. By | 51 | :INPUT DROP [0:0] |
91 | default a /bin/bash shell is started after joining the sandbox. | 52 | :FORWARD DROP [0:0] |
92 | If a program is specified, the program is run in the sandbox. | 53 | :OUTPUT ACCEPT [0:0] |
93 | This command is available only to root user. Security filters, | 54 | -A INPUT -i lo -j ACCEPT |
94 | cgroups and cpus configurations are not applied to the process | 55 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
95 | joining the sandbox. | 56 | # allow ping |
96 | 57 | -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | |
97 | --join-filesystem=pid | 58 | -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT |
98 | Join the mount namespace of the sandbox identified by process | 59 | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT |
99 | ID. By default a /bin/bash shell is started after joining the | 60 | # drop STUN (WebRTC) requests |
100 | sandbox. If a program is specified, the program is run in the | 61 | -A OUTPUT -p udp --dport 3478 -j DROP |
101 | sandbox. This command is available only to root user. Security | 62 | -A OUTPUT -p udp --dport 3479 -j DROP |
102 | filters, cgroups and cpus configurations are not applied to the | 63 | -A OUTPUT -p tcp --dport 3478 -j DROP |
103 | process joining the sandbox. | 64 | -A OUTPUT -p tcp --dport 3479 -j DROP |
104 | 65 | COMMIT | |
105 | --join-network=name | ||
106 | Join the network namespace of the sandbox identified by name. By | ||
107 | default a /bin/bash shell is started after joining the sandbox. | ||
108 | If a program is specified, the program is run in the sandbox. | ||
109 | This command is available only to root user. Security filters, | ||
110 | cgroups and cpus configurations are not applied to the process | ||
111 | joining the sandbox. | ||
112 | |||
113 | --join-network=pid | ||
114 | Join the network namespace of the sandbox identified by process | ||
115 | ID. By default a /bin/bash shell is started after joining the | ||
116 | sandbox. If a program is specified, the program is run in the | ||
117 | sandbox. This command is available only to root user. Security | ||
118 | filters, cgroups and cpus configurations are not applied to the | ||
119 | process joining the sandbox. | ||
120 | |||
121 | ````` | 66 | ````` |
122 | 67 | ||
68 | The filter is loaded by default for Firefox if a network namespace is configured: | ||
69 | ````` | ||
70 | $ firejail --net=eth0 firefox | ||
71 | ````` | ||
123 | 72 | ||
124 | ## New profiles: KMail | 73 | ## Set sandbox nice value |
125 | 74 | ````` | |
75 | --nice=value | ||
76 | Set nice value for all processes running inside the sandbox. | ||
126 | 77 | ||
78 | Example: | ||
79 | $ firejail --nice=-5 firefox | ||
80 | ````` | ||
127 | 81 | ||
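Review bot: the new heading "STUN/WebRTC disabled in default netfilter configuration" (new line 46) overstates what the rules at new lines 60-64 do: they drop only UDP and TCP traffic to destination ports 3478 and 3479, so a STUN or TURN server reachable on any other port is not covered and WebRTC itself is not disabled. Suggest retitling to something like "## STUN blocked on default ports in netfilter configuration" and adding one sentence after the rule block stating that only the standard STUN ports are filtered. Two smaller documentation points in the same hunk: new line 48 attributes the rules to the "--netfilter option", yet the example at new line 70 (`$ firejail --net=eth0 firefox`) passes no --netfilter, so the text should say where the default filter is applied from (the Firefox profile, if that is the mechanism); and the `--nice=-5` example at new line 79 requests a nice value below zero, so the --nice description should state whether an unprivileged user can request negative values or whether they are clamped.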