Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 9 |
1 files changed, 5 insertions, 4 deletions
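--- a/README.md
+++ b/README.md
@@ -114,12 +114,12 @@ in order to allow strace to run. Chromium and Chromium-based browsers will not w
 
 Example:
 `````
-$ firejail --build vlc ~/Videos/test.mp4
+$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
 
 [...]
 
 ############################################
-# vlc profile
+# /usr/bin/vlc profile
 ############################################
 # Persistent global definitions
 # include /etc/firejail/globals.local
@@ -141,13 +141,14 @@ private-tmp
 private-dev
 private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
 whitelist /var/lib/menu-xdg
+# private-bin vlc,
 
 ### security filters
 caps.drop all
 nonewprivs
 seccomp
-# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
-# 82 syscalls total
+# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
+# 76 syscalls total
 # Probably you will need to add more syscalls to seccomp.keep. Look for
 # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
 # running your sandbox.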