Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 74 |
1 files changed, 74 insertions, 0 deletions
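--- a/README.md
+++ b/README.md
@@ -98,6 +98,70 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.51
 
+## Whitelisting /var
+
+Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
+send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
+
+## Profile build tool
+`````
+$ firejail --build appname
+`````
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+
+Example:
+`````
+$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
+
+[...]
+
+############################################
+# /usr/bin/vlc profile
+############################################
+# Persistent global definitions
+# include /etc/firejail/globals.local
+
+### basic blacklisting
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+# include /etc/firejail/disable-programs.inc
+
+### home directory whitelisting
+whitelist ~/Videos
+whitelist ~/.local/share/vlc
+whitelist ~/.config/vlc
+include /etc/firejail/whitelist-common.inc
+
+### filesystem
+private-tmp
+private-dev
+private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
+whitelist /var/lib/menu-xdg
+# private-bin vlc,
+
+### security filters
+caps.drop all
+nonewprivs
+seccomp
+# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
+# 76 syscalls total
+# Probably you will need to add more syscalls to seccomp.keep. Look for
+# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
+# running your sandbox.
+
+### network
+protocol unix,netlink,
+net none
+
+### environment
+shell none
+$
+`````
+
 ## New command line options
 `````
 --writable-run-user
@@ -107,3 +171,13 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 Example:
 $ sudo firejail --writable-run-user
 `````
+
+## New profiles:
+
+terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu,
+amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter,
+calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
+calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
+imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
+ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
+conky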