Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 153 |
1 files changed, 28 insertions, 125 deletions
@@ -189,107 +189,18 @@ You can also use this tool to get a list of syscalls needed by a program: [contr | |||
189 | 189 | ||
190 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 190 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. |
191 | 191 | ||
192 | ## Latest released version: 0.9.64 | 192 | ## Latest released version: 0.9.66 |
193 | 193 | ||
194 | ## Current development version: 0.9.65 | 194 | ## Current development version: 0.9.67 |
195 | 195 | ||
196 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 196 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
197 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | 197 | Release discussion: https://github.com/netblue30/firejail/issues/3696 |
198 | 198 | ||
199 | ### jailcheck | 199 | Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change! |
200 | ````` | ||
201 | JAILCHECK(1) JAILCHECK man page JAILCHECK(1) | ||
202 | |||
203 | NAME | ||
204 | jailcheck - Simple utility program to test running sandboxes | ||
205 | |||
206 | SYNOPSIS | ||
207 | sudo jailcheck [OPTIONS] [directory] | ||
208 | |||
209 | DESCRIPTION | ||
210 | jailcheck attaches itself to all sandboxes started by the user and per‐ | ||
211 | forms some basic tests on the sandbox filesystem: | ||
212 | |||
213 | 1. Virtual directories | ||
214 | jailcheck extracts a list with the main virtual directories in‐ | ||
215 | stalled by the sandbox. These directories are build by firejail | ||
216 | at startup using --private* and --whitelist commands. | ||
217 | |||
218 | 2. Noexec test | ||
219 | jailcheck inserts executable programs in /home/username, /tmp, | ||
220 | and /var/tmp directories and tries to run them from inside the | ||
221 | sandbox, thus testing if the directory is executable or not. | ||
222 | |||
223 | 3. Read access test | ||
224 | jailcheck creates test files in the directories specified by the | ||
225 | user and tries to read them from inside the sandbox. | ||
226 | |||
227 | 4. AppArmor test | ||
228 | |||
229 | 5. Seccomp test | ||
230 | |||
231 | The program is started as root using sudo. | ||
232 | |||
233 | OPTIONS | ||
234 | --debug | ||
235 | Print debug messages. | ||
236 | |||
237 | -?, --help | ||
238 | Print options and exit. | ||
239 | |||
240 | --version | ||
241 | Print program version and exit. | ||
242 | 200 | ||
243 | [directory] | 201 | The old whitelist/blacklist will remain as aliasses for the next one or two releases |
244 | One or more directories in user home to test for read access. | 202 | in order to give users a chance to switch their local profiles. |
245 | ~/.ssh and ~/.gnupg are tested by default. | 203 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 |
246 | |||
247 | OUTPUT | ||
248 | For each sandbox detected we print the following line: | ||
249 | |||
250 | PID:USER:Sandbox Name:Command | ||
251 | |||
252 | It is followed by relevant sandbox information, such as the virtual di‐ | ||
253 | rectories and various warnings. | ||
254 | |||
255 | EXAMPLE | ||
256 | $ sudo jailcheck | ||
257 | 2014:netblue::firejail /usr/bin/gimp | ||
258 | Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, | ||
259 | Warning: I can run programs in /home/netblue | ||
260 | |||
261 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net | ||
262 | Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, | ||
263 | Warning: I can read ~/.ssh | ||
264 | |||
265 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐ | ||
266 | pimage | ||
267 | Virtual dirs: /tmp, /var/tmp, /dev, | ||
268 | |||
269 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox | ||
270 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, | ||
271 | /run/user/1000, | ||
272 | |||
273 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | ||
274 | Warning: AppArmor not enabled | ||
275 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, | ||
276 | /usr/share, /run/user/1000, | ||
277 | Warning: I can run programs in /home/netblue | ||
278 | |||
279 | LICENSE | ||
280 | This program is free software; you can redistribute it and/or modify it | ||
281 | under the terms of the GNU General Public License as published by the | ||
282 | Free Software Foundation; either version 2 of the License, or (at your | ||
283 | option) any later version. | ||
284 | |||
285 | Homepage: https://firejail.wordpress.com | ||
286 | |||
287 | SEE ALSO | ||
288 | firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐ | ||
289 | gin(5), firejail-users(5), | ||
290 | |||
291 | 0.9.65 May 2021 JAILCHECK(1) | ||
292 | ````` | ||
293 | 204 | ||
294 | ### Profile Statistics | 205 | ### Profile Statistics |
295 | 206 | ||
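Review bot: Removing the whole jailcheck(1) man page from the README (old lines 200-292) leaves no pointer to where that documentation now lives; since the "Current development version" section still announces the release, consider keeping a one-line reference such as "See jailcheck(1) for the sandbox test utility" so readers of the README can still find it. In the replacement text, new line 201 has a spelling error: "aliasses" should be "aliases". Also, lines 192/194 bump the versions from 0.9.64/0.9.65 to 0.9.66/0.9.67 while lines 196-197 keep the same milestone and "Release discussion" links (milestone/1, issues/3696); please verify that issue 3696 is still the discussion thread for the 0.9.67 cycle, or update the link alongside the version numbers.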
@@ -298,40 +209,32 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi | |||
298 | $ sudo cp src/profstats/profstats /etc/firejail/. | 209 | $ sudo cp src/profstats/profstats /etc/firejail/. |
299 | $ cd /etc/firejail | 210 | $ cd /etc/firejail |
300 | $ ./profstats *.profile | 211 | $ ./profstats *.profile |
301 | Stats: | 212 | profiles 1150 |
302 | profiles 1135 | 213 | include local profile 1150 (include profile-name.local) |
303 | include local profile 1135 (include profile-name.local) | 214 | include globals 1120 (include globals.local) |
304 | include globals 1106 (include globals.local) | 215 | blacklist ~/.ssh 1026 (include disable-common.inc) |
305 | blacklist ~/.ssh 1009 (include disable-common.inc) | 216 | seccomp 1050 |
306 | seccomp 1035 | 217 | capabilities 1146 |
307 | capabilities 1130 | 218 | noexec 1030 (include disable-exec.inc) |
308 | noexec 1011 (include disable-exec.inc) | 219 | noroot 959 |
309 | noroot 944 | 220 | memory-deny-write-execute 253 |
310 | memory-deny-write-execute 242 | 221 | apparmor 681 |
311 | apparmor 667 | 222 | private-bin 667 |
312 | private-bin 635 | 223 | private-dev 1009 |
313 | private-dev 992 | 224 | private-etc 523 |
314 | private-etc 508 | 225 | private-tmp 883 |
315 | private-tmp 866 | 226 | whitelist home directory 547 |
316 | whitelist home directory 542 | 227 | whitelist var 818 (include whitelist-var-common.inc) |
317 | whitelist var 799 (include whitelist-var-common.inc) | 228 | whitelist run/user 616 (include whitelist-runuser-common.inc |
318 | whitelist run/user 597 (include whitelist-runuser-common.inc | ||
319 | or blacklist ${RUNUSER}) | 229 | or blacklist ${RUNUSER}) |
320 | whitelist usr/share 569 (include whitelist-usr-share-common.inc | 230 | whitelist usr/share 591 (include whitelist-usr-share-common.inc |
321 | net none 389 | 231 | net none 391 |
322 | dbus-user none 619 | 232 | dbus-user none 641 |
323 | dbus-user filter 105 | 233 | dbus-user filter 105 |
324 | dbus-system none 770 | 234 | dbus-system none 792 |
325 | dbus-system filter 7 | 235 | dbus-system filter 7 |
326 | ``` | 236 | ``` |
327 | 237 | ||
328 | ### New profiles: | 238 | ### New profiles: |
329 | 239 | ||
330 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | 240 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta |
331 | avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, | ||
332 | pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, | ||
333 | sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, | ||
334 | ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, | ||
335 | pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon, | ||
336 | neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr, | ||
337 | tin | ||
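Review bot: New line 230 ("whitelist usr/share 591 (include whitelist-usr-share-common.inc") still has an unclosed parenthesis inherited from old line 320; if this is the tool's literal output it is fine to keep, otherwise close it as "(include whitelist-usr-share-common.inc)" to match the other entries. The "Stats:" header line (old line 301) is dropped from the sample profstats output without any change to the command; please confirm the current src/profstats build no longer prints that header so the README example matches what users will actually see when running "./profstats *.profile".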