1 files changed, 90 insertions, 29 deletions
diff --git a/README.md b/README.md
index 33b23f418..e52a02d34 100644
--- a/README.md
+++ b/README.md
@@ -94,9 +94,49 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca
 ## Installing
-Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
+### Debian
-The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian stable (bullseye) we recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
+Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
+### Ubuntu
+For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
+How to add and install from the PPA:
+```sh
+sudo add-apt-repository ppa:deki/firejail
+sudo apt-get update
+sudo apt-get install firejail firejail-profiles
+```
+Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:
+* [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
+See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>:
+> What software is supported by the Ubuntu Security team?
+>
+> Ubuntu is currently divided into four components: main, restricted, universe
+> and multiverse. All binary packages in main and restricted are supported by
+> the Ubuntu Security team for the life of an Ubuntu release, while binary
+> packages in universe and multiverse are supported by the Ubuntu community.
+Additionally, the PPA version is likely to be more recent and to contain more profile fixes.
+See the following discussions for details:
+* [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666)
+* [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663)
+### Other
+Try installing Firejail from your distribution.
+Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
+Note: The firejail 0.9.52-LTS version is deprecated.
 You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
@@ -256,40 +296,61 @@ INTRUSION DETECTION SYSTEM (IDS)
              as it contains running processes.
 `````
+### Network Monitor
+`````
+       --nettrace=name|pid
+              Monitor TCP and UDP traffic coming into the sandbox specified by
+              name or pid. Only networked sandboxes  created  with  --net  are
+              supported.
+              $ firejail --nettrace=browser
+              9.9.9.9:53              =>      192.168.1.60    UDP: 122 B/sec
+              72.21.91.29:80          =>      192.168.1.60    TCP: 257 B/sec
+              80.92.126.65:123        =>      192.168.1.60    UDP: 25 B/sec
+              69.30.241.50:443        =>      192.168.1.60    TCP: 88 KB/sec
+              140.82.112.4:443        =>      192.168.1.60    TCP: 1861 B/sec
+              (14 streams in the last one minute)
+`````
 ### Profile Statistics
-A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+Run it over the profiles in /etc/profiles:
 ```
-$ sudo cp src/profstats/profstats /etc/firejail/.
+$ /usr/lib/firejail/profstats /etc/firejail/*.profile
-$ cd /etc/firejail
+No include .local found in /etc/firejail/noprofile.profile
-$ ./profstats *.profile
+Warning: multiple caps in /etc/firejail/transmission-daemon.profile
-    profiles                    1167
-    include local profile       1167   (include profile-name.local)
+Stats:
-    include globals             1136   (include globals.local)
+    profiles                    1176
-    blacklist ~/.ssh            1042   (include disable-common.inc)
+    include local profile       1175   (include profile-name.local)
-    seccomp                     1062
+    include globals             1144   (include globals.local)
-    capabilities                1163
+    blacklist ~/.ssh            1050   (include disable-common.inc)
-    noexec                      1049   (include disable-exec.inc)
+    seccomp                     1070
-    noroot                      971
+    capabilities                1171
-    memory-deny-write-execute   256
+    noexec                      1057   (include disable-exec.inc)
-    apparmor                    693
+    noroot                      979
-    private-bin                 677
+    memory-deny-write-execute   258
-    private-dev                 1027
+    apparmor                    700
-    private-etc                 532
+    private-bin                 681
-    private-tmp                 897
+    private-dev                 1033
-    whitelist home directory    557
+    private-etc                 533
-    whitelist var               836   (include whitelist-var-common.inc)
+    private-tmp                 905
-    whitelist run/user          1137   (include whitelist-runuser-common.inc
+    whitelist home directory    562
+    whitelist var               842   (include whitelist-var-common.inc)
+    whitelist run/user          1145   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         609   (include whitelist-usr-share-common.inc
+    whitelist usr/share         614   (include whitelist-usr-share-common.inc
-    net none                    396
+    net none                    399
-    dbus-user none              656
+    dbus-user none              662
-    dbus-user filter            108
+    dbus-user filter            113
-    dbus-system none            808
+    dbus-system none            816
    dbus-system filter          10
 ```
 ### New profiles:
 clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
-cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser
+cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser, CachyBrowser

diff --git a/README.md b/README.md index 33b23f418..e52a02d34 100644 --- a/README.md +++ b/README.md
@@ -94,9 +94,49 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca
94		94
95	## Installing	95	## Installing
96		96
97	Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.	97	### Debian
98		98
99	The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian stable (bullseye) we recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.	99	Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
		100
		101	### Ubuntu
		102
		103	For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are strongly advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
		104
		105	How to add and install from the PPA:
		106
		107	```sh
		108	sudo add-apt-repository ppa:deki/firejail
		109	sudo apt-get update
		110	sudo apt-get install firejail firejail-profiles
		111	```
		112
		113	Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:
		114
		115	* [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
		116
		117	See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>:
		118
		119	> What software is supported by the Ubuntu Security team?
		120	>
		121	> Ubuntu is currently divided into four components: main, restricted, universe
		122	> and multiverse. All binary packages in main and restricted are supported by
		123	> the Ubuntu Security team for the life of an Ubuntu release, while binary
		124	> packages in universe and multiverse are supported by the Ubuntu community.
		125
		126	Additionally, the PPA version is likely to be more recent and to contain more profile fixes.
		127
		128	See the following discussions for details:
		129
		130	* [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666)
		131	* [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663)
		132
		133	### Other
		134
		135	Try installing Firejail from your distribution.
		136
		137	Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
		138
		139	Note: The firejail 0.9.52-LTS version is deprecated.
100		140
101	You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:	141	You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
102		142
@@ -256,40 +296,61 @@ INTRUSION DETECTION SYSTEM (IDS)
256	as it contains running processes.	296	as it contains running processes.
257	`````	297	`````
258		298
		299	### Network Monitor
		300	`````
		301	--nettrace=name\|pid
		302	Monitor TCP and UDP traffic coming into the sandbox specified by
		303	name or pid. Only networked sandboxes created with --net are
		304	supported.
		305
		306	$ firejail --nettrace=browser
		307	9.9.9.9:53 => 192.168.1.60 UDP: 122 B/sec
		308	72.21.91.29:80 => 192.168.1.60 TCP: 257 B/sec
		309	80.92.126.65:123 => 192.168.1.60 UDP: 25 B/sec
		310	69.30.241.50:443 => 192.168.1.60 TCP: 88 KB/sec
		311	140.82.112.4:443 => 192.168.1.60 TCP: 1861 B/sec
		312
		313	(14 streams in the last one minute)
		314
		315	`````
		316
259	### Profile Statistics	317	### Profile Statistics
260		318
261	A small tool to print profile statistics. Compile as usual and run in /etc/profiles:	319	A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
		320	Run it over the profiles in /etc/profiles:
262	```	321	```
263	$ sudo cp src/profstats/profstats /etc/firejail/.	322	$ /usr/lib/firejail/profstats /etc/firejail/*.profile
264	$ cd /etc/firejail	323	No include .local found in /etc/firejail/noprofile.profile
265	$ ./profstats *.profile	324	Warning: multiple caps in /etc/firejail/transmission-daemon.profile
266	profiles 1167	325
267	include local profile 1167 (include profile-name.local)	326	Stats:
268	include globals 1136 (include globals.local)	327	profiles 1176
269	blacklist ~/.ssh 1042 (include disable-common.inc)	328	include local profile 1175 (include profile-name.local)
270	seccomp 1062	329	include globals 1144 (include globals.local)
271	capabilities 1163	330	blacklist ~/.ssh 1050 (include disable-common.inc)
272	noexec 1049 (include disable-exec.inc)	331	seccomp 1070
273	noroot 971	332	capabilities 1171
274	memory-deny-write-execute 256	333	noexec 1057 (include disable-exec.inc)
275	apparmor 693	334	noroot 979
276	private-bin 677	335	memory-deny-write-execute 258
277	private-dev 1027	336	apparmor 700
278	private-etc 532	337	private-bin 681
279	private-tmp 897	338	private-dev 1033
280	whitelist home directory 557	339	private-etc 533
281	whitelist var 836 (include whitelist-var-common.inc)	340	private-tmp 905
282	whitelist run/user 1137 (include whitelist-runuser-common.inc	341	whitelist home directory 562
		342	whitelist var 842 (include whitelist-var-common.inc)
		343	whitelist run/user 1145 (include whitelist-runuser-common.inc
283	or blacklist ${RUNUSER})	344	or blacklist ${RUNUSER})
284	whitelist usr/share 609 (include whitelist-usr-share-common.inc	345	whitelist usr/share 614 (include whitelist-usr-share-common.inc
285	net none 396	346	net none 399
286	dbus-user none 656	347	dbus-user none 662
287	dbus-user filter 108	348	dbus-user filter 113
288	dbus-system none 808	349	dbus-system none 816
289	dbus-system filter 10	350	dbus-system filter 10
290	```	351	```
291		352
292	### New profiles:	353	### New profiles:
293		354
294	clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,	355	clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
295	cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser	356	cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser, CachyBrowser