firejail can blacklist (and now also whitelist) files based on glob
pattern. This pattern is evaluated at firejail start, and not updated
at run time. This patch documents this behavior.
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
- spelling suggestion from @glitsj16 on fda62527
- drop python2 from openshot it never has a python2 version
- #3126 note in manpage: cannot combine --private with --private=
Fixes #3135.
Add further seccomp groups
Get further seccomp group definitions from systemd.
Prefix ! can be used to make exceptions to system call blacklists and
whitelists used by seccomp, seccomp.drop and seccomp.keep.
Closes #1366
- install contrib/syscalls.sh
- add GitLab-CI status to README.md
- read-only ${HOME}/.cargo/env
- move blacklist ${HOME}/.cargo/registry, ${HOME}/.cargo/config to
disable-programs
- typo in man firejail firejail-profiles firecfg
- better descriptions in man firejail-profiles
- fixes in man firejail
- template descriptions in firejail-profiles
(found by lintian)
Add private-cwd option to control working directory within jail
child's exit code regardless of the termination ordering of orphaned children
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* Remove obsolete snap support from disable-programs.inc
* Remove obsolete snap support from pycharm-community.profile
* Update RELNOTES to reflect non-existing/dropped flatpak/snap support
* Update firejail.txt to reflect flatpak/snap packages are not supported
Some profiles may need adjusting if app uses memfd_create(2) and
memory-deny-write-execute was enabled.
As per discussion on https://github.com/netblue30/firejail/pull/2390, we better use slightly stronger/less optional wording when it comes to where local apparmor overrides need to be done.
profiles
enforce nonewprivs instead of seccomp for chroot sandboxes
currently users are able to specify a seccomp filter of their
choosing, leaving the real defense to nonewprivs anyway.
refactor private-cache and tmpfs
has the immediate benefit that the result of combining
--noexec and --tmpfs does not depend on the sequence of
the options
Found using `codespell -q 3 -L shotcut,objext,als,ans,creat,varius,chage,tthe`
search, and disallow a directory to match as a profile file.