| Commit message (Collapse) | Author | Age |
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We do not start /bin/bash in the sandbox, we use $SHELL (which is
usually /bin/bash). See #3434 and #3844. This commit updates the
manpage accordingly until #3434 is resolved with a final solution like
using /bin/bash or /bin/sh as hardcoded default. Close #3844.
The descriptions of --join* are not updated as there is currenly some
work, see #2934 and #3850.
|
| |
|
| |
|
| |
|
|
|
|
| |
appimages (#3530)
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
Allow `log` as an alternative seccomp error action instead of killing
or returning an errno code.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|/ |
|
|
|
|
|
|
|
|
|
| |
* Man pages: link to .profile resolution, urls
* Man pages: firejail-profile add link to wiki profile creation
* Man pages: line break, slash in path
* Man pages remove space before dots
|
|
|
|
|
|
|
|
| |
Add verbiage to the man pages clarifying that the files/directories in
the lists given to options such as --private-bin must be relative to
the directory that is being limited (e.g., --private-opt requires a
list of files/directories that are relative to /opt).
Signed-off-by: Jeff Squyres <jeff@squyres.com>
|
| |
|
|
|
|
|
|
| |
firejail can blacklist (and now also whitelist) files based on glob
pattern. This pattern is evaluated at firejail start, and not updated
at run time. This patch documents this behavior.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
|
|
|
|
| |
- spelling suggestion from @glitsj16 on fda62527
- drop python2 from openshot it never has a python2 version
- #3126 note in manpage: cannot combine --private with --private=
|
| |
|
|
|
| |
Fixes #3135.
|
| |
|
| |
|
| |
|
|\ |
|
| | |
|
|/ |
|
|\
| |
| | |
Add further seccomp groups
|
| |
| |
| |
| | |
Get further seccomp group definitions from systemd.
|
|/
|
|
|
|
|
| |
Prefix ! can be used to make exceptions to system call blacklists and
whitelists used by seccomp, seccomp.drop and seccomp.keep.
Closes #1366
|
|
|
|
|
|
|
|
|
|
|
|
| |
- install contrib/syscalls.sh
- add GitLab-CI status to README.md
- read-only ${HOME}/.cargo/env
- move blacklist ${HOME}/.cargo/registry, ${HOME}/.cargo/config to
disable-programs
- typo in man firejail firejail-profiles firecfg
- better descriptions in man firejail-profiles
- fixes in man firejail
- template descriptions in firejail-profiles
|
| |
|
| |
|
|
|
|
| |
(found by lintian)
|
|\
| |
| | |
Add private-cwd option to control working directory within jail
|
| | |
|