From 0533d6cbf29cdcd523aee57291cc0ff1dc72070f Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Thu, 7 Jan 2021 13:53:56 +0100
Subject: update manpages and RELNOTES

---
 RELNOTES | 1 +
 etc/templates/syscalls.txt | 2 +-
 src/man/firejail-profile.txt | 5 +++++
 src/man/firejail.txt | 2 +-
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index 5f5b451e1..a5f25c181 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.65) baseline; urgency=low
 * --disable-usertmpfs compile time option
 * allow AF_BLUETOOTH via --protocol=bluetooth
 * Setup guide for new users: contrib/firejail-welcome.sh
+ * implement netns in profiles
 * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
 * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
 * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index c454887dd..ebc648548 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -35,7 +35,7 @@ Definition of groups
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
-@default-keep=execve,prctl
+@default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
 @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9524254c1..030a3c95c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
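Review bot: Adding execveat to @default-keep means a `seccomp.keep` list that omits it can no longer block that call in the initial filter, and execveat is a second exec entry point (it can execute an open file descriptor, e.g. a memfd), so this exemption carries the same weight as the existing execve one. The firejail.txt hunk in this commit says the @default-keep calls "are handled with the preload library"; nothing in this commit shows that the post-exec filter was also extended to execveat, so please confirm that in the filter code, otherwise execveat stays permanently allowed while execve is dropped after exec. A sentence in this template next to the group would help readers, e.g. `@default-keep is exempted from the initial filter and must match exactly what the preload library re-applies after exec.` Minor: this line orders the calls `execveat,execve,prctl` while firejail.txt lists `prctl, execve, execveat`; using one order in both places avoids readers wondering whether the lists differ.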
@@ -861,6 +861,11 @@ Use this option when you want to assign an IP address in a new namespace and the parent interface specified by --net is not configured. An IP address and a default gateway address also have to be added.
+.TP
+\fBnetns namespace
+Run the program in a named, persistent network namespace. These can
+be created and configured using "ip netns".
+
 .TP
 \fBveth-name name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 347e2b31b..e72ef48c2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2273,7 +2273,7 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
-The system calls needed by Firejail (group @default-keep: prctl, execve)
+The system calls needed by Firejail (group @default-keep: prctl, execve, execveat)
 are handled with the preload library. On a 64 bit architecture, an additional filter for 32 bit system calls can be installed with \-\-seccomp.32.keep.
-- 
cgit v1.2.3-70-g09d2
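Review bot: The new `netns` entry should state what the sandbox gives up compared with `net`: it joins an existing, persistent namespace instead of creating a private one, so it shares that namespace's interfaces, routes and any other process placed there, and the namespace's configuration is outside the sandbox's control. Suggested sentence after `be created and configured using "ip netns".`: `Unlike net, no private namespace is created; the sandbox shares the named namespace with every other process that joins it, and the namespace presumably has to exist before the sandbox starts.` The neighbouring entries cross-reference their command-line form (e.g. `--net=bridge_interface`); if a matching `--netns` option exists, naming it here would help readers find the two descriptions.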