From c07e4d109fecacfa96e0e14e2b470895d9629574 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 19 Mar 2016 09:18:24 -0400
Subject: run time configuration support
---
 Makefile.in | 12 +++++++++---
 README.md | 37 +++++++++++++++++++++++++++++++++++++
 RELNOTES | 1 +
 src/man/firejail-login.txt | 2 +-
 src/man/firejail-profile.txt | 1 +
 src/man/firejail.txt | 1 +
 src/man/firemon.txt | 1 +
 7 files changed, 51 insertions(+), 4 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 20df3acf9..29d8004f3 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5
+all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5 firejail-config.5
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee
@@ -33,6 +33,8 @@ firejail-profile.5: src/man/firejail-profile.txt
 ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5
 firejail-login.5: src/man/firejail-login.txt
 ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5
+firejail-config.5: src/man/firejail-config.txt
+ ./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5
 clean:
 for dir in $(APPS); do \
@@ -41,7 +43,7 @@ clean:
 for dir in $(MYLIBS); do \
 $(MAKE) -C $$dir clean; \
 done
- rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm
+ rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm
 distclean: clean
 for dir in $(APPS); do \
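Review bot: The new `firejail-config.5` rule in the `@@ -33,6 +33,8 @@` hunk names `src/man/firejail-config.txt` as its prerequisite, but that file is not among the seven files in this commit's diffstat. Because the `@@ -1,4 +1,4 @@` hunk also adds `firejail-config.5` to `all`, a default build would stop on the missing prerequisite unless the source page is already in the tree; please confirm it is, or add it in this commit. As a style point, the recipe can use automatic variables instead of repeating both names: `./mkman.sh $(VERSION) $< $@`. The page name is also hand-copied into `all`, `clean` (`@@ -41,7 +43,7 @@`), `realinstall` and `uninstall`; a single man-page list variable would keep those lists from drifting apart.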
@@ -160,13 +162,16 @@ realinstall:
 gzip -9n firejail-profile.5
 rm -f firejail-login.5.gz
 gzip -9n firejail-login.5
+ rm -f firejail-config.5.gz
+ gzip -9n firejail-config.5
 install -m 0755 -d $(DESTDIR)/$(mandir)/man1
 install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/.
 install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/.
 install -m 0755 -d $(DESTDIR)/$(mandir)/man5
 install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/.
 install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/.
- rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz
+ install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/.
+ rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz
 # bash completion
 install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
 install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
@@ -193,6 +198,7 @@ uninstall:
 rm -f $(DESTDIR)/$(mandir)/man1/firemon.1*
 rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5*
 rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5*
+ rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5*
 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
diff --git a/README.md b/README.md
index b3eb112bc..2406cfc49 100644
--- a/README.md
+++ b/README.md
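Review bot: The added `rm -f firejail-config.5.gz` and `gzip -9n firejail-config.5` lines in the `realinstall` hunk (`@@ -160,13 +162,16 @@`) compress the page inside the build directory during the install step, which is usually the one step run with root privileges. gzip replaces `firejail-config.5` with the `.gz`, and the closing `rm -f` then deletes that as well, so every install leaves `all` out of date and, when run as root, leaves the source tree modified by root. For a package that installs a SUID binary it is worth limiting the privileged step to plain `install` calls. Build the compressed page in an unprivileged rule such as `firejail-config.5.gz: firejail-config.5` with the recipe `gzip -9nc $< > $@`, and have `realinstall` only copy it. The body of `realinstall` starts and ends outside this hunk, so its prerequisites cannot be checked from here.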
@@ -89,6 +89,43 @@ FILE TRANSFER
 $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
 `````
+## Compile time and run time configuration support
+
+Most Linux kernel security features require root privileges during configuration.
+The same is true for kernel networking features. Firejail (SUID binary) opens the
+access to these features to regular users. The privilege escalation is restricted
+to the sandbox being configured, and is not extended to the rest of the system.
+This arrangement works fine for user desktops or servers where the access is already limited.
+
+If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
+or at run time by editing /etc/firejail/firejail.config file.
+
+The following features can be enabled or disabled:
+`````
+ secomp Enable or disable seccomp support, default enabled.
+
+ chroot Enable or disable chroot support, default enabled.
+
+ bind Enable or disable bind support, default enabled.
+
+ network
+ Enable or disable networking features, default enabled.
+
+ restricted-network
+ Enable or disable restricted network support, default disabled.
+ If enabled, networking features should also be enabled (network
+ yes). Restricted networking grants access to --interface and
+ --net=ethXXX only to root user. Regular users are only allowed
+ --net=none.
+
+ userns Enable or disable user namespace support, default enabled.
+
+ x11 Enable or disable X11 sandboxing support, default enabled.
+
+ file-transfer
+ Enable or disable file transfer support, default enabled.
+`````
+
 ## Default seccomp filter update
 Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
diff --git a/RELNOTES b/RELNOTES
index 00695006e..03261ddf7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,6 +7,7 @@ firejail (0.9.39) baseline; urgency=low
 * added mkdir, ipc-namespace and nosound profile commands
 * --version also prints compile options
 * added compile-time option to restrict --net= to root only
+ * run time config support, man firejail-config
 * build rpm packages using "make rpms"
 * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
 * new profiles: qutebrowser, SlimJet
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index e5bcf9436..13d045ee4 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -33,6 +33,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-
+\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index c5de79118..82a0d2503 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -352,6 +352,7 @@ Homepage: http://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b72296387..f3c023aba 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1787,6 +1787,7 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 88b2ce59f..78a6dd5ea 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -107,5 +107,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
-- cgit v1.2.3-54-g00ecf