From d3965324d298d60c1f2ac59790e8f9b983aeb7ea Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 31 May 2016 06:51:49 -0400
Subject: 0.9.41 development starting
---
 README.md | 258 +----------------------------------------------------------
 configure | 18 ++---
 configure.ac | 2 +-
 3 files changed, 11 insertions(+), 267 deletions(-)
diff --git a/README.md b/README.md
index b08be89c9..c61543452 100644
--- a/README.md
+++ b/README.md
@@ -34,260 +34,4 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` ````` -# Current development version: 0.9.40~rc2 -Version 0.9.40-rc1 released! - -## X11 sandboxing support - -X11 support is built around Xpra (http://xpra.org/) or Xephyr. -````` - --x11 Start a new X11 server using Xpra or Xephyr and attach the sand‐ - box to this server. The regular X11 server (display 0) is not - visible in the sandbox. This prevents screenshot and keylogger - applications started in the sandbox from accessing other X11 - displays. A network namespace needs to be instantiated in order - to deny access to X11 abstract Unix domain socket. - - Firejail will try first Xpra, and if Xpra is not installed on - the system, it will try to find Xephyr. This feature is not - available when running as root. - - Example: - $ firejail --x11 --net=eth0 firefox - - --x11=xpra - Start a new X11 server using Xpra (http://xpra.org) and attach - the sandbox to this server. Xpra is a persistent remote display - server and client for forwarding X11 applications and desktop - screens. On Debian platforms Xpra is installed with the command - sudo apt-get install xpra. This feature is not available when - running as root. - - Example: - $ firejail --x11 --net=eth0 firefox - - --x11=xephyr - Start a new X11 server using Xephyr and attach the sandbox to - this server. Xephyr is a display server implementing the X11 - display server protocol. It runs in a window just like other X - applications, but it is an X server itself in which you can run - other software. The default Xephyr window size is 800x600. This - can be modified in /etc/firejail/firejail.config file, see man 5 - firejail-config for more details. - - The recommended way to use this feature is to run a window man‐ - ager inside the sandbox. A security profile for OpenBox is pro‐ - vided. On Debian platforms Xephyr is installed with the command - sudo apt-get install xserver-xephyr. 
This feature is not avail‐ - able when running as root. - - Example: - $ firejail --x11 --net=eth0 openbox -````` -More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ - -## File transfers -````` -FILE TRANSFER - These features allow the user to inspect the filesystem container of an - existing sandbox and transfer files from the container to the host - filesystem. - - --get=name filename - Retrieve the container file and store it on the host in the cur‐ - rent working directory. The container is specified by name - (--name option). Full path is needed for filename. - - --get=pid filename - Retrieve the container file and store it on the host in the cur‐ - rent working directory. The container is specified by process - ID. Full path is needed for filename. - - --ls=name dir_or_filename - List container files. The container is specified by name - (--name option). Full path is needed for dir_or_filename. - - --ls=pid dir_or_filename - List container files. The container is specified by process ID. - Full path is needed for dir_or_filename. - - Examples: - - $ firejail --name=mybrowser --private firefox - - $ firejail --ls=mybrowser ~/Downloads - drwxr-xr-x netblue netblue 4096 . - drwxr-xr-x netblue netblue 4096 .. - -rw-r--r-- netblue netblue 7847 x11-x305.png - -rw-r--r-- netblue netblue 6800 x11-x642.png - -rw-r--r-- netblue netblue 34139 xpra-clipboard.png - - $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png -````` - -## Firecfg -````` -NAME - Firecfg - Desktop configuration program for Firejail software. - -SYNOPSIS - firecfg [OPTIONS] - -DESCRIPTION - Firecfg is the desktop configuration utility for Firejail software. The - utility creates several symbolic links to firejail executable. This - allows the user to sandbox applications automatically, just by clicking - on a regular desktop menus and icons. - - The symbolic links are placed in /usr/local/bin. 
For more information, - see DESKTOP INTEGRATION section in man 1 firejail. - -OPTIONS - --clean - Remove all firejail symbolic links - - -?, --help - Print options end exit. - - --list List all firejail symbolic links - - --version - Print program version and exit. - - Example: - - $ sudo firecfg - /usr/local/bin/firefox created - /usr/local/bin/vlc created - [...] - $ firecfg --list - /usr/local/bin/firefox - /usr/local/bin/vlc - [...] - $ sudo firecfg --clean - /usr/local/bin/firefox removed - /usr/local/bin/vlc removed - [...] -````` - - -## Compile time and run time configuration support - -Most Linux kernel security features require root privileges during configuration. -The same is true for kernel networking features. Firejail (SUID binary) opens the -access to these features to regular users. The privilege escalation is restricted -to the sandbox being configured, and is not extended to the rest of the system. -This arrangement works fine for user desktops or servers where the access is already limited. - -If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time, -or at run time by editing /etc/firejail/firejail.config file. - -The following features can be enabled or disabled: -````` - bind Enable or disable bind support, default enabled. - - chroot Enable or disable chroot support, default enabled. - - file-transfer - Enable or disable file transfer support, default enabled. - - network - Enable or disable networking features, default enabled. - - restricted-network - Enable or disable restricted network support, default disabled. - If enabled, networking features should also be enabled (network - yes). Restricted networking grants access to --interface, - --net=ethXXX and --netfilter only to root user. Regular users - are only allowed --net=none. Default disabled - - secomp Enable or disable seccomp support, default enabled. - - userns Enable or disable user namespace support, default enabled. 
- - x11 Enable or disable X11 sandboxing support, default enabled. - - force-nonewprivs - Force use of theh NO_NEW_PRIVS prctl(2) flag. - This mitigates the possibility of a user abusing firejail's - features to trick a privileged (suid or file capabilities) - process into loading code or configuration that is partially - under their control. Default disabled - - xephyr-screen - Screen size for --x11=xephyr, default 800x600. Run - /usr/bin/xrandr for a full list of resolutions available on your - specific setup. Examples: - - xephyr-screen 640x480 - xephyr-screen 800x600 - xephyr-screen 1024x768 - xephyr-screen 1280x1024 -````` - -## Default seccomp filter update - -Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). - -## STUN/WebRTC disabled in default netfilter configuration - -The current netfilter configuration (--netfilter option) looks like this: -````` - *filter - :INPUT DROP [0:0] - :FORWARD DROP [0:0] - :OUTPUT ACCEPT [0:0] - -A INPUT -i lo -j ACCEPT - -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - # allow ping - -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT - -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT - -A INPUT -p icmp --icmp-type echo-request -j ACCEPT - # drop STUN (WebRTC) requests - -A OUTPUT -p udp --dport 3478 -j DROP - -A OUTPUT -p udp --dport 3479 -j DROP - -A OUTPUT -p tcp --dport 3478 -j DROP - -A OUTPUT -p tcp --dport 3479 -j DROP - COMMIT -````` - -The filter is loaded by default for Firefox if a network namespace is configured: -````` -$ firejail --net=eth0 firefox -````` - -## Set sandbox nice value -````` - --nice=value - Set nice value for all processes running inside the sandbox. - - Example: - $ firejail --nice=-5 firefox -````` - -## mkdir - -````` -$ man firejail-profile -[...] - mkdir directory - Create a directory in user home. Use this command for - whitelisted directories you need to preserve when the sandbox is - closed. 
Subdirectories also need to be created using mkdir.
- Example from firefox profile:
-
- mkdir ~/.mozilla
- whitelist ~/.mozilla
- mkdir ~/.cache
- mkdir ~/.cache/mozilla
- mkdir ~/.cache/mozilla/firefox
- whitelist ~/.cache/mozilla/firefox
-
-[...]
-`````
-
-## New security profiles
-lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
-OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
-Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss,
-cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation, Brave
+# Current development version: 0.9.41
diff --git a/configure b/configure
index 946fb99bc..66b1663f9 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.40.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.41.
 #
 # Report bugs to .
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.40'
-PACKAGE_STRING='firejail 0.9.40'
+PACKAGE_VERSION='0.9.41'
+PACKAGE_STRING='firejail 0.9.41'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
@@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then
 # Omit some internal or obsolete options to make the list less imposing.
 # This message is too long to be a string in the A/UX 3.1 sh.
 cat <<_ACEOF
-\`configure' configures firejail 0.9.40 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.41 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1307,7 +1307,7 @@ fi
 if test -n "$ac_init_help"; then
 case $ac_init_help in
- short | recursive ) echo "Configuration of firejail 0.9.40:";;
+ short | recursive ) echo "Configuration of firejail 0.9.41:";;
 esac
 cat <<\_ACEOF
@@ -1403,7 +1403,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
 cat <<\_ACEOF
-firejail configure 0.9.40
+firejail configure 0.9.41
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.40, which was
+It was created by firejail $as_me 0.9.41, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 $ $0 $@
@@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.40, which was
+This file was extended by firejail $as_me 0.9.41, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 CONFIG_FILES = $CONFIG_FILES
@@ -4238,7 +4238,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.40
+firejail config.status 0.9.41
 configured by $0, generated by GNU Autoconf 2.69,
 with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 47048046b..ef6a11af5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.40, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.41, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
-- 
cgit v1.2.3-70-g09d2