From d4323ae26f40216128cb461eccf98d1075e0236a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 14 Aug 2022 09:00:01 -0400 Subject: merges --- README | 2 ++ README.md | 37 +++++++++++++++++++++++++++++++++++++ RELNOTES | 10 ++++++---- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/README b/README index 713f5ca3f..99c7b17f0 100644 --- a/README +++ b/README @@ -182,6 +182,8 @@ avoidr (https://github.com/avoidr) - added mcabber profile - fixed mpv profile - various other fixes +Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) + - add support for custom AppArmor profiles (--apparmor=) backspac (https://github.com/backspac) - firecfg fixes - add steam-runtime alias diff --git a/README.md b/README.md index 5a0991294..30e67bb16 100644 --- a/README.md +++ b/README.md @@ -182,6 +182,43 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe Milestone page: https://github.com/netblue30/firejail/milestone/1 +### Restrict namespaces + +````` + --restrict-namespaces + Install a seccomp filter that blocks attempts to create new + cgroup, ipc, net, mount, pid, time, user or uts namespaces. + + Example: + $ firejail --restrict-namespaces + + --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts + Install a seccomp filter that blocks attempts to create any of + the specified namespaces. The filter examines the arguments of + clone, unshare and setns system calls and returns error EPERM to + the process (or kills it or logs the attempt, see --seccomp-er‐ + ror-action below) if necessary. Note that the filter is not able + to examine the arguments of clone3 system calls, and always re‐ + sponds to these calls with error ENOSYS. + + Example: + $ firejail --restrict-namespaces=user,net +````` + +#### Support for custom AppArmor profiles + +````` + --apparmor + Enable AppArmor confinement with the "firejail-default" AppArmor + profile. For more information, please see APPARMOR section be‐ + low. + + --apparmor=profile_name + Enable AppArmor confinement with a custom AppArmor profile. + Note that profile in question must already be loaded into the + kernel. For more information, please see APPARMOR section be‐ +````` + ### Profile Statistics A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. diff --git a/RELNOTES b/RELNOTES index 84406e5d4..63da0ae5d 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,13 +1,15 @@ firejail (0.9.71) baseline; urgency=low * work in progress - * feat: On failing to remount a fuse filesystem, give warning instead of - * erroring out (#5240 #5242) - * build: deduplicate configure-time vars into new config files (#5140 #5284) + * feature: restrict namespaces (--restrict-namespaces) inplemented as + a seccomp filter for both 64 and 32 bit architectures + * feature: On failing to remount a fuse filesystem, give warning instead of + erroring out (#5240 #5242) + * feature: support for custom AppArmor profiles (--apparmor=) (#5274) + * build: deduplicate configure-time vars into new config files (#5140) * build: fix file mode of shell scripts (644 -> 755) (#5206) * build: reduce autoconf input files from 32 to 2 (#5219) * build: add dist build directory to .gitignore (#5248) * build: add autoconf auto-generation comment to input files (#5251) - * build: Add files make uninstall forgot to remove (#5283) * ci: ignore git-related paths and the project license (#5249) -- netblue30 Sat, 11 Jun 2022 09:00:00 -0500 -- cgit v1.2.3-54-g00ecf