From 89fa2a7562e84338d88ea83777861f00e545135d Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sat, 15 Dec 2018 17:00:49 +0100 Subject: enforce nonewprivs instead of seccomp for chroot sandboxes currently users are able to specify a seccomp filter of their choosing, leaving the real defense to nonewprivs anyway. --- src/man/firejail.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/man') diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 66663be35..9c1133756 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -100,8 +100,8 @@ $ firejail --allusers Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. .TP \fB\-\-appimage -Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started as a -regular user, default seccomp and capabilities filters are enabled. +Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started +as a regular user, nonewprivs and a default capabilities filter are enabled. .br .br @@ -275,7 +275,7 @@ Example: \fB\-\-chroot=dirname Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. If the sandbox is started as a -regular user, default seccomp and capabilities filters are enabled. +regular user, nonewprivs and a default capabilities filter are enabled. .br .br 
@@ -1287,7 +1287,7 @@ Similar to \-\-output, but stderr is also stored. Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/ directory. -If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled. +If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled. .br .br @@ -1307,7 +1307,7 @@ Mount a filesystem overlay on top of the current filesystem. Unlike the regular the system directories are mounted read-write. All filesystem modifications go into the overlay. Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/ directory. The created overlay can be reused between multiple sessions. -If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled. +If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled. .br .br @@ -1325,7 +1325,7 @@ $ firejail \-\-overlay-named=jail1 firefox \fB\-\-overlay-tmpfs Mount a filesystem overlay on top of the current filesystem. All filesystem modifications are discarded when the sandbox is closed. Directories /run, /tmp and /dev are not covered by the overlay. -If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled. +If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled. .br .br -- cgit v1.2.3-70-g09d2
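Review bot: The subject line names only chroot sandboxes, but the hunk at @@ -100,8 changes the \-\-appimage text and the three hunks from @@ -1287,7 onward change \-\-overlay, \-\-overlay-named and \-\-overlay-tmpfs in the same way. Either widen the subject and message to list all five options, or split the non-chroot wording into its own commit. The diffstat shown here is limited to src/man, so please confirm that the appimage and overlay code paths really do set nonewprivs, so the man page does not promise more than the code delivers. Minor: the \-\-appimage hunk also re-wraps the first sentence ("is started as a" moves to the next line), which turns a one-line wording change into a two-line diff. Keeping the original line break would make the change easier to read.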
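Review bot: In the \-\-chroot hunk at @@ -275,7 (and the identical sentence in the other four hunks), the new wording "nonewprivs and a default capabilities filter are enabled" drops seccomp without saying what now happens to it. A reader who relied on the old sentence cannot tell from the man page whether a default seccomp filter still applies to a regular-user chroot or has to be requested explicitly. Suggest adding one sentence that states this, and that carries over the rationale from the commit message (a user-chosen seccomp filter is not the real defense, nonewprivs is). It would also help to write the term as the option it refers to, e.g. \fB\-\-nonewprivs\fR, matching how the page marks up other options, so readers can find its description.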