github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 06:06:02 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions

README.md

Browse source
This commit is contained in:
netblue30 2026-03-14 08:54:39 -04:00
parent 59c9598a1b
commit 4b3ab56040
1 changed files with 26 additions and 135 deletions
Download patch file Download diff file Expand all files Collapse all files

161
README.md
View file

@ -346,119 +346,9 @@ See `man firecfg` for details.
Note: Broken symlinks are ignored when searching for an executable in `$PATH`,
so uninstalling without doing the above should not cause issues.
## Latest released version: 0.9.78
## Latest released version: 0.9.80
This is an emergency release due to GTK library changes:
```
Applications that use glycin 2.0.0 or later via gdk-pixbuf2
(examples: Firefox, Thunderbird, GIMP) crash.
The library glycin provides a set of "safe" image format loaders
to gdk-pixbuf2, another library which is widely used in GTK-based
applications for loading images.
As of gdk-pixbuf2 2.44.1, the calls to glycin loaders are wrapped in
bubblewrap.
```
For details, see [#6906](https://github.com/netblue30/firejail/issues/6906).
## Current development version: 0.9.79
### --profile=filename|appname rework
Issue [#6896](https://github.com/netblue30/firejail/issues/6896): Require a
full path or a relative path for the filename.
```text
--profile=filename|appname
Load a custom security profile from filename, or use the name of
a specific application.
If the command line option --profile is not provided, Firejail
will attempt to extract the appname from the target program file
name. It will then search ~/.config/firejail directory for a
suitable profile, followed by a search in /etc/firejail/direc
tory.
Example:
$ firejail /usr/bin/firefox
Reading profile /home/netblue/.config/firejail/firefox.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
[...]
When using a filename, please include a full path or a relative
path.
$ firejail --profile=./firefox.profile /usr/bin/firefox
Reading profile ./firefox.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
[...]
--profile=appname comes in handy when running appimages:
$ firejail --appimage --profile=firefox firefox-
nightly-148.0.r20260103-x86_64.AppImage
Reading profile /home/netblue/.config/firejail/firefox.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
[...]
See man 5 firejail-profile for profile file syntax information.
For profile resolution details see https://github.com/net
blue30/firejail/wiki/Creating-Profiles.
```
### --unhide-pid1
```text
--unhide-pid1
Pid 1 is always present inside Firejail sandbox. By restricting
access to /proc kernel interface, general tools like ps are un
able to view and access this process. --unhide-pid1 option dis
ables this functionality. Example:
$ firejail --name=test ### by default pid 1 is not visible
[...]
Child process initialized in 59.41 ms
$ ps a
PID TTY STAT TIME COMMAND
4 ? S 0:00 /bin/bash
5 ? R+ 0:00 ps a
$ exit
Parent is shutting down, bye…
$ firejail --name=test --unhide-pid1 ### pid 1 is visible
[...]
Child process initialized in 58.29 ms
$ ps a
PID TTY STAT TIME COMMAND
1 ? S 0:00 firejail --name=test --unhide-pid1
4 ? S 0:00 /bin/bash
6 ? R+ 0:00 ps a
$ exit
Parent is shutting down, bye…
```
### --hostname-randomize
```text
--hostname-randomize
Set sandbox hostname to a random value generated by firejail.
This is incompatible with --hostname.
Example:
$ firejail --hostname-randomize /usr/bin/firefox
Note: Changing the hostname may cause breakage related to
networking (see #7048
<https://github.com/netblue30/firejail/issues/7048>) and may
cause X11 programs to crash on startup due to not being able to
authenticate to the X server (see #7062
<https://github.com/netblue30/firejail/issues/7062>).
```
## Current development version: 0.9.81
### Landlock support - ongoing/experimental
@ -523,32 +413,33 @@ Warning: multiple caps in /etc/firejail/transmission-daemon.profile
Warning: multiple caps in /etc/firejail/trivalent.profile
Stats:
profiles 1336
include local profile 1335 (include profile-name.local)
include globals 1301 (include globals.local)
blacklist ~/.ssh 1195 (include disable-common.inc)
seccomp 1207
capabilities 1329
noexec 1208 (include disable-exec.inc)
noroot 1099
memory-deny-write-execute 321
restrict-namespaces 1045
apparmor 860
private-bin 814
private-dev 1169
private-etc 837
private-cache 861
profiles 1342
include local profile 1341 (include profile-name.local)
include globals 1307 (include globals.local)
blacklist ~/.ssh 1201 (include disable-common.inc)
seccomp 1213
capabilities 1335
noexec 1214 (include disable-exec.inc)
noroot 1105
memory-deny-write-execute 320
restrict-namespaces 1048
apparmor 869
private-bin 817
private-dev 1172
private-etc 842
private-cache 865
private-lib 86
private-tmp 1030
whitelist home directory 656
whitelist var 969 (include whitelist-var-common.inc)
whitelist run/user 1299 (include whitelist-runuser-common.inc
private-tmp 1036
whitelist home directory 662
whitelist var 975 (include whitelist-var-common.inc)
whitelist run/user 1305 (include whitelist-runuser-common.inc
or blacklist ${RUNUSER})
whitelist usr/share 755 (include whitelist-usr-share-common.inc
whitelist usr/share 760 (include whitelist-usr-share-common.inc
net none 452
dbus-user none 761
dbus-user filter 202
dbus-system none 964
dbus-user none 766
dbus-user filter 206
dbus-system none 970
dbus-system filter 13
```