We are happy to announce the release of Firejail version 0.9.24. Firejail is a generic Linux namespaces security sandbox, capable of running graphical interface programs as well as server programs. This release fixes a number of bugs reported by users, updates the default profiles, and brings in several new features:
A double dash ("--") signals the end of command line options and disables further option processing. It is used mainly for building commands when program or directory names start with a dash ("-"). Example:
$ firejail --private -- -somedirectory/myprogram
By default Firejail runs all programs through "/bin/bash -c". The new --shell=none option allows the user to run the program directly, without a POSIX shell. The program has to be an ELF binary. Example:
$ firejail --shell=none myprogram
Seccomp Whitelist and Blacklist Filters
This release introduces whitelist and blacklist support for seccomp filters. The current seccomp commands are as follows:
--seccomp
    Enable seccomp filter and blacklist the syscalls in the default list.
--seccomp=syscall,syscall,syscall
    Enable seccomp filter, blacklist the default list and the syscalls specified by the command.
--seccomp.drop=syscall,syscall,syscall
    Enable seccomp filter, and blacklist the syscalls specified by the command.
--seccomp.keep=syscall,syscall,syscall
    Enable seccomp filter, and whitelist the syscalls specified by the command.
--seccomp.print=name
    Print the seccomp filter for the sandbox started using --name option.
New syscalls have been added to the default blacklist filter enabled by the --seccomp command. The current list is as follows: mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, mknod, sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp.
Note: the empty attribute for the --seccomp command was removed. Use --seccomp.drop instead.
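An added example, not part of Firejail or of the original announcement: a small Python model of the option semantics listed above that reports which syscalls from the default blacklist a given command line would still leave reachable. The sample command lines are constructed, and the rule that a later seccomp option replaces an earlier one is an assumption of this model.

```python
import shlex

# Default blacklist enabled by --seccomp, copied from the list in this announcement.
DEFAULT_BLACKLIST = frozenset(
    "mount umount2 ptrace kexec_load open_by_handle_at init_module "
    "finit_module delete_module iopl ioperm swapon swapoff syslog "
    "process_vm_readv process_vm_writev mknod sysfs _sysctl adjtimex "
    "clock_adjtime lookup_dcookie perf_event_open fanotify_init kcmp".split()
)

def parse_seccomp(cmdline):
    """Return (mode, syscalls); mode is 'none', 'blacklist' or 'whitelist'."""
    mode, names = "none", set()
    for arg in shlex.split(cmdline)[1:]:
        # "--" ends option processing; the first non-option is the program.
        if arg == "--" or not arg.startswith("--"):
            break
        opt, _, value = arg.partition("=")
        listed = {s for s in value.split(",") if s}
        # Assumption of this model: a later seccomp option replaces an earlier one.
        if opt == "--seccomp":
            mode, names = "blacklist", set(DEFAULT_BLACKLIST) | listed
        elif opt == "--seccomp.drop":
            mode, names = "blacklist", listed   # default list is NOT included
        elif opt == "--seccomp.keep":
            mode, names = "whitelist", listed
    return mode, names

def exposed_defaults(cmdline):
    """Default-list syscalls that the resulting filter would still allow."""
    mode, names = parse_seccomp(cmdline)
    if mode == "whitelist":
        return sorted(DEFAULT_BLACKLIST & names)   # explicitly kept
    if mode == "blacklist":
        return sorted(DEFAULT_BLACKLIST - names)   # not blocked
    return sorted(DEFAULT_BLACKLIST)               # no filter at all

if __name__ == "__main__":
    samples = [  # constructed command lines
        "firejail --seccomp myprogram",
        "firejail --seccomp=chmod,fchmod myprogram",
        "firejail --seccomp.drop=chmod,fchmod myprogram",
        "firejail --seccomp.keep=read,write,ptrace,exit_group myprogram",
        "firejail --private -- -somedirectory/myprogram --seccomp",
    ]
    for s in samples:
        left = exposed_defaults(s)
        print(f"{s}\n    mode={parse_seccomp(s)[0]}, default-list syscalls allowed: {len(left)}")
```

In this model, --seccomp.drop=chmod,fchmod leaves all 24 default-list syscalls allowed, whereas --seccomp=chmod,fchmod blocks them along with chmod and fchmod.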
Default profiles updates
There are several updates for the default application profiles stored in /etc/firejail. Most of them now disable all Linux capabilities (--caps.drop=all). New default profiles have been added for Audacious, Clementine, gnome-mplayer, Rhythmbox and Totem (Gnome Videos). The default profiles now cover the most popular video and audio players.
For more information please visit the project page.