Guide to the Linux Manual




profile(5)

Security profile file syntax, and information about building new application profiles.

Security filters

The following security filters are currently implemented:

allow-debuggers Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv.

caps Enable default Linux capabilities filter.

caps.drop capability,capability,capability Deny given Linux capabilities.

caps.drop all Deny all Linux capabilities.

caps.keep capability,capability,capability Allow given Linux capabilities.

memory-deny-write-execute Install a seccomp filter to block attempts to create memory mappings that are both writable and executable, to change mappings to be executable or to create executable shared memory.

nonewprivs Sets the NO_NEW_PRIVS prctl. This ensures that child processes cannot acquire new privileges using execve(2); in particular, this means that calling a suid binary (or one with file capabilities) does not result in an increase of privilege.

noroot Use this command to enable a user namespace. The namespace has only one user, the current user. There is no root account (uid 0) defined in the namespace.

protocol protocol1,protocol2,protocol3 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. Recognized values: unix, inet, inet6, netlink, packet and bluetooth.

seccomp Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details.

seccomp.32 Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.

seccomp syscall,syscall,syscall Enable seccomp filter and deny the system calls in the list on top of default seccomp filter.

seccomp.32 syscall,syscall,syscall Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.

seccomp.block-secondary Enable seccomp filter and filter system call architectures so that only the native architecture is allowed.

seccomp.drop syscall,syscall,syscall Enable seccomp filter and deny the system calls in the list.

seccomp.32.drop syscall,syscall,syscall Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system.

seccomp.keep syscall,syscall,syscall Enable seccomp filter and allow the system calls in the list.

seccomp.32.keep syscall,syscall,syscall Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system.

seccomp-error-action kill | log | ERRNO Return a different error instead of EPERM to the process, kill it when an attempt is made to call a blocked system call, or allow but log the attempt.

x11 Enable X11 sandboxing.

x11 none Deny access to the /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in the ${XAUTHORITY} environment variable. Remove the DISPLAY and XAUTHORITY environment variables. Stop with an error message if the X11 abstract socket would be accessible in the jail.

x11 xephyr Enable X11 sandboxing with Xephyr server.

x11 xorg Enable X11 sandboxing with X11 security extension.

x11 xpra Enable X11 sandboxing with Xpra server.

x11 xvfb Enable X11 sandboxing with Xvfb server.

xephyr-screen WIDTHxHEIGHT Set screen size for x11 xephyr. This command should be included in the profile file before x11 xephyr command.

Example:

xephyr-screen 640x480
x11 xephyr
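The following is an added example, not code from firejail or from this manual page: a small Python linter that knows only the security filters documented above and checks a profile against their syntax (argument forms, the recognized protocol values, the kill | log | ERRNO forms of seccomp-error-action, and the rule that xephyr-screen must come before x11 xephyr). The two embedded profiles are constructed samples, and the assumption that ERRNO is an errno name such as EACCES is this example's own; lines the page does not document (filesystem commands and so on) are reported as unknown rather than judged.

```python
"""Linter for the security-filter lines of a firejail profile(5) file.

Added example, not firejail's own code. Only the filters documented on this
page are known; extend FLAG_FILTERS / LIST_FILTERS for other directives.
"""
import re

# Filters that take no argument.
FLAG_FILTERS = {
    "allow-debuggers", "caps", "memory-deny-write-execute", "nonewprivs",
    "noroot", "seccomp", "seccomp.32", "seccomp.block-secondary", "x11",
}
# Filters that take a comma-separated list (seccomp/seccomp.32 accept both forms).
LIST_FILTERS = {
    "caps.drop", "caps.keep", "protocol", "seccomp", "seccomp.32",
    "seccomp.drop", "seccomp.32.drop", "seccomp.keep", "seccomp.32.keep",
}
PROTOCOLS = {"unix", "inet", "inet6", "netlink", "packet", "bluetooth"}
X11_MODES = {"none", "xephyr", "xorg", "xpra", "xvfb"}
SCREEN_RE = re.compile(r"^\d+x\d+$")          # WIDTHxHEIGHT
ERRNO_RE = re.compile(r"^E[A-Z0-9]+$")        # assumption: ERRNO is an errno name


def lint_profile(text):
    """Return a list of (line_no, message) problems; an empty list means clean."""
    problems = []
    seen_xephyr_screen = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else None

        if key == "x11":
            if arg is not None and arg not in X11_MODES:
                problems.append((no, f"unknown x11 mode {arg!r}"))
            elif arg == "xephyr" and not seen_xephyr_screen:
                # The page requires xephyr-screen to precede 'x11 xephyr'.
                problems.append((no, "xephyr-screen must come before 'x11 xephyr'"))
        elif key == "xephyr-screen":
            if arg is None or not SCREEN_RE.match(arg):
                problems.append((no, "xephyr-screen expects WIDTHxHEIGHT"))
            seen_xephyr_screen = True
        elif key == "seccomp-error-action":
            if arg not in ("kill", "log") and not (arg and ERRNO_RE.match(arg)):
                problems.append((no, "seccomp-error-action expects kill | log | ERRNO"))
        elif key in LIST_FILTERS and arg is not None:
            names = [n for n in arg.split(",") if n]
            if not names or len(names) != len(arg.split(",")):
                problems.append((no, f"{key}: malformed list {arg!r}"))
            if key == "protocol":
                bad = sorted(set(names) - PROTOCOLS)
                if bad:
                    problems.append((no, f"protocol: unrecognized values {bad}"))
        elif key in FLAG_FILTERS:
            if arg is not None:
                problems.append((no, f"{key} takes no argument"))
        elif key in LIST_FILTERS:
            problems.append((no, f"{key} expects a comma-separated list"))
        else:
            problems.append((no, f"unknown or non-security directive {key!r}"))
    return problems


# Constructed sample: a restrictive profile using the filters from this page.
HARDENED_PROFILE = """\
# constructed example profile (not shipped with firejail)
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
memory-deny-write-execute
xephyr-screen 640x480
x11 xephyr
"""

# Constructed sample with three mistakes the linter should catch.
WEAK_PROFILE = """\
caps.keep sys_admin,net_raw
protocol unix,ipx
x11 xephyr
seccomp-error-action PANIC
"""

if __name__ == "__main__":
    for name, prof in (("hardened", HARDENED_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, lint_profile(prof) or "clean")
```

The hardened sample lints clean; the weak sample is flagged on line 2 (unrecognized protocol), line 3 (x11 xephyr without a preceding xephyr-screen) and line 4 (an action that is neither kill, log nor an errno name). caps.keep on line 1 is syntactically valid, so a linter of this kind does not judge how much privilege a profile grants, only whether the directives are well-formed.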