Firejail 0.9.72 released

The release of Firejail 0.9.72 has been published. The project develops a system for the isolated execution of graphical, console and server applications that minimises the risk of compromising the host system when running untrusted or potentially vulnerable programs. The program is written in C, is distributed under the GPLv2 license and works on any Linux distribution with kernel 3.0 or later. Ready-made Firejail packages are available in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats. For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp). After launch, the program and all of its child processes see separate views of kernel resources such as the network stack, the process table and mount points. Interdependent applications can be combined into one shared sandbox. If desired, Firejail can also be used to launch Docker, LXC and OpenVZ containers.

Unlike container isolation tools, Firejail is extremely simple to configure and does not require preparing a system image: the contents of the container are assembled on the fly from the current file system and discarded when the application exits. Flexible rules for file system access are provided: you can specify which files and directories may or may not be accessed, mount temporary file systems (tmpfs) for data, restrict access to files or directories to read-only, and combine directories via bind-mount and overlayfs.

Ready-made system call isolation profiles are available for a large number of popular applications, including Firefox, Chromium, VLC and Transmission. To obtain the privileges needed to set up the isolated environment, the Firejail executable is installed with the SUID root flag (the privileges are dropped after initialisation). To run a program in isolation mode, it is enough to pass the application name as an argument to the firejail utility, for example "firejail firefox" or "sudo firejail /etc/init.d/nginx start".

In the new release:

  • Added a seccomp system call filter that blocks the creation of namespaces (enabled with the "--restrict-namespaces" option). The seccomp system call tables have been updated.
  • Improved the implementation of force-nonewprivs (NO_NEW_PRIVS), which prohibits new processes from acquiring additional privileges.
  • Added the ability to use custom AppArmor profiles (enabled with the "--apparmor" option).
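As an added illustration (not part of the release announcement or of the project's own profile set), the profile below combines the file-system rules described earlier with the hardening features listed for this release, for a hypothetical untrusted document viewer. The profile name and the whitelisted directories are constructed, and it is assumed that the new command-line options are also available as profile directives of the same name.

```text
# ~/.config/firejail/untrusted-viewer.profile  (constructed example)
# Run with:  firejail --profile=~/.config/firejail/untrusted-viewer.profile untrusted-viewer

# Project-supplied blacklists for keys, credentials and other sensitive paths.
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc

# File-system rules: only the listed directories are visible under $HOME
# (they must exist on the host), the config directory is read-only.
whitelist ${HOME}/Downloads
whitelist ${HOME}/.config/untrusted-viewer
read-only ${HOME}/.config/untrusted-viewer

# Throw-away tmpfs for /tmp and ~/.cache, a minimal /dev, no /mnt or /media.
private-tmp
private-cache
private-dev
disable-mnt

# Privilege reduction: no capabilities, no root inside the sandbox,
# and NO_NEW_PRIVS so setuid binaries cannot re-gain privileges.
caps.drop all
noroot
nonewprivs

# Default seccomp system call filter.
seccomp
# New in 0.9.72: seccomp filter that blocks creating new namespaces
# from inside the sandbox (mirrors the --restrict-namespaces option).
restrict-namespaces

# Mandatory access control on top: Firejail's own AppArmor profile.
# New in 0.9.72, a custom profile can be selected via the --apparmor option.
apparmor

# A local document viewer needs no network at all.
net none
```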
