Added --seccomp to programs in firejail

seccomp (short for secure computing mode) is a computer security facility in the Linux kernel.
seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing
and was originally intended as a means of safely running untrusted compute-bound programs.
It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on
March 8, 2005. seccomp allows a process to make a one-way transition into a "secure" state
where it cannot make any system calls except exit(), sigreturn(), read() and write() to
already-open file descriptors. Should it attempt any other system calls, the kernel will
terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the
system's resources but isolates the process from them entirely.
This commit is contained in:
Jesús 2019-09-04 12:32:42 -05:00
parent a2acc896c7
commit 69035fc3de
No known key found for this signature in database
GPG Key ID: F6EE7BC59A315766

10
config
View File

@ -299,10 +299,10 @@ bindsym $mod+Shift+p mode "$mode_display_on_off"
# Icedove-UXP or return to the default mode, respectively.
set $mode_apps Launch: Shift enable mode private apps [i]ceweasel-uxp ice[d]ove-uxp
mode "$mode_apps" {
bindsym i exec "firejail iceweasel-uxp", mode "default"
bindsym Shift+i exec "firejail --private iceweasel-uxp", mode "default"
bindsym d exec "firejail icedove-uxp", mode "default"
bindsym Shift+d exec "firejail --private icedove-uxp", mode "default"
bindsym i exec "firejail --seccomp iceweasel-uxp", mode "default"
bindsym Shift+i exec "firejail --seccomp --private iceweasel-uxp", mode "default"
bindsym d exec "firejail --seccomp icedove-uxp", mode "default"
bindsym Shift+d exec "firejail --seccomp --private icedove-uxp", mode "default"
# back to normal: Enter or Escape
bindsym Return mode "default"
bindsym Escape mode "default"
@ -316,7 +316,7 @@ bindsym XF86AudioPlay exec playerctl play-pause
bindsym XF86AudioStop exec playerctl stop
# IRC weechat
bindsym $mod+Shift+w exec --no-startup-id termite --name=irc -e "firejail weechat"
bindsym $mod+Shift+w exec --no-startup-id termite --name=irc -e "firejail --seccomp weechat"
# Colors
client.focused #6C71C4 #6C71C4 #FDF6E3 #6C71C4