Added --seccomp to programs in firejail
seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
This commit is contained in:
parent
a2acc896c7
commit
69035fc3de
10
config
10
config
@ -299,10 +299,10 @@ bindsym $mod+Shift+p mode "$mode_display_on_off"
|
||||
# Icedove-UXP or return to the default mode, respectively.
|
||||
set $mode_apps Launch: Shift enable mode private apps [i]ceweasel-uxp ice[d]ove-uxp
|
||||
mode "$mode_apps" {
|
||||
bindsym i exec "firejail iceweasel-uxp", mode "default"
|
||||
bindsym Shift+i exec "firejail --private iceweasel-uxp", mode "default"
|
||||
bindsym d exec "firejail icedove-uxp", mode "default"
|
||||
bindsym Shift+d exec "firejail --private icedove-uxp", mode "default"
|
||||
bindsym i exec "firejail --seccomp iceweasel-uxp", mode "default"
|
||||
bindsym Shift+i exec "firejail --seccomp --private iceweasel-uxp", mode "default"
|
||||
bindsym d exec "firejail --seccomp icedove-uxp", mode "default"
|
||||
bindsym Shift+d exec "firejail --seccomp --private icedove-uxp", mode "default"
|
||||
# back to normal: Enter or Escape
|
||||
bindsym Return mode "default"
|
||||
bindsym Escape mode "default"
|
||||
@ -316,7 +316,7 @@ bindsym XF86AudioPlay exec playerctl play-pause
|
||||
bindsym XF86AudioStop exec playerctl stop
|
||||
|
||||
# IRC weechat
|
||||
bindsym $mod+Shift+w exec --no-startup-id termite --name=irc -e "firejail weechat"
|
||||
bindsym $mod+Shift+w exec --no-startup-id termite --name=irc -e "firejail --seccomp weechat"
|
||||
|
||||
# Colors
|
||||
client.focused #6C71C4 #6C71C4 #FDF6E3 #6C71C4
|
||||
|
Loading…
x
Reference in New Issue
Block a user