From 69035fc3de736466c8e2243a71b2613762adac28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs?= Date: Wed, 4 Sep 2019 12:32:42 -0500 Subject: [PATCH] Added --seccomp to programs in firejail seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely. --- config | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config b/config index 018c713..d1aa0c1 100644 --- a/config +++ b/config @@ -299,10 +299,10 @@ bindsym $mod+Shift+p mode "$mode_display_on_off" # Icedove-UXP or return to the default mode, respectively. set $mode_apps Launch: Shift enable mode private apps [i]ceweasel-uxp ice[d]ove-uxp mode "$mode_apps" { - bindsym i exec "firejail iceweasel-uxp", mode "default" - bindsym Shift+i exec "firejail --private iceweasel-uxp", mode "default" - bindsym d exec "firejail icedove-uxp", mode "default" - bindsym Shift+d exec "firejail --private icedove-uxp", mode "default" + bindsym i exec "firejail --seccomp iceweasel-uxp", mode "default" + bindsym Shift+i exec "firejail --seccomp --private iceweasel-uxp", mode "default" + bindsym d exec "firejail --seccomp icedove-uxp", mode "default" + bindsym Shift+d exec "firejail --seccomp --private icedove-uxp", mode "default" # back to normal: Enter or Escape bindsym Return mode "default" bindsym Escape mode "default" @@ -316,7 +316,7 @@ bindsym XF86AudioPlay exec playerctl play-pause bindsym XF86AudioStop exec playerctl stop # IRC weechat -bindsym $mod+Shift+w exec --no-startup-id termite --name=irc -e "firejail weechat" +bindsym $mod+Shift+w exec --no-startup-id termite --name=irc -e "firejail --seccomp weechat" # Colors client.focused #6C71C4 #6C71C4 #FDF6E3 #6C71C4