--read-write option

author: netblue30 <netblue30@yahoo.com> 2016-04-21 10:47:52 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-21 10:47:52 -0400
commit: e547b142597568da678c54da8b5b4164fb3fee86 (patch)
tree: 6a738b916c330c85216d0cddcedc971150cb98b2
parent: added --read-write option (diff)
download: firejail-e547b142597568da678c54da8b5b4164fb3fee86.tar.gz
firejail-e547b142597568da678c54da8b5b4164fb3fee86.tar.zst
firejail-e547b142597568da678c54da8b5b4164fb3fee86.zip
4 files changed, 34 insertions, 16 deletions
diff --git a/RELNOTES b/RELNOTES
index 19bd54dd6..2a7e8ca60 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.40-rc1) baseline; urgency=low
  * added --cpu.print option
  * added filetransfer options --ls and --get
  * added --writable-etc and --writable-var options
+  * added --read-only option
  * added mkdir, ipc-namespace, and nosound profile commands
  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
  * --version also prints compile options
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 8b61629f4..8c738a0fc 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -209,6 +209,7 @@ void usage(void) {
        printf("\tcreated for the real user ID of the calling process.\n\n");
        printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
        printf("\tfor a process.\n\n");
+        printf("    --read-write=dirname_or_filename - set directory or file read-write..\n\n");
 #ifdef HAVE_NETWORK     
        printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
        printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 8ad2eefad..19063f5ef 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -122,12 +122,6 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 .TP
-\fBread-only file_or_directory
-Make directory or file read-only.
-.TP
-\fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
-.TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
 .TP
@@ -182,6 +176,18 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory.
 .TP
+\fBread-only file_or_directory
+Make directory or file read-only.
+.TP
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.TP
+\fBtracelog
+Blacklist violations logged to syslog.
+.TP
 \fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
@@ -194,9 +200,6 @@ when running the sandbox as root user.
 \fBwritable-var
 Mount /var directory read-write. This option is  available  only
 when running the sandbox as root user.
-.TP
-\fBtracelog
-Blacklist violations logged to syslog.
 .SH Security filters
 The following security filters are currently implemented:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 51abaef28..19415a332 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 .SH USAGE
-Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,
+Without any options, the sandbox consists of a filesystem build in a new mount namespace,
-and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.
+and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
-The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.
+command line options. The default Firejail filesystem is based on the host filesystem with the main 
-Only /home and /tmp are writable.
+system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, 
+/libx32 and /lib64. Only /home and /tmp are writable.
 .PP
 As it starts up, Firejail tries to find a security profile based on the name of the application.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 
-to disable it. For more information, please see \fBSECURITY PROFILES\fR section.
+to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
@@ -194,7 +195,8 @@ Example:
 .TP
 \fB\-\-chroot=dirname
-Chroot the sandbox into a root filesystem. If the sandbox is started as a
+Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
+the system directories are mounted read-write. If the sandbox is started as a
 regular user, default seccomp and capabilities filters are enabled. This
 option is not available on Grsecurity systems.
 .br
@@ -946,7 +948,8 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
-Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
 The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
 .br
@@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of
 .TP
 \fB\-\-rlimit-sigpending=number
 Set the maximum number of pending signals for a process.
+.TP
+\fB\-\-read-write=dirname_or_filename
+By default, the sandbox mounts system directories read-only.
+These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
+Use this option to mount read-write files or directories inside the system directories.
+This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+cases the system directories are mounted read-write.
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
author	netblue30 <netblue30@yahoo.com>	2016-04-21 10:47:52 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-21 10:47:52 -0400
commit	e547b142597568da678c54da8b5b4164fb3fee86 (patch)
tree	6a738b916c330c85216d0cddcedc971150cb98b2
parent	added --read-write option (diff)
download	firejail-e547b142597568da678c54da8b5b4164fb3fee86.tar.gz firejail-e547b142597568da678c54da8b5b4164fb3fee86.tar.zst firejail-e547b142597568da678c54da8b5b4164fb3fee86.zip

diff --git a/RELNOTES b/RELNOTES index 19bd54dd6..2a7e8ca60 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.40-rc1) baseline; urgency=low
6	* added --cpu.print option	6	* added --cpu.print option
7	* added filetransfer options --ls and --get	7	* added filetransfer options --ls and --get
8	* added --writable-etc and --writable-var options	8	* added --writable-etc and --writable-var options
		9	* added --read-only option
9	* added mkdir, ipc-namespace, and nosound profile commands	10	* added mkdir, ipc-namespace, and nosound profile commands
10	* added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands	11	* added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
11	* --version also prints compile options	12	* --version also prints compile options


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 8b61629f4..8c738a0fc 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -209,6 +209,7 @@ void usage(void) {
209	printf("\tcreated for the real user ID of the calling process.\n\n");	209	printf("\tcreated for the real user ID of the calling process.\n\n");
210	printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");	210	printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
211	printf("\tfor a process.\n\n");	211	printf("\tfor a process.\n\n");
		212	printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
212	#ifdef HAVE_NETWORK	213	#ifdef HAVE_NETWORK
213	printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");	214	printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
214	printf("\tThis makes it possible to detect macvlan kernel device drivers\n");	215	printf("\tThis makes it possible to detect macvlan kernel device drivers\n");


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 8ad2eefad..19063f5ef 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -122,12 +122,6 @@ blacklist ${PATH}/ifconfig
122	blacklist ${HOME}/.ssh	122	blacklist ${HOME}/.ssh
123		123
124	.TP	124	.TP
125	\fBread-only file_or_directory
126	Make directory or file read-only.
127	.TP
128	\fBtmpfs directory
129	Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
130	.TP
131	\fBbind directory1,directory2	125	\fBbind directory1,directory2
132	Mount-bind directory1 on top of directory2. This option is only available when running as root.	126	Mount-bind directory1 on top of directory2. This option is only available when running as root.
133	.TP	127	.TP
@@ -182,6 +176,18 @@ All modifications are discarded when the sandbox is closed.
182	\fBprivate-tmp	176	\fBprivate-tmp
183	Mount an empty temporary filesystem on top of /tmp directory.	177	Mount an empty temporary filesystem on top of /tmp directory.
184	.TP	178	.TP
		179	\fBread-only file_or_directory
		180	Make directory or file read-only.
		181	.TP
		182	\fBread-write file_or_directory
		183	Make directory or file read-write.
		184	.TP
		185	\fBtmpfs directory
		186	Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
		187	.TP
		188	\fBtracelog
		189	Blacklist violations logged to syslog.
		190	.TP
185	\fBwhitelist file_or_directory	191	\fBwhitelist file_or_directory
186	Build a new user home in a temporary filesystem, and mount-bind file_or_directory.	192	Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
187	The modifications to file_or_directory are persistent, everything else is discarded	193	The modifications to file_or_directory are persistent, everything else is discarded
@@ -194,9 +200,6 @@ when running the sandbox as root user.
194	\fBwritable-var	200	\fBwritable-var
195	Mount /var directory read-write. This option is available only	201	Mount /var directory read-write. This option is available only
196	when running the sandbox as root user.	202	when running the sandbox as root user.
197	.TP
198	\fBtracelog
199	Blacklist violations logged to syslog.
200	.SH Security filters	203	.SH Security filters
201	The following security filters are currently implemented:	204	The following security filters are currently implemented:
202		205


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 51abaef28..19415a332 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co
50	Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.	50	Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
51		51
52	.SH USAGE	52	.SH USAGE
53	Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,	53	Without any options, the sandbox consists of a filesystem build in a new mount namespace,
54	and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.	54	and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
55	The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.	55	command line options. The default Firejail filesystem is based on the host filesystem with the main
56	Only /home and /tmp are writable.	56	system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32,
		57	/libx32 and /lib64. Only /home and /tmp are writable.
57	.PP	58	.PP
58	As it starts up, Firejail tries to find a security profile based on the name of the application.	59	As it starts up, Firejail tries to find a security profile based on the name of the application.
59	If an appropriate profile is not found, Firejail will use a default profile.	60	If an appropriate profile is not found, Firejail will use a default profile.
60	The default profile is quite restrictive. In case the application doesn't work, use --noprofile option	61	The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
61	to disable it. For more information, please see \fBSECURITY PROFILES\fR section.	62	to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
62	.PP	63	.PP
63	If a program argument is not specified, Firejail starts /bin/bash shell.	64	If a program argument is not specified, Firejail starts /bin/bash shell.
64	Examples:	65	Examples:
@@ -194,7 +195,8 @@ Example:
194		195
195	.TP	196	.TP
196	\fB\-\-chroot=dirname	197	\fB\-\-chroot=dirname
197	Chroot the sandbox into a root filesystem. If the sandbox is started as a	198	Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
		199	the system directories are mounted read-write. If the sandbox is started as a
198	regular user, default seccomp and capabilities filters are enabled. This	200	regular user, default seccomp and capabilities filters are enabled. This
199	option is not available on Grsecurity systems.	201	option is not available on Grsecurity systems.
200	.br	202	.br
@@ -946,7 +948,8 @@ $ ls -l sandboxlog*
946		948
947	.TP	949	.TP
948	\fB\-\-overlay	950	\fB\-\-overlay
949	Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.	951	Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
		952	the system directories are mounted read-write. All filesystem modifications go into the overlay.
950	The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.	953	The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
951	.br	954	.br
952		955
@@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of
1143	.TP	1146	.TP
1144	\fB\-\-rlimit-sigpending=number	1147	\fB\-\-rlimit-sigpending=number
1145	Set the maximum number of pending signals for a process.	1148	Set the maximum number of pending signals for a process.
		1149
		1150	.TP
		1151	\fB\-\-read-write=dirname_or_filename
		1152	By default, the sandbox mounts system directories read-only.
		1153	These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
		1154	Use this option to mount read-write files or directories inside the system directories.
		1155
		1156	This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
		1157	cases the system directories are mounted read-write.
		1158
1146	.TP	1159	.TP
1147	\fB\-\-scan	1160	\fB\-\-scan
1148	ARP-scan all the networks from inside a network namespace.	1161	ARP-scan all the networks from inside a network namespace.