author | netblue30 <netblue30@yahoo.com> | 2018-04-02 08:43:10 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-04-02 08:43:10 -0400 |
commit | 6294e678dcc61b0ebe6cba52a6ab2a21753b33af (patch) | |
tree | 1481f687a5a5c64aaf473cf4629e4f5996dcbe2f | |
parent | testing (diff) | |
parent | merges (diff) | |
merges
-rw-r--r-- | README | 10 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/evince.profile | 2 | ||||
-rw-r--r-- | etc/gnome-calculator.profile | 3 | ||||
-rw-r--r-- | etc/musixmatch.profile | 37 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 408 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 11 |
14 files changed, 277 insertions, 213 deletions
@@ -34,10 +34,10 @@ Maintainer: | |||
34 | 34 | ||
35 | Committers | 35 | Committers |
36 | - Fred-Barclay (https://github.com/Fred-Barclay) | 36 | - Fred-Barclay (https://github.com/Fred-Barclay) |
37 | - Reiner Herrmann (https://github.com/reinerh) | 37 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) |
38 | - smithsohu (https://github.com/smitsohu) | 38 | - smithsohu (https://github.com/smitsohu) |
39 | - SkewedZeppelin (https://github.com/SkewedZeppelin) | 39 | - SkewedZeppelin (https://github.com/SkewedZeppelin) |
40 | - startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer | 40 | - startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer) |
41 | - Topi Miettinen (https://github.com/topimiettinen) | 41 | - Topi Miettinen (https://github.com/topimiettinen) |
42 | - Vincent43 (https://github.com/Vincent43) | 42 | - Vincent43 (https://github.com/Vincent43) |
43 | - netblue30 (netblue30@yahoo.com) | 43 | - netblue30 (netblue30@yahoo.com) |
@@ -247,6 +247,7 @@ geg2048 (https://github.com/geg2048) | |||
247 | glitsj16 (https://github.com/glitsj16) | 247 | glitsj16 (https://github.com/glitsj16) |
248 | - evince-previewer, evince-thumbnailer profiles | 248 | - evince-previewer, evince-thumbnailer profiles |
249 | - gnome-recipes, gnome-logs profiles | 249 | - gnome-recipes, gnome-logs profiles |
250 | - fixed private-lib for gnome-calculator | ||
250 | graywolf (https://github.com/graywolf) | 251 | graywolf (https://github.com/graywolf) |
251 | - spelling fix | 252 | - spelling fix |
252 | greigdp (https://github.com/greigdp) | 253 | greigdp (https://github.com/greigdp) |
@@ -275,6 +276,8 @@ iiotx (https://github.com/iiotx) | |||
275 | - use generic.profile by default | 276 | - use generic.profile by default |
276 | Impyy (https://github.com/Impyy) | 277 | Impyy (https://github.com/Impyy) |
277 | - added mumble profile | 278 | - added mumble profile |
279 | intika (https://github.com/intika) | ||
280 | - added musixmatch profile | ||
278 | irregulator (https://github.com/irregulator) | 281 | irregulator (https://github.com/irregulator) |
279 | - thunderbird profile fixes for debian stretch | 282 | - thunderbird profile fixes for debian stretch |
280 | Irvine (https://github.com/Irvinehimself) | 283 | Irvine (https://github.com/Irvinehimself) |
@@ -361,8 +364,9 @@ Matthew Gyurgyik (https://github.com/pyther) | |||
361 | - rpm spec and several fixes | 364 | - rpm spec and several fixes |
362 | maxice8 (https://github.com/maxice8) | 365 | maxice8 (https://github.com/maxice8) |
363 | - fixed missing header | 366 | - fixed missing header |
364 | melvinvermeeren (https://github.com/melvinvermeeren) | 367 | Melvin Vermeeren (https://github.com/melvinvermeeren) |
365 | - added teamspeak3 profile | 368 | - added teamspeak3 profile |
369 | - added --noautopulse command line option | ||
366 | Michael Haas (https://github.com/mhaas) | 370 | Michael Haas (https://github.com/mhaas) |
367 | - bugfixes | 371 | - bugfixes |
368 | Mike Frysinger (vapier@gentoo.org) | 372 | Mike Frysinger (vapier@gentoo.org) |
@@ -308,4 +308,4 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can | |||
308 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, | 308 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, |
309 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, | 309 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, |
310 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, | 310 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, |
311 | thunderbird-beta, ncdu, gnome-logs, gcloud | 311 | thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch |
@@ -1,5 +1,6 @@ | |||
1 | firejail (0.9.53) baseline; urgency=low | 1 | firejail (0.9.53) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) | ||
3 | * modif: support for private-bin, private-lib and shell none has been | 4 | * modif: support for private-bin, private-lib and shell none has been |
4 | disabled while running AppImage archives in order to be able to use | 5 | disabled while running AppImage archives in order to be able to use |
5 | our regular profile files with AppImages. | 6 | our regular profile files with AppImages. |
@@ -31,6 +32,7 @@ firejail (0.9.53) baseline; urgency=low | |||
31 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes | 32 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes |
32 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, | 33 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, |
33 | * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud | 34 | * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud |
35 | * new profiles: musixmatch | ||
34 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 | 36 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 |
35 | 37 | ||
36 | firejail (0.9.52) baseline; urgency=low | 38 | firejail (0.9.52) baseline; urgency=low |
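--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -37,7 +37,7 @@ private-dev
 private-etc fonts
 
 #private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711
-#private-lib evince,libpoppler-glib.so.8
+private-lib evince,gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libpoppler-glib.so.8,librsvg-2.so.2
 
 private-tmp
 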
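Review bot: The comment kept on line 39 (`#private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711`) now contradicts line 40, which turns `private-lib` on with an explicit library list. A reader cannot tell whether the longer list resolved the breakage or whether the option is still expected to fail on that desktop. If the longer list is the fix, I would reword the comment along the lines of `# private-lib needs the full list below; a shorter list broke on Gnome Shell 3.26.2 (issue 1711)`; otherwise drop it.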
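--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -6,7 +6,6 @@ include /etc/firejail/gnome-calculator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -34,7 +33,7 @@ shell none
 disable-mnt
 private-bin gnome-calculator
 private-dev
-private-lib
+private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch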
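--- /dev/null
+++ b/etc/musixmatch.profile
@@ -0,0 +1,37 @@
+# Firejail profile for Musixmatch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/default.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# generic gui profile
+# depending on your usage, you can enable some of the commands below:
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nogroups
+nosound
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc none
+
+noexec ${HOME}
+noexec /tmp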
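Review bot: Line 4 includes `/etc/firejail/default.local` instead of a file named after the application, so local tightening or loosening meant for this program can only go in the file shared with the default profile. The gnome-calculator profile in this same commit uses `include /etc/firejail/gnome-calculator.local`, so the matching line here would be `include /etc/firejail/musixmatch.local`. The comment on lines 8-9 (`# generic gui profile` and the line after it) looks carried over from a template and does not describe this profile, and `nogroups` is listed twice, on lines 21 and 24. It may also be worth confirming that `private-etc none` combined with `protocol unix,inet,inet6,netlink` leaves the program the resolver and certificate files it needs; the diff does not show whether it was tested with network access.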
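--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -262,6 +262,7 @@ mumble
 mupdf
 mupen64plus
 musescore
+musixmatch
 mutt
 natron
 nautilus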
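--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ extern int arg_private_lib; // private lib directory
 extern int arg_scan; // arp-scan all interfaces
 extern int arg_whitelist; // whitelist commad
 extern int arg_nosound; // disable sound
+extern int arg_noautopulse; // disable automatic ~/.config/pulse init
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d; // disable 3d hardware acceleration
 extern int arg_quiet; // no output for scripting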
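--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -94,6 +94,7 @@ int arg_private_lib = 0; // private lib directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist commad
 int arg_nosound = 0; // disable sound
+int arg_noautopulse = 0; // disable automatic ~/.config/pulse init
 int arg_novideo = 0; //disable video devices in /dev
 int arg_no3d; // disable 3d hardware acceleration
 int arg_quiet = 0; // no output for scripting
@@ -1727,6 +1728,8 @@ int main(int argc, char **argv) {
 env_store(argv[i] + 8, RMENV);
 else if (strcmp(argv[i], "--nosound") == 0)
 arg_nosound = 1;
+else if (strcmp(argv[i], "--noautopulse") == 0)
+arg_noautopulse = 1;
 else if (strcmp(argv[i], "--novideo") == 0)
 arg_novideo = 1;
 else if (strcmp(argv[i], "--no3d") == 0)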
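--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -233,6 +233,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_nosound = 1;
 return 0;
 }
+else if (strcmp(ptr, "noautopulse") == 0) {
+arg_noautopulse = 1;
+return 0;
+}
 else if (strcmp(ptr, "notv") == 0) {
 arg_notv = 1;
 return 0;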
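--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -889,7 +889,7 @@ int sandbox(void* sandbox_arg) {
 // disable /dev/snd
 fs_dev_disable_sound();
 }
-else
+else if (!arg_noautopulse)
 pulseaudio_init();
 
 if (arg_no3d)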
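Review bot: The new `else if (!arg_noautopulse)` on line 892 hangs off a braced block but is itself unbraced and uncommented, so the call site does not say why `pulseaudio_init()` is skipped. I would brace the branch and add a one-line comment such as `// --noautopulse: do not set up ~/.config/pulse automatically`. The enclosing `if` starts above the hunk; from the `// disable /dev/snd` comment I assume it tests `arg_nosound`. If so, the new flag has no effect whenever sound is disabled, which is worth stating in the option's description.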
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index e35549398..cefb63a85 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -19,245 +19,243 @@ | |||
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | 21 | ||
22 | static char *usage_str = | 22 | void usage(void) { |
23 | "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n" | 23 | printf("firejail - version %s\n\n", VERSION); |
24 | "restricting the running environment of untrusted applications using Linux\n" | 24 | printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"); |
25 | "namespaces.\n" | 25 | printf("restricting the running environment of untrusted applications using Linux\n"); |
26 | "\n" | 26 | printf("namespaces.\n"); |
27 | "Usage: firejail [options] [program and arguments]\n" | 27 | printf("\n"); |
28 | "\n" | 28 | printf("Usage: firejail [options] [program and arguments]\n"); |
29 | "Options:\n" | 29 | printf("\n"); |
30 | " -- - signal the end of options and disables further option processing.\n" | 30 | printf("Options:\n"); |
31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" | 31 | printf(" -- - signal the end of options and disables further option processing.\n"); |
32 | " --allow-private-blacklist - allow blacklisting files in private\n" | 32 | printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); |
33 | "\thome directories.\n" | 33 | printf(" --allow-private-blacklist - allow blacklisting files in private\n"); |
34 | " --allusers - all user home directories are visible inside the sandbox.\n" | 34 | printf("\thome directories.\n"); |
35 | " --apparmor - enable AppArmor confinement.\n" | 35 | printf(" --allusers - all user home directories are visible inside the sandbox.\n"); |
36 | " --apparmor.print=name|pid - print apparmor status.\n" | 36 | printf(" --apparmor - enable AppArmor confinement.\n"); |
37 | " --appimage - sandbox an AppImage application.\n" | 37 | printf(" --apparmor.print=name|pid - print apparmor status.\n"); |
38 | " --audit[=test-program] - audit the sandbox.\n" | 38 | printf(" --appimage - sandbox an AppImage application.\n"); |
39 | printf(" --audit[=test-program] - audit the sandbox.\n"); | ||
39 | #ifdef HAVE_NETWORK | 40 | #ifdef HAVE_NETWORK |
40 | " --bandwidth=name|pid - set bandwidth limits.\n" | 41 | printf(" --bandwidth=name|pid - set bandwidth limits.\n"); |
41 | #endif | 42 | #endif |
42 | #ifdef HAVE_BIND | 43 | #ifdef HAVE_BIND |
43 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" | 44 | printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"); |
44 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" | 45 | printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"); |
45 | #endif | 46 | #endif |
46 | " --blacklist=filename - blacklist directory or file.\n" | 47 | printf(" --blacklist=filename - blacklist directory or file.\n"); |
47 | " --build - build a whitelisted profile for the application.\n" | 48 | printf(" --build - build a whitelisted profile for the application.\n"); |
48 | " --build=filename - build a whitelisted profile for the application.\n" | 49 | printf(" --build=filename - build a whitelisted profile for the application.\n"); |
49 | " -c - execute command and exit.\n" | 50 | printf(" -c - execute command and exit.\n"); |
50 | " --caps - enable default Linux capabilities filter.\n" | 51 | printf(" --caps - enable default Linux capabilities filter.\n"); |
51 | " --caps.drop=all - drop all capabilities.\n" | 52 | printf(" --caps.drop=all - drop all capabilities.\n"); |
52 | " --caps.drop=capability,capability - blacklist capabilities filter.\n" | 53 | printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n"); |
53 | " --caps.keep=capability,capability - whitelist capabilities filter.\n" | 54 | printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n"); |
54 | " --caps.print=name|pid - print the caps filter.\n" | 55 | printf(" --caps.print=name|pid - print the caps filter.\n"); |
55 | " --cgroup=tasks-file - place the sandbox in the specified control group.\n" | 56 | printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n"); |
56 | #ifdef HAVE_CHROOT | 57 | #ifdef HAVE_CHROOT |
57 | " --chroot=dirname - chroot into directory.\n" | 58 | printf(" --chroot=dirname - chroot into directory.\n"); |
58 | #endif | 59 | #endif |
59 | " --cpu=cpu-number,cpu-number - set cpu affinity.\n" | 60 | printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n"); |
60 | " --cpu.print=name|pid - print the cpus in use.\n" | 61 | printf(" --cpu.print=name|pid - print the cpus in use.\n"); |
61 | " --csh - use /bin/csh as default shell.\n" | 62 | printf(" --csh - use /bin/csh as default shell.\n"); |
62 | " --debug - print sandbox debug messages.\n" | 63 | printf(" --debug - print sandbox debug messages.\n"); |
63 | " --debug-blacklists - debug blacklisting.\n" | 64 | printf(" --debug-blacklists - debug blacklisting.\n"); |
64 | " --debug-caps - print all recognized capabilities.\n" | 65 | printf(" --debug-caps - print all recognized capabilities.\n"); |
65 | " --debug-check-filename - debug filename checking.\n" | 66 | printf(" --debug-check-filename - debug filename checking.\n"); |
66 | " --debug-errnos - print all recognized error numbers.\n" | 67 | printf(" --debug-errnos - print all recognized error numbers.\n"); |
67 | " --debug-private-lib - debug for --private-lib option.\n" | 68 | printf(" --debug-private-lib - debug for --private-lib option.\n"); |
68 | " --debug-protocols - print all recognized protocols.\n" | 69 | printf(" --debug-protocols - print all recognized protocols.\n"); |
69 | " --debug-syscalls - print all recognized system calls.\n" | 70 | printf(" --debug-syscalls - print all recognized system calls.\n"); |
70 | #ifdef HAVE_WHITELIST | 71 | #ifdef HAVE_WHITELIST |
71 | " --debug-whitelists - debug whitelisting.\n" | 72 | printf(" --debug-whitelists - debug whitelisting.\n"); |
72 | #endif | 73 | #endif |
73 | #ifdef HAVE_NETWORK | 74 | #ifdef HAVE_NETWORK |
74 | " --defaultgw=address - configure default gateway.\n" | 75 | printf(" --defaultgw=address - configure default gateway.\n"); |
75 | #endif | 76 | #endif |
76 | " --dns=address - set DNS server.\n" | 77 | printf(" --dns=address - set DNS server.\n"); |
77 | " --dns.print=name|pid - print DNS configuration.\n" | 78 | printf(" --dns.print=name|pid - print DNS configuration.\n"); |
78 | " --env=name=value - set environment variable.\n" | 79 | |
79 | " --force - attempt to start a new sandbox inside the existing sandbox.\n" | 80 | printf(" --env=name=value - set environment variable.\n"); |
80 | " --fs.print=name|pid - print the filesystem log.\n" | 81 | printf(" --force - attempt to start a new sandbox inside the existing sandbox.\n"); |
81 | " --get=name|pid filename - get a file from sandbox container.\n" | 82 | printf(" --fs.print=name|pid - print the filesystem log.\n"); |
83 | printf(" --get=name|pid filename - get a file from sandbox container.\n"); | ||
82 | #ifdef HAVE_GIT_INSTALL | 84 | #ifdef HAVE_GIT_INSTALL |
83 | " --git-install - download, compile and install mainline git version\n" | 85 | printf(" --git-install - download, compile and install mainline git version\n"); |
84 | "\tof Firejail.\n" | 86 | printf("\tof Firejail.\n"); |
85 | " --git-uninstall - uninstall mainline git version of Firejail\n" | 87 | printf(" --git-uninstall - uninstall mainline git version of Firejail\n"); |
86 | #endif | 88 | #endif |
87 | " --help, -? - this help screen.\n" | 89 | printf(" --help, -? - this help screen.\n"); |
88 | " --hostname=name - set sandbox hostname.\n" | 90 | printf(" --hostname=name - set sandbox hostname.\n"); |
89 | " --hosts-file=file - use file as /etc/hosts.\n" | 91 | printf(" --hosts-file=file - use file as /etc/hosts.\n"); |
90 | " --ignore=command - ignore command in profile files.\n" | 92 | printf(" --ignore=command - ignore command in profile files.\n"); |
91 | #ifdef HAVE_NETWORK | 93 | #ifdef HAVE_NETWORK |
92 | " --interface=name - move interface in sandbox.\n" | 94 | printf(" --interface=name - move interface in sandbox.\n"); |
93 | " --ip=address - set interface IP address.\n" | 95 | printf(" --ip=address - set interface IP address.\n"); |
94 | " --ip=none - no IP address and no default gateway are configured.\n" | 96 | printf(" --ip=none - no IP address and no default gateway are configured.\n"); |
95 | " --ip6=address - set interface IPv6 address.\n" | 97 | printf(" --ip6=address - set interface IPv6 address.\n"); |
96 | " --iprange=address,address - configure an IP address in this range.\n" | 98 | printf(" --iprange=address,address - configure an IP address in this range.\n"); |
97 | #endif | 99 | #endif |
98 | " --ipc-namespace - enable a new IPC namespace.\n" | 100 | printf(" --ipc-namespace - enable a new IPC namespace.\n"); |
99 | " --join=name|pid - join the sandbox.\n" | 101 | printf(" --join=name|pid - join the sandbox.\n"); |
100 | " --join-filesystem=name|pid - join the mount namespace.\n" | 102 | printf(" --join-filesystem=name|pid - join the mount namespace.\n"); |
101 | #ifdef HAVE_NETWORK | 103 | #ifdef HAVE_NETWORK |
102 | " --join-network=name|pid - join the network namespace.\n" | 104 | printf(" --join-network=name|pid - join the network namespace.\n"); |
103 | #endif | 105 | #endif |
104 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" | 106 | printf(" --join-or-start=name|pid - join the sandbox or start a new one.\n"); |
105 | " --list - list all sandboxes.\n" | 107 | printf(" --list - list all sandboxes.\n"); |
106 | " --ls=name|pid dir_or_filename - list files in sandbox container.\n" | 108 | printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n"); |
107 | #ifdef HAVE_NETWORK | 109 | #ifdef HAVE_NETWORK |
108 | " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n" | 110 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); |
109 | #endif | 111 | #endif |
110 | " --machine-id - preserve /etc/machine-id\n" | 112 | printf(" --machine-id - preserve /etc/machine-id\n"); |
111 | #ifdef HAVE_SECCOMP | 113 | #ifdef HAVE_SECCOMP |
112 | " --memory-deny-write-execute - seccomp filter to block attempts to create\n" | 114 | printf(" --memory-deny-write-execute - seccomp filter to block attempts to create\n"); |
113 | "\tmemory mappings that are both writable and executable.\n" | 115 | printf("\tmemory mappings that are both writable and executable.\n"); |
114 | #endif | 116 | #endif |
115 | #ifdef HAVE_NETWORK | 117 | #ifdef HAVE_NETWORK |
116 | " --mtu=number - set interface MTU.\n" | 118 | printf(" --mtu=number - set interface MTU.\n"); |
117 | #endif | 119 | #endif |
118 | " --name=name - set sandbox name.\n" | 120 | printf(" --name=name - set sandbox name.\n"); |
119 | #ifdef HAVE_NETWORK | 121 | #ifdef HAVE_NETWORK |
120 | " --net=bridgename - enable network namespaces and connect to this bridge.\n" | 122 | printf(" --net=bridgename - enable network namespaces and connect to this bridge.\n"); |
121 | " --net=ethernet_interface - enable network namespaces and connect to this\n" | 123 | printf(" --net=ethernet_interface - enable network namespaces and connect to this\n"); |
122 | "\tEthernet interface.\n" | 124 | printf("\tEthernet interface.\n"); |
123 | " --net=none - enable a new, unconnected network namespace.\n" | 125 | printf(" --net=none - enable a new, unconnected network namespace.\n"); |
124 | " --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n" | 126 | printf(" --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"); |
125 | " --netfilter.print=name|pid - print the firewall.\n" | 127 | printf(" --netfilter.print=name|pid - print the firewall.\n"); |
126 | " --netfilter6=filename - enable IPv6 firewall.\n" | 128 | printf(" --netfilter6=filename - enable IPv6 firewall.\n"); |
127 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" | 129 | printf(" --netfilter6.print=name|pid - print the IPv6 firewall.\n"); |
128 | " --netns=name - Run the program in a named, persistent network namespace.\n" | 130 | printf(" --netns=name - Run the program in a named, persistent network namespace.\n"); |
129 | " --netstats - monitor network statistics.\n" | 131 | printf(" --netstats - monitor network statistics.\n"); |
130 | #endif | 132 | #endif |
131 | " --nice=value - set nice value.\n" | 133 | printf(" --nice=value - set nice value.\n"); |
132 | " --no3d - disable 3D hardware acceleration.\n" | 134 | printf(" --no3d - disable 3D hardware acceleration.\n"); |
133 | " --noblacklist=filename - disable blacklist for file or directory.\n" | 135 | printf(" --noblacklist=filename - disable blacklist for file or directory.\n"); |
134 | " --nodbus - disable D-Bus access.\n" | 136 | printf(" --nodbus - disable D-Bus access.\n"); |
135 | " --nodvd - disable DVD and audio CD devices.\n" | 137 | printf(" --nodvd - disable DVD and audio CD devices.\n"); |
136 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" | 138 | printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"); |
137 | " --nogroups - disable supplementary groups.\n" | 139 | printf(" --nogroups - disable supplementary groups.\n"); |
138 | " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" | 140 | printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); |
139 | " --noprofile - do not use a security profile.\n" | 141 | printf(" --noprofile - do not use a security profile.\n"); |
140 | #ifdef HAVE_USERNS | 142 | #ifdef HAVE_USERNS |
141 | " --noroot - install a user namespace with only the current user.\n" | 143 | printf(" --noroot - install a user namespace with only the current user.\n"); |
142 | #endif | 144 | #endif |
143 | " --nosound - disable sound system.\n" | 145 | printf(" --nosound - disable sound system.\n"); |
144 | " --novideo - disable video devices.\n" | 146 | printf(" --noautopulse - disable automatic ~/.config/pulse init.\n"); |
145 | " --nowhitelist=filename - disable whitelist for file or directory .\n" | 147 | printf(" --novideo - disable video devices.\n"); |
146 | " --output=logfile - stdout logging and log rotation.\n" | 148 | printf(" --nowhitelist=filename - disable whitelist for file or directory .\n"); |
147 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" | 149 | printf(" --output=logfile - stdout logging and log rotation.\n"); |
148 | " --overlay - mount a filesystem overlay on top of the current filesystem.\n" | 150 | printf(" --output-stderr=logfile - stdout and stderr logging and log rotation.\n"); |
149 | " --overlay-named=name - mount a filesystem overlay on top of the current\n" | 151 | printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); |
150 | "\tfilesystem, and store it in name directory.\n" | 152 | printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n"); |
151 | " --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n" | 153 | printf("\tfilesystem, and store it in name directory.\n"); |
152 | "\tcurrent filesystem.\n" | 154 | printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"); |
153 | " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n" | 155 | printf("\tcurrent filesystem.\n"); |
154 | " --private - temporary home directory.\n" | 156 | printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"); |
155 | " --private=directory - use directory as user home.\n" | 157 | printf(" --private - temporary home directory.\n"); |
156 | " --private-home=file,directory - build a new user home in a temporary\n" | 158 | printf(" --private=directory - use directory as user home.\n"); |
157 | "\tfilesystem, and copy the files and directories in the list in\n" | 159 | printf(" --private-home=file,directory - build a new user home in a temporary\n"); |
158 | "\tthe new home.\n" | 160 | printf("\tfilesystem, and copy the files and directories in the list in\n"); |
159 | " --private-bin=file,file - build a new /bin in a temporary filesystem,\n" | 161 | printf("\tthe new home.\n"); |
160 | "\tand copy the programs in the list.\n" | 162 | printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); |
161 | " --private-dev - create a new /dev directory with a small number of\n" | 163 | printf("\tand copy the programs in the list.\n"); |
162 | "\tcommon device files.\n" | 164 | printf(" --private-dev - create a new /dev directory with a small number of\n"); |
163 | " --private-etc=file,directory - build a new /etc in a temporary\n" | 165 | printf("\tcommon device files.\n"); |
164 | "\tfilesystem, and copy the files and directories in the list.\n" | 166 | printf(" --private-etc=file,directory - build a new /etc in a temporary\n"); |
165 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" | 167 | printf("\tfilesystem, and copy the files and directories in the list.\n"); |
166 | " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" | 168 | printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n"); |
167 | " --profile=filename - use a custom profile.\n" | 169 | printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"); |
168 | " --profile.print=name|pid - print the name of profile file.\n" | 170 | printf(" --profile=filename - use a custom profile.\n"); |
169 | " --profile-path=directory - use this directory to look for profile files.\n" | 171 | printf(" --profile.print=name|pid - print the name of profile file.\n"); |
170 | " --protocol=protocol,protocol,protocol - enable protocol filter.\n" | 172 | printf(" --profile-path=directory - use this directory to look for profile files.\n"); |
171 | " --protocol.print=name|pid - print the protocol filter.\n" | 173 | printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); |
172 | " --put=name|pid src-filename dest-filename - put a file in sandbox\n" | 174 | printf(" --protocol.print=name|pid - print the protocol filter.\n"); |
173 | "\tcontainer.\n" | 175 | printf(" --put=name|pid src-filename dest-filename - put a file in sandbox\n"); |
174 | " --quiet - turn off Firejail's output.\n" | 176 | printf("\tcontainer.\n"); |
175 | " --read-only=filename - set directory or file read-only..\n" | 177 | printf(" --quiet - turn off Firejail's output.\n"); |
176 | " --read-write=filename - set directory or file read-write.\n" | 178 | printf(" --read-only=filename - set directory or file read-only..\n"); |
177 | " --rlimit-as=number - set the maximum size of the process's virtual memory\n" | 179 | printf(" --read-write=filename - set directory or file read-write.\n"); |
178 | "\t(address space) in bytes.\n" | 180 | printf(" --rlimit-as=number - set the maximum size of the process's virtual memory\n"); |
179 | " --rlimit-cpu=number - set the maximum CPU time in seconds.\n" | 181 | printf("\t(address space) in bytes.\n"); |
180 | " --rlimit-fsize=number - set the maximum file size that can be created\n" | 182 | printf(" --rlimit-cpu=number - set the maximum CPU time in seconds.\n"); |
181 | "\tby a process.\n" | 183 | printf(" --rlimit-fsize=number - set the maximum file size that can be created\n"); |
182 | " --rlimit-nofile=number - set the maximum number of files that can be\n" | 184 | printf("\tby a process.\n"); |
183 | "\topened by a process.\n" | 185 | printf(" --rlimit-nofile=number - set the maximum number of files that can be\n"); |
184 | " --rlimit-nproc=number - set the maximum number of processes that can be\n" | 186 | printf("\topened by a process.\n"); |
185 | "\tcreated for the real user ID of the calling process.\n" | 187 | printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n"); |
186 | " --rlimit-sigpending=number - set the maximum number of pending signals\n" | 188 | printf("\tcreated for the real user ID of the calling process.\n"); |
187 | "\tfor a process.\n" | 189 | printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); |
188 | " --rmenv=name - remove environment variable in the new sandbox.\n" | 190 | printf("\tfor a process.\n"); |
191 | printf(" --rmenv=name - remove environment variable in the new sandbox.\n"); | ||
189 | #ifdef HAVE_NETWORK | 192 | #ifdef HAVE_NETWORK |
190 | " --scan - ARP-scan all the networks from inside a network namespace.\n" | 193 | printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); |
191 | #endif | 194 | #endif |
192 | #ifdef HAVE_SECCOMP | 195 | #ifdef HAVE_SECCOMP |
193 | " --seccomp - enable seccomp filter and apply the default blacklist.\n" | 196 | printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n"); |
194 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n" | 197 | printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); |
195 | "\tdefault syscall list and the syscalls specified by the command.\n" | 198 | printf("\tdefault syscall list and the syscalls specified by the command.\n"); |
196 | " --seccomp.block-secondary - build only the native architecture filters.\n" | 199 | printf(" --seccomp.block-secondary - build only the native architecture filters.\n"); |
197 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" | 200 | printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); |
198 | "\tblacklist the syscalls specified by the command.\n" | 201 | printf("\tblacklist the syscalls specified by the command.\n"); |
199 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" | 202 | printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); |
200 | "\twhitelist the syscalls specified by the command.\n" | 203 | printf("\twhitelist the syscalls specified by the command.\n"); |
201 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 204 | printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"); |
202 | "\tidentified by name or PID.\n" | 205 | printf("\tidentified by name or PID.\n"); |
203 | #endif | 206 | #endif |
204 | " --shell=none - run the program directly without a user shell.\n" | 207 | printf(" --shell=none - run the program directly without a user shell.\n"); |
205 | " --shell=program - set default user shell.\n" | 208 | printf(" --shell=program - set default user shell.\n"); |
206 | " --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n" | 209 | printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"); |
207 | " --timeout=hh:mm:ss - kill the sandbox automatically after the time\n" | 210 | printf(" --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"); |
208 | "\thas elapsed.\n" | 211 | printf("\thas elapsed.\n"); |
209 | " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n" | 212 | printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); |
210 | " --top - monitor the most CPU-intensive sandboxes.\n" | 213 | printf(" --top - monitor the most CPU-intensive sandboxes.\n"); |
211 | " --trace - trace open, access and connect system calls.\n" | 214 | printf(" --trace - trace open, access and connect system calls.\n"); |
212 | " --tracelog - add a syslog message for every access to files or\n" | 215 | printf(" --tracelog - add a syslog message for every access to files or\n"); |
213 | "\tdirectoires blacklisted by the security profile.\n" | 216 | printf("\tdirectoires blacklisted by the security profile.\n"); |
214 | " --tree - print a tree of all sandboxed processes.\n" | 217 | printf(" --tree - print a tree of all sandboxed processes.\n"); |
215 | " --version - print program version and exit.\n" | 218 | printf(" --version - print program version and exit.\n"); |
216 | #ifdef HAVE_NETWORK | 219 | #ifdef HAVE_NETWORK |
217 | " --veth-name=name - use this name for the interface connected to the bridge.\n" | 220 | printf(" --veth-name=name - use this name for the interface connected to the bridge.\n"); |
218 | #endif | 221 | #endif |
219 | #ifdef HAVE_WHITELIST | 222 | #ifdef HAVE_WHITELIST |
220 | " --whitelist=filename - whitelist directory or file.\n" | 223 | printf(" --whitelist=filename - whitelist directory or file.\n"); |
221 | #endif | 224 | #endif |
222 | " --writable-etc - /etc directory is mounted read-write.\n" | 225 | printf(" --writable-etc - /etc directory is mounted read-write.\n"); |
223 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" | 226 | printf(" --writable-run-user - allow access to /run/user/$UID/systemd and\n"); |
224 | "\t/run/user/$UID/gnupg.\n" | 227 | printf("\t/run/user/$UID/gnupg.\n"); |
225 | " --writable-var - /var directory is mounted read-write.\n" | 228 | printf(" --writable-var - /var directory is mounted read-write.\n"); |
226 | " --writable-var-log - use the real /var/log directory, not a clone.\n" | 229 | printf(" --writable-var-log - use the real /var/log directory, not a clone.\n"); |
227 | #ifdef HAVE_X11 | 230 | #ifdef HAVE_X11 |
228 | " --x11 - enable X11 sandboxing. The software checks first if Xpra is\n" | 231 | printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"); |
229 | "\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n" | 232 | printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"); |
230 | "\tattempt to use X11 security extension.\n" | 233 | printf("\tattempt to use X11 security extension.\n"); |
231 | " --x11=none - disable access to X11 sockets.\n" | 234 | printf(" --x11=none - disable access to X11 sockets.\n"); |
232 | " --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n" | 235 | printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n"); |
233 | " --x11=xorg - enable X11 security extension.\n" | 236 | printf(" --x11=xorg - enable X11 security extension.\n"); |
234 | " --x11=xpra - enable Xpra X11 server.\n" | 237 | printf(" --x11=xpra - enable Xpra X11 server.\n"); |
235 | " --x11=xvfb - enable Xvfb X11 server.\n" | 238 | printf(" --x11=xvfb - enable Xvfb X11 server.\n"); |
236 | " --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n" | 239 | printf(" --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"); |
237 | #endif | 240 | #endif |
238 | " --zsh - use /usr/bin/zsh as default shell.\n" | 241 | printf(" --zsh - use /usr/bin/zsh as default shell.\n"); |
239 | "\n" | 242 | printf("\n"); |
240 | "Examples:\n" | 243 | printf("Examples:\n"); |
241 | " $ firejail firefox\n" | 244 | printf(" $ firejail firefox\n"); |
242 | "\tstart Mozilla Firefox\n" | 245 | printf("\tstart Mozilla Firefox\n"); |
243 | " $ firejail --debug firefox\n" | 246 | printf(" $ firejail --debug firefox\n"); |
244 | "\tdebug Firefox sandbox\n" | 247 | printf("\tdebug Firefox sandbox\n"); |
245 | " $ firejail --private --dns=8.8.8.8 firefox\n" | 248 | printf(" $ firejail --private --dns=8.8.8.8 firefox\n"); |
246 | "\tstart Firefox with a new, empty home directory, and a well-known DNS\n" | 249 | printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n"); |
247 | "\tserver setting.\n" | 250 | printf("\tserver setting.\n"); |
248 | " $ firejail --net=eth0 firefox\n" | 251 | printf(" $ firejail --net=eth0 firefox\n"); |
249 | "\tstart Firefox in a new network namespace\n" | 252 | printf("\tstart Firefox in a new network namespace\n"); |
250 | " $ firejail --x11=xorg firefox\n" | 253 | printf(" $ firejail --x11=xorg firefox\n"); |
251 | "\tstart Firefox and sandbox X11\n" | 254 | printf("\tstart Firefox and sandbox X11\n"); |
252 | " $ firejail --list\n" | 255 | printf(" $ firejail --list\n"); |
253 | "\tlist all running sandboxes\n" | 256 | printf("\tlist all running sandboxes\n"); |
254 | "\n" | 257 | printf("\n"); |
255 | "License GPL version 2 or later\n" | 258 | printf("License GPL version 2 or later\n"); |
256 | "Homepage: http://firejail.wordpress.com\n" | 259 | printf("Homepage: http://firejail.wordpress.com\n"); |
257 | "\n"; | 260 | printf("\n"); |
258 | |||
259 | |||
260 | void usage(void) { | ||
261 | printf("firejail - version %s\n\n", VERSION); | ||
262 | puts(usage_str); | ||
263 | } | 261 | } |
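--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -451,6 +451,10 @@ Enable IPC namespace.
 \fBnosound
 Disable sound system.
 .TP
+\fBnoautopulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
 \fBnotv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .TP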
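--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1199,6 +1199,17 @@ Example:
 $ firejail \-\-nosound firefox
 
 .TP
+\fB\-\-noautopulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noautopulse firefox
+
+.TP
 \fB\-\-notv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .br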