author | netblue30 <netblue30@protonmail.com> | 2023-01-25 11:56:08 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2023-01-25 11:56:08 -0500 |
commit | 9774ab8a35f79be0b3bb1fd6313bac2bdbfaf6c0 (patch) | |
tree | d251ae0fbd740d17647459ecff9c2bdc1729e6ea | |
parent | private-etc rework: file groups moved to src/include/etc_groups.h, new groups... (diff) | |
download | firejail-9774ab8a35f79be0b3bb1fd6313bac2bdbfaf6c0.tar.gz firejail-9774ab8a35f79be0b3bb1fd6313bac2bdbfaf6c0.tar.zst firejail-9774ab8a35f79be0b3bb1fd6313bac2bdbfaf6c0.zip |
private-etc rework: new man page
-rw-r--r-- | README.md | 38 | ||||
-rw-r--r-- | src/man/firejail.txt | 40 |
2 files changed, 64 insertions, 14 deletions
@@ -182,6 +182,44 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
182 | 182 | ||
183 | ## Current development version: 0.9.73 | 183 | ## Current development version: 0.9.73 |
184 | 184 | ||
185 | ### private-etc rework | ||
186 | ````` | ||
187 | --private-etc | ||
188 | |||
189 | --private-etc=file,directory | ||
190 | The files installed by --private-etc are copies of the original | ||
191 | system files from /etc directory. By default, the command | ||
192 | brings in a skeleton of files and directories used by most con‐ | ||
193 | sole tools: | ||
194 | |||
195 | $ firejail --private-etc dig debian.org | ||
196 | |||
197 | For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. | ||
198 | Example: | ||
199 | |||
200 | $ firejail --private-etc=GUI,python* gimp | ||
201 | |||
202 | /etc/python* directories are not part of the generic GUI group. | ||
203 | These directories are reuqired by Gimp plugin system. File glob‐ | ||
204 | bing is supported. | ||
205 | |||
206 | For games, add GAMES group: | ||
207 | |||
208 | $ firejail --private-etc=GUI,GAMES warzone2100 | ||
209 | |||
210 | Sound and networking files are included automatically, unless | ||
211 | --nosound or --net=none are specified. Files for encrypted | ||
212 | TLS/SSL protocol are in TLS-CA group. | ||
213 | |||
214 | $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org | ||
215 | |||
216 | Note: The easiest way to extract the list of /etc files accessed | ||
217 | by your program is using strace utility: | ||
218 | |||
219 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc | ||
220 | |||
221 | ````` | ||
222 | We keep the list of groups in [src/include/etc_groups.h](https://github.com/netblue30/firejail/blob/master/src/include/etc_groups.h) | ||
185 | 223 | ||
186 | ### Profile Statistics | 224 | ### Profile Statistics |
187 | 225 | ||
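Review bot: typo in the new README text at line 203, "reuqired" should be "required". The example at line 200, `$ firejail --private-etc=GUI,python* gimp`, leaves the glob unquoted: zsh aborts with "no matches found" when a pattern matches nothing in the current directory, and bash with nullglob drops the whole word, so writing it as `--private-etc='GUI,python*'` guarantees the pattern reaches firejail's own globbing. The strace recipe at line 219 (`grep open | grep etc`) also matches any path that merely contains "etc"; `grep '/etc/'` narrows it to the directory the paragraph is about.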
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e5020e37e..2e08b12f3 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2127,22 +2127,34 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 | |||
2127 | .br | 2127 | .br |
2128 | $ | 2128 | $ |
2129 | .TP | 2129 | .TP |
2130 | \fB\-\-private-etc | ||
2131 | .TP | ||
2130 | \fB\-\-private-etc=file,directory | 2132 | \fB\-\-private-etc=file,directory |
2131 | Build a new /etc in a temporary | 2133 | The files installed by \-\-private-etc are copies of the original system files from /etc directory. |
2132 | filesystem, and copy the files and directories in the list. | 2134 | By default, the command brings in a skeleton of files and directories used by most console tools: |
2133 | The files and directories in the list must be expressed as relative to | ||
2134 | the /etc directory (e.g., /etc/foo must be expressed as foo). | ||
2135 | If no listed file is found, /etc directory will be empty. | ||
2136 | All modifications are discarded when the sandbox is closed. | ||
2137 | Multiple private-etc commands are allowed and they accumulate. | ||
2138 | .br | ||
2139 | 2135 | ||
2140 | .br | 2136 | $ firejail --private-etc dig debian.org |
2141 | Example: | 2137 | |
2142 | .br | 2138 | For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. Example: |
2143 | $ firejail --private-etc=group,hostname,localtime, \\ | 2139 | |
2144 | .br | 2140 | $ firejail --private-etc=GUI,python* gimp |
2145 | nsswitch.conf,passwd,resolv.conf | 2141 | |
2142 | /etc/python* directories are not part of the generic GUI group. | ||
2143 | These directories are reuqired by Gimp plugin system. File globbing is supported. | ||
2144 | |||
2145 | For games, add GAMES group: | ||
2146 | |||
2147 | $ firejail --private-etc=GUI,GAMES warzone2100 | ||
2148 | |||
2149 | Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified. | ||
2150 | Files for encrypted TLS/SSL protocol are in TLS-CA group. | ||
2151 | |||
2152 | $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org | ||
2153 | |||
2154 | |||
2155 | Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: | ||
2156 | |||
2157 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc | ||
2146 | #ifdef HAVE_PRIVATE_HOME | 2158 | #ifdef HAVE_PRIVATE_HOME |
2147 | .TP | 2159 | .TP |
2148 | \fB\-\-private-home=file,directory | 2160 | \fB\-\-private-home=file,directory |
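Review bot: the rewrite drops the semantics the removed paragraph stated at old lines 2133-2137 and restates none of them: that list entries are relative to /etc (foo, not /etc/foo), that /etc ends up empty when nothing listed is found, that all modifications are discarded when the sandbox closes, and that multiple private-etc commands accumulate. Those sentences are what a user needs to reason about what the sandbox actually exposes; keep them after the new "By default" paragraph. Same "reuqired" typo at new line 2143. The new block uses blank lines (2135-2156) where the rest of this file uses `.br` (old 2138, 2140, 2142, 2144 in the removed text); blank lines do render as paragraph breaks in man(7), but mixing the two styles invites lint warnings, so prefer `.br`/`.PP`, and lines 2153-2154 are a doubled blank line either way. The unquoted `python*` at line 2140 has the same shell-expansion caveat as in the README.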