Clarify that file globbing occurs only at start

firejail can blacklist (and now also whitelist) files based on glob pattern. This pattern is evaluated at firejail start, and not updated at run time. This patch documents this behavior.
author: Antonio Russo <antonio.e.russo@gmail.com> 2020-04-11 14:12:53 -0600
committer: Antonio Russo <antonio.e.russo@gmail.com> 2020-04-11 14:12:53 -0600
commit: 73525015e11100db0972d40c02e35fb682a6c44a (patch)
tree: 481e961d43939ce20f024cde6ec7bdb68fe67f92
parent: Fix (fatal-warnings) warning by adding braces (diff)
download: firejail-73525015e11100db0972d40c02e35fb682a6c44a.tar.gz
firejail-73525015e11100db0972d40c02e35fb682a6c44a.tar.zst
firejail-73525015e11100db0972d40c02e35fb682a6c44a.zip
2 files changed, 13 insertions, 5 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 0d83b8fd7..6405fd301 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -165,8 +165,9 @@ host filesystem. Each line describes a file/directory that is inaccessible
 (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
 or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
-Use \fBprivate\fR to set private mode.
+Use \fBprivate\fR to set private mode.  File globbing is supported, and PATH and
-File globbing is supported, and PATH and HOME directories are searched.
+HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section
+for more details.
 Examples:
 .TP
 \fBblacklist file_or_directory
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f5042b79a..fae97ceb7 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2835,7 +2835,11 @@ List all sandboxed processes.
 .SH FILE GLOBBING
 .TP
-Globbing is the operation that expands a wildcard pattern into the list of pathnames matching the pattern. Matching is defined by:
+Globbing is the operation that expands a wildcard pattern into the
+list of pathnames matching the pattern.  This pattern is matched at
+firejail \fBstart\fR, and is NOT UPDATED at runtime.  \fBFiles matching
+a blacklist, but created after firejail start will be accessible within
+the jail.\fR Matching is defined by:
 .br
 .br
@@ -2846,12 +2850,15 @@ Globbing is the operation that expands a wildcard pattern into the list of pathn
 - '[' denotes a range of characters
 .br
 .TP
-The globbing feature is implemented using glibc glob command. For more information on the wildcard syntax see man 7 glob.
+The globbing feature is implemented using glibc glob command. For
+more information on the wildcard syntax see man 7 glob.
 .br
 .br
 .TP
-The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, \-\-tmpfs, and \-\-whitelist.
+The following command line options are supported: \-\-blacklist,
+\-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write,
+\-\-tmpfs, and \-\-whitelist.
 .br
 .br
author	Antonio Russo <antonio.e.russo@gmail.com>	2020-04-11 14:12:53 -0600
committer	Antonio Russo <antonio.e.russo@gmail.com>	2020-04-11 14:12:53 -0600
commit	73525015e11100db0972d40c02e35fb682a6c44a (patch)
tree	481e961d43939ce20f024cde6ec7bdb68fe67f92
parent	Fix (fatal-warnings) warning by adding braces (diff)
download	firejail-73525015e11100db0972d40c02e35fb682a6c44a.tar.gz firejail-73525015e11100db0972d40c02e35fb682a6c44a.tar.zst firejail-73525015e11100db0972d40c02e35fb682a6c44a.zip

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 0d83b8fd7..6405fd301 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -165,8 +165,9 @@ host filesystem. Each line describes a file/directory that is inaccessible
165	(\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),	165	(\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
166	a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),	166	a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
167	or mount-bind a directory or file on top of another directory or file (\fBbind\fR).	167	or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
168	Use \fBprivate\fR to set private mode.	168	Use \fBprivate\fR to set private mode. File globbing is supported, and PATH and
169	File globbing is supported, and PATH and HOME directories are searched.	169	HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section
		170	for more details.
170	Examples:	171	Examples:
171	.TP	172	.TP
172	\fBblacklist file_or_directory	173	\fBblacklist file_or_directory


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f5042b79a..fae97ceb7 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -2835,7 +2835,11 @@ List all sandboxed processes.
2835		2835
2836	.SH FILE GLOBBING	2836	.SH FILE GLOBBING
2837	.TP	2837	.TP
2838	Globbing is the operation that expands a wildcard pattern into the list of pathnames matching the pattern. Matching is defined by:	2838	Globbing is the operation that expands a wildcard pattern into the
		2839	list of pathnames matching the pattern. This pattern is matched at
		2840	firejail \fBstart\fR, and is NOT UPDATED at runtime. \fBFiles matching
		2841	a blacklist, but created after firejail start will be accessible within
		2842	the jail.\fR Matching is defined by:
2839	.br	2843	.br
2840		2844
2841	.br	2845	.br
@@ -2846,12 +2850,15 @@ Globbing is the operation that expands a wildcard pattern into the list of pathn
2846	- '[' denotes a range of characters	2850	- '[' denotes a range of characters
2847	.br	2851	.br
2848	.TP	2852	.TP
2849	The globbing feature is implemented using glibc glob command. For more information on the wildcard syntax see man 7 glob.	2853	The globbing feature is implemented using glibc glob command. For
		2854	more information on the wildcard syntax see man 7 glob.
2850	.br	2855	.br
2851		2856
2852	.br	2857	.br
2853	.TP	2858	.TP
2854	The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, \-\-tmpfs, and \-\-whitelist.	2859	The following command line options are supported: \-\-blacklist,
		2860	\-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write,
		2861	\-\-tmpfs, and \-\-whitelist.
2855	.br	2862	.br
2856		2863
2857	.br	2864	.br