| field | value | date |
|---|---|---|
| author | netblue30 <netblue30@yahoo.com> | 2015-08-30 06:25:07 -0400 |
| committer | netblue30 <netblue30@yahoo.com> | 2015-08-30 06:25:07 -0400 |
| commit | eafb460d94703e995e03a1c705b2e259bc5cfb65 (patch) | |
| tree | 034b36f2f59bc15d67317e6c20154b3b487eaff1 | |
| parent | more fixes for blacklist on Arch systems (diff) | |
| download | firejail-eafb460d94703e995e03a1c705b2e259bc5cfb65.tar.gz, firejail-eafb460d94703e995e03a1c705b2e259bc5cfb65.tar.zst, firejail-eafb460d94703e995e03a1c705b2e259bc5cfb65.zip | |
fixing manpages
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/man/firejail-login.txt | 2 |
| -rw-r--r-- | src/man/firejail-profile.txt | 54 |
| -rw-r--r-- | src/man/firejail.txt | 65 |
3 files changed, 100 insertions, 21 deletions
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 768896872..1d6a8d80e 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -4,7 +4,7 @@ login.users \- Login file syntax for Firejail | |||
4 | 4 | ||
5 | .SH DESCRIPTION | 5 | .SH DESCRIPTION |
6 | /etc/firejail/login.users file describes additional arguments passed to firejail executable | 6 | /etc/firejail/login.users file describes additional arguments passed to firejail executable |
7 | upon user logging into a Firejail restircted shell. Each user entry in the file consists of | 7 | upon user logging into a Firejail restricted shell. Each user entry in the file consists of |
8 | a user name followed by the arguments passed to firejail. The format is as follows: | 8 | a user name followed by the arguments passed to firejail. The format is as follows: |
9 | 9 | ||
10 | user_name: arguments | 10 | user_name: arguments |
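Review bot: the spelling fix on line 7 leaves the sentence around it ungrammatical; while touching it, make lines 6-7 read "The /etc/firejail/login.users file describes additional arguments passed to the firejail executable when a user logs into a Firejail restricted shell." It would also help to say in this paragraph what happens for a user who has no entry in the file (login proceeds with no extra arguments, or is refused), since that is the behaviour an administrator relying on this file for restriction needs to know.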
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 59fde72a6..246098bb7 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -1,6 +1,6 @@ | |||
1 | .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" | 1 | .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" |
2 | .SH NAME | 2 | .SH NAME |
3 | profile \- Profile file syntax for Firejail | 3 | profile \- Security profile file syntax for Firejail |
4 | 4 | ||
5 | .SH USAGE | 5 | .SH USAGE |
6 | .TP | 6 | .TP |
@@ -8,8 +8,56 @@ firejail \-\-profile=filename.profile | |||
8 | 8 | ||
9 | .SH DESCRIPTION | 9 | .SH DESCRIPTION |
10 | Several Firejail command line configuration options can be passed to the program using | 10 | Several Firejail command line configuration options can be passed to the program using |
11 | profile files. Default Firejail profile files are stored in /etc/firejail | 11 | profile files. |
12 | directory and ~/.config/firejail directory. | 12 | Firejail chooses a security profile in the following order: |
13 | |||
14 | 1. If a profile is provided by the user with --profile option, the profile is loaded. | ||
15 | Example: | ||
16 | .PP | ||
17 | .RS | ||
18 | $ firejail --profile=/home/netblue/icecat.profile icecat | ||
19 | .RE | ||
20 | |||
21 | 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or | ||
22 | in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example: | ||
23 | .PP | ||
24 | .RS | ||
25 | $ firejail icecat | ||
26 | .br | ||
27 | Command name #icecat# | ||
28 | .br | ||
29 | .br | ||
30 | Found icecat profile in /home/netblue/.config/firejail directory | ||
31 | .br | ||
32 | Reading profile /home/netblue/.config/firejail/icecat.profile | ||
33 | .br | ||
34 | [...] | ||
35 | .RE | ||
36 | |||
37 | 3. Use the default profile in /etc/firejail/generic.profile. This can be disabled with --noprofile. Example: | ||
38 | .PP | ||
39 | .RS | ||
40 | $ firejail \-\-noprofile | ||
41 | .br | ||
42 | Parent pid 8553, child pid 8554 | ||
43 | .br | ||
44 | Child process initialized | ||
45 | .br | ||
46 | $ exit | ||
47 | .br | ||
48 | .br | ||
49 | parent is shutting down, bye... | ||
50 | .br | ||
51 | $ firejail | ||
52 | .br | ||
53 | Reading profile /etc/firejail/generic.profile | ||
54 | .br | ||
55 | Parent pid 8553, child pid 8554 | ||
56 | .br | ||
57 | Child process initialized | ||
58 | .br | ||
59 | $ | ||
60 | .RE | ||
13 | 61 | ||
14 | .SH Scripting | 62 | .SH Scripting |
15 | Include and comment support: | 63 | Include and comment support: |
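Review bot: new line 37 names /etc/firejail/generic.profile as the fallback profile, but the USAGE paragraph this same commit adds to firejail.txt (new line 55 there) names /etc/firejail/default.profile; the two pages need to agree on the one file that actually ships. Two smaller points: the options on new lines 14, 18 and 37 are written with a bare `--` while line 40 uses `\-\-`, and man pages conventionally escape both hyphens so that the option text copied from a terminal is plain ASCII minus signs; and the whole numbered list with its transcripts now appears verbatim both here and in the SECURITY PROFILES section of firejail(1), so every future change to the lookup order has to be made twice. Keeping the list in one page and cross-referencing from the other ("see firejail(1), SECURITY PROFILES") avoids the drift that the generic/default mismatch already shows.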
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d78ce6723..c07a02c57 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -39,15 +39,24 @@ and it is integrated with Linux Control Groups. | |||
39 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version | 39 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version |
40 | or newer. | 40 | or newer. |
41 | It can sandbox any type of processes: servers, graphical applications, and even user login sessions. | 41 | It can sandbox any type of processes: servers, graphical applications, and even user login sessions. |
42 | The software includes sandbox profiles for a number of more common | 42 | .PP |
43 | Firejail allows the user to manage application security using security profiles. | ||
44 | Each profile defines a set of permissions for a specific application or group | ||
45 | of applications. The software includes security profiles for a number of more common | ||
43 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 46 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
47 | |||
44 | .SH USAGE | 48 | .SH USAGE |
45 | Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, | 49 | Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, |
46 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. | 50 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. |
47 | The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. | 51 | The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. |
48 | Only /home, /tmp and /var directories are writable. | 52 | Only /home, /tmp and /var directories are writable. |
49 | .PP | 53 | .PP |
50 | If no program is specified as an argument, /bin/bash is started by default. | 54 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
55 | If an appropriate profile is not found, Firejail will use the default profile stored in /etc/firejail/default.profile. | ||
56 | The default security profile is quite restrictive. In case the application doesn't work, use --noprofile option | ||
57 | to disable it. For more information, please see SECURITY PROFILES section. | ||
58 | .PP | ||
59 | If a program argument is not specified, Firejail starts /bin/bash shell. | ||
51 | Examples: | 60 | Examples: |
52 | .PP | 61 | .PP |
53 | $ firejail [OPTIONS] # starting a /bin/bash shell | 62 | $ firejail [OPTIONS] # starting a /bin/bash shell |
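Review bot: new line 55 says the fallback is /etc/firejail/default.profile, but the SECURITY PROFILES section added later in this same file (new line 1223) and firejail-profile(5) both say /etc/firejail/generic.profile; one of the two names is wrong and the user will look for the wrong file. Separately, new lines 56-57 tell the user to reach for --noprofile whenever an application misbehaves, which drops every restriction at once; suggest advising them to first try a copy of the profile with the offending directive commented out (loaded with --profile), and to treat --noprofile as a diagnostic step rather than the fix. Pre-existing in the context lines: "a chroot filesystem build in a new mount namespace" on line 49 should read "built", and "a number of more common Linux programs" on lines 45-46 reads better as "a number of common Linux programs".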
@@ -56,7 +65,7 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
56 | .PP | 65 | .PP |
57 | Multiple commands can be run in sandbox using regular bash logic operators: | 66 | Multiple commands can be run in sandbox using regular bash logic operators: |
58 | .PP | 67 | .PP |
59 | $ sudo firejail [OPTIONS] "/etc/init.d/nginx start && sleep inf" | 68 | # sudo firejail [OPTIONS] "/etc/init.d/nginx start && sleep inf" |
60 | .PP | 69 | .PP |
61 | In the previous example, "sleep inf" command is required in order to keep the session open for the daemon program. | 70 | In the previous example, "sleep inf" command is required in order to keep the session open for the daemon program. |
62 | 71 | ||
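Review bot: new line 68 changes the prompt from `$` to `#` but keeps `sudo` in the command; a `#` prompt already denotes a root shell, so either keep `$ sudo firejail ...` or drop `sudo` and keep `#`. As written the reader cannot tell whether the example is meant to be typed from a user shell or a root one, and the mixed form is the one thing a copy-paste reader is sure to reproduce.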
@@ -195,7 +204,7 @@ Example: | |||
195 | .TP | 204 | .TP |
196 | \fB\-\-chroot=dirname | 205 | \fB\-\-chroot=dirname |
197 | Chroot the sandbox into a root filesystem. If the sandbox is started as a | 206 | Chroot the sandbox into a root filesystem. If the sandbox is started as a |
198 | regular user, default seccomp and capabilities filters are eanbled. | 207 | regular user, default seccomp and capabilities filters are enabled. |
199 | .br | 208 | .br |
200 | 209 | ||
201 | .br | 210 | .br |
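Review bot: with the typo on line 207 fixed, the sentence still describes only the regular-user case; say explicitly what happens when the chroot sandbox is started as root (whether the default seccomp and capabilities filters are also applied, or must be requested on the command line). A reader will infer from "if the sandbox is started as a regular user" that root gets neither filter by default, and that is precisely the case a security reviewer of a root-started chroot will ask about.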
@@ -566,9 +575,7 @@ $ | |||
566 | 575 | ||
567 | .TP | 576 | .TP |
568 | \fB\-\-noprofile | 577 | \fB\-\-noprofile |
569 | Do not use a profile. Profile priority is use the one | 578 | Do not use a profile. |
570 | specified on the command line, next try to find one that | ||
571 | matches the command name, and lastly use generic.profile. | ||
572 | .br | 579 | .br |
573 | 580 | ||
574 | .br | 581 | .br |
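Review bot: line 578 drops the three-step priority description that used to sit under --noprofile, but nothing replaces it; add "For more information, see SECURITY PROFILES section below." here, as this commit does for --profile (new line 755), so a reader who lands on --noprofile from the option list can still find the lookup order. "Do not use a profile." also leaves open whether --noprofile overrides an explicit --profile given on the same command line; one sentence settling that would remove the ambiguity.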
@@ -633,7 +640,7 @@ $ firejail \-\-output=sandboxlog /bin/bash | |||
633 | .br | 640 | .br |
634 | $ ls -l sandboxlog* | 641 | $ ls -l sandboxlog* |
635 | .br | 642 | .br |
636 | -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sadnboxlog | 643 | -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog |
637 | .br | 644 | .br |
638 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1 | 645 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1 |
639 | .br | 646 | .br |
@@ -744,8 +751,8 @@ $ firejail --private-etc=group,hostname,localtime, \\ | |||
744 | nsswitch.conf,passwd,resolv.conf | 751 | nsswitch.conf,passwd,resolv.conf |
745 | .TP | 752 | .TP |
746 | \fB\-\-profile=filename | 753 | \fB\-\-profile=filename |
747 | Load a custom profile from filename. For filename use an absolute path or a path relative to the current path. | 754 | Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. |
748 | For more information, see PROFILES section below. | 755 | For more information, see SECURITY PROFILES section below. |
749 | .br | 756 | .br |
750 | 757 | ||
751 | .br | 758 | .br |
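Review bot: "a path relative to the current path" on line 754 should read "a path relative to the current working directory". Since the file named here decides what the sandbox permits, it is also worth one sentence on where custom profiles should live: a profile read from a world-writable or shared directory lets whoever controls that file weaken the sandbox, so users should keep custom profiles in a location only they can write to.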
@@ -1088,7 +1095,7 @@ Use /usr/bin/zsh as default user shell. | |||
1088 | .br | 1095 | .br |
1089 | Example: | 1096 | Example: |
1090 | .br | 1097 | .br |
1091 | $ firejakil \-\-zsh | 1098 | $ firejail \-\-zsh |
1092 | .SH TRAFFIC SHAPING | 1099 | .SH TRAFFIC SHAPING |
1093 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. | 1100 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. |
1094 | Traffic shaping allows the user to increase network performance by controlling | 1101 | Traffic shaping allows the user to increase network performance by controlling |
@@ -1186,20 +1193,19 @@ Sandbox running time in hours:minutes:seconds format. | |||
1186 | User | 1193 | User |
1187 | The owner of the sandbox. | 1194 | The owner of the sandbox. |
1188 | 1195 | ||
1189 | .SH PROFILES | 1196 | .SH SECURITY PROFILES |
1190 | Several command line configuration options can be passed to the program using | 1197 | Several command line configuration options can be passed to the program using |
1191 | profile files. Firejail supports user specified profile files and automatic profile files, | 1198 | profile files. Firejail chooses a security profile in the following order: |
1192 | as follows: | ||
1193 | 1199 | ||
1194 | 1. Load a specific profile file from a full path, or a path relative to the current directory. | 1200 | 1. If a profile is provided by the user with --profile option, the profile is loaded. |
1195 | Example: | 1201 | Example: |
1196 | .PP | 1202 | .PP |
1197 | .RS | 1203 | .RS |
1198 | $ firejail --profile=/home/netblue/icecat.profile icecat | 1204 | $ firejail --profile=/home/netblue/icecat.profile icecat |
1199 | .RE | 1205 | .RE |
1200 | 1206 | ||
1201 | 2. Load a default profile file automatically from ~/.config/firejail or from /etc/firejail, based | 1207 | 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or |
1202 | on the name of the executable started in the sandbox. Example: | 1208 | in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example: |
1203 | .PP | 1209 | .PP |
1204 | .RS | 1210 | .RS |
1205 | $ firejail icecat | 1211 | $ firejail icecat |
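Review bot: new lines 1207-1208 document that ~/.config/firejail takes precedence over /etc/firejail but not the consequence of that choice: a profile in a user-writable directory wins over the system one, and the USAGE section on this same page states that /home is writable inside the default sandbox, so a sandboxed program that can write to the user's home can replace the profile used for the next launch of any application. A one-line caveat here, pointing users who see unexpected sandbox behaviour at the contents of ~/.config/firejail, would make the precedence rule safer to rely on. Minor: new lines 1200 and 1204 use a bare `--profile`; the rest of the page escapes options as `\-\-`.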
@@ -1214,6 +1220,31 @@ Reading profile /home/netblue/.config/firejail/icecat.profile | |||
1214 | [...] | 1220 | [...] |
1215 | .RE | 1221 | .RE |
1216 | 1222 | ||
1223 | 3. Use the default profile in /etc/firejail/generic.profile | ||
1224 | .PP | ||
1225 | .RS | ||
1226 | $ firejail \-\-noprofile | ||
1227 | .br | ||
1228 | Parent pid 8553, child pid 8554 | ||
1229 | .br | ||
1230 | Child process initialized | ||
1231 | .br | ||
1232 | $ exit | ||
1233 | .br | ||
1234 | .br | ||
1235 | parent is shutting down, bye... | ||
1236 | .br | ||
1237 | $ firejail | ||
1238 | .br | ||
1239 | Reading profile /etc/firejail/generic.profile | ||
1240 | .br | ||
1241 | Parent pid 8553, child pid 8554 | ||
1242 | .br | ||
1243 | Child process initialized | ||
1244 | .br | ||
1245 | $ | ||
1246 | .RE | ||
1247 | |||
1217 | See man 5 firejail-profile for profile file syntax information. | 1248 | See man 5 firejail-profile for profile file syntax information. |
1218 | 1249 | ||
1219 | .SH RESTRICTED SHELL | 1250 | .SH RESTRICTED SHELL |
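Review bot: the item 3 example on new lines 1226-1245 opens with a `\-\-noprofile` run, but unlike the copy of this text in firejail-profile(5) (new line 37 there), line 1223 here never mentions --noprofile, so the first transcript appears without any explanation of what it demonstrates; add "This can be disabled with --noprofile." to line 1223 as the other page does, and end the line with a period. The two transcripts also report the identical "Parent pid 8553, child pid 8554" for two separate launches, which cannot both be real output; either paste the actual output of the second run or elide the pid lines with "[...]" as the item 2 example already does.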