author netblue30 <netblue30@yahoo.com>2016-11-03 17:26:06 -0400
committer netblue30 <netblue30@yahoo.com>2016-11-03 17:26:06 -0400
commit08478335e5f49605c96beac6575715781b167724 (patch)
tree70ce9be7e6a0ed3a5a39c299da8f21cad6c8d767
parenttesting fix (diff)
usage
-rw-r--r--src/firejail/usage.c441
1 files changed, 125 insertions, 316 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 7db91b5a9..c8bed06e3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -23,381 +23,190 @@ void usage(void) {
23 printf("firejail - version %s\n\n", VERSION); 23 printf("firejail - version %s\n\n", VERSION);
24 printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"); 24 printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n");
25 printf("restricting the running environment of untrusted applications using Linux\n"); 25 printf("restricting the running environment of untrusted applications using Linux\n");
26 printf("namespaces. It includes a sandbox profile for Mozilla Firefox.\n\n"); 26 printf("namespaces.\n");
27 printf("\n"); 27 printf("\n");
28 printf("Usage: firejail [options] [program and arguments]\n\n"); 28 printf("Usage: firejail [options] [program and arguments]\n");
29 printf("\n"); 29 printf("\n");
30 printf("Without any options, the sandbox consists of a filesystem chroot build from the\n"); 30 printf("Options:\n");
31 printf("current system directories mounted read-only, and new PID and IPC\n"); 31 printf(" -- - signal the end of options and disables further option processing.\n");
32 printf("namespaces. If no program is specified as an argument, /bin/bash is started by\n"); 32 printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
33 printf("default in the sandbox.\n\n"); 33 printf(" --allusers - all user home directories are visible inside the sandbox.\n");
34 printf("\n"); 34 printf(" --apparmor - enable AppArmor confinement.\n");
35 printf("Options:\n\n"); 35 printf(" --appimage - sandbox an AppImage application.\n");
36 printf(" -- - signal the end of options and disables further option processing.\n\n"); 36 printf(" --audit[=test-program] - audit the sandbox.\n");
37 printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n\n");
38 printf(" --allusers - all user home directories are visible inside the sandbox.\n\n");
39 printf(" --apparmor - enable AppArmor confinement\n\n");
40 printf(" --appimage - sandbox an AppImage application\n\n");
41 printf(" --audit - audit the sandbox, see Audit section for more details\n\n");
42 printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n");
43#ifdef HAVE_NETWORK 37#ifdef HAVE_NETWORK
44 printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n"); 38 printf(" --bandwidth=name|pid - set bandwidth limits\n");
45 printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
46#endif 39#endif
47#ifdef HAVE_BIND 40#ifdef HAVE_BIND
48 printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); 41 printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");
49 printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n\n"); 42 printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
50#endif 43#endif
51 printf(" --blacklist=dirname_or_filename - blacklist directory or file.\n\n"); 44 printf(" --blacklist=filename - blacklist directory or file.\n");
52 printf(" -c - execute command and exit.\n\n"); 45 printf(" -c - execute command and exit.\n");
53 printf(" --caps - enable default Linux capabilities filter.\n\n"); 46 printf(" --caps - enable default Linux capabilities filter.\n");
54 printf(" --caps.drop=all - drop all capabilities.\n\n"); 47 printf(" --caps.drop=all - drop all capabilities.\n");
55 printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n\n"); 48 printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n");
56 printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n\n"); 49 printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n");
57 printf(" --caps.print=name|pid - print the caps filter for the sandbox identified\n"); 50 printf(" --caps.print=name|pid - print the caps filter.\n");
58 printf("\tby name or PID.\n\n");
59 printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n"); 51 printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n");
60 printf("\ttasks-file is the full path of cgroup tasks file.\n\n");
61#ifdef HAVE_CHROOT 52#ifdef HAVE_CHROOT
62 printf(" --chroot=dirname - chroot into directory.\n\n"); 53 printf(" --chroot=dirname - chroot into directory.\n");
63#endif 54#endif
64 printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n"); 55 printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n");
65 printf(" --cpu.print=name|pid - print the cup in use by the sandbox identified\n"); 56 printf(" --cpu.print=name|pid - print the cpus in use.\n");
66 printf("\tby name or PID.\n\n"); 57 printf(" --csh - use /bin/csh as default shell.\n");
67 printf(" --csh - use /bin/csh as default shell.\n\n"); 58 printf(" --debug - print sandbox debug messages.\n");
68 59 printf(" --debug-blacklists - debug blacklisting.\n");
69 printf(" --debug - print sandbox debug messages.\n\n"); 60 printf(" --debug-caps - print all recognized capabilities.\n");
70 printf(" --debug-blacklists - debug blacklisting.\n\n"); 61 printf(" --debug-check-filename - debug filename checking.\n");
71 printf(" --debug-caps - print all recognized capabilities in the current Firejail\n"); 62 printf(" --debug-errnos - print all recognized error numbers.\n");
72 printf("\tsoftware build.\n\n"); 63 printf(" --debug-protocols - print all recognized protocols.\n");
73 printf(" --debug-check-filename - debug filename checking.\n\n"); 64 printf(" --debug-syscalls - print all recognized system calls.\n");
74 printf(" --debug-errnos - print all recognized error numbers in the current Firejail\n");
75 printf("\tsoftware build.\n\n");
76 printf(" --debug-protocols - print all recognized protocols in the current Firejail\n");
77 printf("\tsoftware build.\n\n");
78 printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");
79 printf("\tsoftware build.\n\n");
80#ifdef HAVE_WHITELIST 65#ifdef HAVE_WHITELIST
81 printf(" --debug-whitelists - debug whitelisting.\n\n"); 66 printf(" --debug-whitelists - debug whitelisting.\n");
82#endif 67#endif
83
84
85#ifdef HAVE_NETWORK 68#ifdef HAVE_NETWORK
86 printf(" --defaultgw=address - use this address as default gateway in the new network\n"); 69 printf(" --defaultgw=address - configure default gateway.\n");
87 printf("\tnamespace.\n\n");
88#endif 70#endif
89 printf(" --dns=address - set a DNS server for the sandbox. Up to three DNS servers\n"); 71 printf(" --dns=address - set DNS server.\n");
90 printf("\tcan be defined.\n\n"); 72 printf(" --dns.print=name|pid - print DNS configuration.\n");
91 printf(" --dns.print=name|pid - print DNS configuration for the sandbox identified\n"); 73
92 printf("\tby name or PID.\n\n"); 74 printf(" --env=name=value - set environment variable.\n");
93 75 printf(" --fs.print=name|pid - print the filesystem log.\n");
94 printf(" --env=name=value - set environment variable in the new sandbox.\n\n"); 76 printf(" --get=name|pid filename - get a file from sandbox container.\n");
95 printf(" --fs.print=name|pid - print the filesystem log for the sandbox identified\n"); 77 printf(" --help, -? - this help screen.\n");
96 printf("\tby name or PID.\n\n"); 78 printf(" --hostname=name - set sandbox hostname.\n");
97 printf(" --get=name|pid filename - get a file from sandbox container.\n\n"); 79 printf(" --ignore=command - ignore command in profile files.\n");
98 printf(" --help, -? - this help screen.\n\n");
99 printf(" --hostname=name - set sandbox hostname.\n\n");
100 printf(" --ignore=command - ignore command in profile files.\n\n");
101#ifdef HAVE_NETWORK 80#ifdef HAVE_NETWORK
102 printf(" --interface=name - move interface in a new network namespace. Up to four\n"); 81 printf(" --interface=name - move interface in sandbox.\n");
103 printf("\t--interface options can be specified.\n\n"); 82 printf(" --ip=address - set interface IP address.\n");
104 printf(" --ip=address - set interface IP address.\n\n"); 83 printf(" --ip=none - no IP address and no default gateway are configured.\n");
105 printf(" --ip=none - no IP address and no default gateway address are configured\n"); 84 printf(" --ip6=address - set interface IPv6 address.\n");
106 printf("\tin the new network namespace. Use this option in case you intend to\n"); 85 printf(" --iprange=address,address - configure an IP address in this range.\n");
107 printf("\tstart an external DHCP client in the sandbox.\n\n");
108 printf(" --ip6=address - set interface IPv6 address.\n\n");
109 printf(" --iprange=address,address - configure an IP address in this range.\n\n");
110#endif 86#endif
111 printf(" --ipc-namespace - enable a new IPC namespace if the sandbox was started as\n"); 87 printf(" --ipc-namespace - enable a new IPC namespace.\n");
112 printf("\tregular user. IPC namespace is enabled by default only if the sandbox\n"); 88 printf(" --join=name|pid - join the sandbox.\n");
113 printf("\tis started as root.\n\n"); 89 printf(" --join-filesystem=name|pid - join the mount namespace.\n");
114 printf(" --join=name|pid - join the sandbox identified by name or PID.\n\n");
115 printf(" --join-filesystem=name|pid - join the mount namespace of the sandbox\n");
116 printf("\tidentified by name or PID.\n\n");
117#ifdef HAVE_NETWORK 90#ifdef HAVE_NETWORK
118 printf(" --join-network=name|pid - join the network namespace of the sandbox\n"); 91 printf(" --join-network=name|pid - join the network namespace.\n");
119 printf("\tidentified by name or PID.\n\n");
120#endif 92#endif
121 printf(" --list - list all sandboxes.\n\n"); 93 printf(" --list - list all sandboxes.\n");
122 printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n\n"); 94 printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n");
123#ifdef HAVE_NETWORK 95#ifdef HAVE_NETWORK
124 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); 96 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
125 printf(" --mtu=number - set interface MTU.\n\n"); 97 printf(" --mtu=number - set interface MTU.\n");
126#endif 98#endif
127 printf(" --name=name - set sandbox name.\n\n"); 99 printf(" --name=name - set sandbox name.\n");
128#ifdef HAVE_NETWORK 100#ifdef HAVE_NETWORK
129 printf(" --net=bridgename - enable network namespaces and connect to this bridge\n"); 101 printf(" --net=bridgename - enable network namespaces and connect to this bridge.\n");
130 printf("\tdevice. Up to four --net devices can be defined.\n\n");
131
132 printf(" --net=ethernet_interface - enable network namespaces and connect to this\n"); 102 printf(" --net=ethernet_interface - enable network namespaces and connect to this\n");
133 printf("\tEthernet interface using the standard Linux macvlan driver. Up to four\n"); 103 printf("\tEthernet interface.\n");
134 printf("\t--net devices can be defined.\n\n"); 104 printf(" --net=none - enable a new, unconnected network namespace.\n");
135 105 printf(" --netfilter[=filename] - enable the default client network filter.\n");
136 printf(" --net=none - enable a new, unconnected network namespace.\n\n"); 106 printf(" --netfilter6=filename - enable the IPv6 network filter.\n");
137 107 printf(" --netstats - monitor network statistics.\n");
138 printf(" --netfilter - enable the default client network filter in the new\n");
139 printf("\tnetwork namespace.\n\n");
140 printf(" --netfilter=filename - enable the network filter specified by\n");
141 printf("\tfilename in the new network namespace. The filter file format\n");
142 printf("\tis the format of iptables-save and iptable-restore commands.\n\n");
143 printf(" --netfilter6=filename - enable the IPv6 network filter specified by\n");
144 printf("\tfilename in the new network namespace. The filter file format\n");
145 printf("\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
146
147 printf(" --netstats - monitor network statistics for sandboxes creating a new\n");
148 printf("\tnetwork namespace.\n\n");
149#endif 108#endif
150 printf(" --nice=value - set nice value.\n\n"); 109 printf(" --nice=value - set nice value.\n");
151 printf(" --no3d - disable 3D hardware acceleration.\n\n"); 110 printf(" --no3d - disable 3D hardware acceleration.\n");
152 printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n"); 111 printf(" --noblacklist=filename - disable blacklist for file or directory .\n");
153 printf("\tfile.\n\n"); 112 printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
154 printf(" --noexec=dirname_of_filenam - remount the file or directory noexec\n"); 113 printf(" --nogroups - disable supplementary groups.\n");
155 printf("\tnosuid and nodev\n\n"); 114 printf(" --noprofile - do not use a security profile.\n");
156 printf(" --nogroups - disable supplementary groups. Without this option,\n");
157 printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
158 printf("\tFor root, groups are always disabled.\n\n");
159
160 printf(" --noprofile - do not use a profile. Profile priority is use the one\n");
161 printf("\tspecified on the command line, next try to find one that\n");
162 printf("\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
163 printf("\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
164 printf("\troot.\n\n");
165#ifdef HAVE_USERNS 115#ifdef HAVE_USERNS
166 printf(" --noroot - install a user namespace with a single user - the current\n"); 116 printf(" --noroot - install a user namespace with only the current user.\n");
167 printf("\tuser. root user does not exist in the new namespace. This option\n");
168 printf("\tis not supported for --chroot and --overlay configurations.\n\n");
169#endif 117#endif
170 printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n"); 118 printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
171 printf("\tcannot gain privileges using execve(2); in particular, this prevents\n"); 119 printf(" --output=logfile - stdout logging and log rotation.\n");
172 printf("\tgaining privileges by calling a suid binary\n\n");
173 printf(" --nosound - disable sound system.\n\n");
174
175 printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");
176 printf("\tto logfile, and keep the size of the file under 500KB using log\n");
177 printf("\trotation. Five files with prefixes .1 to .5 are used in\n");
178 printf("\trotation.\n\n");
179
180 printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); 120 printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n");
181 printf("\tThe upper filesystem layer is persistent, and stored in\n");
182 printf("\t$HOME/.firejail/<PID> directory. (OverlayFS support is required in\n");
183 printf("\tLinux kernel for this option to work). \n\n");
184
185 printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n"); 121 printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n");
186 printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); 122 printf("\tfilesystem, and store it in name directory.\n");
187 printf("\t$HOME/.firejail/<NAME> directory. (OverlayFS support is required in\n"); 123 printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the current\n");
188 printf("\tLinux kernel for this option to work). \n\n"); 124 printf("\tfilesystem.\n");
189 125 printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n");
190 printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); 126 printf(" --private - temporary home directory.\n");
191 printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); 127 printf(" --private=directory - use directory as user home.\n");
192 printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n");
193 printf("\tsupport is required in Linux kernel for this option to work).\n\n");
194
195 printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n\n");
196
197 printf(" --private - mount new /root and /home/user directories in temporary\n");
198 printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
199 printf("\tclosed.\n\n");
200 printf(" --private=directory - use directory as user home.\n\n");
201 printf(" --private-home=file,directory - build a new user home in a temporary\n"); 128 printf(" --private-home=file,directory - build a new user home in a temporary\n");
202 printf("\t\tfilesystem, and copy the files and directories in the list in\n"); 129 printf("\tfilesystem, and copy the files and directories in the list in\n");
203 printf("\t\tthe new home. All modifications are discarded when the sandbox\n"); 130 printf("\tthe new home.\n");
204 printf("\t\tis closed.\n\n");
205
206 printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); 131 printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
207 printf("\tand copy the programs in the list.\n\n"); 132 printf("\tand copy the programs in the list.\n");
208
209 printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); 133 printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
210 printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n\n"); 134 printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n");
211
212 printf(" --private-etc=file,directory - build a new /etc in a temporary\n"); 135 printf(" --private-etc=file,directory - build a new /etc in a temporary\n");
213 printf("\tfilesystem, and copy the files and directories in the list.\n"); 136 printf("\tfilesystem, and copy the files and directories in the list.\n");
214 printf("\tAll modifications are discarded when the sandbox is closed.\n\n"); 137 printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n");
215 138 printf(" --profile=filename - use a custom profile.\n");
216 printf(" --private-tmp - mount a tmpfs on top of /tmp directory\n\n"); 139 printf(" --profile-path=directory - use this directory to look for profile files.\n");
217
218 printf(" --profile=filename - use a custom profile.\n\n");
219 printf(" --profile-path=directory - use this directory to look for profile files.\n\n");
220
221 printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); 140 printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n");
222 printf("\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); 141 printf(" --protocol.print=name|pid - print the protocol filter.\n");
223 printf(" --protocol.print=name|pid - print the protocol filter for the sandbox\n"); 142 printf(" --put=name|pid src-filename dest-filename - put a file in sandbox container.\n");
224 printf("\tidentified by name or PID.\n\n"); 143 printf(" --quiet - turn off Firejail's output.\n");
225 144 printf(" --read-only=filename - set directory or file read-only..\n");
226 printf(" --put=name|pid src-filename dest-filename - put a file in sandbox container.\n\n"); 145 printf(" --read-write=filename - set directory or file read-write..\n");
227
228 printf(" --quiet - turn off Firejail's output.\n\n");
229 printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");
230 printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
231 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n"); 146 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
232 printf("\tby a process.\n\n"); 147 printf("\tby a process.\n");
233 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n"); 148 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
234 printf("\topened by a process.\n\n"); 149 printf("\topened by a process.\n");
235 printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n"); 150 printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n");
236 printf("\tcreated for the real user ID of the calling process.\n\n"); 151 printf("\tcreated for the real user ID of the calling process.\n");
237 printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); 152 printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
238 printf("\tfor a process.\n\n"); 153 printf("\tfor a process.\n");
239 printf(" --rmenv=name - remove environment variable in the new sandbox.\n\n"); 154 printf(" --rmenv=name - remove environment variable in the new sandbox.\n");
240#ifdef HAVE_NETWORK 155#ifdef HAVE_NETWORK
241 printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); 156 printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
242 printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
243 printf("\trunning on the current host.\n\n");
244#endif 157#endif
245#ifdef HAVE_SECCOMP 158#ifdef HAVE_SECCOMP
246 printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n\n"); 159 printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n");
247
248 printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); 160 printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
249 printf("\tdefault syscall list and the syscalls specified by the command.\n\n"); 161 printf("\tdefault syscall list and the syscalls specified by the command.\n");
250
251 printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); 162 printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
252 printf("\tblacklist the syscalls specified by the command.\n\n"); 163 printf("\tblacklist the syscalls specified by the command.\n");
253
254 printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); 164 printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
255 printf("\twhitelist the syscalls specified by the command.\n\n"); 165 printf("\twhitelist the syscalls specified by the command.\n");
256
257 printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n"); 166 printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
258 printf("\treturn errno for the syscalls specified by the command.\n\n"); 167 printf("\treturn errno for the syscalls specified by the command.\n");
259
260 printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"); 168 printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
261 printf("\tidentified by name or PID.\n\n"); 169 printf("\tidentified by name or PID.\n");
262#endif 170#endif
263 171 printf(" --shell=none - run the program directly without a user shell.\n");
264 printf(" --shell=none - run the program directly without a user shell.\n\n"); 172 printf(" --shell=program - set default user shell.\n");
265 printf(" --shell=program - set default user shell.\n\n"); 173 printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n");
266 printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n\n");
267 printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); 174 printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
268 printf("\tThis option is available only when running the sandbox as root.\n\n"); 175 printf(" --top - monitor the most CPU-intensive sandboxes.\n");
269 printf(" --top - monitor the most CPU-intensive sandboxes.\n\n"); 176 printf(" --trace - trace open, access and connect system calls.\n");
270 printf(" --trace - trace open, access and connect system calls.\n\n");
271 printf(" --tracelog - add a syslog message for every access to files or\n"); 177 printf(" --tracelog - add a syslog message for every access to files or\n");
272 printf("\tdirectoires blacklisted by the security profile.\n\n"); 178 printf("\tdirectoires blacklisted by the security profile.\n");
273 printf(" --tree - print a tree of all sandboxed processes.\n\n"); 179 printf(" --tree - print a tree of all sandboxed processes.\n");
274 printf(" --version - print program version and exit.\n\n"); 180 printf(" --version - print program version and exit.\n");
275#ifdef HAVE_NETWORK 181#ifdef HAVE_NETWORK
276 printf(" --veth-name=name - use this name for the interface connected to the bridge\n"); 182 printf(" --veth-name=name - use this name for the interface connected to the bridge.\n");
277 printf("\tfor --net=bridgename commands, instead of the default one.\n\n");
278#endif 183#endif
279#ifdef HAVE_WHITELIST 184#ifdef HAVE_WHITELIST
280 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); 185 printf(" --whitelist=filename - whitelist directory or file.\n");
281#endif 186#endif
282 printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); 187 printf(" --writable-etc - /etc directory is mounted read-write.\n");
283 printf(" --writable-var - /var directory is mounted read-write.\n\n"); 188 printf(" --writable-var - /var directory is mounted read-write.\n");
284
285 printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"); 189 printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
286 printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"); 190 printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
287 printf("\tattempt to use X11 security extension.\n\n"); 191 printf("\tattempt to use X11 security extension.\n");
288 printf(" --x11=none - disable access to X11 sockets.\n\n"); 192 printf(" --x11=none - disable access to X11 sockets.\n");
289 printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n"); 193 printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n");
290 printf(" --x11=xorg - enable X11 security extension.\n\n"); 194 printf(" --x11=xorg - enable X11 security extension.\n");
291 printf(" --x11=xpra - enable Xpra X11 server.\n\n"); 195 printf(" --x11=xpra - enable Xpra X11 server.\n");
292 printf(" --zsh - use /usr/bin/zsh as default shell.\n\n"); 196 printf(" --zsh - use /usr/bin/zsh as default shell.\n");
293 printf("\n");
294 printf("\n");
295
296
297#ifdef HAVE_NETWORK
298 printf("Traffic Shaping\n\n");
299
300 printf("Network bandwidth is an expensive resource shared among all sandboxes\n");
301 printf("running on a system. Traffic shaping allows the user to increase network\n");
302 printf("performance by controlling the amount of data that flows into and out of the\n");
303 printf("sandboxes. Firejail implements a simple rate-limiting shaper based on Linux\n");
304 printf("command tc. The shaper works at sandbox level, and can be used only for\n");
305 printf("sandboxes configured with new network namespaces.\n\n");
306
307 printf("Set rate-limits:\n");
308 printf(" firejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n");
309 printf("Clear rate-limits:\n");
310 printf(" firejail --bandwidth={name|pid} clear network-name\n\n");
311 printf("Status:\n");
312 printf(" firejail --bandwidth={name|pid} status\n\n");
313 printf("where:\n");
314 printf(" name - sandbox name\n");
315 printf(" pid - sandbox pid\n");
316 printf(" network-name - network name as used by --net option\n");
317 printf(" down-speed - download speed in KB/s (decimal kilobyte per second)\n");
318 printf(" up-speed - upload speed in KB/s (decimal kilobyte per second)\n");
319 printf("\n");
320 printf("Example:\n");
321 printf(" $ firejail --name=mybrowser --net=eth0 firefox &\n");
322 printf(" $ firejail --bandwidth=mybrowser set eth0 80 20\n");
323 printf(" $ firejail --bandwidth=mybrowser status\n");
324 printf(" $ firejail --bandwidth=mybrowser clear eth0\n");
325 printf("\n");
326 printf("\n");
327#endif
328
329 printf("Audit\n\n");
330 printf("Audit feature allows the user to point out gaps in security profiles. The\n");
331 printf("implementation replaces the program to be sandboxed with a test program. By\n");
332 printf("default, we use faudit program distributed with Firejail. A custom test program\n");
333 printf("can also be supplied by the user. Examples:\n\n");
334 printf("Running the default audit program:\n");
335 printf(" $ firejail --audit transmission-gtk\n\n");
336 printf("Running a custom audit program:\n");
337 printf(" $ firejail --audit=~/sandbox-test transmission-gtk\n\n");
338 printf("In the examples above, the sandbox configures transmission-gtk profile and\n");
339 printf("starts the test program. The real program, transmission-gtk, will not be\n");
340 printf("started.\n\n\n");
341
342 printf("Monitoring\n\n");
343
344 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
345 printf("follows:\n\n");
346 printf(" PID:USER:Command\n\n");
347
348 printf("Option --tree prints the tree of processes running in the sandbox. The format\n");
349 printf("for each process entry is as follows:\n\n");
350 printf(" PID:USER:Command\n\n");
351
352 printf("Option --top is similar to the UNIX top command, however it applies only to\n");
353 printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n");
354 printf("order:\n\n");
355 printf(" Command - command used to start the sandbox.\n");
356 printf(" CPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n");
357 printf("\tlast screen update\n");
358 printf(" PID - Unique process ID for the task controlling the sandbox.\n");
359 printf(" Prcs - number of processes running in sandbox, including the controlling\n");
360 printf("\tprocess.\n");
361 printf(" RES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
362 printf("\tIt is a sum of the RES values for all processes running in the\n");
363 printf("\tsandbox.\n");
364 printf(" SHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
365 printf("\tprocesses. It is a sum of the SHR values for all processes running\n");
366 printf("\tin the sandbox, including the controlling process.\n");
367 printf(" Uptime - sandbox running time in hours:minutes:seconds format.\n");
368 printf(" User - The owner of the sandbox.\n");
369 printf("\n");
370 printf("\n");
371 printf("Profile files\n\n");
372 printf("Several command line configuration options can be passed to the program using\n");
373 printf("profile files. Default Firejail profile files are stored in /etc/firejail\n");
374 printf("directory, user profile files are stored in ~/.config/firejail directory. See\n");
375 printf("man 5 firejail-profile for more information.\n\n");
376 printf("\n");
377 printf("Restricted shell\n\n");
378 printf("To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in\n");
379 printf("/etc/passwd file for each user that needs to be restricted.\n");
380 printf("Alternatively, you can specify /usr/bin/firejail in adduser command:\n\n");
381 printf(" adduser --shell /usr/bin/firejail username\n\n");
382 printf("Arguments to be passed to firejail executable upon login are declared in\n");
383 printf("/etc/firejail/login.users file.\n\n");
384 printf("\n"); 197 printf("\n");
385 printf("Examples:\n\n"); 198 printf("Examples:\n");
386 printf(" $ firejail\n");
387 printf("\tstart a regular /bin/bash session in sandbox\n");
388 printf(" $ firejail firefox\n"); 199 printf(" $ firejail firefox\n");
389 printf("\tstart Mozilla Firefox\n"); 200 printf("\tstart Mozilla Firefox\n");
390 printf(" $ firejail --debug firefox\n"); 201 printf(" $ firejail --debug firefox\n");
391 printf("\tdebug Firefox sandbox\n"); 202 printf("\tdebug Firefox sandbox\n");
392 printf(" $ firejail --private firefox\n"); 203 printf(" $ firejail --private --sna=8.8.8.8 firefox\n");
393 printf("\tstart Firefox with a new, empty home directory\n"); 204 printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
394 printf(" $ firejail --net=br0 ip=10.10.20.10\n"); 205 printf("\tserver setting.\n");
395 printf("\tstart a /bin/bash session in a new network namespace; the session is\n"); 206 printf(" $ firejail --net=eth0 firefox\n");
396 printf("\tconnected to the main network using br0 bridge device, an IP address\n"); 207 printf("\tstart Firefox in a new network namespace\n");
397 printf("\tof 10.10.20.10 is assigned to the sandbox\n"); 208 printf(" $ firejail --x11=xorg firefox\n");
398 printf(" $ firejail --net=br0 --net=br1 --net=br2\n"); 209 printf("\tstart Firefox and sandbox X11\n");
399 printf("\tstart a /bin/bash session in a new network namespace and connect it\n");
400 printf("\tto br0, br1, and br2 host bridge devices\n");
401 printf(" $ firejail --list\n"); 210 printf(" $ firejail --list\n");
402 printf("\tlist all running sandboxes\n"); 211 printf("\tlist all running sandboxes\n");
403 printf("\n"); 212 printf("\n");
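Review bot: The new example at new line 203, `printf(" $ firejail --private --sna=8.8.8.8 firefox\n");`, uses an option `--sna` that appears nowhere in the option list above, while its explanation on new lines 204-205 describes "a well-known DNS server setting"; this reads as a typo for `--dns`, so the line should be `printf(" $ firejail --private --dns=8.8.8.8 firefox\n");`. A user copying the example as printed would presumably hit an unknown-option error instead of the intended DNS configuration, which matters for a help screen that is the first thing many users read. Two smaller copy issues remain in the new text: new lines 144 and 145 end with a doubled period (`read-only..`, `read-write..`) and new line 111 has a stray space before its period (`directory .`); `directoires` on new line 178 is a typo carried over in context. The closing brace of usage() lies after the hunk.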