author | 2018-08-27 12:44:33 -0400 | |
---|---|---|
committer | 2018-08-27 12:44:33 -0400 | |
commit | f89ab8c8d0def54201a5970040ac42b92ba79f52 (patch) | |
tree | 7701b531afa7bf850becb74faefcc8753c3dc1be | |
parent | checkcfg.c cleanup (diff) | |
download | firejail-f89ab8c8d0def54201a5970040ac42b92ba79f52.tar.gz firejail-f89ab8c8d0def54201a5970040ac42b92ba79f52.tar.zst firejail-f89ab8c8d0def54201a5970040ac42b92ba79f52.zip |
manpage cleanup
-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | src/man/firecfg.txt | 1 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 41 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 119 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 569 | ||||
-rw-r--r-- | src/man/firemon.txt | 1 |
7 files changed, 10 insertions, 724 deletions
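diff --git a/Makefile.in b/Makefile.in
index 03dba1f61..557b0289e 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,7 @@
 all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/fnet src/fseccomp src/libpostexecseccomp
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-users.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@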
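Review bot: Dropping `firejail-login.5` from `MANPAGES` on new line 4 removes the only man page for `/etc/firejail/login.users` from the build, and nothing visible in this commit shows that restricted-shell support itself was removed. If firejail still reads that file when it is installed as a login shell, administrators lose the reference for a security-relevant configuration file, including the wildcard user-name matching; in that case keep `firejail-login.5` in the list or move its syntax description into `firejail.1`. The rest of Makefile.in is outside the hunk, so it is also worth confirming that no install, uninstall or packaging rule names `firejail-login.5` literally instead of going through `$(MANPAGES)`.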
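diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 80cb201d9..8811e17e5 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -123,5 +123,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)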
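diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
deleted file mode 100644
index c2fa63dc4..000000000
--- a/src/man/firejail-login.txt
+++ /dev/null
@@ -1,41 +0,0 @@
-.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page"
-.SH NAME
-login.users \- Login file syntax for Firejail
-
-.SH DESCRIPTION
-/etc/firejail/login.users file describes additional arguments passed to firejail executable
-upon user logging into a Firejail restricted shell. Each user entry in the file consists of
-a user name followed by the arguments passed to firejail. The format is as follows:
-
-user_name: arguments
-
-Example:
-
-netblue:--net=none --protocol=unix
-
-Wildcard patterns are accepted in the user name field:
-
-user*: --private
-
-.SH RESTRICTED SHELL
-To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail using adduser or usermod commands:
-
-adduser \-\-shell /usr/bin/firejail username
-.br
-usermod \-\-shell /usr/bin/firejail username
-
-.SH FILES
-/etc/firejail/login.users
-
-.SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-.PP
-Homepage: https://firejail.wordpress.com
-.SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)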
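diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 17562c503..92e95f165 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -197,18 +197,6 @@ The file is created if it doesn't already exist.
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
 .TP
-\fBoverlay
-Mount a filesystem overlay on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/<PID> directory.
-.TP
-\fBoverlay-named name
-Mount a filesystem overlay on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/name directory.
-.TP
-\fBoverlay-tmpfs
-Mount a filesystem overlay on top of the current filesystem.
-All filesystem modifications are discarded when the sandbox is closed.
-.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -217,20 +205,10 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
-\fBprivate-home file,directory
-Build a new user home in a temporary
-filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
-closed.
-.TP
 \fBprivate-cache
 Mount an empty temporary filesystem on top of the .cache directory in user home. All
 modifications are discarded when the sandbox is closed.
 .TP
-\fBprivate-bin file,file
-Build a new /bin in a temporary filesystem, and copy the programs in the list.
-The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
-.TP
 \fBprivate-dev
 Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
 random, snd, urandom, video, log and shm devices are available.
@@ -238,25 +216,6 @@ random, snd, urandom, video, log and shm devices are available.
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
-\fBprivate-etc file,directory
-Build a new /etc in a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
-\fBprivate-lib file,directory
-Build a new /lib directory and bring in the libraries required by the application to run.
-This feature is still under development, see \fBman 1 firejail\fR for some examples.
-.TP
-\fBprivate-opt file,directory
-Build a new /optin a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
-\fBprivate-srv file,directory
-Build a new /srv in a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
@@ -269,9 +228,6 @@ Make directory or file read-write.
 \fBtmpfs directory
 Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
-\fBtracelog
-Blacklist violations logged to syslog.
-.TP
 \fBwhitelist file_or_directory
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
@@ -350,82 +306,26 @@ does not result in an increase of privilege.
 \fBnoroot
 Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
-.TP
-\fBx11
-Enable X11 sandboxing.
-.TP
-\fBx11 none
-Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
-Remove DISPLAY and XAUTHORITY environment variables.
-Stop with error message if X11 abstract socket will be accessible in jail.
-.TP
-\fBx11 xephyr
-Enable X11 sandboxing with Xephyr server.
-.TP
-\fBx11 xorg
-Enable X11 sandboxing with X11 security extension.
-.TP
-\fBx11 xpra
-Enable X11 sandboxing with Xpra server.
-.TP
-\fBx11 xvfb
-Enable X11 sandboxing with Xvfb server.
-.TP
-\fBxephyr-screen WIDTHxHEIGHT
-Set screen size for x11 xephyr. This command should be included in the profile file before x11 xephyr command.
-.br
 
-.br
-Example:
+
+.SH User Environment
+
+.TP
+\fBcpu cpu-number,cpu-number,cpu-number
+Set CPU affinity. Example:
 .br
 
 .br
-xephyr-screen 640x480
+cpu 0,1,2
 .br
-x11 xephyr
-
-
-
-.SH Resource limits, CPU affinity, Control Groups
-These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
-The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
-configures the CPU cores available, and \fBcgroup\fR command
-place the sandbox in an existing control group.
-
-Examples:
 
 .TP
-\fBrlimit-as 123456789012
-Set the maximum size of the process's virtual memory to 123456789012 bytes.
-.TP
-\fBrlimit-cpu 123
-Set the maximum CPU time in seconds.
-.TP
-\fBrlimit-fsize 1024
-Set the maximum file size that can be created by a process to 1024 bytes.
-.TP
-\fBrlimit-nproc 1000
-Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.
-.TP
-\fBrlimit-nofile 500
-Set the maximum number of files that can be opened by a process to 500.
-.TP
-\fBrlimit-sigpending 200
-Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
-.TP
-\fBcpu 0,1,2
-Use only CPU cores 0, 1 and 2.
-.TP
-\fBnice -5
-Set a nice value of -5 to all processes running inside the sandbox.
-.TP
-\fBcgroup /sys/fs/cgroup/g1/tasks
-The sandbox is placed in g1 control group.
+\fBnice value
+Set nice value for all processes running inside the sandbox.
 .TP
 \fBtimeout hh:mm:ss
 Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
 
-.SH User Environment
 .TP
 \fBallusers
 All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
@@ -644,5 +544,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)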
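diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index 88b4041b0..aa81bd304 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -58,4 +58,3 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)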
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7de1bff50..b2ad2cba5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -8,12 +8,6 @@ Start a sandbox: | |||
8 | firejail [OPTIONS] [program and arguments] | 8 | firejail [OPTIONS] [program and arguments] |
9 | .RE | 9 | .RE |
10 | .PP | 10 | .PP |
11 | File transfer from an existing sandbox | ||
12 | .PP | ||
13 | .RS | ||
14 | firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename | ||
15 | .RE | ||
16 | .PP | ||
17 | Network traffic shaping for an existing sandbox: | 11 | Network traffic shaping for an existing sandbox: |
18 | .PP | 12 | .PP |
19 | .RS | 13 | .RS |
@@ -127,12 +121,6 @@ $ firejail \-\-apparmor.print=browser | |||
127 | AppArmor: firejail-default enforce | 121 | AppArmor: firejail-default enforce |
128 | 122 | ||
129 | .TP | 123 | .TP |
130 | \fB\-\-audit | ||
131 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
132 | .TP | ||
133 | \fB\-\-audit=test-program | ||
134 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
135 | .TP | ||
136 | \fB\-\-bandwidth=name|pid | 124 | \fB\-\-bandwidth=name|pid |
137 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. | 125 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. |
138 | .TP | 126 | .TP |
@@ -159,30 +147,7 @@ $ firejail \-\-blacklist=~/.mozilla | |||
159 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" | 147 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" |
160 | .br | 148 | .br |
161 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines | 149 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines |
162 | .TP | ||
163 | \fB\-\-build | ||
164 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also | ||
165 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
166 | with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported | ||
167 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
168 | .br | ||
169 | |||
170 | .br | ||
171 | Example: | ||
172 | .br | ||
173 | $ firejail --build vlc ~/Videos/test.mp4 | ||
174 | .TP | ||
175 | \fB\-\-build=profile-file | ||
176 | The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also | ||
177 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
178 | with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported | ||
179 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
180 | .br | ||
181 | 150 | ||
182 | .br | ||
183 | Example: | ||
184 | .br | ||
185 | $ firejail --build=vlc.profile vlc ~/Videos/test.mp4 | ||
186 | .TP | 151 | .TP |
187 | \fB\-c | 152 | \fB\-c |
188 | Execute command and exit. | 153 | Execute command and exit. |
@@ -259,29 +224,6 @@ $ firejail \-\-list | |||
259 | $ firejail \-\-caps.print=3272 | 224 | $ firejail \-\-caps.print=3272 |
260 | 225 | ||
261 | .TP | 226 | .TP |
262 | \fB\-\-cgroup=tasks-file | ||
263 | Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. | ||
264 | .br | ||
265 | |||
266 | .br | ||
267 | Example: | ||
268 | .br | ||
269 | # firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks | ||
270 | |||
271 | .TP | ||
272 | \fB\-\-chroot=dirname | ||
273 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, | ||
274 | the system directories are mounted read-write. If the sandbox is started as a | ||
275 | regular user, default seccomp and capabilities filters are enabled. This | ||
276 | option is not available on Grsecurity systems. | ||
277 | .br | ||
278 | |||
279 | .br | ||
280 | Example: | ||
281 | .br | ||
282 | $ firejail \-\-chroot=/media/ubuntu warzone2100 | ||
283 | |||
284 | .TP | ||
285 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number | 227 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number |
286 | Set CPU affinity. | 228 | Set CPU affinity. |
287 | .br | 229 | .br |
@@ -472,10 +414,6 @@ $ firejail \-\-list | |||
472 | $ firejail \-\-fs.print=3272 | 414 | $ firejail \-\-fs.print=3272 |
473 | 415 | ||
474 | .TP | 416 | .TP |
475 | \fB\-\-get=name|pid filename | ||
476 | Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details. | ||
477 | |||
478 | .TP | ||
479 | \fB\-?\fR, \fB\-\-help\fR | 417 | \fB\-?\fR, \fB\-\-help\fR |
480 | Print options end exit. | 418 | Print options end exit. |
481 | 419 | ||
@@ -699,10 +637,6 @@ Example: | |||
699 | $ firejail --keep-var-tmp | 637 | $ firejail --keep-var-tmp |
700 | 638 | ||
701 | .TP | 639 | .TP |
702 | \fB\-\-ls=name|pid dir_or_filename | ||
703 | List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. | ||
704 | |||
705 | .TP | ||
706 | \fB\-\-list | 640 | \fB\-\-list |
707 | List all sandboxes, see \fBMONITORING\fR section for more details. | 641 | List all sandboxes, see \fBMONITORING\fR section for more details. |
708 | .br | 642 | .br |
@@ -1233,101 +1167,6 @@ Disable video devices. | |||
1233 | Disable whitelist for this directory or file. | 1167 | Disable whitelist for this directory or file. |
1234 | 1168 | ||
1235 | .TP | 1169 | .TP |
1236 | \fB\-\-output=logfile | ||
1237 | stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log | ||
1238 | rotation. Five files with prefixes .1 to .5 are used in rotation. | ||
1239 | .br | ||
1240 | |||
1241 | .br | ||
1242 | Example: | ||
1243 | .br | ||
1244 | $ firejail \-\-output=sandboxlog /bin/bash | ||
1245 | .br | ||
1246 | [...] | ||
1247 | .br | ||
1248 | $ ls -l sandboxlog* | ||
1249 | .br | ||
1250 | -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog | ||
1251 | .br | ||
1252 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1 | ||
1253 | .br | ||
1254 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2 | ||
1255 | .br | ||
1256 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3 | ||
1257 | .br | ||
1258 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4 | ||
1259 | .br | ||
1260 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5 | ||
1261 | |||
1262 | .TP | ||
1263 | \fB\-\-output-stderr=logfile | ||
1264 | Similar to \-\-output, but stderr is also stored. | ||
1265 | |||
1266 | .TP | ||
1267 | \fB\-\-overlay | ||
1268 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | ||
1269 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
1270 | The overlay is stored in $HOME/.firejail/<PID> directory. | ||
1271 | .br | ||
1272 | |||
1273 | .br | ||
1274 | OverlayFS support is required in Linux kernel for this option to work. | ||
1275 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
1276 | This option is not available on Grsecurity systems. | ||
1277 | .br | ||
1278 | |||
1279 | .br | ||
1280 | Example: | ||
1281 | .br | ||
1282 | $ firejail \-\-overlay firefox | ||
1283 | |||
1284 | .TP | ||
1285 | \fB\-\-overlay-named=name | ||
1286 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | ||
1287 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
1288 | The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple | ||
1289 | sessions. | ||
1290 | .br | ||
1291 | |||
1292 | .br | ||
1293 | OverlayFS support is required in Linux kernel for this option to work. | ||
1294 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
1295 | This option is not available on Grsecurity systems. | ||
1296 | .br | ||
1297 | |||
1298 | .br | ||
1299 | Example: | ||
1300 | .br | ||
1301 | $ firejail \-\-overlay-named=jail1 firefox | ||
1302 | |||
1303 | .TP | ||
1304 | \fB\-\-overlay-tmpfs | ||
1305 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications | ||
1306 | are discarded when the sandbox is closed. | ||
1307 | .br | ||
1308 | |||
1309 | .br | ||
1310 | OverlayFS support is required in Linux kernel for this option to work. | ||
1311 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
1312 | This option is not available on Grsecurity systems. | ||
1313 | .br | ||
1314 | |||
1315 | .br | ||
1316 | Example: | ||
1317 | .br | ||
1318 | $ firejail \-\-overlay-tmpfs firefox | ||
1319 | |||
1320 | .TP | ||
1321 | \fB\-\-overlay-clean | ||
1322 | Clean all overlays stored in $HOME/.firejail directory. | ||
1323 | .br | ||
1324 | |||
1325 | .br | ||
1326 | Example: | ||
1327 | .br | ||
1328 | $ firejail \-\-overlay-clean | ||
1329 | |||
1330 | .TP | ||
1331 | \fB\-\-private | 1170 | \fB\-\-private |
1332 | Mount new /root and /home/user directories in temporary | 1171 | Mount new /root and /home/user directories in temporary |
1333 | filesystems. All modifications are discarded when the sandbox is | 1172 | filesystems. All modifications are discarded when the sandbox is |
@@ -1349,19 +1188,6 @@ Example: | |||
1349 | $ firejail \-\-private=/home/netblue/firefox-home firefox | 1188 | $ firejail \-\-private=/home/netblue/firefox-home firefox |
1350 | 1189 | ||
1351 | .TP | 1190 | .TP |
1352 | \fB\-\-private-home=file,directory | ||
1353 | Build a new user home in a temporary | ||
1354 | filesystem, and copy the files and directories in the list in the | ||
1355 | new home. All modifications are discarded when the sandbox is | ||
1356 | closed. | ||
1357 | .br | ||
1358 | |||
1359 | .br | ||
1360 | Example: | ||
1361 | .br | ||
1362 | $ firejail \-\-private-home=.mozilla firefox | ||
1363 | |||
1364 | .TP | ||
1365 | \fB\-\-private-cache | 1191 | \fB\-\-private-cache |
1366 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | 1192 | Mount an empty temporary filesystem on top of the .cache directory in user home. All |
1367 | modifications are discarded when the sandbox is closed. | 1193 | modifications are discarded when the sandbox is closed. |
@@ -1373,79 +1199,6 @@ Example: | |||
1373 | $ firejail \-\-private-cache openbox | 1199 | $ firejail \-\-private-cache openbox |
1374 | 1200 | ||
1375 | .TP | 1201 | .TP |
1376 | \fB\-\-private-bin=file,file | ||
1377 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | ||
1378 | If no listed file is found, /bin directory will be empty. | ||
1379 | The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. | ||
1380 | All modifications are discarded when the sandbox is closed. File globbing is supported, | ||
1381 | see \fBFILE GLOBBING\fR section for more details. | ||
1382 | .br | ||
1383 | |||
1384 | .br | ||
1385 | Example: | ||
1386 | .br | ||
1387 | $ firejail \-\-private-bin=bash,sed,ls,cat | ||
1388 | .br | ||
1389 | Parent pid 20841, child pid 20842 | ||
1390 | .br | ||
1391 | Child process initialized | ||
1392 | .br | ||
1393 | $ ls /bin | ||
1394 | .br | ||
1395 | bash cat ls sed | ||
1396 | |||
1397 | .TP | ||
1398 | \fB\-\-private-lib=file,directory | ||
1399 | This feature is currently under heavy development. Only amd64 platforms are supported at this moment. | ||
1400 | The idea is to build a new /lib in a temporary filesystem, | ||
1401 | with only the library files necessary to run the application. | ||
1402 | It could be as simple as: | ||
1403 | .br | ||
1404 | |||
1405 | .br | ||
1406 | $ firejail --private-lib galculator | ||
1407 | .br | ||
1408 | |||
1409 | .br | ||
1410 | but it gets complicated really fast: | ||
1411 | .br | ||
1412 | |||
1413 | .br | ||
1414 | $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed | ||
1415 | .br | ||
1416 | |||
1417 | .br | ||
1418 | The feature is integrated with \-\-private-bin: | ||
1419 | .br | ||
1420 | |||
1421 | .br | ||
1422 | $ firejail --private-lib --private-bin=bash,ls,ps | ||
1423 | .br | ||
1424 | $ ls /lib | ||
1425 | .br | ||
1426 | ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0 | ||
1427 | .br | ||
1428 | libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5 | ||
1429 | .br | ||
1430 | libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu | ||
1431 | .br | ||
1432 | libgcrypt.so.20 libpcre.so.3 libselinux.so.1 | ||
1433 | .br | ||
1434 | $ ps | ||
1435 | .br | ||
1436 | PID TTY TIME CMD | ||
1437 | .br | ||
1438 | 1 pts/0 00:00:00 firejail | ||
1439 | .br | ||
1440 | 45 pts/0 00:00:00 bash | ||
1441 | .br | ||
1442 | 48 pts/0 00:00:00 ps | ||
1443 | .br | ||
1444 | $ | ||
1445 | .br | ||
1446 | |||
1447 | |||
1448 | .TP | ||
1449 | \fB\-\-private-dev | 1202 | \fB\-\-private-dev |
1450 | Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. | 1203 | Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. |
1451 | .br | 1204 | .br |
@@ -1464,46 +1217,6 @@ $ ls /dev | |||
1464 | cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 tty urandom zero | 1217 | cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 tty urandom zero |
1465 | .br | 1218 | .br |
1466 | $ | 1219 | $ |
1467 | .TP | ||
1468 | \fB\-\-private-etc=file,directory | ||
1469 | Build a new /etc in a temporary | ||
1470 | filesystem, and copy the files and directories in the list. | ||
1471 | If no listed file is found, /etc directory will be empty. | ||
1472 | All modifications are discarded when the sandbox is closed. | ||
1473 | .br | ||
1474 | |||
1475 | .br | ||
1476 | Example: | ||
1477 | .br | ||
1478 | $ firejail --private-etc=group,hostname,localtime, \\ | ||
1479 | .br | ||
1480 | nsswitch.conf,passwd,resolv.conf | ||
1481 | |||
1482 | .TP | ||
1483 | \fB\-\-private-opt=file,directory | ||
1484 | Build a new /opt in a temporary | ||
1485 | filesystem, and copy the files and directories in the list. | ||
1486 | If no listed file is found, /opt directory will be empty. | ||
1487 | All modifications are discarded when the sandbox is closed. | ||
1488 | .br | ||
1489 | |||
1490 | .br | ||
1491 | Example: | ||
1492 | .br | ||
1493 | $ firejail --private-opt=firefox /opt/firefox/firefox | ||
1494 | |||
1495 | .TP | ||
1496 | \fB\-\-private-srv=file,directory | ||
1497 | Build a new /srv in a temporary | ||
1498 | filesystem, and copy the files and directories in the list. | ||
1499 | If no listed file is found, /srv directory will be empty. | ||
1500 | All modifications are discarded when the sandbox is closed. | ||
1501 | .br | ||
1502 | |||
1503 | .br | ||
1504 | Example: | ||
1505 | .br | ||
1506 | # firejail --private-srv=www /etc/init.d/apache2 start | ||
1507 | 1220 | ||
1508 | .TP | 1221 | .TP |
1509 | \fB\-\-private-tmp | 1222 | \fB\-\-private-tmp |
@@ -1586,9 +1299,6 @@ $ firejail \-\-protocol.print=3272 | |||
1586 | .br | 1299 | .br |
1587 | unix,inet,inet6,netlink | 1300 | unix,inet,inet6,netlink |
1588 | .TP | 1301 | .TP |
1589 | \fB\-\-put=name|pid src-filename dest-filename | ||
1590 | Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details. | ||
1591 | .TP | ||
1592 | \fB\-\-quiet | 1302 | \fB\-\-quiet |
1593 | Turn off Firejail's output. | 1303 | Turn off Firejail's output. |
1594 | .TP | 1304 | .TP |
@@ -1625,33 +1335,6 @@ $ touch ~/test/a | |||
1625 | .br | 1335 | .br |
1626 | $ firejail --read-only=~/test --read-write=~/test/a | 1336 | $ firejail --read-only=~/test --read-write=~/test/a |
1627 | 1337 | ||
1628 | |||
1629 | .TP | ||
1630 | \fB\-\-rlimit-as=number | ||
1631 | Set the maximum size of the process's virtual memory (address space) in bytes. | ||
1632 | |||
1633 | .TP | ||
1634 | \fB\-\-rlimit-cpu=number | ||
1635 | Set the maximum limit, in seconds, for the amount of CPU time each | ||
1636 | sandboxed process can consume. When the limit is reached, the processes are killed. | ||
1637 | |||
1638 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds | ||
1639 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps | ||
1640 | track of CPU seconds for each process independently. | ||
1641 | |||
1642 | .TP | ||
1643 | \fB\-\-rlimit-fsize=number | ||
1644 | Set the maximum file size that can be created by a process. | ||
1645 | .TP | ||
1646 | \fB\-\-rlimit-nofile=number | ||
1647 | Set the maximum number of files that can be opened by a process. | ||
1648 | .TP | ||
1649 | \fB\-\-rlimit-nproc=number | ||
1650 | Set the maximum number of processes that can be created for the real user ID of the calling process. | ||
1651 | .TP | ||
1652 | \fB\-\-rlimit-sigpending=number | ||
1653 | Set the maximum number of pending signals for a process. | ||
1654 | |||
1655 | .TP | 1338 | .TP |
1656 | \fB\-\-rmenv=name | 1339 | \fB\-\-rmenv=name |
1657 | Remove environment variable in the new sandbox. | 1340 | Remove environment variable in the new sandbox. |
@@ -2082,30 +1765,7 @@ Reading profile /etc/firejail/wget.profile | |||
2082 | 1765 | ||
2083 | .br | 1766 | .br |
2084 | parent is shutting down, bye... | 1767 | parent is shutting down, bye... |
2085 | .TP | ||
2086 | \fB\-\-tracelog | ||
2087 | This option enables auditing blacklisted files and directories. A message | ||
2088 | is sent to syslog in case the file or the directory is accessed. | ||
2089 | .br | ||
2090 | |||
2091 | .br | ||
2092 | Example: | ||
2093 | .br | ||
2094 | $ firejail --tracelog firefox | ||
2095 | .br | ||
2096 | 1768 | ||
2097 | .br | ||
2098 | Sample messages: | ||
2099 | .br | ||
2100 | $ sudo tail -f /var/log/syslog | ||
2101 | .br | ||
2102 | [...] | ||
2103 | .br | ||
2104 | Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow | ||
2105 | .br | ||
2106 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot | ||
2107 | .br | ||
2108 | [...] | ||
2109 | .TP | 1769 | .TP |
2110 | \fB\-\-tree | 1770 | \fB\-\-tree |
2111 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. | 1771 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. |
@@ -2213,167 +1873,6 @@ Example: | |||
2213 | $ sudo firejail --writable-var-log | 1873 | $ sudo firejail --writable-var-log |
2214 | 1874 | ||
2215 | 1875 | ||
2216 | .TP | ||
2217 | \fB\-\-x11 | ||
2218 | Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. | ||
2219 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing | ||
2220 | clients running outside the sandbox. | ||
2221 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | ||
2222 | If all fails, Firejail will not attempt to use Xvfb or X11 security extension. | ||
2223 | .br | ||
2224 | |||
2225 | .br | ||
2226 | Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable | ||
2227 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket | ||
2228 | by adding "-nolisten local" on Xorg command line at system level. | ||
2229 | .br | ||
2230 | |||
2231 | .br | ||
2232 | Example: | ||
2233 | .br | ||
2234 | $ firejail \-\-x11 --net=eth0 firefox | ||
2235 | |||
2236 | .TP | ||
2237 | \fB\-\-x11=none | ||
2238 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable. | ||
2239 | Remove DISPLAY and XAUTHORITY environment variables. | ||
2240 | Stop with error message if X11 abstract socket will be accessible in jail. | ||
2241 | |||
2242 | .TP | ||
2243 | \fB\-\-x11=xephyr | ||
2244 | Start Xephyr and attach the sandbox to this server. | ||
2245 | Xephyr is a display server implementing the X11 display server protocol. | ||
2246 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
2247 | .br | ||
2248 | |||
2249 | .br | ||
2250 | Xephyr runs in a window just like any other X11 application. The default window size is 800x600. | ||
2251 | This can be modified in /etc/firejail/firejail.config file. | ||
2252 | .br | ||
2253 | |||
2254 | .br | ||
2255 | The recommended way to use this feature is to run a window manager inside the sandbox. | ||
2256 | A security profile for OpenBox is provided. | ||
2257 | .br | ||
2258 | |||
2259 | .br | ||
2260 | Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | ||
2261 | This feature is not available when running as root. | ||
2262 | .br | ||
2263 | |||
2264 | .br | ||
2265 | Example: | ||
2266 | .br | ||
2267 | $ firejail \-\-x11=xephyr --net=eth0 openbox | ||
2268 | |||
2269 | .TP | ||
2270 | \fB\-\-x11=xorg | ||
2271 | Sandbox the application using the untrusted mode implemented by X11 security extension. | ||
2272 | The extension is available in Xorg package | ||
2273 | and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted | ||
2274 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | ||
2275 | contents of other clients, stealing input events, etc. | ||
2276 | |||
2277 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | ||
2278 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | ||
2279 | Firefox and transmission-gtk seem to be working fine. | ||
2280 | A network namespace is not required for this option. | ||
2281 | .br | ||
2282 | |||
2283 | .br | ||
2284 | Example: | ||
2285 | .br | ||
2286 | $ firejail \-\-x11=xorg firefox | ||
2287 | |||
2288 | .TP | ||
2289 | \fB\-\-x11=xpra | ||
2290 | Start Xpra (https://xpra.org) and attach the sandbox to this server. | ||
2291 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | ||
2292 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
2293 | .br | ||
2294 | |||
2295 | .br | ||
2296 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | ||
2297 | This feature is not available when running as root. | ||
2298 | .br | ||
2299 | |||
2300 | .br | ||
2301 | Example: | ||
2302 | .br | ||
2303 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
2304 | |||
2305 | |||
2306 | .TP | ||
2307 | \fB\-\-x11=xvfb | ||
2308 | Start Xvfb X11 server and attach the sandbox to this server. | ||
2309 | Xvfb, short for X virtual framebuffer, performs all graphical operations in memory | ||
2310 | without showing any screen output. Xvfb is mainly used for remote access and software | ||
2311 | testing on headless servers. | ||
2312 | .br | ||
2313 | |||
2314 | .br | ||
2315 | On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR. | ||
2316 | This feature is not available when running as root. | ||
2317 | .br | ||
2318 | |||
2319 | .br | ||
2320 | Example: remote VNC access | ||
2321 | .br | ||
2322 | |||
2323 | .br | ||
2324 | On the server we start a sandbox using Xvfb and openbox | ||
2325 | window manager. The default size of Xvfb screen is 800x600 - it can be changed | ||
2326 | in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required | ||
2327 | in order to isolate the abstract sockets used by other X servers. | ||
2328 | .br | ||
2329 | |||
2330 | .br | ||
2331 | $ firejail --net=none --x11=xvfb openbox | ||
2332 | .br | ||
2333 | |||
2334 | .br | ||
2335 | *** Attaching to Xvfb display 792 *** | ||
2336 | .br | ||
2337 | |||
2338 | .br | ||
2339 | Reading profile /etc/firejail/openbox.profile | ||
2340 | .br | ||
2341 | Reading profile /etc/firejail/disable-common.inc | ||
2342 | .br | ||
2343 | Reading profile /etc/firejail/disable-common.local | ||
2344 | .br | ||
2345 | Parent pid 5400, child pid 5401 | ||
2346 | .br | ||
2347 | |||
2348 | .br | ||
2349 | On the server we also start a VNC server and attach it to the display handled by our | ||
2350 | Xvfb server (792). | ||
2351 | .br | ||
2352 | |||
2353 | .br | ||
2354 | $ x11vnc -display :792 | ||
2355 | .br | ||
2356 | |||
2357 | .br | ||
2358 | On the client machine we start a VNC viewer and use it to connect to our server: | ||
2359 | .br | ||
2360 | |||
2361 | .br | ||
2362 | $ vncviewer | ||
2363 | .br | ||
2364 | |||
2365 | .TP | ||
2366 | \fB\-\-xephyr-screen=WIDTHxHEIGHT | ||
2367 | Set screen size for --x11=xephyr. The setting will overwrite the default set in /etc/firejail/firejail.config | ||
2368 | for the current sandbox. Run xrandr to get a list of supported resolutions on your computer. | ||
2369 | .br | ||
2370 | |||
2371 | .br | ||
2372 | Example: | ||
2373 | .br | ||
2374 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox | ||
2375 | .br | ||
2376 | |||
2377 | .SH DESKTOP INTEGRATION | 1876 | .SH DESKTOP INTEGRATION |
2378 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 1877 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
2379 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 1878 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
@@ -2506,54 +2005,6 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
2506 | .br | 2005 | .br |
2507 | $ firejail --apparmor firefox | 2006 | $ firejail --apparmor firefox |
2508 | 2007 | ||
2509 | .SH FILE TRANSFER | ||
2510 | These features allow the user to inspect the filesystem container of an existing sandbox | ||
2511 | and transfer files from the container to the host filesystem. | ||
2512 | |||
2513 | .TP | ||
2514 | \fB\-\-get=name|pid filename | ||
2515 | Retrieve the container file and store it on the host in the current working directory. | ||
2516 | The container is specified by name or PID. | ||
2517 | |||
2518 | .TP | ||
2519 | \fB\-\-ls=name|pid dir_or_filename | ||
2520 | List container files. The container is specified by name or PID. | ||
2521 | |||
2522 | .TP | ||
2523 | \fB\-\-put=name|pid src-filename dest-filename | ||
2524 | Put src-filename in sandbox container. | ||
2525 | The container is specified by name or PID. | ||
2526 | |||
2527 | .TP | ||
2528 | Examples: | ||
2529 | .br | ||
2530 | |||
2531 | .br | ||
2532 | $ firejail \-\-name=mybrowser --private firefox | ||
2533 | .br | ||
2534 | |||
2535 | .br | ||
2536 | $ firejail \-\-ls=mybrowser ~/Downloads | ||
2537 | .br | ||
2538 | drwxr-xr-x netblue netblue 4096 . | ||
2539 | .br | ||
2540 | drwxr-xr-x netblue netblue 4096 .. | ||
2541 | .br | ||
2542 | -rw-r--r-- netblue netblue 7847 x11-x305.png | ||
2543 | .br | ||
2544 | -rw-r--r-- netblue netblue 6800 x11-x642.png | ||
2545 | .br | ||
2546 | -rw-r--r-- netblue netblue 34139 xpra-clipboard.png | ||
2547 | .br | ||
2548 | |||
2549 | .br | ||
2550 | $ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png | ||
2551 | .br | ||
2552 | |||
2553 | .br | ||
2554 | $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png | ||
2555 | .br | ||
2556 | |||
2557 | .SH TRAFFIC SHAPING | 2008 | .SH TRAFFIC SHAPING |
2558 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. | 2009 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. |
2559 | Traffic shaping allows the user to increase network performance by controlling | 2010 | Traffic shaping allows the user to increase network performance by controlling |
@@ -2596,25 +2047,6 @@ Example: | |||
2596 | .br | 2047 | .br |
2597 | $ firejail \-\-bandwidth=mybrowser clear eth0 | 2048 | $ firejail \-\-bandwidth=mybrowser clear eth0 |
2598 | 2049 | ||
2599 | .SH AUDIT | ||
2600 | Audit feature allows the user to point out gaps in security profiles. The | ||
2601 | implementation replaces the program to be sandboxed with a test program. By | ||
2602 | default, we use faudit program distributed with Firejail. A custom test program | ||
2603 | can also be supplied by the user. Examples: | ||
2604 | |||
2605 | Running the default audit program: | ||
2606 | .br | ||
2607 | $ firejail --audit transmission-gtk | ||
2608 | |||
2609 | Running a custom audit program: | ||
2610 | .br | ||
2611 | $ firejail --audit=~/sandbox-test transmission-gtk | ||
2612 | |||
2613 | In the examples above, the sandbox configures transmission-gtk profile and | ||
2614 | starts the test program. The real program, transmission-gtk, will not be | ||
2615 | started. | ||
2616 | |||
2617 | Limitations: audit feature is not implemented for --x11 commands. | ||
2618 | 2050 | ||
2619 | .SH MONITORING | 2051 | .SH MONITORING |
2620 | Option \-\-list prints a list of all sandboxes. The format | 2052 | Option \-\-list prints a list of all sandboxes. The format |
@@ -2778,5 +2210,4 @@ Homepage: https://firejail.wordpress.com | |||
2778 | \&\flfiremon\fR\|(1), | 2210 | \&\flfiremon\fR\|(1), |
2779 | \&\flfirecfg\fR\|(1), | 2211 | \&\flfirecfg\fR\|(1), |
2780 | \&\flfirejail-profile\fR\|(5), | 2212 | \&\flfirejail-profile\fR\|(5), |
2781 | \&\flfirejail-login\fR\|(5) | ||
2782 | \&\flfirejail-users\fR\|(5) | 2213 | \&\flfirejail-users\fR\|(5) |
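--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -110,5 +110,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)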