author | netblue30 <netblue30@yahoo.com> | 2018-04-02 08:47:06 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-04-02 08:47:06 -0400 |
commit | 3b942cba342140db2ca772f9b4f828b561faf8ee (patch) | |
tree | d995aac557138621bf6ab3fc81bca0f179d1fd9a /src/firejail/usage.c | |
parent | merges (diff) | |
merges
Diffstat (limited to 'src/firejail/usage.c')
-rw-r--r-- | src/firejail/usage.c | 409 |
1 files changed, 206 insertions, 203 deletions
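--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -19,243 +19,246 @@
 */
 #include "firejail.h"
 
-void usage(void) {
-printf("firejail - version %s\n\n", VERSION);
-printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n");
-printf("restricting the running environment of untrusted applications using Linux\n");
-printf("namespaces.\n");
-printf("\n");
-printf("Usage: firejail [options] [program and arguments]\n");
-printf("\n");
-printf("Options:\n");
-printf(" -- - signal the end of options and disables further option processing.\n");
-printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
-printf(" --allow-private-blacklist - allow blacklisting files in private\n");
-printf("\thome directories.\n");
-printf(" --allusers - all user home directories are visible inside the sandbox.\n");
-printf(" --apparmor - enable AppArmor confinement.\n");
-printf(" --apparmor.print=name|pid - print apparmor status.\n");
-printf(" --appimage - sandbox an AppImage application.\n");
-printf(" --audit[=test-program] - audit the sandbox.\n");
+static char *usage_str =
+"Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"
+"restricting the running environment of untrusted applications using Linux\n"
+"namespaces.\n"
+"\n"
+"Usage: firejail [options] [program and arguments]\n"
+"\n"
+"Options:\n"
+" -- - signal the end of options and disables further option processing.\n"
+" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
+" --allow-private-blacklist - allow blacklisting files in private\n"
+"\thome directories.\n"
+" --allusers - all user home directories are visible inside the sandbox.\n"
+" --apparmor - enable AppArmor confinement.\n"
+" --apparmor.print=name|pid - print apparmor status.\n"
+" --appimage - sandbox an AppImage application.\n"
+" --audit[=test-program] - audit the sandbox.\n"
 #ifdef HAVE_NETWORK
-printf(" --bandwidth=name|pid - set bandwidth limits.\n");
+" --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
 #ifdef HAVE_BIND
-printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");
-printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
+" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
+" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
 #endif
-printf(" --blacklist=filename - blacklist directory or file.\n");
-printf(" --build - build a whitelisted profile for the application.\n");
-printf(" --build=filename - build a whitelisted profile for the application.\n");
-printf(" -c - execute command and exit.\n");
-printf(" --caps - enable default Linux capabilities filter.\n");
-printf(" --caps.drop=all - drop all capabilities.\n");
-printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n");
-printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n");
-printf(" --caps.print=name|pid - print the caps filter.\n");
-printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n");
+" --blacklist=filename - blacklist directory or file.\n"
+" --build - build a whitelisted profile for the application.\n"
+" --build=filename - build a whitelisted profile for the application.\n"
+" -c - execute command and exit.\n"
+" --caps - enable default Linux capabilities filter.\n"
+" --caps.drop=all - drop all capabilities.\n"
+" --caps.drop=capability,capability - blacklist capabilities filter.\n"
+" --caps.keep=capability,capability - whitelist capabilities filter.\n"
+" --caps.print=name|pid - print the caps filter.\n"
+" --cgroup=tasks-file - place the sandbox in the specified control group.\n"
 #ifdef HAVE_CHROOT
-printf(" --chroot=dirname - chroot into directory.\n");
+" --chroot=dirname - chroot into directory.\n"
 #endif
-printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n");
-printf(" --cpu.print=name|pid - print the cpus in use.\n");
-printf(" --csh - use /bin/csh as default shell.\n");
-printf(" --debug - print sandbox debug messages.\n");
-printf(" --debug-blacklists - debug blacklisting.\n");
-printf(" --debug-caps - print all recognized capabilities.\n");
-printf(" --debug-check-filename - debug filename checking.\n");
-printf(" --debug-errnos - print all recognized error numbers.\n");
-printf(" --debug-private-lib - debug for --private-lib option.\n");
-printf(" --debug-protocols - print all recognized protocols.\n");
-printf(" --debug-syscalls - print all recognized system calls.\n");
+" --cpu=cpu-number,cpu-number - set cpu affinity.\n"
+" --cpu.print=name|pid - print the cpus in use.\n"
+" --csh - use /bin/csh as default shell.\n"
+" --debug - print sandbox debug messages.\n"
+" --debug-blacklists - debug blacklisting.\n"
+" --debug-caps - print all recognized capabilities.\n"
+" --debug-check-filename - debug filename checking.\n"
+" --debug-errnos - print all recognized error numbers.\n"
+" --debug-private-lib - debug for --private-lib option.\n"
+" --debug-protocols - print all recognized protocols.\n"
+" --debug-syscalls - print all recognized system calls.\n"
 #ifdef HAVE_WHITELIST
-printf(" --debug-whitelists - debug whitelisting.\n");
+" --debug-whitelists - debug whitelisting.\n"
 #endif
 #ifdef HAVE_NETWORK
-printf(" --defaultgw=address - configure default gateway.\n");
+" --defaultgw=address - configure default gateway.\n"
 #endif
-printf(" --dns=address - set DNS server.\n");
-printf(" --dns.print=name|pid - print DNS configuration.\n");
-
-printf(" --env=name=value - set environment variable.\n");
-printf(" --force - attempt to start a new sandbox inside the existing sandbox.\n");
-printf(" --fs.print=name|pid - print the filesystem log.\n");
-printf(" --get=name|pid filename - get a file from sandbox container.\n");
+" --dns=address - set DNS server.\n"
+" --dns.print=name|pid - print DNS configuration.\n"
+" --env=name=value - set environment variable.\n"
+" --force - attempt to start a new sandbox inside the existing sandbox.\n"
+" --fs.print=name|pid - print the filesystem log.\n"
+" --get=name|pid filename - get a file from sandbox container.\n"
 #ifdef HAVE_GIT_INSTALL
-printf(" --git-install - download, compile and install mainline git version\n");
-printf("\tof Firejail.\n");
-printf(" --git-uninstall - uninstall mainline git version of Firejail\n");
+" --git-install - download, compile and install mainline git version\n"
+"\tof Firejail.\n"
+" --git-uninstall - uninstall mainline git version of Firejail\n"
 #endif
-printf(" --help, -? - this help screen.\n");
-printf(" --hostname=name - set sandbox hostname.\n");
-printf(" --hosts-file=file - use file as /etc/hosts.\n");
-printf(" --ignore=command - ignore command in profile files.\n");
+" --help, -? - this help screen.\n"
+" --hostname=name - set sandbox hostname.\n"
+" --hosts-file=file - use file as /etc/hosts.\n"
+" --ignore=command - ignore command in profile files.\n"
 #ifdef HAVE_NETWORK
-printf(" --interface=name - move interface in sandbox.\n");
-printf(" --ip=address - set interface IP address.\n");
-printf(" --ip=none - no IP address and no default gateway are configured.\n");
-printf(" --ip6=address - set interface IPv6 address.\n");
-printf(" --iprange=address,address - configure an IP address in this range.\n");
+" --interface=name - move interface in sandbox.\n"
+" --ip=address - set interface IP address.\n"
+" --ip=none - no IP address and no default gateway are configured.\n"
+" --ip6=address - set interface IPv6 address.\n"
+" --iprange=address,address - configure an IP address in this range.\n"
 #endif
-printf(" --ipc-namespace - enable a new IPC namespace.\n");
-printf(" --join=name|pid - join the sandbox.\n");
-printf(" --join-filesystem=name|pid - join the mount namespace.\n");
+" --ipc-namespace - enable a new IPC namespace.\n"
+" --join=name|pid - join the sandbox.\n"
+" --join-filesystem=name|pid - join the mount namespace.\n"
 #ifdef HAVE_NETWORK
-printf(" --join-network=name|pid - join the network namespace.\n");
+" --join-network=name|pid - join the network namespace.\n"
 #endif
-printf(" --join-or-start=name|pid - join the sandbox or start a new one.\n");
-printf(" --list - list all sandboxes.\n");
-printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n");
+" --join-or-start=name|pid - join the sandbox or start a new one.\n"
+" --list - list all sandboxes.\n"
+" --ls=name|pid dir_or_filename - list files in sandbox container.\n"
 #ifdef HAVE_NETWORK
-printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
-printf(" --machine-id - preserve /etc/machine-id\n");
+" --machine-id - preserve /etc/machine-id\n"
 #ifdef HAVE_SECCOMP
-printf(" --memory-deny-write-execute - seccomp filter to block attempts to create\n");
-printf("\tmemory mappings that are both writable and executable.\n");
+" --memory-deny-write-execute - seccomp filter to block attempts to create\n"
+"\tmemory mappings that are both writable and executable.\n"
 #endif
 #ifdef HAVE_NETWORK
-printf(" --mtu=number - set interface MTU.\n");
+" --mtu=number - set interface MTU.\n"
 #endif
-printf(" --name=name - set sandbox name.\n");
+" --name=name - set sandbox name.\n"
 #ifdef HAVE_NETWORK
-printf(" --net=bridgename - enable network namespaces and connect to this bridge.\n");
-printf(" --net=ethernet_interface - enable network namespaces and connect to this\n");
-printf("\tEthernet interface.\n");
-printf(" --net=none - enable a new, unconnected network namespace.\n");
-printf(" --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n");
-printf(" --netfilter.print=name|pid - print the firewall.\n");
-printf(" --netfilter6=filename - enable IPv6 firewall.\n");
-printf(" --netfilter6.print=name|pid - print the IPv6 firewall.\n");
-printf(" --netns=name - Run the program in a named, persistent network namespace.\n");
-printf(" --netstats - monitor network statistics.\n");
+" --net=bridgename - enable network namespaces and connect to this bridge.\n"
+" --net=ethernet_interface - enable network namespaces and connect to this\n"
+"\tEthernet interface.\n"
+" --net=none - enable a new, unconnected network namespace.\n"
+" --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"
+" --netfilter.print=name|pid - print the firewall.\n"
+" --netfilter6=filename - enable IPv6 firewall.\n"
+" --netfilter6.print=name|pid - print the IPv6 firewall.\n"
+" --netns=name - Run the program in a named, persistent network namespace.\n"
+" --netstats - monitor network statistics.\n"
 #endif
-printf(" --nice=value - set nice value.\n");
-printf(" --no3d - disable 3D hardware acceleration.\n");
-printf(" --noblacklist=filename - disable blacklist for file or directory.\n");
-printf(" --nodbus - disable D-Bus access.\n");
-printf(" --nodvd - disable DVD and audio CD devices.\n");
-printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
-printf(" --nogroups - disable supplementary groups.\n");
-printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
-printf(" --noprofile - do not use a security profile.\n");
+" --nice=value - set nice value.\n"
+" --no3d - disable 3D hardware acceleration.\n"
+" --noblacklist=filename - disable blacklist for file or directory.\n"
+" --nodbus - disable D-Bus access.\n"
+" --nodvd - disable DVD and audio CD devices.\n"
+" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
+" --nogroups - disable supplementary groups.\n"
+" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+" --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
-printf(" --noroot - install a user namespace with only the current user.\n");
+" --noroot - install a user namespace with only the current user.\n"
 #endif
-printf(" --nosound - disable sound system.\n");
-printf(" --noautopulse - disable automatic ~/.config/pulse init.\n");
-printf(" --novideo - disable video devices.\n");
-printf(" --nowhitelist=filename - disable whitelist for file or directory .\n");
-printf(" --output=logfile - stdout logging and log rotation.\n");
-printf(" --output-stderr=logfile - stdout and stderr logging and log rotation.\n");
-printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n");
-printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n");
-printf("\tfilesystem, and store it in name directory.\n");
-printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n");
-printf("\tcurrent filesystem.\n");
-printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n");
-printf(" --private - temporary home directory.\n");
-printf(" --private=directory - use directory as user home.\n");
-printf(" --private-home=file,directory - build a new user home in a temporary\n");
-printf("\tfilesystem, and copy the files and directories in the list in\n");
-printf("\tthe new home.\n");
-printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
-printf("\tand copy the programs in the list.\n");
-printf(" --private-dev - create a new /dev directory with a small number of\n");
-printf("\tcommon device files.\n");
-printf(" --private-etc=file,directory - build a new /etc in a temporary\n");
-printf("\tfilesystem, and copy the files and directories in the list.\n");
-printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n");
-printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n");
-printf(" --profile=filename - use a custom profile.\n");
-printf(" --profile.print=name|pid - print the name of profile file.\n");
-printf(" --profile-path=directory - use this directory to look for profile files.\n");
-printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n");
-printf(" --protocol.print=name|pid - print the protocol filter.\n");
-printf(" --put=name|pid src-filename dest-filename - put a file in sandbox\n");
-printf("\tcontainer.\n");
-printf(" --quiet - turn off Firejail's output.\n");
-printf(" --read-only=filename - set directory or file read-only..\n");
-printf(" --read-write=filename - set directory or file read-write.\n");
-printf(" --rlimit-as=number - set the maximum size of the process's virtual memory\n");
-printf("\t(address space) in bytes.\n");
-printf(" --rlimit-cpu=number - set the maximum CPU time in seconds.\n");
-printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
-printf("\tby a process.\n");
-printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
-printf("\topened by a process.\n");
-printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n");
-printf("\tcreated for the real user ID of the calling process.\n");
-printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
-printf("\tfor a process.\n");
-printf(" --rmenv=name - remove environment variable in the new sandbox.\n");
+" --nosound - disable sound system.\n"
+" --noautopulse - disable automatic ~/.config/pulse init.\n"
+" --novideo - disable video devices.\n"
+" --nowhitelist=filename - disable whitelist for file or directory .\n"
+" --output=logfile - stdout logging and log rotation.\n"
+" --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
+" --overlay - mount a filesystem overlay on top of the current filesystem.\n"
+" --overlay-named=name - mount a filesystem overlay on top of the current\n"
+"\tfilesystem, and store it in name directory.\n"
+" --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"
+"\tcurrent filesystem.\n"
+" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
+" --private - temporary home directory.\n"
+" --private=directory - use directory as user home.\n"
+" --private-home=file,directory - build a new user home in a temporary\n"
+"\tfilesystem, and copy the files and directories in the list in\n"
+"\tthe new home.\n"
+" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"
+"\tand copy the programs in the list.\n"
+" --private-dev - create a new /dev directory with a small number of\n"
+"\tcommon device files.\n"
+" --private-etc=file,directory - build a new /etc in a temporary\n"
+"\tfilesystem, and copy the files and directories in the list.\n"
+" --private-tmp - mount a tmpfs on top of /tmp directory.\n"
+" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+" --profile=filename - use a custom profile.\n"
+" --profile.print=name|pid - print the name of profile file.\n"
+" --profile-path=directory - use this directory to look for profile files.\n"
+" --protocol=protocol,protocol,protocol - enable protocol filter.\n"
+" --protocol.print=name|pid - print the protocol filter.\n"
+" --put=name|pid src-filename dest-filename - put a file in sandbox\n"
+"\tcontainer.\n"
+" --quiet - turn off Firejail's output.\n"
+" --read-only=filename - set directory or file read-only..\n"
+" --read-write=filename - set directory or file read-write.\n"
+" --rlimit-as=number - set the maximum size of the process's virtual memory\n"
+"\t(address space) in bytes.\n"
+" --rlimit-cpu=number - set the maximum CPU time in seconds.\n"
+" --rlimit-fsize=number - set the maximum file size that can be created\n"
+"\tby a process.\n"
+" --rlimit-nofile=number - set the maximum number of files that can be\n"
+"\topened by a process.\n"
+" --rlimit-nproc=number - set the maximum number of processes that can be\n"
+"\tcreated for the real user ID of the calling process.\n"
+" --rlimit-sigpending=number - set the maximum number of pending signals\n"
+"\tfor a process.\n"
+" --rmenv=name - remove environment variable in the new sandbox.\n"
 #ifdef HAVE_NETWORK
-printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
+" --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
 #ifdef HAVE_SECCOMP
-printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n");
-printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
-printf("\tdefault syscall list and the syscalls specified by the command.\n");
-printf(" --seccomp.block-secondary - build only the native architecture filters.\n");
-printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
-printf("\tblacklist the syscalls specified by the command.\n");
-printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
-printf("\twhitelist the syscalls specified by the command.\n");
-printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
-printf("\tidentified by name or PID.\n");
+" --seccomp - enable seccomp filter and apply the default blacklist.\n"
+" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
+"\tdefault syscall list and the syscalls specified by the command.\n"
+" --seccomp.block-secondary - build only the native architecture filters.\n"
+" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
+"\tblacklist the syscalls specified by the command.\n"
+" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
+"\twhitelist the syscalls specified by the command.\n"
+" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
+"\tidentified by name or PID.\n"
 #endif
-printf(" --shell=none - run the program directly without a user shell.\n");
-printf(" --shell=program - set default user shell.\n");
-printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n");
-printf(" --timeout=hh:mm:ss - kill the sandbox automatically after the time\n");
-printf("\thas elapsed.\n");
-printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
-printf(" --top - monitor the most CPU-intensive sandboxes.\n");
-printf(" --trace - trace open, access and connect system calls.\n");
-printf(" --tracelog - add a syslog message for every access to files or\n");
-printf("\tdirectoires blacklisted by the security profile.\n");
-printf(" --tree - print a tree of all sandboxed processes.\n");
-printf(" --version - print program version and exit.\n");
+" --shell=none - run the program directly without a user shell.\n"
+" --shell=program - set default user shell.\n"
+" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
+" --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"
+"\thas elapsed.\n"
+" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
+" --top - monitor the most CPU-intensive sandboxes.\n"
+" --trace - trace open, access and connect system calls.\n"
+" --tracelog - add a syslog message for every access to files or\n"
+"\tdirectoires blacklisted by the security profile.\n"
+" --tree - print a tree of all sandboxed processes.\n"
+" --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
-printf(" --veth-name=name - use this name for the interface connected to the bridge.\n");
+" --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
 #ifdef HAVE_WHITELIST
-printf(" --whitelist=filename - whitelist directory or file.\n");
+" --whitelist=filename - whitelist directory or file.\n"
 #endif
-printf(" --writable-etc - /etc directory is mounted read-write.\n");
-printf(" --writable-run-user - allow access to /run/user/$UID/systemd and\n");
-printf("\t/run/user/$UID/gnupg.\n");
-printf(" --writable-var - /var directory is mounted read-write.\n");
-printf(" --writable-var-log - use the real /var/log directory, not a clone.\n");
+" --writable-etc - /etc directory is mounted read-write.\n"
+" --writable-run-user - allow access to /run/user/$UID/systemd and\n"
+"\t/run/user/$UID/gnupg.\n"
+" --writable-var - /var directory is mounted read-write.\n"
+" --writable-var-log - use the real /var/log directory, not a clone.\n"
 #ifdef HAVE_X11
-printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
-printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
-printf("\tattempt to use X11 security extension.\n");
-printf(" --x11=none - disable access to X11 sockets.\n");
-printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n");
-printf(" --x11=xorg - enable X11 security extension.\n");
-printf(" --x11=xpra - enable Xpra X11 server.\n");
-printf(" --x11=xvfb - enable Xvfb X11 server.\n");
-printf(" --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n");
+" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"
+"\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"
+"\tattempt to use X11 security extension.\n"
+" --x11=none - disable access to X11 sockets.\n"
+" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n"
+" --x11=xorg - enable X11 security extension.\n"
+" --x11=xpra - enable Xpra X11 server.\n"
+" --x11=xvfb - enable Xvfb X11 server.\n"
+" --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-printf(" --zsh - use /usr/bin/zsh as default shell.\n");
-printf("\n");
-printf("Examples:\n");
-printf(" $ firejail firefox\n");
-printf("\tstart Mozilla Firefox\n");
-printf(" $ firejail --debug firefox\n");
-printf("\tdebug Firefox sandbox\n");
-printf(" $ firejail --private --dns=8.8.8.8 firefox\n");
-printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
-printf("\tserver setting.\n");
-printf(" $ firejail --net=eth0 firefox\n");
-printf("\tstart Firefox in a new network namespace\n");
-printf(" $ firejail --x11=xorg firefox\n");
-printf("\tstart Firefox and sandbox X11\n");
-printf(" $ firejail --list\n");
-printf("\tlist all running sandboxes\n");
-printf("\n");
-printf("License GPL version 2 or later\n");
-printf("Homepage: http://firejail.wordpress.com\n");
-printf("\n");
+" --zsh - use /usr/bin/zsh as default shell.\n"
+"\n"
+"Examples:\n"
+" $ firejail firefox\n"
+"\tstart Mozilla Firefox\n"
+" $ firejail --debug firefox\n"
+"\tdebug Firefox sandbox\n"
+" $ firejail --private --dns=8.8.8.8 firefox\n"
+"\tstart Firefox with a new, empty home directory, and a well-known DNS\n"
+"\tserver setting.\n"
+" $ firejail --net=eth0 firefox\n"
+"\tstart Firefox in a new network namespace\n"
+" $ firejail --x11=xorg firefox\n"
+"\tstart Firefox and sandbox X11\n"
+" $ firejail --list\n"
+"\tlist all running sandboxes\n"
+"\n"
+"License GPL version 2 or later\n"
+"Homepage: http://firejail.wordpress.com\n"
+"\n";
+
+
+void usage(void) {
+printf("firejail - version %s\n\n", VERSION);
+puts(usage_str);
 }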
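Review bot: `usage_str` at new line 22 is a non-const `char *` aimed at a string literal, so the declaration should read `static const char usage_str[] =` — any write through the pointer would be undefined behaviour, and the array form drops the pointer indirection and lets the compiler place the whole text in read-only storage. Moving the help text out of per-line `printf` calls into one literal handed to `puts` is itself a good change, since the text is no longer interpreted as a format string; note only that C11 guarantees support for just 4095 characters in a single concatenated literal and this one is far past that, which common compilers accept, so it is a portability footnote rather than a defect. `puts` appends its own newline after the literal's trailing `"\n"`, which reproduces the old final `printf("\n")`, so the output is unchanged.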