--profile-path option

author: netblue30 <netblue30@yahoo.com> 2015-12-04 12:36:44 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-12-04 12:36:44 -0500
commit: 129af459ad895b329afb62f3fe9cbcbd6a578072 (patch)
tree: b5ac2a42b2b6ca9c2ecb503c0fe4411f37fe5382 /src/man/firejail-profile.txt
parent: --tracelog work (diff)
download: firejail-129af459ad895b329afb62f3fe9cbcbd6a578072.tar.gz
firejail-129af459ad895b329afb62f3fe9cbcbd6a578072.tar.zst
firejail-129af459ad895b329afb62f3fe9cbcbd6a578072.zip
1 files changed, 55 insertions, 33 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 1713b74dd..91c151fe8 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -81,7 +81,7 @@ file in user home directory.
 Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 .TP
-\f\noblacklist file_name
+\f\ noblacklist file_name
 If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
 Example: "noblacklist ${HOME}/.mozilla"
@@ -102,37 +102,31 @@ Use \fBprivate\fR to set private mode.
 File globbing is supported, and PATH and HOME directories are searched.
 Examples:
 .TP
-\f\blacklist /usr/bin
+\f\blacklist file_or_directory
-Remove /usr/bin directory.
+Blacklist directory or file. Examples:
-.TP
+.br
-\f\blacklist /etc/passwd
-Remove /etc/passwd file.
+.br
-.TP
+blacklist /usr/bin
-\f\read-only /etc/passwd
+.br
-Read-only /etc/passwd file.
+blacklist /usr/bin/gcc*
-.TP
+.br
-tmpfs /etc
+blacklist ${PATH}/ifconfig
-Mount an empty tmpfs filesystem on top of /etc directory.
+.br
-.TP
+blacklist ${HOME}/.ssh
-bind /root/config/ssh,/etc/ssh
-Mount-bind /root/config/ssh on /etc/ssh.
 .TP
-\f\blacklist /usr/bin/gcc*
+\f\read-only file_or_directory
-Remove all gcc files in /usr/bin (file globbing).
+Make directory or file read-only.
 .TP
-\f\blacklist ${PATH}/ifconfig
+\f\ tmpfs directory
-Remove ifconfig command from the regular path directories.
+Mount an empty tmpfs filesystem on top of directory.
 .TP
-\f\blacklist ${HOME}/.ssh
+\f\bind directory1,directory2
-Remove .ssh directory from user home directory.
+Mount-bind directory1 on top of directory2. This option is only available when running as root.
 .TP
-\f\noblacklist ${HOME}/config/evince
+\f\bind file1,file2
-Prevent any new blacklist commands from blacklisting
+Mount-bind file1 on top of file2. This option is only available when running as root.
-config/evince in the user home directory. Useful for defining
-exceptions before including a large blacklist from a file. Note
-that blacklisting ${HOME}/config can still make
-${HOME}/config/evince effectively unreachable through filesystem
-traversal.
 .TP
 \f\private
 Mount new /root and /home/user directories in temporary
@@ -153,7 +147,7 @@ new home. All modifications are discarded when the sandbox is
 closed.
 .TP
 \f\private-dev
-Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.
+Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
 .TP
 \f\private-etc file,directory
 Build a new /etc in a temporary
@@ -240,10 +234,8 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 .TP
-env LD_LIBRARY_PATH=/opt/test/lib
+env name=value
-Set environment variable.
+Set environment variable. Examples:
-.br
-Examples:
 .br
 .br
@@ -284,6 +276,36 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 hostname name
 Set a hostname for the sandbox.
+.SH RELOCATING PROFILES
+For various reasons some users might want to keep the profile files in a different directory.
+Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
+into this directory.
+This is an example of relocating the profile files into a new
+directory, /home/netblue/myprofiles. Start by creating the new directory and copy all
+the profile files in:
+.br
+.br
+$ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* .
+.br
+.br
+Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands:
+.br
+.br
+$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile
+.br
+$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc
+.br
+.br
+Start Firejail using the new path:
+.br
+.br
+$ firejail --profile-path=~/myprofile
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
author	netblue30 <netblue30@yahoo.com>	2015-12-04 12:36:44 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-12-04 12:36:44 -0500
commit	129af459ad895b329afb62f3fe9cbcbd6a578072 (patch)
tree	b5ac2a42b2b6ca9c2ecb503c0fe4411f37fe5382 /src/man/firejail-profile.txt
parent	--tracelog work (diff)
download	firejail-129af459ad895b329afb62f3fe9cbcbd6a578072.tar.gz firejail-129af459ad895b329afb62f3fe9cbcbd6a578072.tar.zst firejail-129af459ad895b329afb62f3fe9cbcbd6a578072.zip

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1713b74dd..91c151fe8 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -81,7 +81,7 @@ file in user home directory.
81	Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.	81	Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
82		82
83	.TP	83	.TP
84	\f\noblacklist file_name	84	\f\ noblacklist file_name
85	If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.	85	If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
86		86
87	Example: "noblacklist ${HOME}/.mozilla"	87	Example: "noblacklist ${HOME}/.mozilla"
@@ -102,37 +102,31 @@ Use \fBprivate\fR to set private mode.
102	File globbing is supported, and PATH and HOME directories are searched.	102	File globbing is supported, and PATH and HOME directories are searched.
103	Examples:	103	Examples:
104	.TP	104	.TP
105	\f\blacklist /usr/bin	105	\f\blacklist file_or_directory
106	Remove /usr/bin directory.	106	Blacklist directory or file. Examples:
107	.TP	107	.br
108	\f\blacklist /etc/passwd	108
109	Remove /etc/passwd file.	109	.br
110	.TP	110	blacklist /usr/bin
111	\f\read-only /etc/passwd	111	.br
112	Read-only /etc/passwd file.	112	blacklist /usr/bin/gcc*
113	.TP	113	.br
114	tmpfs /etc	114	blacklist ${PATH}/ifconfig
115	Mount an empty tmpfs filesystem on top of /etc directory.	115	.br
116	.TP	116	blacklist ${HOME}/.ssh
117	bind /root/config/ssh,/etc/ssh	117
118	Mount-bind /root/config/ssh on /etc/ssh.
119	.TP	118	.TP
120	\f\blacklist /usr/bin/gcc*	119	\f\read-only file_or_directory
121	Remove all gcc files in /usr/bin (file globbing).	120	Make directory or file read-only.
122	.TP	121	.TP
123	\f\blacklist ${PATH}/ifconfig	122	\f\ tmpfs directory
124	Remove ifconfig command from the regular path directories.	123	Mount an empty tmpfs filesystem on top of directory.
125	.TP	124	.TP
126	\f\blacklist ${HOME}/.ssh	125	\f\bind directory1,directory2
127	Remove .ssh directory from user home directory.	126	Mount-bind directory1 on top of directory2. This option is only available when running as root.
128	.TP	127	.TP
129	\f\noblacklist ${HOME}/config/evince	128	\f\bind file1,file2
130	Prevent any new blacklist commands from blacklisting	129	Mount-bind file1 on top of file2. This option is only available when running as root.
131	config/evince in the user home directory. Useful for defining
132	exceptions before including a large blacklist from a file. Note
133	that blacklisting ${HOME}/config can still make
134	${HOME}/config/evince effectively unreachable through filesystem
135	traversal.
136	.TP	130	.TP
137	\f\private	131	\f\private
138	Mount new /root and /home/user directories in temporary	132	Mount new /root and /home/user directories in temporary
@@ -153,7 +147,7 @@ new home. All modifications are discarded when the sandbox is
153	closed.	147	closed.
154	.TP	148	.TP
155	\f\private-dev	149	\f\private-dev
156	Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.	150	Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
157	.TP	151	.TP
158	\f\private-etc file,directory	152	\f\private-etc file,directory
159	Build a new /etc in a temporary	153	Build a new /etc in a temporary
@@ -240,10 +234,8 @@ The sandbox is placed in g1 control group.
240	.SH User Environment	234	.SH User Environment
241		235
242	.TP	236	.TP
243	env LD_LIBRARY_PATH=/opt/test/lib	237	env name=value
244	Set environment variable.	238	Set environment variable. Examples:
245	.br
246	Examples:
247	.br	239	.br
248		240
249	.br	241	.br
@@ -284,6 +276,36 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
284	hostname name	276	hostname name
285	Set a hostname for the sandbox.	277	Set a hostname for the sandbox.
286		278
		279	.SH RELOCATING PROFILES
		280	For various reasons some users might want to keep the profile files in a different directory.
		281	Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
		282	into this directory.
		283
		284	This is an example of relocating the profile files into a new
		285	directory, /home/netblue/myprofiles. Start by creating the new directory and copy all
		286	the profile files in:
		287	.br
		288
		289	.br
		290	$ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* .
		291	.br
		292
		293	.br
		294	Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands:
		295	.br
		296
		297	.br
		298	$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile
		299	.br
		300	$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc
		301	.br
		302
		303	.br
		304	Start Firejail using the new path:
		305	.br
		306
		307	.br
		308	$ firejail --profile-path=~/myprofile
287		309
288	.SH FILES	310	.SH FILES
289	/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile	311	/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile