private-etc rework: new man page

1 files changed, 26 insertions, 14 deletions

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e5020e37e..2e08b12f3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2127,22 +2127,34 @@ cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random  shm  snd  sr0
 .br
 $
 .TP
+\fB\-\-private-etc
+.TP
 \fB\-\-private-etc=file,directory
-Build a new /etc in a temporary
-filesystem, and copy the files and directories in the list.
-The files and directories in the list must be expressed as relative to
-the /etc directory (e.g., /etc/foo must be expressed as foo).
-If no listed file is found, /etc directory will be empty.
-All modifications are discarded when the sandbox is closed.
-Multiple private-etc commands are allowed and they accumulate.
-.br
+The files installed by \-\-private-etc are copies of the original system files from /etc directory.
+By default, the command brings in a skeleton of files and directories used by most console tools:
 
-.br
-Example:
-.br
-$ firejail --private-etc=group,hostname,localtime, \\
-.br
-nsswitch.conf,passwd,resolv.conf
+$ firejail --private-etc dig debian.org
+
+For X11/GTK/QT/Gnome/KDE  programs add GUI group as a parameter. Example:
+
+$ firejail --private-etc=GUI,python* gimp
+
+/etc/python* directories are not part of the generic GUI group.
+These directories are reuqired by Gimp plugin system. File globbing is supported.
+
+For games, add GAMES group:
+
+$ firejail --private-etc=GUI,GAMES warzone2100
+
+Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
+Files for encrypted TLS/SSL protocol are in TLS-CA group.
+
+$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+
+
+Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility:
+
+$ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc
 #ifdef HAVE_PRIVATE_HOME
 .TP
 \fB\-\-private-home=file,directory