diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-08-31 18:22:49 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-09-02 20:35:52 -0300 |
| commit | dd13595b80dccffd2f67288f2b79cb69bb8dfc99 (patch) | |
| tree | 436deb9c378ce1ed0255027a74e739e6a820f58b /src/man/firejail.txt | |
| parent | merges (diff) | |
| download | firejail-dd13595b80dccffd2f67288f2b79cb69bb8dfc99.tar.gz firejail-dd13595b80dccffd2f67288f2b79cb69bb8dfc99.tar.zst firejail-dd13595b80dccffd2f67288f2b79cb69bb8dfc99.zip | |
Revert "allow/deny help and man pages"
This reverts commit a11707ea273e5665047f8a7d9387ba07f08d72f6.
The man pages currently direct users to use the aliases instead of the
commands, which some users of firejail-git may end up doing. Example:
https://github.com/netblue30/firejail/discussions/4496
So revert the man page changes as well to avoid confusion.
Note: This is not a full revert. The commit in question also contains
some string formatting fixes on src/firejail/usage.c (related to dbus
and netmask), which are left intact.
Relates to #4410.
Diffstat (limited to 'src/man/firejail.txt')
| -rw-r--r-- | src/man/firejail.txt | 138 |
1 files changed, 63 insertions, 75 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 498ff9aa9..0462705c0 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
| 99 | \fB\-\- | 99 | \fB\-\- |
| 100 | Signal the end of options and disables further option processing. | 100 | Signal the end of options and disables further option processing. |
| 101 | .TP | 101 | .TP |
| 102 | \fB\-\-allow=dirname_or_filename | ||
| 103 | Allow access to a directory or file. A temporary file system is mounted on the top directory, and the | ||
| 104 | allowed files are mount-binded inside. Modifications to allowed files are persistent, | ||
| 105 | everything else is discarded when the sandbox is closed. The top directory can be | ||
| 106 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
| 107 | all directories in /usr. | ||
| 108 | .br | ||
| 109 | |||
| 110 | .br | ||
| 111 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
| 112 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
| 113 | .br | ||
| 114 | |||
| 115 | .br | ||
| 116 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
| 117 | .br | ||
| 118 | |||
| 119 | .br | ||
| 120 | Example: | ||
| 121 | .br | ||
| 122 | $ firejail \-\-noprofile \-\-allow=~/.mozilla | ||
| 123 | .br | ||
| 124 | $ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null | ||
| 125 | .br | ||
| 126 | $ firejail "\-\-allow=/home/username/My Virtual Machines" | ||
| 127 | .br | ||
| 128 | $ firejail \-\-allow=~/work* \-\-allow=/var/backups* | ||
| 129 | |||
| 130 | |||
| 131 | |||
| 132 | |||
| 133 | |||
| 134 | |||
| 135 | .TP | ||
| 136 | \fB\-\-allow-debuggers | 102 | \fB\-\-allow-debuggers |
| 137 | Allow tools such as strace and gdb inside the sandbox by whitelisting | 103 | Allow tools such as strace and gdb inside the sandbox by whitelisting |
| 138 | system calls ptrace and process_vm_readv. This option is only | 104 | system calls ptrace and process_vm_readv. This option is only |
| @@ -203,6 +169,21 @@ Example: | |||
| 203 | .br | 169 | .br |
| 204 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd | 170 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd |
| 205 | .TP | 171 | .TP |
| 172 | \fB\-\-blacklist=dirname_or_filename | ||
| 173 | Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
| 174 | .br | ||
| 175 | |||
| 176 | .br | ||
| 177 | Example: | ||
| 178 | .br | ||
| 179 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | ||
| 180 | .br | ||
| 181 | $ firejail \-\-blacklist=~/.mozilla | ||
| 182 | .br | ||
| 183 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" | ||
| 184 | .br | ||
| 185 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines | ||
| 186 | .TP | ||
| 206 | \fB\-\-build | 187 | \fB\-\-build |
| 207 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also | 188 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also |
| 208 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | 189 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, |
| @@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100 | |||
| 262 | 243 | ||
| 263 | .TP | 244 | .TP |
| 264 | \fB\-\-caps.drop=capability,capability,capability | 245 | \fB\-\-caps.drop=capability,capability,capability |
| 265 | Define a custom Linux capabilities filter. | 246 | Define a custom blacklist Linux capabilities filter. |
| 266 | .br | 247 | .br |
| 267 | 248 | ||
| 268 | .br | 249 | .br |
| @@ -643,14 +624,14 @@ Example: | |||
| 643 | $ firejail \-\-debug firefox | 624 | $ firejail \-\-debug firefox |
| 644 | 625 | ||
| 645 | .TP | 626 | .TP |
| 646 | \fB\-\-debug-allow\fR | 627 | \fB\-\-debug-blacklists\fR |
| 647 | Debug file system access. | 628 | Debug blacklisting. |
| 648 | .br | 629 | .br |
| 649 | 630 | ||
| 650 | .br | 631 | .br |
| 651 | Example: | 632 | Example: |
| 652 | .br | 633 | .br |
| 653 | $ firejail \-\-debug-allow firefox | 634 | $ firejail \-\-debug-blacklists firefox |
| 654 | 635 | ||
| 655 | .TP | 636 | .TP |
| 656 | \fB\-\-debug-caps | 637 | \fB\-\-debug-caps |
| @@ -663,16 +644,6 @@ Example: | |||
| 663 | $ firejail \-\-debug-caps | 644 | $ firejail \-\-debug-caps |
| 664 | 645 | ||
| 665 | .TP | 646 | .TP |
| 666 | \fB\-\-debug-deny\fR | ||
| 667 | Debug file access. | ||
| 668 | .br | ||
| 669 | |||
| 670 | .br | ||
| 671 | Example: | ||
| 672 | .br | ||
| 673 | $ firejail \-\-debug-deny firefox | ||
| 674 | |||
| 675 | .TP | ||
| 676 | \fB\-\-debug-errnos | 647 | \fB\-\-debug-errnos |
| 677 | Print all recognized error numbers in the current Firejail software build and exit. | 648 | Print all recognized error numbers in the current Firejail software build and exit. |
| 678 | .br | 649 | .br |
| @@ -706,44 +677,33 @@ $ firejail \-\-debug-syscalls | |||
| 706 | \fB\-\-debug-syscalls32 | 677 | \fB\-\-debug-syscalls32 |
| 707 | Print all recognized 32 bit system calls in the current Firejail software build and exit. | 678 | Print all recognized 32 bit system calls in the current Firejail software build and exit. |
| 708 | .br | 679 | .br |
| 709 | |||
| 710 | #ifdef HAVE_NETWORK | ||
| 711 | .TP | 680 | .TP |
| 712 | \fB\-\-defaultgw=address | 681 | \fB\-\-debug-whitelists\fR |
| 713 | Use this address as default gateway in the new network namespace. | 682 | Debug whitelisting. |
| 714 | .br | 683 | .br |
| 715 | 684 | ||
| 716 | .br | 685 | .br |
| 717 | Example: | 686 | Example: |
| 718 | .br | 687 | .br |
| 719 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 688 | $ firejail \-\-debug-whitelists firefox |
| 720 | #endif | 689 | #ifdef HAVE_NETWORK |
| 721 | |||
| 722 | .TP | 690 | .TP |
| 723 | \fB\-\-deny=dirname_or_filename | 691 | \fB\-\-defaultgw=address |
| 724 | Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | 692 | Use this address as default gateway in the new network namespace. |
| 725 | .br | 693 | .br |
| 726 | 694 | ||
| 727 | .br | 695 | .br |
| 728 | Example: | 696 | Example: |
| 729 | .br | 697 | .br |
| 730 | $ firejail \-\-deny=/sbin \-\-deny=/usr/sbin | 698 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
| 731 | .br | 699 | #endif |
| 732 | $ firejail \-\-deny=~/.mozilla | ||
| 733 | .br | ||
| 734 | $ firejail "\-\-deny=/home/username/My Virtual Machines" | ||
| 735 | .br | ||
| 736 | $ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines | ||
| 737 | |||
| 738 | |||
| 739 | |||
| 740 | .TP | 700 | .TP |
| 741 | \fB\-\-deterministic-exit-code | 701 | \fB\-\-deterministic-exit-code |
| 742 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 702 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
| 743 | .br | 703 | .br |
| 744 | .TP | 704 | .TP |
| 745 | \fB\-\-disable-mnt | 705 | \fB\-\-disable-mnt |
| 746 | Deny access to /mnt, /media, /run/mount and /run/media. | 706 | Blacklist /mnt, /media, /run/mount and /run/media access. |
| 747 | .br | 707 | .br |
| 748 | 708 | ||
| 749 | .br | 709 | .br |
| @@ -1511,16 +1471,12 @@ Example: | |||
| 1511 | $ firejail --no3d firefox | 1471 | $ firejail --no3d firefox |
| 1512 | 1472 | ||
| 1513 | .TP | 1473 | .TP |
| 1514 | \fB\-\-noallow=dirname_or_filename | ||
| 1515 | Disable \-\-allow for this directory or file. | ||
| 1516 | |||
| 1517 | .TP | ||
| 1518 | \fB\-\-noautopulse \fR(deprecated) | 1474 | \fB\-\-noautopulse \fR(deprecated) |
| 1519 | See --keep-config-pulse. | 1475 | See --keep-config-pulse. |
| 1520 | 1476 | ||
| 1521 | .TP | 1477 | .TP |
| 1522 | \fB\-\-nodeny=dirname_or_filename | 1478 | \fB\-\-noblacklist=dirname_or_filename |
| 1523 | Disable \-\-deny for this directory or file. | 1479 | Disable blacklist for this directory or file. |
| 1524 | .br | 1480 | .br |
| 1525 | 1481 | ||
| 1526 | .br | 1482 | .br |
| @@ -1536,7 +1492,7 @@ $ exit | |||
| 1536 | .br | 1492 | .br |
| 1537 | 1493 | ||
| 1538 | .br | 1494 | .br |
| 1539 | $ firejail --nodeny=/bin/nc | 1495 | $ firejail --noblacklist=/bin/nc |
| 1540 | .br | 1496 | .br |
| 1541 | $ nc dict.org 2628 | 1497 | $ nc dict.org 2628 |
| 1542 | .br | 1498 | .br |
| @@ -1710,6 +1666,10 @@ $ firejail \-\-nou2f | |||
| 1710 | Disable video devices. | 1666 | Disable video devices. |
| 1711 | .br | 1667 | .br |
| 1712 | 1668 | ||
| 1669 | .TP | ||
| 1670 | \fB\-\-nowhitelist=dirname_or_filename | ||
| 1671 | Disable whitelist for this directory or file. | ||
| 1672 | |||
| 1713 | #ifdef HAVE_OUTPUT | 1673 | #ifdef HAVE_OUTPUT |
| 1714 | .TP | 1674 | .TP |
| 1715 | \fB\-\-output=logfile | 1675 | \fB\-\-output=logfile |
| @@ -2773,6 +2733,34 @@ Example: | |||
| 2773 | .br | 2733 | .br |
| 2774 | $ firejail \-\-net=br0 --veth-name=if0 | 2734 | $ firejail \-\-net=br0 --veth-name=if0 |
| 2775 | #endif | 2735 | #endif |
| 2736 | .TP | ||
| 2737 | \fB\-\-whitelist=dirname_or_filename | ||
| 2738 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
| 2739 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
| 2740 | everything else is discarded when the sandbox is closed. The top directory can be | ||
| 2741 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
| 2742 | all directories in /usr. | ||
| 2743 | .br | ||
| 2744 | |||
| 2745 | .br | ||
| 2746 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
| 2747 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
| 2748 | .br | ||
| 2749 | |||
| 2750 | .br | ||
| 2751 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
| 2752 | .br | ||
| 2753 | |||
| 2754 | .br | ||
| 2755 | Example: | ||
| 2756 | .br | ||
| 2757 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | ||
| 2758 | .br | ||
| 2759 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | ||
| 2760 | .br | ||
| 2761 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | ||
| 2762 | .br | ||
| 2763 | $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups* | ||
| 2776 | 2764 | ||
| 2777 | .TP | 2765 | .TP |
| 2778 | \fB\-\-writable-etc | 2766 | \fB\-\-writable-etc |