author | startx2017 <vradu.startx@yandex.com> | 2017-10-15 08:44:34 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2017-10-15 08:44:34 -0400 |
commit | a780fd7eb021385eb404983b036d9190fd4c7e81 (patch) | |
tree | 9c9b18a6bf2b8e9ceafadbe2de6a9dda52547941 /src/man/firejail.txt | |
parent | Merge pull request #1604 from gosre/master (diff) | |
globbing - manpage
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 47 |
1 files changed, 42 insertions, 5 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 20f2b7f8c..54a332e7f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -140,7 +140,7 @@ Example: | |||
140 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd | 140 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd |
141 | .TP | 141 | .TP |
142 | \fB\-\-blacklist=dirname_or_filename | 142 | \fB\-\-blacklist=dirname_or_filename |
143 | Blacklist directory or file. | 143 | Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
144 | .br | 144 | .br |
145 | 145 | ||
146 | .br | 146 | .br |
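Review bot: The sentence added to the \-\-blacklist entry (new line 143) does not say when the pattern is expanded or what happens when it matches nothing. For a deny rule that matters: if expansion happens once at sandbox start, a path created later that fits the pattern is presumably not blacklisted. Suggest stating the expansion time and the no-match behaviour here or in the FILE GLOBBING section.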
@@ -1009,7 +1009,7 @@ Example: | |||
1009 | $ firejail \-\-nodvd | 1009 | $ firejail \-\-nodvd |
1010 | .TP | 1010 | .TP |
1011 | \fB\-\-noexec=dirname_or_filename | 1011 | \fB\-\-noexec=dirname_or_filename |
1012 | Remount directory or file noexec, nodev and nosuid. | 1012 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
1013 | .br | 1013 | .br |
1014 | 1014 | ||
1015 | .br | 1015 | .br |
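Review bot: In the \-\-noexec entry (new line 1012) the added sentence reads "see \fBFILE GLOBBING\fR section" and is missing the article; it should be "see the \fBFILE GLOBBING\fR section". The same wording is pasted into the other option entries in this patch, so fix it once and reuse it.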
@@ -1275,7 +1275,8 @@ $ firejail \-\-private-home=.mozilla firefox | |||
1275 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 1275 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
1276 | If no listed file is found, /bin directory will be empty. | 1276 | If no listed file is found, /bin directory will be empty. |
1277 | The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. | 1277 | The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. |
1278 | All modifications are discarded when the sandbox is closed. | 1278 | All modifications are discarded when the sandbox is closed. File globbing is supported, |
1279 | see \fBFILE GLOBBING\fR section for more details. | ||
1279 | .br | 1280 | .br |
1280 | 1281 | ||
1281 | .br | 1282 | .br |
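Review bot: For \-\-private-bin the globbing note is appended after "All modifications are discarded when the sandbox is closed." (new lines 1278-1279), away from the sentence about the program list that the pattern applies to. Move it next to "copy the programs in the list" and say which directories a pattern is matched against, since the list holds program names rather than paths. The sentence is also wrapped across two source lines here, unlike the other entries.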
@@ -1505,7 +1506,7 @@ Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more detail | |||
1505 | Turn off Firejail's output. | 1506 | Turn off Firejail's output. |
1506 | .TP | 1507 | .TP |
1507 | \fB\-\-read-only=dirname_or_filename | 1508 | \fB\-\-read-only=dirname_or_filename |
1508 | Set directory or file read-only. | 1509 | Set directory or file read-only. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
1509 | .br | 1510 | .br |
1510 | 1511 | ||
1511 | .br | 1512 | .br |
@@ -1526,7 +1527,8 @@ $ firejail --whitelist=~/work --read-only=~ --read-only=~/work | |||
1526 | .TP | 1527 | .TP |
1527 | \fB\-\-read-write=dirname_or_filename | 1528 | \fB\-\-read-write=dirname_or_filename |
1528 | Set directory or file read-write. Only files or directories belonging to the current user are allowed for | 1529 | Set directory or file read-write. Only files or directories belonging to the current user are allowed for |
1529 | this operation. Example: | 1530 | this operation. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
1531 | Example: | ||
1530 | .br | 1532 | .br |
1531 | 1533 | ||
1532 | .br | 1534 | .br |
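Review bot: In \-\-read-write (new lines 1529-1531) the globbing sentence sits directly after the rule that only files or directories belonging to the current user are allowed, but it does not say how that rule applies to a pattern. State whether the ownership check is made on each expanded path and what happens to a match owned by another user (skipped, or the whole option rejected).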
@@ -1833,6 +1835,7 @@ $ firejail \-\-shutdown=3272 | |||
1833 | .TP | 1835 | .TP |
1834 | \fB\-\-tmpfs=dirname | 1836 | \fB\-\-tmpfs=dirname |
1835 | Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root. | 1837 | Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root. |
1838 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
1836 | .br | 1839 | .br |
1837 | 1840 | ||
1838 | .br | 1841 | .br |
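Review bot: \-\-tmpfs takes a dirname, yet the sentence added at new line 1838 does not say what happens when a pattern also matches regular files. The option is root-only and a broad pattern would mount a tmpfs over every matching directory, so document whether non-directory matches are skipped and recommend narrow patterns.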
@@ -2234,6 +2237,40 @@ $ firejail --tree | |||
2234 | 2237 | ||
2235 | We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details. | 2238 | We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details. |
2236 | 2239 | ||
2240 | .SH FILE GLOBBING | ||
2241 | .TP | ||
2242 | Globbing is the operation that expands a wildcard pattern into the list of pathnames matching the pattern. Matching is defined by: | ||
2243 | .br | ||
2244 | |||
2245 | .br | ||
2246 | - '?' matches any character | ||
2247 | .br | ||
2248 | - '*' matches any string | ||
2249 | .br | ||
2250 | - '[' denotes a range of characters | ||
2251 | .br | ||
2252 | .TP | ||
2253 | The gobing feature is implemented using glibc glob command. For more information on the wildcard syntax see man 7 glob. | ||
2254 | .br | ||
2255 | |||
2256 | .br | ||
2257 | .TP | ||
2258 | The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, and \-\-tmpfs. | ||
2259 | .br | ||
2260 | |||
2261 | .br | ||
2262 | .TP | ||
2263 | Examples: | ||
2264 | .br | ||
2265 | |||
2266 | .br | ||
2267 | $ firejail --private-bin=sh,bash,python* | ||
2268 | .br | ||
2269 | $ firejail --blacklist=~/dir[1234] | ||
2270 | .br | ||
2271 | $ firejail --read-only=~/dir[1-4] | ||
2272 | .br | ||
2273 | |||
2237 | .SH APPARMOR | 2274 | .SH APPARMOR |
2238 | .TP | 2275 | .TP |
2239 | AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it: | 2276 | AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it: |
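Review bot: New line 2253 has a typo, "gobing" for "globbing", and calls glob a "glibc glob command"; it is a library function, so "the glibc glob(3) function" would be accurate. At new line 2246, '?' matches any single character, which is worth saying explicitly. The examples at new lines 2267-2271 pass python* and dir[1-4] unquoted, so the calling shell gets the first chance to expand them before firejail sees the argument; quote the patterns in the examples, and write the options as \-\-private-bin and so on to match the escaping used in the rest of the page.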