author | a1346054 <36859588+a1346054@users.noreply.github.com> | 2021-08-31 12:21:43 +0000 |
---|---|---|
committer | a1346054 <36859588+a1346054@users.noreply.github.com> | 2021-09-25 19:09:14 +0000 |
commit | 6eafbfdfcc261b8d89ed22358ed9f351d4bf5bf2 (patch) | |
tree | c533c541f1a6b48967e193060041705a616bba73 /src/man/firejail.txt | |
parent | private-lib fixup (diff) | |
trim excess whitespace
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0462705c0..2883ab257 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb | |||
45 | #ifdef HAVE_LTS | 45 | #ifdef HAVE_LTS |
46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, | 46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, |
47 | LTS is usually supported for two or three years. | 47 | LTS is usually supported for two or three years. |
48 | During this time only bugs and the occasional documentation problems are fixed. | 48 | During this time only bugs and the occasional documentation problems are fixed. |
49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. | 49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. |
50 | .br | 50 | .br |
51 | 51 | ||
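Review bot: line 49 says the attack surface of the SUID executable was reduced "by removing some of the features" without naming any of them, so an administrator reading the LTS description cannot tell what was dropped. Since this block is being touched anyway, list the removed features or point to where they are documented. Line 46 also ends in a comma where the sentence ends; a period before "LTS is usually supported" would fix the run-on.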
@@ -109,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter. | |||
109 | .br | 109 | .br |
110 | Example: | 110 | Example: |
111 | .br | 111 | .br |
112 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox | 112 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox |
113 | .TP | 113 | .TP |
114 | \fB\-\-allusers | 114 | \fB\-\-allusers |
115 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. | 115 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. |
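Review bot: the example on line 112 writes its options with bare hyphens ("--allow-debuggers", "--profile=") while the option heading on line 114 of the same hunk uses the escaped form ("\-\-allusers"). roff treats "-" and "\-" as different characters, so the example and the heading do not render alike. As this commit is already a formatting pass over the file, escape the hyphens in the example too, or do it in a follow-up.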
@@ -947,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 | |||
947 | 947 | ||
948 | .TP | 948 | .TP |
949 | \fB\-\-ipc-namespace | 949 | \fB\-\-ipc-namespace |
950 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default | 950 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default |
951 | for sandboxes started as root. | 951 | for sandboxes started as root. |
952 | .br | 952 | .br |
953 | 953 | ||
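Review bot: the context line shown in this hunk's header reads "\-\-\iprange=192.168.1.100,192.168.1.150", with a backslash directly before "iprange" that is not part of the "\-" escapes used for the other options. It looks like a typo for "\-\-iprange=". It sits just above the lines changed here, so it is worth fixing in the same cleanup.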
@@ -1014,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL | |||
1014 | .br | 1014 | .br |
1015 | 1015 | ||
1016 | .br | 1016 | .br |
1017 | # verify IP addresses | 1017 | # verify IP addresses |
1018 | .br | 1018 | .br |
1019 | $ sudo firejail --join-network=browser ip addr | 1019 | $ sudo firejail --join-network=browser ip addr |
1020 | .br | 1020 | .br |
@@ -2134,7 +2134,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). | |||
2134 | .TP | 2134 | .TP |
2135 | \fB\-\-rlimit-cpu=number | 2135 | \fB\-\-rlimit-cpu=number |
2136 | Set the maximum limit, in seconds, for the amount of CPU time each | 2136 | Set the maximum limit, in seconds, for the amount of CPU time each |
2137 | sandboxed process can consume. When the limit is reached, the processes are killed. | 2137 | sandboxed process can consume. When the limit is reached, the processes are killed. |
2138 | 2138 | ||
2139 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds | 2139 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds |
2140 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps | 2140 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps |
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan | |||
2178 | .TP | 2178 | .TP |
2179 | \fB\-\-seccomp | 2179 | \fB\-\-seccomp |
2180 | Enable seccomp filter and blacklist the syscalls in the default list, | 2180 | Enable seccomp filter and blacklist the syscalls in the default list, |
2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, | 2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, |
2182 | then it is @default. | 2182 | then it is @default. |
2183 | 2183 | ||
2184 | .br | 2184 | .br |
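Review bot: lines 2180 to 2182 name the two default lists, @default-nodebuggers and @default, but do not say how they differ, while the \-\-allow-debuggers text (the context of the hunk at line 109) states that ptrace allows a full bypass of the seccomp filter. A one-sentence cross reference to \-\-allow-debuggers here would tell the reader that choosing that option changes the effective filter. Separately, the empty line 2183 is followed directly by ".br" on 2184; one of the two looks redundant.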
@@ -2865,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support | |||
2865 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | 2865 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window |
2866 | contents of other clients, stealing input events, etc. | 2866 | contents of other clients, stealing input events, etc. |
2867 | 2867 | ||
2868 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | 2868 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients |
2869 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | 2869 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. |
2870 | Firefox and transmission-gtk seem to be working fine. | 2870 | Firefox and transmission-gtk seem to be working fine. |
2871 | A network namespace is not required for this option. | 2871 | A network namespace is not required for this option. |
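Review bot: line 2868 reads "assume they are a trusted X11 clients", mixing a singular article with a plural noun. While the line is being edited for whitespace, change it to "assume they are trusted X11 clients".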
@@ -3256,7 +3256,7 @@ The owner of the sandbox. | |||
3256 | .SH RESTRICTED SHELL | 3256 | .SH RESTRICTED SHELL |
3257 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 3257 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
3258 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 3258 | /etc/passwd file for each user that needs to be restricted. Alternatively, |
3259 | you can specify /usr/bin/firejail in adduser command: | 3259 | you can specify /usr/bin/firejail in adduser command: |
3260 | 3260 | ||
3261 | adduser \-\-shell /usr/bin/firejail username | 3261 | adduser \-\-shell /usr/bin/firejail username |
3262 | 3262 | ||
@@ -3266,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e | |||
3266 | Several command line options can be passed to the program using | 3266 | Several command line options can be passed to the program using |
3267 | profile files. Firejail chooses the profile file as follows: | 3267 | profile files. Firejail chooses the profile file as follows: |
3268 | 3268 | ||
3269 | 1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. | 3269 | 1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. |
3270 | Example: | 3270 | Example: |
3271 | .PP | 3271 | .PP |
3272 | .RS | 3272 | .RS |
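Review bot: line 3269 packs the whole profile lookup rule into one long source line, and the sentence that matters most for anyone relying on a named profile, "If there is a file with the same name as the given profile name, it will be used instead of doing the profile search", is buried in the middle of it. Splitting the item into one sentence per line would make that precedence rule and the colon prefix that overrides it easier to find. On the same line, "eg." should be "e.g." and "--profile=FILE" and "--profile=:PROFILE_NAME" use bare hyphens where the rest of the file uses "\-\-".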