diff options
author | netblue30 <netblue30@yahoo.com> | 2016-04-21 10:47:52 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-04-21 10:47:52 -0400 |
commit | e547b142597568da678c54da8b5b4164fb3fee86 (patch) | |
tree | 6a738b916c330c85216d0cddcedc971150cb98b2 /src/man/firejail.txt | |
parent | added --read-write option (diff) | |
download | firejail-e547b142597568da678c54da8b5b4164fb3fee86.tar.gz firejail-e547b142597568da678c54da8b5b4164fb3fee86.tar.zst firejail-e547b142597568da678c54da8b5b4164fb3fee86.zip |
--read-write option
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 51abaef28..19415a332 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co | |||
50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
51 | 51 | ||
52 | .SH USAGE | 52 | .SH USAGE |
53 | Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, | 53 | Without any options, the sandbox consists of a filesystem build in a new mount namespace, |
54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. | 54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the |
55 | The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. | 55 | command line options. The default Firejail filesystem is based on the host filesystem with the main |
56 | Only /home and /tmp are writable. | 56 | system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, |
57 | /libx32 and /lib64. Only /home and /tmp are writable. | ||
57 | .PP | 58 | .PP |
58 | As it starts up, Firejail tries to find a security profile based on the name of the application. | 59 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
59 | If an appropriate profile is not found, Firejail will use a default profile. | 60 | If an appropriate profile is not found, Firejail will use a default profile. |
60 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 61 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
61 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section. | 62 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
62 | .PP | 63 | .PP |
63 | If a program argument is not specified, Firejail starts /bin/bash shell. | 64 | If a program argument is not specified, Firejail starts /bin/bash shell. |
64 | Examples: | 65 | Examples: |
@@ -194,7 +195,8 @@ Example: | |||
194 | 195 | ||
195 | .TP | 196 | .TP |
196 | \fB\-\-chroot=dirname | 197 | \fB\-\-chroot=dirname |
197 | Chroot the sandbox into a root filesystem. If the sandbox is started as a | 198 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, |
199 | the system directories are mounted read-write. If the sandbox is started as a | ||
198 | regular user, default seccomp and capabilities filters are enabled. This | 200 | regular user, default seccomp and capabilities filters are enabled. This |
199 | option is not available on Grsecurity systems. | 201 | option is not available on Grsecurity systems. |
200 | .br | 202 | .br |
@@ -946,7 +948,8 @@ $ ls -l sandboxlog* | |||
946 | 948 | ||
947 | .TP | 949 | .TP |
948 | \fB\-\-overlay | 950 | \fB\-\-overlay |
949 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay. | 951 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, |
952 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
950 | The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. | 953 | The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. |
951 | .br | 954 | .br |
952 | 955 | ||
@@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of | |||
1143 | .TP | 1146 | .TP |
1144 | \fB\-\-rlimit-sigpending=number | 1147 | \fB\-\-rlimit-sigpending=number |
1145 | Set the maximum number of pending signals for a process. | 1148 | Set the maximum number of pending signals for a process. |
1149 | |||
1150 | .TP | ||
1151 | \fB\-\-read-write=dirname_or_filename | ||
1152 | By default, the sandbox mounts system directories read-only. | ||
1153 | These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. | ||
1154 | Use this option to mount read-write files or directories inside the system directories. | ||
1155 | |||
1156 | This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these | ||
1157 | cases the system directories are mounted read-write. | ||
1158 | |||
1146 | .TP | 1159 | .TP |
1147 | \fB\-\-scan | 1160 | \fB\-\-scan |
1148 | ARP-scan all the networks from inside a network namespace. | 1161 | ARP-scan all the networks from inside a network namespace. |