private-lib

author: netblue30 <netblue30@yahoo.com> 2017-08-17 11:31:21 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-08-17 11:31:21 -0400
commit: 89e3454eb3f0ca22d423bc3aaba5472d3c249115 (patch)
tree: 1928af809086e3fc30e177ac07eddc7483699769 /src/man/firejail.txt
parent: memory-deny-write-execute (diff)
download: firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.gz
firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.zst
firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.zip
1 files changed, 38 insertions, 15 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 690d0c1c1..4a396b809 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1272,32 +1272,55 @@ $ ls /bin
 bash  cat  ls  sed
 .TP
-\fB\-\-private-lib=file,file
+\fB\-\-private-lib=file,directory
-Build a new /lib in a temporary filesystem. For command to be executed,
+This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
-the shell (if \-\-shell=none is not used), and the listed libraries
+The idea is to build a new /lib in a temporary filesystem,
-find out dynamic libraries and copy them to the /lib directory.
+with only the library files necessary to run the application.
-If no listed file is found, /lib directory will be empty and no programs will be able to execute.
+It could be as simple as:
-The same directory is also bind-mounted over /lib64 and /usr/lib.
-All modifications are discarded when the sandbox is closed.
 .br
 .br
-Example:
+$ firejail --private-lib galculator
+.br
+.br
+but it gets complicated really fast:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+.br
+$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
 .br
-Parent pid 15733, child pid 15734
 .br
-Child process initialized in 69.61 ms
+The feature is integrated with \-\-private-bin:
+.br
 .br
-/bin:
+$ firejail --private-lib --private-bin=bash,ls,ps
 .br
-ls
+$ ls /lib
 .br
+ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
 .br
-/lib:
+libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
 .br
-ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libpcre.so.3  libpthread.so.0  libselinux.so.1
+libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+.br
+libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+.br
+$ ps
+.br
+ PID TTY          TIME CMD
+.br
+    1 pts/0    00:00:00 firejail
+.br
+   45 pts/0    00:00:00 bash
+.br
+   48 pts/0    00:00:00 ps
+.br
+$ 
+.br
 .TP
 \fB\-\-private-dev
author	netblue30 <netblue30@yahoo.com>	2017-08-17 11:31:21 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-08-17 11:31:21 -0400
commit	89e3454eb3f0ca22d423bc3aaba5472d3c249115 (patch)
tree	1928af809086e3fc30e177ac07eddc7483699769 /src/man/firejail.txt
parent	memory-deny-write-execute (diff)
download	firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.gz firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.tar.zst firejail-89e3454eb3f0ca22d423bc3aaba5472d3c249115.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 690d0c1c1..4a396b809 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1272,32 +1272,55 @@ $ ls /bin
1272	bash cat ls sed	1272	bash cat ls sed
1273		1273
1274	.TP	1274	.TP
1275	\fB\-\-private-lib=file,file	1275	\fB\-\-private-lib=file,directory
1276	Build a new /lib in a temporary filesystem. For command to be executed,	1276	This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
1277	the shell (if \-\-shell=none is not used), and the listed libraries	1277	The idea is to build a new /lib in a temporary filesystem,
1278	find out dynamic libraries and copy them to the /lib directory.	1278	with only the library files necessary to run the application.
1279	If no listed file is found, /lib directory will be empty and no programs will be able to execute.	1279	It could be as simple as:
1280	The same directory is also bind-mounted over /lib64 and /usr/lib.
1281	All modifications are discarded when the sandbox is closed.
1282	.br	1280	.br
1283		1281
1284	.br	1282	.br
1285	Example:	1283	$ firejail --private-lib galculator
		1284	.br
		1285
		1286	.br
		1287	but it gets complicated really fast:
1286	.br	1288	.br
1287	$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin	1289
		1290	.br
		1291	$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1288	.br	1292	.br
1289	Parent pid 15733, child pid 15734	1293
1290	.br	1294	.br
1291	Child process initialized in 69.61 ms	1295	The feature is integrated with \-\-private-bin:
		1296	.br
		1297
1292	.br	1298	.br
1293	/bin:	1299	$ firejail --private-lib --private-bin=bash,ls,ps
1294	.br	1300	.br
1295	ls	1301	$ ls /lib
1296	.br	1302	.br
		1303	ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
1297	.br	1304	.br
1298	/lib:	1305	libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1299	.br	1306	.br
1300	ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libpcre.so.3 libpthread.so.0 libselinux.so.1	1307	libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
		1308	.br
		1309	libgcrypt.so.20 libpcre.so.3 libselinux.so.1
		1310	.br
		1311	$ ps
		1312	.br
		1313	PID TTY TIME CMD
		1314	.br
		1315	1 pts/0 00:00:00 firejail
		1316	.br
		1317	45 pts/0 00:00:00 bash
		1318	.br
		1319	48 pts/0 00:00:00 ps
		1320	.br
		1321	$
		1322	.br
		1323
1301		1324
1302	.TP	1325	.TP
1303	\fB\-\-private-dev	1326	\fB\-\-private-dev