| field | value | date |
|---|---|---|
| author | smitsohu <smitsohu@gmail.com> | 2018-12-15 17:00:49 +0100 |
| committer | smitsohu <smitsohu@gmail.com> | 2018-12-15 17:37:22 +0100 |
| commit | 89fa2a7562e84338d88ea83777861f00e545135d | |
| tree | 78e9ab303fb28d9b94542ee96fbdb51ca6e8982c /src/man/firejail.txt | |
| parent | join: check prctl return value | |
enforce nonewprivs instead of seccomp for chroot sandboxes
currently users are able to specify a seccomp filter of their
choosing, leaving the real defense to nonewprivs anyway.
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 66663be35..9c1133756 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -100,8 +100,8 @@ $ firejail --allusers | |||
100 | Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. | 100 | Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. |
101 | .TP | 101 | .TP |
102 | \fB\-\-appimage | 102 | \fB\-\-appimage |
103 | Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started as a | 103 | Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started |
104 | regular user, default seccomp and capabilities filters are enabled. | 104 | as a regular user, nonewprivs and a default capabilities filter are enabled. |
105 | .br | 105 | .br |
106 | 106 | ||
107 | .br | 107 | .br |
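Review bot: The commit title scopes the change to chroot sandboxes, but this hunk rewrites the \-\-appimage description (line 104) to say nonewprivs replaces the default seccomp filter, and the same edit is applied to \-\-overlay, \-\-overlay-named and \-\-overlay-tmpfs further down. Either widen the title (e.g. "enforce nonewprivs instead of seccomp for chroot, appimage and overlay sandboxes") or state in the message that the AppImage and overlay sandboxes share the chroot code path, so each documentation edit is traceable to the behaviour change it describes.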
@@ -275,7 +275,7 @@ Example: | |||
275 | \fB\-\-chroot=dirname | 275 | \fB\-\-chroot=dirname |
276 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, | 276 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, |
277 | the system directories are mounted read-write. If the sandbox is started as a | 277 | the system directories are mounted read-write. If the sandbox is started as a |
278 | regular user, default seccomp and capabilities filters are enabled. | 278 | regular user, nonewprivs and a default capabilities filter are enabled. |
279 | .br | 279 | .br |
280 | 280 | ||
281 | .br | 281 | .br |
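Review bot: "nonewprivs and a default capabilities filter are enabled" (line 278) reads as a default the user could switch off, whereas the commit message's whole point is that nonewprivs is the real defence and is enforced regardless of whatever seccomp filter the user supplies. Suggest wording that carries the enforcement, e.g. "nonewprivs is always enforced and a default capabilities filter is enabled", and, because the preceding sentence says the system directories are mounted read-write, one clause on why it is mandatory (no_new_privs stops execve from granting privileges, which is what a writable root would otherwise make possible); as written the page gives the reader no reason the seccomp filter was dropped in its favour.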
@@ -1287,7 +1287,7 @@ Similar to \-\-output, but stderr is also stored. | |||
1287 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | 1287 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, |
1288 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | 1288 | the system directories are mounted read-write. All filesystem modifications go into the overlay. |
1289 | Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<PID> directory. | 1289 | Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<PID> directory. |
1290 | If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled. | 1290 | If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled. |
1291 | .br | 1291 | .br |
1292 | 1292 | ||
1293 | .br | 1293 | .br |
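Review bot: "nonewprivs" (line 1290, and every other rewritten line in this patch) is the name of a Firejail option, yet it is set in plain roman; the man page's own convention for cross-references is bold, as in \fBAPPARMOR\fR on line 100 and \fB\-\-appimage on line 102. Render it as \fB\-\-nonewprivs\fR (ideally "\fB\-\-nonewprivs\fR, see below") so a reader can jump to the option's own entry and learn what it does.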
@@ -1307,7 +1307,7 @@ Mount a filesystem overlay on top of the current filesystem. Unlike the regular | |||
1307 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | 1307 | the system directories are mounted read-write. All filesystem modifications go into the overlay. |
1308 | Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<NAME> directory. | 1308 | Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<NAME> directory. |
1309 | The created overlay can be reused between multiple sessions. | 1309 | The created overlay can be reused between multiple sessions. |
1310 | If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled. | 1310 | If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled. |
1311 | .br | 1311 | .br |
1312 | 1312 | ||
1313 | .br | 1313 | .br |
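Review bot: "The created overlay can be reused between multiple sessions" (line 1309) combined with "All filesystem modifications go into the overlay" (line 1307) means the next session boots from a root filesystem that an earlier sandboxed session could have modified, so the nonewprivs enforcement on line 1310 matters more here than for a throwaway overlay. The sentence should say so rather than read as the same generic default copied from \-\-chroot, e.g. "nonewprivs is always enforced, since the reused overlay may have been modified by a previous session".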
@@ -1325,7 +1325,7 @@ $ firejail \-\-overlay-named=jail1 firefox | |||
1325 | \fB\-\-overlay-tmpfs | 1325 | \fB\-\-overlay-tmpfs |
1326 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications | 1326 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications |
1327 | are discarded when the sandbox is closed. Directories /run, /tmp and /dev are not covered by the overlay. | 1327 | are discarded when the sandbox is closed. Directories /run, /tmp and /dev are not covered by the overlay. |
1328 | If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled. | 1328 | If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled. |
1329 | .br | 1329 | .br |
1330 | 1330 | ||
1331 | .br | 1331 | .br |
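Review bot: Line 1328 (and its four siblings in this patch) only covers the case "If the sandbox is started as a regular user"; nothing states whether nonewprivs is also set when root starts a chroot or overlay sandbox. Since the patch is about making nonewprivs mandatory, the man page should state explicitly what the root case gets, either the same enforcement or nothing, so the reader does not have to guess from the omission.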