allow/deny help and man pages

author: netblue30 <netblue30@protonmail.com> 2021-07-03 22:09:20 -0400
committer: netblue30 <netblue30@protonmail.com> 2021-07-03 22:09:20 -0400
commit: a11707ea273e5665047f8a7d9387ba07f08d72f6 (patch)
tree: bda18d3ee113071107978962a0adb66dbc240f84 /src/man/firejail.txt
parent: allow/noallow/deny/nodeny aliases for whitelist/nowhitelist/blacklist/noblack... (diff)
download: firejail-a11707ea273e5665047f8a7d9387ba07f08d72f6.tar.gz
firejail-a11707ea273e5665047f8a7d9387ba07f08d72f6.tar.zst
firejail-a11707ea273e5665047f8a7d9387ba07f08d72f6.zip
1 files changed, 75 insertions, 63 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0462705c0..498ff9aa9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -99,6 +99,40 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow=dirname_or_filename
+Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
+allowed files are mount-binded inside. Modifications to allowed files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.br
+.br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-allow=~/.mozilla
+.br
+$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
+.br
+$ firejail "\-\-allow=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
+.TP
 \fB\-\-allow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting
 system calls ptrace and process_vm_readv. This option is only
@@ -169,21 +203,6 @@ Example:
 .br
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
-\fB\-\-blacklist=dirname_or_filename
-Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-.br
-Example:
-.br
-$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
-.br
-$ firejail \-\-blacklist=~/.mozilla
-.br
-$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
-.TP
 \fB\-\-build
 The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
 builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -243,7 +262,7 @@ $ firejail \-\-caps.drop=all warzone2100
 .TP
 \fB\-\-caps.drop=capability,capability,capability
-Define a custom blacklist Linux capabilities filter.
+Define a custom Linux capabilities filter.
 .br
 .br
@@ -624,14 +643,14 @@ Example:
 $ firejail \-\-debug firefox
 .TP
-\fB\-\-debug-blacklists\fR
+\fB\-\-debug-allow\fR
-Debug blacklisting.
+Debug file system access.
 .br
 .br
 Example:
 .br
-$ firejail \-\-debug-blacklists firefox
+$ firejail \-\-debug-allow firefox
 .TP
 \fB\-\-debug-caps
@@ -644,6 +663,16 @@ Example:
 $ firejail \-\-debug-caps
 .TP
+\fB\-\-debug-deny\fR
+Debug file access.
+.br
+.br
+Example:
+.br
+$ firejail \-\-debug-deny firefox
+.TP
 \fB\-\-debug-errnos
 Print all recognized error numbers in the current Firejail software build and exit.
 .br
@@ -677,15 +706,7 @@ $ firejail \-\-debug-syscalls
 \fB\-\-debug-syscalls32
 Print all recognized 32 bit system calls in the current Firejail software build and exit.
 .br
-.TP
-\fB\-\-debug-whitelists\fR
-Debug whitelisting.
-.br
-.br
-Example:
-.br
-$ firejail \-\-debug-whitelists firefox
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-defaultgw=address
@@ -697,13 +718,32 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 #endif
+.TP
+\fB\-\-deny=dirname_or_filename
+Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+.br
+Example:
+.br
+$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin
+.br
+$ firejail \-\-deny=~/.mozilla
+.br
+$ firejail "\-\-deny=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
 .TP
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
 .TP
 \fB\-\-disable-mnt
-Blacklist /mnt, /media, /run/mount and /run/media access.
+Deny access to /mnt, /media, /run/mount and /run/media.
 .br
 .br
@@ -1471,12 +1511,16 @@ Example:
 $ firejail --no3d firefox
 .TP
+\fB\-\-noallow=dirname_or_filename
+Disable \-\-allow for this directory or file.
+.TP
 \fB\-\-noautopulse \fR(deprecated)
 See --keep-config-pulse.
 .TP
-\fB\-\-noblacklist=dirname_or_filename
+\fB\-\-nodeny=dirname_or_filename
-Disable blacklist for this directory or file.
+Disable \-\-deny for this directory or file.
 .br
 .br
@@ -1492,7 +1536,7 @@ $ exit
 .br
 .br
-$ firejail --noblacklist=/bin/nc
+$ firejail --nodeny=/bin/nc
 .br
 $ nc dict.org 2628
 .br
@@ -1666,10 +1710,6 @@ $ firejail \-\-nou2f
 Disable video devices.
 .br
-.TP
-\fB\-\-nowhitelist=dirname_or_filename
-Disable whitelist for this directory or file.
 #ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
@@ -2733,34 +2773,6 @@ Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
 #endif
-.TP
-\fB\-\-whitelist=dirname_or_filename
-Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory can be
-all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
-all directories in /usr.
-.br
-.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
-.br
-.br
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-.br
-Example:
-.br
-$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
-.br
-$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
-.br
-$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 .TP
 \fB\-\-writable-etc
author	netblue30 <netblue30@protonmail.com>	2021-07-03 22:09:20 -0400
committer	netblue30 <netblue30@protonmail.com>	2021-07-03 22:09:20 -0400
commit	a11707ea273e5665047f8a7d9387ba07f08d72f6 (patch)
tree	bda18d3ee113071107978962a0adb66dbc240f84 /src/man/firejail.txt
parent	allow/noallow/deny/nodeny aliases for whitelist/nowhitelist/blacklist/noblack... (diff)
download	firejail-a11707ea273e5665047f8a7d9387ba07f08d72f6.tar.gz firejail-a11707ea273e5665047f8a7d9387ba07f08d72f6.tar.zst firejail-a11707ea273e5665047f8a7d9387ba07f08d72f6.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0462705c0..498ff9aa9 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -99,6 +99,40 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
99	\fB\-\-	99	\fB\-\-
100	Signal the end of options and disables further option processing.	100	Signal the end of options and disables further option processing.
101	.TP	101	.TP
		102	\fB\-\-allow=dirname_or_filename
		103	Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
		104	allowed files are mount-binded inside. Modifications to allowed files are persistent,
		105	everything else is discarded when the sandbox is closed. The top directory can be
		106	all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
		107	all directories in /usr.
		108	.br
		109
		110	.br
		111	Symbolic link handling: with the exception of user home, both the link and the real file should be in
		112	the same top directory. For user home, both the link and the real file should be owned by the user.
		113	.br
		114
		115	.br
		116	File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
		117	.br
		118
		119	.br
		120	Example:
		121	.br
		122	$ firejail \-\-noprofile \-\-allow=~/.mozilla
		123	.br
		124	$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
		125	.br
		126	$ firejail "\-\-allow=/home/username/My Virtual Machines"
		127	.br
		128	$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
		129
		130
		131
		132
		133
		134
		135	.TP
102	\fB\-\-allow-debuggers	136	\fB\-\-allow-debuggers
103	Allow tools such as strace and gdb inside the sandbox by whitelisting	137	Allow tools such as strace and gdb inside the sandbox by whitelisting
104	system calls ptrace and process_vm_readv. This option is only	138	system calls ptrace and process_vm_readv. This option is only
@@ -169,21 +203,6 @@ Example:
169	.br	203	.br
170	# firejail \-\-bind=/config/etc/passwd,/etc/passwd	204	# firejail \-\-bind=/config/etc/passwd,/etc/passwd
171	.TP	205	.TP
172	\fB\-\-blacklist=dirname_or_filename
173	Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
174	.br
175
176	.br
177	Example:
178	.br
179	$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
180	.br
181	$ firejail \-\-blacklist=~/.mozilla
182	.br
183	$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
184	.br
185	$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
186	.TP
187	\fB\-\-build	206	\fB\-\-build
188	The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also	207	The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
189	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,	208	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -243,7 +262,7 @@ $ firejail \-\-caps.drop=all warzone2100
243		262
244	.TP	263	.TP
245	\fB\-\-caps.drop=capability,capability,capability	264	\fB\-\-caps.drop=capability,capability,capability
246	Define a custom blacklist Linux capabilities filter.	265	Define a custom Linux capabilities filter.
247	.br	266	.br
248		267
249	.br	268	.br
@@ -624,14 +643,14 @@ Example:
624	$ firejail \-\-debug firefox	643	$ firejail \-\-debug firefox
625		644
626	.TP	645	.TP
627	\fB\-\-debug-blacklists\fR	646	\fB\-\-debug-allow\fR
628	Debug blacklisting.	647	Debug file system access.
629	.br	648	.br
630		649
631	.br	650	.br
632	Example:	651	Example:
633	.br	652	.br
634	$ firejail \-\-debug-blacklists firefox	653	$ firejail \-\-debug-allow firefox
635		654
636	.TP	655	.TP
637	\fB\-\-debug-caps	656	\fB\-\-debug-caps
@@ -644,6 +663,16 @@ Example:
644	$ firejail \-\-debug-caps	663	$ firejail \-\-debug-caps
645		664
646	.TP	665	.TP
		666	\fB\-\-debug-deny\fR
		667	Debug file access.
		668	.br
		669
		670	.br
		671	Example:
		672	.br
		673	$ firejail \-\-debug-deny firefox
		674
		675	.TP
647	\fB\-\-debug-errnos	676	\fB\-\-debug-errnos
648	Print all recognized error numbers in the current Firejail software build and exit.	677	Print all recognized error numbers in the current Firejail software build and exit.
649	.br	678	.br
@@ -677,15 +706,7 @@ $ firejail \-\-debug-syscalls
677	\fB\-\-debug-syscalls32	706	\fB\-\-debug-syscalls32
678	Print all recognized 32 bit system calls in the current Firejail software build and exit.	707	Print all recognized 32 bit system calls in the current Firejail software build and exit.
679	.br	708	.br
680	.TP
681	\fB\-\-debug-whitelists\fR
682	Debug whitelisting.
683	.br
684		709
685	.br
686	Example:
687	.br
688	$ firejail \-\-debug-whitelists firefox
689	#ifdef HAVE_NETWORK	710	#ifdef HAVE_NETWORK
690	.TP	711	.TP
691	\fB\-\-defaultgw=address	712	\fB\-\-defaultgw=address
@@ -697,13 +718,32 @@ Example:
697	.br	718	.br
698	$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox	719	$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
699	#endif	720	#endif
		721
		722	.TP
		723	\fB\-\-deny=dirname_or_filename
		724	Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
		725	.br
		726
		727	.br
		728	Example:
		729	.br
		730	$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin
		731	.br
		732	$ firejail \-\-deny=~/.mozilla
		733	.br
		734	$ firejail "\-\-deny=/home/username/My Virtual Machines"
		735	.br
		736	$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
		737
		738
		739
700	.TP	740	.TP
701	\fB\-\-deterministic-exit-code	741	\fB\-\-deterministic-exit-code
702	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.	742	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
703	.br	743	.br
704	.TP	744	.TP
705	\fB\-\-disable-mnt	745	\fB\-\-disable-mnt
706	Blacklist /mnt, /media, /run/mount and /run/media access.	746	Deny access to /mnt, /media, /run/mount and /run/media.
707	.br	747	.br
708		748
709	.br	749	.br
@@ -1471,12 +1511,16 @@ Example:
1471	$ firejail --no3d firefox	1511	$ firejail --no3d firefox
1472		1512
1473	.TP	1513	.TP
		1514	\fB\-\-noallow=dirname_or_filename
		1515	Disable \-\-allow for this directory or file.
		1516
		1517	.TP
1474	\fB\-\-noautopulse \fR(deprecated)	1518	\fB\-\-noautopulse \fR(deprecated)
1475	See --keep-config-pulse.	1519	See --keep-config-pulse.
1476		1520
1477	.TP	1521	.TP
1478	\fB\-\-noblacklist=dirname_or_filename	1522	\fB\-\-nodeny=dirname_or_filename
1479	Disable blacklist for this directory or file.	1523	Disable \-\-deny for this directory or file.
1480	.br	1524	.br
1481		1525
1482	.br	1526	.br
@@ -1492,7 +1536,7 @@ $ exit
1492	.br	1536	.br
1493		1537
1494	.br	1538	.br
1495	$ firejail --noblacklist=/bin/nc	1539	$ firejail --nodeny=/bin/nc
1496	.br	1540	.br
1497	$ nc dict.org 2628	1541	$ nc dict.org 2628
1498	.br	1542	.br
@@ -1666,10 +1710,6 @@ $ firejail \-\-nou2f
1666	Disable video devices.	1710	Disable video devices.
1667	.br	1711	.br
1668		1712
1669	.TP
1670	\fB\-\-nowhitelist=dirname_or_filename
1671	Disable whitelist for this directory or file.
1672
1673	#ifdef HAVE_OUTPUT	1713	#ifdef HAVE_OUTPUT
1674	.TP	1714	.TP
1675	\fB\-\-output=logfile	1715	\fB\-\-output=logfile
@@ -2733,34 +2773,6 @@ Example:
2733	.br	2773	.br
2734	$ firejail \-\-net=br0 --veth-name=if0	2774	$ firejail \-\-net=br0 --veth-name=if0
2735	#endif	2775	#endif
2736	.TP
2737	\fB\-\-whitelist=dirname_or_filename
2738	Whitelist directory or file. A temporary file system is mounted on the top directory, and the
2739	whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
2740	everything else is discarded when the sandbox is closed. The top directory can be
2741	all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
2742	all directories in /usr.
2743	.br
2744
2745	.br
2746	Symbolic link handling: with the exception of user home, both the link and the real file should be in
2747	the same top directory. For user home, both the link and the real file should be owned by the user.
2748	.br
2749
2750	.br
2751	File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
2752	.br
2753
2754	.br
2755	Example:
2756	.br
2757	$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
2758	.br
2759	$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
2760	.br
2761	$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
2762	.br
2763	$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
2764		2776
2765	.TP	2777	.TP
2766	\fB\-\-writable-etc	2778	\fB\-\-writable-etc