Private /lib feature

author: Topi Miettinen <toiwoton@gmail.com> 2017-07-24 11:45:13 +0300
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2017-07-30 16:35:17 +0000
commit: 1da9f74b4dbfe186f893a2f3712135eb00bbed09 (patch)
tree: 0c4e3a587e5df6f99fbd58d316e1dddb55b5da64 /src/man
parent: merges (diff)
download: firejail-1da9f74b4dbfe186f893a2f3712135eb00bbed09.tar.gz
firejail-1da9f74b4dbfe186f893a2f3712135eb00bbed09.tar.zst
firejail-1da9f74b4dbfe186f893a2f3712135eb00bbed09.zip
1 files changed, 28 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cd47800c5..0ce72f845 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1232,6 +1232,34 @@ $ ls /bin
 bash  cat  ls  sed
 .TP
+\fB\-\-private-lib=file,file
+Build a new /lib in a temporary filesystem. For command to be executed,
+the shell (if \-\-shell=none is not used), and the listed libraries
+find out dynamic libraries and copy them to the /lib directory.
+If no listed file is found, /lib directory will be empty and no programs will be able to execute.
+The same directory is also bind-mounted over /lib64 and /usr/lib.
+All modifications are discarded when the sandbox is closed.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+.br
+Parent pid 15733, child pid 15734
+.br
+Child process initialized in 69.61 ms
+.br
+/bin:
+.br
+ls
+.br
+.br
+/lib:
+.br
+ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libpcre.so.3  libpthread.so.0  libselinux.so.1
+.TP
 \fB\-\-private-dev
 Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 .br
author	Topi Miettinen <toiwoton@gmail.com>	2017-07-24 11:45:13 +0300
committer	Topi Miettinen <topimiettinen@users.noreply.github.com>	2017-07-30 16:35:17 +0000
commit	1da9f74b4dbfe186f893a2f3712135eb00bbed09 (patch)
tree	0c4e3a587e5df6f99fbd58d316e1dddb55b5da64 /src/man
parent	merges (diff)
download	firejail-1da9f74b4dbfe186f893a2f3712135eb00bbed09.tar.gz firejail-1da9f74b4dbfe186f893a2f3712135eb00bbed09.tar.zst firejail-1da9f74b4dbfe186f893a2f3712135eb00bbed09.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cd47800c5..0ce72f845 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1232,6 +1232,34 @@ $ ls /bin
1232	bash cat ls sed	1232	bash cat ls sed
1233		1233
1234	.TP	1234	.TP
		1235	\fB\-\-private-lib=file,file
		1236	Build a new /lib in a temporary filesystem. For command to be executed,
		1237	the shell (if \-\-shell=none is not used), and the listed libraries
		1238	find out dynamic libraries and copy them to the /lib directory.
		1239	If no listed file is found, /lib directory will be empty and no programs will be able to execute.
		1240	The same directory is also bind-mounted over /lib64 and /usr/lib.
		1241	All modifications are discarded when the sandbox is closed.
		1242	.br
		1243
		1244	.br
		1245	Example:
		1246	.br
		1247	$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
		1248	.br
		1249	Parent pid 15733, child pid 15734
		1250	.br
		1251	Child process initialized in 69.61 ms
		1252	.br
		1253	/bin:
		1254	.br
		1255	ls
		1256	.br
		1257	.br
		1258	/lib:
		1259	.br
		1260	ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libpcre.so.3 libpthread.so.0 libselinux.so.1
		1261
		1262	.TP
1235	\fB\-\-private-dev	1263	\fB\-\-private-dev
1236	Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.	1264	Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
1237	.br	1265	.br