author | sarneaud <sarneaud@users.noreply.github.com> | 2015-09-01 15:07:30 +1000 |
---|---|---|
committer | sarneaud <sarneaud@users.noreply.github.com> | 2015-09-01 15:23:26 +1000 |
commit | 2aa7ec97db26c567a6b2d45cd906c062960584dd (patch) | |
tree | 6a8b026d4688f8a4fe579f55d499c19d8b890fa9 /src/man | |
parent | Update profiles to use the new noblacklist command. (diff) | |
Add noblacklist command to firejail.
* Basic implementation
* Updates to standard profiles
* Update to firejail-profile manpage
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5167a4c42..64565ab0b 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -87,6 +87,7 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" | |||
87 | These profile entries define a chroot filesystem built on top of the existing | 87 | These profile entries define a chroot filesystem built on top of the existing |
88 | host filesystem. Each line describes a file element that is removed from | 88 | host filesystem. Each line describes a file element that is removed from |
89 | the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), | 89 | the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), |
90 | a filter for finer control of blacklisting (\fBnoblacklist\fR), | ||
90 | a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), | 91 | a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), |
91 | or mount-bind a directory or file on top of another directory or file (\fBbind\fR). | 92 | or mount-bind a directory or file on top of another directory or file (\fBbind\fR). |
92 | Use \fBprivate\fR to set private mode. | 93 | Use \fBprivate\fR to set private mode. |
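Review bot: the new line in this hunk describes \fBnoblacklist\fR only as "a filter for finer control of blacklisting", which tells the reader nothing about what the entry actually does; the surrounding lines describe each keyword by its effect on the filesystem (removed, read-only, tmpfs, mount-bind), so this one should too. Suggest wording along the lines of "an exception that protects a file or directory from later \fBblacklist\fR entries (\fBnoblacklist\fR)", which also makes the ordering dependence explicit here rather than only in the example further down.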
@@ -117,6 +118,14 @@ Remove ifconfig command from the regular path directories. | |||
117 | \f\blacklist ${HOME}/.ssh | 118 | \f\blacklist ${HOME}/.ssh |
118 | Remove .ssh directory from user home directory. | 119 | Remove .ssh directory from user home directory. |
119 | .TP | 120 | .TP |
121 | \f\ noblacklist ${HOME}/config/evince | ||
122 | Prevent any new blacklist commands from blacklisting | ||
123 | config/evince in the user home directory. Useful for defining | ||
124 | exceptions before including a large blacklist from a file. Note | ||
125 | that blacklisting ${HOME}/config can still make | ||
126 | ${HOME}/config/evince effectively unreachable through filesystem | ||
127 | traversal. | ||
128 | .TP | ||
120 | \f\private | 129 | \f\private |
121 | Mount new /root and /home/user directories in temporary | 130 | Mount new /root and /home/user directories in temporary |
122 | filesystems. All modifications are discarded when the sandbox is | 131 | filesystems. All modifications are discarded when the sandbox is |
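Review bot: the new entry line `\f\ noblacklist ${HOME}/config/evince` has a stray space after `\f\` that the neighbouring entries (`\f\blacklist ${HOME}/.ssh`, `\f\private`) do not have, so it will render differently; drop the space. In the description, "Prevent any new blacklist commands" should read "subsequent blacklist commands", since the text itself says the exception must be defined before the blacklist is included, and the entry should state plainly that a blacklist appearing earlier in the profile is unaffected. The caveat about `${HOME}/config` is the important part of this text and is worth keeping, but two things are left undocumented: whether `noblacklist` on a directory also protects paths beneath it, and whether `${HOME}/config` is the intended example path or `${HOME}/.config` was meant, since the example should match where the referenced application keeps its files.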