author | netblue30 <netblue30@yahoo.com> | 2017-08-17 11:31:21 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-17 11:31:21 -0400 |
commit | 89e3454eb3f0ca22d423bc3aaba5472d3c249115 (patch) | |
tree | 1928af809086e3fc30e177ac07eddc7483699769 /src/man | |
parent | memory-deny-write-execute (diff) | |
private-lib
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 53 |
2 files changed, 42 insertions, 15 deletions
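--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -230,6 +230,10 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-lib file,directory
+Build a new /lib directory and bring in the libraries required by the application to run.
+This feature is still under development, see man 1 firejail for some examples.
+.TP
 \fBprivate-opt file,directory
 Build a new /optin a temporary
 filesystem, and copy the files and directories in the list.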
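--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1272,32 +1272,55 @@ $ ls /bin
 bash cat ls sed
 
 .TP
-\fB\-\-private-lib=file,file
-Build a new /lib in a temporary filesystem. For command to be executed,
-the shell (if \-\-shell=none is not used), and the listed libraries
-find out dynamic libraries and copy them to the /lib directory.
-If no listed file is found, /lib directory will be empty and no programs will be able to execute.
-The same directory is also bind-mounted over /lib64 and /usr/lib.
-All modifications are discarded when the sandbox is closed.
+\fB\-\-private-lib=file,directory
+This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
+The idea is to build a new /lib in a temporary filesystem,
+with only the library files necessary to run the application.
+It could be as simple as:
 .br
 
 .br
-Example:
+$ firejail --private-lib galculator
+.br
+
+.br
+but it gets complicated really fast:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+
+.br
+$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
 .br
-Parent pid 15733, child pid 15734
+
 .br
-Child process initialized in 69.61 ms
+The feature is integrated with \-\-private-bin:
+.br
+
 .br
-/bin:
+$ firejail --private-lib --private-bin=bash,ls,ps
 .br
-ls
+$ ls /lib
 .br
+ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
 .br
-/lib:
+libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
 .br
-ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libpcre.so.3 libpthread.so.0 libselinux.so.1
+libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+.br
+libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+.br
+$ ps
+.br
+PID TTY TIME CMD
+.br
+1 pts/0 00:00:00 firejail
+.br
+45 pts/0 00:00:00 bash
+.br
+48 pts/0 00:00:00 ps
+.br
+$
+.br
+
 
 .TP
 \fB\-\-private-dev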