author | a1346054 <36859588+a1346054@users.noreply.github.com> | 2021-08-31 12:21:43 +0000 |
---|---|---|
committer | a1346054 <36859588+a1346054@users.noreply.github.com> | 2021-09-25 19:09:14 +0000 |
commit | 6eafbfdfcc261b8d89ed22358ed9f351d4bf5bf2 (patch) | |
tree | c533c541f1a6b48967e193060041705a616bba73 /src/man | |
parent | private-lib fixup (diff) | |
trim excess whitespace
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 22 | ||||
-rw-r--r-- | src/man/firejail.txt | 18 | ||||
-rw-r--r-- | src/man/firemon.txt | 2 |
3 files changed, 21 insertions, 21 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index a768829a1..a76fd3765 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director | |||
78 | Several command line options can be passed to the program using | 78 | Several command line options can be passed to the program using |
79 | profile files. Firejail chooses the profile file as follows: | 79 | profile files. Firejail chooses the profile file as follows: |
80 | 80 | ||
81 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. | 81 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. |
82 | Example: | 82 | Example: |
83 | .PP | 83 | .PP |
84 | .RS | 84 | .RS |
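Review bot: both columns of line 81 read identically in this view, so the trailing-whitespace removal cannot be checked by eye. Before merging, confirm that `git diff -w` against the parent is empty for src/man, which shows that the 21 insertions and 21 deletions in the diffstat change whitespace only and no man page wording.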
@@ -324,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid. | |||
324 | #ifdef HAVE_OVERLAYFS | 324 | #ifdef HAVE_OVERLAYFS |
325 | .TP | 325 | .TP |
326 | \fBoverlay | 326 | \fBoverlay |
327 | Mount a filesystem overlay on top of the current filesystem. | 327 | Mount a filesystem overlay on top of the current filesystem. |
328 | The overlay is stored in $HOME/.firejail/<PID> directory. | 328 | The overlay is stored in $HOME/.firejail/<PID> directory. |
329 | .TP | 329 | .TP |
330 | \fBoverlay-named name | 330 | \fBoverlay-named name |
331 | Mount a filesystem overlay on top of the current filesystem. | 331 | Mount a filesystem overlay on top of the current filesystem. |
332 | The overlay is stored in $HOME/.firejail/name directory. | 332 | The overlay is stored in $HOME/.firejail/name directory. |
333 | .TP | 333 | .TP |
334 | \fBoverlay-tmpfs | 334 | \fBoverlay-tmpfs |
335 | Mount a filesystem overlay on top of the current filesystem. | 335 | Mount a filesystem overlay on top of the current filesystem. |
336 | All filesystem modifications are discarded when the sandbox is closed. | 336 | All filesystem modifications are discarded when the sandbox is closed. |
337 | #endif | 337 | #endif |
338 | .TP | 338 | .TP |
339 | \fBprivate | 339 | \fBprivate |
@@ -487,12 +487,12 @@ does not result in an increase of privilege. | |||
487 | #ifdef HAVE_USERNS | 487 | #ifdef HAVE_USERNS |
488 | .TP | 488 | .TP |
489 | \fBnoroot | 489 | \fBnoroot |
490 | Use this command to enable an user namespace. The namespace has only one user, the current user. | 490 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
491 | There is no root account (uid 0) defined in the namespace. | 491 | There is no root account (uid 0) defined in the namespace. |
492 | #endif | 492 | #endif |
493 | .TP | 493 | .TP |
494 | \fBprotocol protocol1,protocol2,protocol3 | 494 | \fBprotocol protocol1,protocol2,protocol3 |
495 | Enable protocol filter. The filter is based on seccomp and checks the | 495 | Enable protocol filter. The filter is based on seccomp and checks the |
496 | first argument to socket system call. Recognized values: \fBunix\fR, | 496 | first argument to socket system call. Recognized values: \fBunix\fR, |
497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. | 497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. |
498 | .TP | 498 | .TP |
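Review bot: line 490 reads "enable an user namespace", which should be "a user namespace". The line sits in the middle of this hunk and is already being rewritten, so the article can be fixed here or in a follow-up text cleanup.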
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually. | |||
873 | 873 | ||
874 | .TP | 874 | .TP |
875 | \fBiprange address,address | 875 | \fBiprange address,address |
876 | Assign an IP address in the provided range to the last network | 876 | Assign an IP address in the provided range to the last network |
877 | interface defined by a net command. A default gateway is assigned by default. | 877 | interface defined by a net command. A default gateway is assigned by default. |
878 | .br | 878 | .br |
879 | 879 | ||
880 | .br | 880 | .br |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0462705c0..2883ab257 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb | |||
45 | #ifdef HAVE_LTS | 45 | #ifdef HAVE_LTS |
46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, | 46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, |
47 | LTS is usually supported for two or three years. | 47 | LTS is usually supported for two or three years. |
48 | During this time only bugs and the occasional documentation problems are fixed. | 48 | During this time only bugs and the occasional documentation problems are fixed. |
49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. | 49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. |
50 | .br | 50 | .br |
51 | 51 | ||
@@ -109,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter. | |||
109 | .br | 109 | .br |
110 | Example: | 110 | Example: |
111 | .br | 111 | .br |
112 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox | 112 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox |
113 | .TP | 113 | .TP |
114 | \fB\-\-allusers | 114 | \fB\-\-allusers |
115 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. | 115 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. |
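Review bot: the example on line 112 writes its options as plain `--allow-debuggers --profile=...`, while the option headings in the same file, such as `\fB\-\-allusers` on line 114, escape every hyphen as `\-`. An unescaped `-` in roff source can be rendered as a typographic hyphen, so a command copied from the formatted page may not be accepted by the shell. Escape the example the same way as the headings.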
@@ -947,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 | |||
947 | 947 | ||
948 | .TP | 948 | .TP |
949 | \fB\-\-ipc-namespace | 949 | \fB\-\-ipc-namespace |
950 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default | 950 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default |
951 | for sandboxes started as root. | 951 | for sandboxes started as root. |
952 | .br | 952 | .br |
953 | 953 | ||
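Review bot: the context line in this hunk's header shows `\-\-\iprange=192.168.1.100,192.168.1.150`, with a stray backslash before `iprange`. That line is outside the changed range, but it should read `\-\-iprange=` like the `\-\-net=eth0` option next to it, and it is worth fixing alongside this cleanup.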
@@ -1014,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL | |||
1014 | .br | 1014 | .br |
1015 | 1015 | ||
1016 | .br | 1016 | .br |
1017 | # verify IP addresses | 1017 | # verify IP addresses |
1018 | .br | 1018 | .br |
1019 | $ sudo firejail --join-network=browser ip addr | 1019 | $ sudo firejail --join-network=browser ip addr |
1020 | .br | 1020 | .br |
@@ -2134,7 +2134,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). | |||
2134 | .TP | 2134 | .TP |
2135 | \fB\-\-rlimit-cpu=number | 2135 | \fB\-\-rlimit-cpu=number |
2136 | Set the maximum limit, in seconds, for the amount of CPU time each | 2136 | Set the maximum limit, in seconds, for the amount of CPU time each |
2137 | sandboxed process can consume. When the limit is reached, the processes are killed. | 2137 | sandboxed process can consume. When the limit is reached, the processes are killed. |
2138 | 2138 | ||
2139 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds | 2139 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds |
2140 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps | 2140 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps |
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan | |||
2178 | .TP | 2178 | .TP |
2179 | \fB\-\-seccomp | 2179 | \fB\-\-seccomp |
2180 | Enable seccomp filter and blacklist the syscalls in the default list, | 2180 | Enable seccomp filter and blacklist the syscalls in the default list, |
2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, | 2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, |
2182 | then it is @default. | 2182 | then it is @default. |
2183 | 2183 | ||
2184 | .br | 2184 | .br |
@@ -2865,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support | |||
2865 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | 2865 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window |
2866 | contents of other clients, stealing input events, etc. | 2866 | contents of other clients, stealing input events, etc. |
2867 | 2867 | ||
2868 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | 2868 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients |
2869 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | 2869 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. |
2870 | Firefox and transmission-gtk seem to be working fine. | 2870 | Firefox and transmission-gtk seem to be working fine. |
2871 | A network namespace is not required for this option. | 2871 | A network namespace is not required for this option. |
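Review bot: line 2868 reads "they are a trusted X11 clients", mixing a singular article with a plural noun. Since this line is already touched, change it to "they are trusted X11 clients".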
@@ -3256,7 +3256,7 @@ The owner of the sandbox. | |||
3256 | .SH RESTRICTED SHELL | 3256 | .SH RESTRICTED SHELL |
3257 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 3257 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
3258 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 3258 | /etc/passwd file for each user that needs to be restricted. Alternatively, |
3259 | you can specify /usr/bin/firejail in adduser command: | 3259 | you can specify /usr/bin/firejail in adduser command: |
3260 | 3260 | ||
3261 | adduser \-\-shell /usr/bin/firejail username | 3261 | adduser \-\-shell /usr/bin/firejail username |
3262 | 3262 | ||
@@ -3266,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e | |||
3266 | Several command line options can be passed to the program using | 3266 | Several command line options can be passed to the program using |
3267 | profile files. Firejail chooses the profile file as follows: | 3267 | profile files. Firejail chooses the profile file as follows: |
3268 | 3268 | ||
3269 | 1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. | 3269 | 1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. |
3270 | Example: | 3270 | Example: |
3271 | .PP | 3271 | .PP |
3272 | .RS | 3272 | .RS |
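Review bot: the profile lookup text on line 3269 has drifted from the same paragraph in firejail-profile.txt line 81. Only this copy states that a file with the same name as the profile takes precedence over the search and that `--profile=:PROFILE_NAME` forces the search, and it uses a plain "1." and unescaped `--profile` where the other file uses `\fB1.\fR` and `\-\-profile`. The precedence rule decides which profile a sandbox actually loads, so both man pages should carry it; sync the two paragraphs in a follow-up.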
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 76b2f7be2..c4e6e15b3 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -56,7 +56,7 @@ Print route table for each sandbox. | |||
56 | Print seccomp configuration for each sandbox. | 56 | Print seccomp configuration for each sandbox. |
57 | .TP | 57 | .TP |
58 | \fB\-\-top | 58 | \fB\-\-top |
59 | Monitor the most CPU-intensive sandboxes. This command is similar to | 59 | Monitor the most CPU-intensive sandboxes. This command is similar to |
60 | the regular UNIX top command, however it applies only to sandboxes. | 60 | the regular UNIX top command, however it applies only to sandboxes. |
61 | .TP | 61 | .TP |
62 | \fB\-\-tree | 62 | \fB\-\-tree |