author | netblue30 <netblue30@yahoo.com> | 2016-04-21 10:47:52 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-04-21 10:47:52 -0400 |
commit | e547b142597568da678c54da8b5b4164fb3fee86 (patch) | |
tree | 6a738b916c330c85216d0cddcedc971150cb98b2 /src/man | |
parent | added --read-write option (diff) | |
--read-write option
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 21 | ||||
-rw-r--r-- | src/man/firejail.txt | 27 |
2 files changed, 32 insertions, 16 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 8ad2eefad..19063f5ef 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -122,12 +122,6 @@ blacklist ${PATH}/ifconfig | |||
122 | blacklist ${HOME}/.ssh | 122 | blacklist ${HOME}/.ssh |
123 | 123 | ||
124 | .TP | 124 | .TP |
125 | \fBread-only file_or_directory | ||
126 | Make directory or file read-only. | ||
127 | .TP | ||
128 | \fBtmpfs directory | ||
129 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | ||
130 | .TP | ||
131 | \fBbind directory1,directory2 | 125 | \fBbind directory1,directory2 |
132 | Mount-bind directory1 on top of directory2. This option is only available when running as root. | 126 | Mount-bind directory1 on top of directory2. This option is only available when running as root. |
133 | .TP | 127 | .TP |
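Review bot: Pure relocation. The read-only and tmpfs entries removed at lines 125-129 reappear word for word in the next hunk, so no documentation is lost; the only effect is that the entries end up in alphabetical order.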
@@ -182,6 +176,18 @@ All modifications are discarded when the sandbox is closed. | |||
182 | \fBprivate-tmp | 176 | \fBprivate-tmp |
183 | Mount an empty temporary filesystem on top of /tmp directory. | 177 | Mount an empty temporary filesystem on top of /tmp directory. |
184 | .TP | 178 | .TP |
179 | \fBread-only file_or_directory | ||
180 | Make directory or file read-only. | ||
181 | .TP | ||
182 | \fBread-write file_or_directory | ||
183 | Make directory or file read-write. | ||
184 | .TP | ||
185 | \fBtmpfs directory | ||
186 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | ||
187 | .TP | ||
188 | \fBtracelog | ||
189 | Blacklist violations logged to syslog. | ||
190 | .TP | ||
185 | \fBwhitelist file_or_directory | 191 | \fBwhitelist file_or_directory |
186 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. | 192 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. |
187 | The modifications to file_or_directory are persistent, everything else is discarded | 193 | The modifications to file_or_directory are persistent, everything else is discarded |
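Review bot: The new read-write entry at lines 182-183 ("Make directory or file read-write.") omits the restrictions that firejail.txt documents for the same option: it is root-only, it targets files or directories inside the read-only system directories, and it has no effect under --chroot or --overlay. A profile author reading only this page cannot learn that, so carry the caveats over, in the same form the neighbouring tmpfs entry already uses, e.g. "Make a file or directory inside the read-only system directories read-write. This option is available only when running the sandbox as root."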
@@ -194,9 +200,6 @@ when running the sandbox as root user. | |||
194 | \fBwritable-var | 200 | \fBwritable-var |
195 | Mount /var directory read-write. This option is available only | 201 | Mount /var directory read-write. This option is available only |
196 | when running the sandbox as root user. | 202 | when running the sandbox as root user. |
197 | .TP | ||
198 | \fBtracelog | ||
199 | Blacklist violations logged to syslog. | ||
200 | .SH Security filters | 203 | .SH Security filters |
201 | The following security filters are currently implemented: | 204 | The following security filters are currently implemented: |
202 | 205 | ||
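Review bot: Pure relocation of the tracelog entry; the removed text at lines 198-199 matches the copy inserted at lines 188-189 of the previous hunk, so nothing is lost here.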
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 51abaef28..19415a332 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co | |||
50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
51 | 51 | ||
52 | .SH USAGE | 52 | .SH USAGE |
53 | Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, | 53 | Without any options, the sandbox consists of a filesystem build in a new mount namespace, |
54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. | 54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the |
55 | The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. | 55 | command line options. The default Firejail filesystem is based on the host filesystem with the main |
56 | Only /home and /tmp are writable. | 56 | system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, |
57 | /libx32 and /lib64. Only /home and /tmp are writable. | ||
57 | .PP | 58 | .PP |
58 | As it starts up, Firejail tries to find a security profile based on the name of the application. | 59 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
59 | If an appropriate profile is not found, Firejail will use a default profile. | 60 | If an appropriate profile is not found, Firejail will use a default profile. |
60 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 61 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
61 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section. | 62 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
62 | .PP | 63 | .PP |
63 | If a program argument is not specified, Firejail starts /bin/bash shell. | 64 | If a program argument is not specified, Firejail starts /bin/bash shell. |
64 | Examples: | 65 | Examples: |
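Review bot: "a filesystem build in a new mount namespace" at line 53 should read "built"; the typo predates this change, but the line is being rewritten anyway. Also, the list of read-only system directories added at lines 56-57 (/etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32, /lib64) is repeated verbatim under --read-write later in this file; keep the authoritative list in one place and refer to it from the other so the two cannot drift apart when a directory is added.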
@@ -194,7 +195,8 @@ Example: | |||
194 | 195 | ||
195 | .TP | 196 | .TP |
196 | \fB\-\-chroot=dirname | 197 | \fB\-\-chroot=dirname |
197 | Chroot the sandbox into a root filesystem. If the sandbox is started as a | 198 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, |
199 | the system directories are mounted read-write. If the sandbox is started as a | ||
198 | regular user, default seccomp and capabilities filters are enabled. This | 200 | regular user, default seccomp and capabilities filters are enabled. This |
199 | option is not available on Grsecurity systems. | 201 | option is not available on Grsecurity systems. |
200 | .br | 202 | .br |
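Review bot: The sentence added at lines 198-199 tells the reader that under --chroot the system directories are read-write, which is a real weakening relative to the default sandbox. It would help to point from here to --read-write, whose new description already states that it has no effect when --chroot is set, so that the two sections visibly agree on how the read-only protection behaves in this mode.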
@@ -946,7 +948,8 @@ $ ls -l sandboxlog* | |||
946 | 948 | ||
947 | .TP | 949 | .TP |
948 | \fB\-\-overlay | 950 | \fB\-\-overlay |
949 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay. | 951 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, |
952 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
950 | The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. | 953 | The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. |
951 | .br | 954 | .br |
952 | 955 | ||
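Review bot: The added wording at lines 951-952 is copied from the --chroot hunk, but here it is slightly misleading: it says the system directories are mounted read-write, yet the next sentence says all modifications go into the overlay, so the host's /etc, /usr and the others are not actually changed. Make the distinction explicit, e.g. "the system directories appear writable, but all modifications go into the overlay rather than the host filesystem."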
@@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of | |||
1143 | .TP | 1146 | .TP |
1144 | \fB\-\-rlimit-sigpending=number | 1147 | \fB\-\-rlimit-sigpending=number |
1145 | Set the maximum number of pending signals for a process. | 1148 | Set the maximum number of pending signals for a process. |
1149 | |||
1150 | .TP | ||
1151 | \fB\-\-read-write=dirname_or_filename | ||
1152 | By default, the sandbox mounts system directories read-only. | ||
1153 | These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. | ||
1154 | Use this option to mount read-write files or directories inside the system directories. | ||
1155 | |||
1156 | This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these | ||
1157 | cases the system directories are mounted read-write. | ||
1158 | |||
1146 | .TP | 1159 | .TP |
1147 | \fB\-\-scan | 1160 | \fB\-\-scan |
1148 | ARP-scan all the networks from inside a network namespace. | 1161 | ARP-scan all the networks from inside a network namespace. |
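Review bot: Three points on the new --read-write entry. First, placement: it is inserted between --rlimit-sigpending and --scan, but this section lists options alphabetically and "read-write" sorts before "rlimit", so it belongs ahead of the --rlimit-* group. Second, the empty lines at 1155 and 1158 sit inside a .TP paragraph; the rest of this file separates paragraphs with .br (see the --chroot and --overlay entries), so use .br here as well for consistent rendering. Third, the argument is spelled dirname_or_filename here but file_or_directory in firejail-profile.txt; pick one form for both pages. Since this option re-exposes part of the read-only system directories to the sandboxed process, one sentence noting that, unlike --overlay, writes made through it reach the host filesystem would help the reader weigh the trade-off.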