diff options
| author |  Reiner Herrmann <reiner@reiner-h.de> | 2021-06-21 23:10:09 +0200 |
|---|---|---|
| committer | Reiner Herrmann <reiner@reiner-h.de> | 2021-06-21 23:10:09 +0200 |
| commit | 0f0325459e211ff31895ed7cbbbaae6c2c6ae9a2 (patch) | |
| tree | 0875693a6ceef54818511972601d587a09a1aab4 /src/man | |
| parent | style: grammer and codestyle improvements (diff) | |
| parent | creating alpine.profile (#4350) (diff) | |
| download | firejail-0f0325459e211ff31895ed7cbbbaae6c2c6ae9a2.tar.gz firejail-0f0325459e211ff31895ed7cbbbaae6c2c6ae9a2.tar.zst firejail-0f0325459e211ff31895ed7cbbbaae6c2c6ae9a2.zip | |
Merge branch 'master' into kuesji/master
Diffstat (limited to 'src/man')
| -rw-r--r-- | src/man/firejail-profile.txt | 7 | ||||
| -rw-r--r-- | src/man/firejail.txt | 10 | ||||
| -rw-r--r-- | src/man/jailcheck.txt | 12 |
3 files changed, 21 insertions, 8 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 12e841af5..db58e0910 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -420,7 +420,7 @@ Make directory or file read-only. | |||
| 420 | Make directory or file read-write. | 420 | Make directory or file read-write. |
| 421 | .TP | 421 | .TP |
| 422 | \fBtmpfs directory | 422 | \fBtmpfs directory |
| 423 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | 423 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. |
| 424 | .TP | 424 | .TP |
| 425 | \fBtracelog | 425 | \fBtracelog |
| 426 | Blacklist violations logged to syslog. | 426 | Blacklist violations logged to syslog. |
| @@ -428,8 +428,9 @@ Blacklist violations logged to syslog. | |||
| 428 | \fBwhitelist file_or_directory | 428 | \fBwhitelist file_or_directory |
| 429 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | 429 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the |
| 430 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | 430 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, |
| 431 | everything else is discarded when the sandbox is closed. The top directory could be | 431 | everything else is discarded when the sandbox is closed. The top directory can be |
| 432 | user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp. | 432 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and |
| 433 | all directories in /usr. | ||
| 433 | .br | 434 | .br |
| 434 | 435 | ||
| 435 | .br | 436 | .br |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c72a1dbd8..d18811316 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -2568,14 +2568,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified | |||
| 2568 | $ firejail \-\-timeout=01:30:00 firefox | 2568 | $ firejail \-\-timeout=01:30:00 firefox |
| 2569 | .TP | 2569 | .TP |
| 2570 | \fB\-\-tmpfs=dirname | 2570 | \fB\-\-tmpfs=dirname |
| 2571 | Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root. | 2571 | Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
| 2572 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
| 2573 | .br | 2572 | .br |
| 2574 | 2573 | ||
| 2575 | .br | 2574 | .br |
| 2576 | Example: | 2575 | Example: |
| 2577 | .br | 2576 | .br |
| 2578 | # firejail \-\-tmpfs=/var | 2577 | $ firejail \-\-tmpfs=~/.local/share |
| 2579 | .TP | 2578 | .TP |
| 2580 | \fB\-\-top | 2579 | \fB\-\-top |
| 2581 | Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. | 2580 | Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. |
| @@ -2725,8 +2724,9 @@ $ firejail \-\-net=br0 --veth-name=if0 | |||
| 2725 | \fB\-\-whitelist=dirname_or_filename | 2724 | \fB\-\-whitelist=dirname_or_filename |
| 2726 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | 2725 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the |
| 2727 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | 2726 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, |
| 2728 | everything else is discarded when the sandbox is closed. The top directory could be | 2727 | everything else is discarded when the sandbox is closed. The top directory can be |
| 2729 | user home, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var. | 2728 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and |
| 2729 | all directories in /usr. | ||
| 2730 | .br | 2730 | .br |
| 2731 | 2731 | ||
| 2732 | .br | 2732 | .br |
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt index c80e305cc..483f47fb9 100644 --- a/src/man/jailcheck.txt +++ b/src/man/jailcheck.txt | |||
| @@ -23,6 +23,8 @@ them from inside the sandbox. | |||
| 23 | .TP | 23 | .TP |
| 24 | \fB5. Seccomp test | 24 | \fB5. Seccomp test |
| 25 | .TP | 25 | .TP |
| 26 | \fB6. Networking test | ||
| 27 | .TP | ||
| 26 | The program is started as root using sudo. | 28 | The program is started as root using sudo. |
| 27 | 29 | ||
| 28 | .SH OPTIONS | 30 | .SH OPTIONS |
| @@ -56,6 +58,8 @@ $ sudo jailcheck | |||
| 56 | .br | 58 | .br |
| 57 | Warning: I can run programs in /home/netblue | 59 | Warning: I can run programs in /home/netblue |
| 58 | .br | 60 | .br |
| 61 | Networking: disabled | ||
| 62 | .br | ||
| 59 | 63 | ||
| 60 | .br | 64 | .br |
| 61 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net | 65 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net |
| @@ -64,12 +68,16 @@ $ sudo jailcheck | |||
| 64 | .br | 68 | .br |
| 65 | Warning: I can read ~/.ssh | 69 | Warning: I can read ~/.ssh |
| 66 | .br | 70 | .br |
| 71 | Networking: enabled | ||
| 72 | .br | ||
| 67 | 73 | ||
| 68 | .br | 74 | .br |
| 69 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage | 75 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage |
| 70 | .br | 76 | .br |
| 71 | Virtual dirs: /tmp, /var/tmp, /dev, | 77 | Virtual dirs: /tmp, /var/tmp, /dev, |
| 72 | .br | 78 | .br |
| 79 | Networking: enabled | ||
| 80 | .br | ||
| 73 | 81 | ||
| 74 | .br | 82 | .br |
| 75 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox | 83 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox |
| @@ -78,6 +86,8 @@ $ sudo jailcheck | |||
| 78 | .br | 86 | .br |
| 79 | /run/user/1000, | 87 | /run/user/1000, |
| 80 | .br | 88 | .br |
| 89 | Networking: enabled | ||
| 90 | .br | ||
| 81 | 91 | ||
| 82 | .br | 92 | .br |
| 83 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | 93 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor |
| @@ -90,6 +100,8 @@ $ sudo jailcheck | |||
| 90 | .br | 100 | .br |
| 91 | Warning: I can run programs in /home/netblue | 101 | Warning: I can run programs in /home/netblue |
| 92 | .br | 102 | .br |
| 103 | Networking: enabled | ||
| 104 | .br | ||
| 93 | 105 | ||
| 94 | 106 | ||
| 95 | .SH LICENSE | 107 | .SH LICENSE |