Baseline firejail 0.9.28

4 files changed, 1520 insertions, 0 deletions

diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
new file mode 100644
index 000000000..6613dc044
--- /dev/null
+++ b/src/man/firejail-login.txt
@@ -0,0 +1,36 @@
+.TH man 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
+.SH NAME
+login.users \- Login file syntax for Firejail
+
+.SH DESCRIPTION
+/etc/firejail/login.users file describes additional arguments passed to firejail executable
+upon user logging into a Firejail restircted shell. Each user entry in the file consists of
+a user name followed by the arguments passed to firejail. The format is as follows:
+
+        user_name: arguments
+
+Example:
+
+        netblue:--debug --net=none
+
+.SH RESTRICTED SHELL
+To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
+/etc/password file for each user that needs to be restricted. Alternatively,
+you can specify /usr/bin/firejail  in adduser command:
+
+adduser \-\-shell /usr/bin/firejail username
+
+.SH FILES
+/etc/firejail/login.users
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.sourceforge.net
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirejail-profile\fR\|(5)
+
+
+
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
new file mode 100644
index 000000000..46da19ecd
--- /dev/null
+++ b/src/man/firejail-profile.txt
@@ -0,0 +1,181 @@
+.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
+.SH NAME
+profile \- Profile file syntax for Firejail
+
+.SH USAGE
+.TP
+firejail \-\-profile=filename.profile
+
+.SH DESCRIPTION
+Several Firejail command line configuration options can be passed to the program using
+profile files. Default Firejail profile files are stored in /etc/firejail
+directory and ~/.config/firejail directory.
+
+.SH Scripting
+Include and comment support:
+
+.TP
+\f\include other.profile
+Include other.profile file.
+.TP
+# this is a comment
+
+.SH Filesystem
+These profile entries define a chroot filesystem built on top of the existing
+host filesystem. Each line describes a file element that is removed from
+the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
+a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
+or mount-bind a directory  or file on top of another directory or file (\fBbind\fR).
+Use \fBprivate\fR to set private mode.
+File globbing is supported, and PATH and HOME directories are searched.
+Examples:
+.TP
+\f\blacklist /usr/bin
+Remove /usr/bin directory.
+.TP
+\f\blacklist /etc/password
+Remove /etc/password file.
+.TP
+\f\read-only /etc/password
+Read-only /etc/password file.
+.TP
+tmpfs /etc
+Mount an empty tmpfs filesystem on top of /etc directory.
+.TP
+bind /root/config/ssh,/etc/ssh
+Mount-bind /root/config/ssh on /etc/ssh.
+.TP
+\f\blacklist /usr/bin/gcc*
+Remove all gcc files in /usr/bin (file globbing).
+.TP
+\f\blacklist ${PATH}/ifconfig
+Remove ifconfig command from the regular path directories.
+.TP
+\f\blacklist ${HOME}/.ssh
+Remove .ssh directory from user home directory.
+.TP
+\f\private
+Mount new /root and /home/user directories in temporary
+filesystems. All modifications are discarded when the sandbox is
+closed.
+.TP
+\f\private directory
+Use directory as user home.
+.TP
+\f\private.keep file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.TP
+\f\private-dev
+Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.
+
+.SH Filters
+\fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:
+
+.TP
+caps
+Enable default Linux capabilities filter.
+.TP
+caps.drop all
+Blacklist all Linux capabilities.
+.TP
+caps.drop capability,capability,capability
+Blacklist Linux capabilities filter.
+.TP
+caps.drop capability,capability,capability
+Whitelist Linux capabilities filter.
+.TP
+\f\seccomp
+Enable default seccomp filter.
+.TP
+\f\seccomp syscall,syscall,syscall
+Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
+.TP
+\f\seccomp.drop syscall,syscall,syscall
+Enable seccomp filter and blacklist  the system calls in the list.
+.TP
+\f\seccomp.keep syscall,syscall,syscall
+Enable seccomp filter and whitelist the system calls in the list.
+
+
+.SH User Namespace
+Use \fBnoroot\fR to enable an user namespace. The namespace has only one user, the current user.
+There is no root account defined in the namespace.
+
+.TP
+noroot
+Enable an user namespace without root user defined.
+
+
+.SH Resource limits
+These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
+The limits can be modified inside the sandbox using the regular \fBulimt\fR command. Examples:
+
+.TP
+\f\rlimit-fsize 1024
+Set the maximum file size that can be created by a process to 1024 bytes.
+.TP
+\f\rlimit-nproc 1000
+Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.
+.TP
+\f\rlimit-nofile 500
+Set the maximum number of files that can be opened by a process to 500.
+.TP
+\f\rlimit-sigpending 200
+Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
+
+.SH CPU Affinity
+Set the CPU cores available for this sandbox. Examples:
+
+.TP
+cpu 1,2,3
+Use only CPU cores 0, 1 and 2.
+
+.SH Control Groups
+Place the sandbox in an existing control group specified by the full path of the task file. Example:
+
+.TP
+cgroup /sys/fs/cgroup/g1/tasks
+The sandbox is placed in g1 control group.
+
+.SH User Environment
+
+.TP
+nogroups
+Disable supplementary user groups
+.TP
+shell none
+Run the program directly, without a shell.
+
+.SH Networking
+Networking features available in profile files.
+
+.TP
+netfilter
+If a new network namespace is created, enabled default network filter.
+
+.TP
+netfilter filename
+If a new network namespace is created, enabled the network filter in filename.
+
+.TP
+dns address
+Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+
+
+.SH FILES
+/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.sourceforge.net
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirejail-login\fR\|(5)
+
+
+
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
new file mode 100644
index 000000000..51f21975e
--- /dev/null
+++ b/src/man/firejail.txt
@@ -0,0 +1,1196 @@
+.TH man 1 "MONTH YEAR" "VERSION" "firejail man page"
+.SH NAME
+Firejail \- Linux namespaces sandbox program
+.SH SYNOPSIS
+Start a sandbox:
+.PP
+.RS
+firejail [OPTIONS] [program and arguments]
+.RE
+.PP
+Network traffic shaping for an existing sandbox:
+.PP
+.RS
+firejail \-\-bandwidth={<name>|<PID>} bandwidth-command
+.RE
+.PP
+Monitoring:
+.PP
+.RS
+firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree}
+.RE
+.PP
+Miscellaneous:
+.PP
+.RS
+firejail {\-? | \-\-debug-caps | \-\-debug-syscalls | \-\-help |
+.br
+\-\-version}
+.RE
+.SH DESCRIPTION
+Firejail is a SUID sandbox program that reduces the risk of security breaches by
+restricting the running environment of untrusted applications using Linux
+namespaces, seccomp-bpf and Linux capabilities.
+It allows a process and all its descendants to have their own private view of the
+globally shared kernel resources, such as the network stack, process table, mount table.
+Firejail can work in a SELinux or AppArmor environment,
+and it is integrated with Linux Control Groups.
+.PP
+Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version
+or newer.
+It can sandbox any type of processes: servers, graphical applications, and even user login sessions. 
+The software includes sandbox profiles for a number of more common
+Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.SH USAGE
+Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,
+and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.
+The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.
+Only /home, /tmp and /var directories are writable.
+.PP
+If no program is specified as an argument, /bin/bash is started by default.
+Examples:
+.PP
+$ firejail [OPTIONS]                # starting a /bin/bash shell
+.PP
+$ firejail [OPTIONS] firefox        # starting Mozilla Firefox
+.PP
+Multiple commands can be run in sandbox using regular bash logic operators:
+.PP
+$ sudo firejail [OPTIONS] "/etc/init.d/nginx start && sleep inf"
+.PP
+In the previous example, "sleep inf" command is required in order to keep the session open for the daemon program.
+
+.SH OPTIONS
+.TP
+\fB\-\-
+Signal the end of options and disables further option processing.
+.TP
+\fB\-\-bandwidth=name
+Set bandwidth limits for the sandbox identified by name, see TRAFFIC SHAPING section for more details.
+.TP
+\fB\-\-bandwidth=pid
+Set bandwidth limits for the sandbox identified by PID, see TRAFFIC SHAPING section for more details.
+.TP
+\fB\-\-bind=dirname1,dirname2
+Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root.
+.br
+
+.br
+Example:
+.br
+# firejail \-\-bind=/config/www,/var/www
+.TP
+\fB\-\-bind=filename1,filename2
+Mount-bind filename1 on top of filename2. This option is only available when running as root.
+.br
+
+.br
+Example:
+.br
+# firejail \-\-bind=/config/etc/passwd,/etc/passwd
+.TP
+\fB\-\-blacklist=dirname_or_filename
+Blacklist directory or file.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
+.TP
+\fB\-c
+Execute command and exit.
+.TP
+\fB\-\-caps
+Linux capabilities is a kernel feature designed to split up the root privilege into a set of distinct privileges.
+These privileges can be enabled or disabled independently, thus restricting what a process running
+as root can do in the system.
+
+By default root programs run with all capabilities enabled. \-\-caps option disables the following capabilities:
+CAP_SYS_MODULE, CAP_SYS_RAWIO,
+CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.
+The filter is applied to all processes started in the sandbox.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail \-\-caps "/etc/init.d/nginx start && sleep inf"
+
+.TP
+\fB\-\-caps.drop=all
+Drop all capabilities for the processes running in the sandbox. This option is recommended for running GUI programs
+or any other program that doesn't require root privileges. It is a must-have option for sandboxing untrusted programs
+installed from unofficial sources - such as games, Java programs, etc.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-caps.drop=all warzone2100
+
+.TP
+\fB\-\-caps.drop=capability,capability,capability
+Define a custom blacklist Linux capabilities filter.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw
+
+.TP
+\fB\-\-caps.keep=capability,capability,capability
+Define a custom whitelist Linux capabilities filter.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\
+setuid "/etc/init.d/nginx start && sleep inf"
+
+.TP
+\fB\-\-caps.print=name
+Print the caps filter for the sandbox identified by name.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+[...]
+.br
+$ firejail \-\-caps.print=mygame
+
+.TP
+\fB\-\-caps.print=pid
+Print the caps filter for a sandbox identified by PID.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-caps.print=3272
+
+.TP
+\fB\-\-cgroup=tasks-file
+Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
+.br
+
+.br
+Example:
+.br
+# firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks
+
+.TP
+\fB\-\-chroot=dirname
+Chroot the sandbox into a root filesystem. If the sandbox is started as a
+regular user, default seccomp and capabilities filters are eanbled.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-chroot=/media/ubuntu warzone2100
+
+.TP
+\fB\-\-cpu=cpu-number,cpu-number,cpu-number
+Set CPU affinity.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-cpu=0,1 handbrake
+
+.TP
+\fB\-\-csh
+Use /bin/csh as default user shell.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-csh
+.TP
+\fB\-\-debug\fR
+Print debug messages.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug firefox
+.TP
+\fB\-\-debug-syscalls
+Print all recognized system calls in the current Firejail software build and exit.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-syscalls
+.TP
+\fB\-\-debug-caps
+Print all recognized capabilities in the current Firejail software build and exit.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-caps
+.TP
+\fB\-\-defaultgw=address
+Use this address as default gateway in the new network namespace.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
+
+.TP
+\fB\-\-dns=address
+Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+Use this option if you don't trust the DNS setup on your network.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
+
+.TP
+\fB\-\-dns.print=name
+Print DNS configuration for a sandbox identified by name.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+[...]
+.br
+$ firejail \-\-dns.print=mygame
+
+.TP
+\fB\-\-dns.print=pid
+Print DNS configuration for a sandbox identified by PID.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-dns.print=3272
+
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options end exit.
+.TP
+\fB\-\-ip=address
+Assign IP addresses to the last network interface defined by a \-\-net option. A
+default gateway is assigned by default.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox
+
+.TP
+\fB\-\-ip=none
+No IP address and no default gateway are configured for the last interface
+defined by a \-\-net option. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-\ip=none
+
+.TP
+\fB\-\-iprange=address,address
+Assign an IP address in the provided range to the last network interface defined by a \-\-net option. A
+default gateway is assigned by default.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
+
+.TP
+\fB\-\-ipc-namespace
+Enable  a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
+for sandboxes started as root.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-ipc-namespace firefox
+.TP
+\fB\-\-join=name
+Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+If a program is specified, the program is run in the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+[...]
+.br
+$ firejail \-\-join=mygame
+
+
+.TP
+\fB\-\-join=pid
+Join the sandbox identified by PID. By default a /bin/bash shell is started after joining the sandbox.
+If a program is specified, the program is run in the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-join=3272
+
+.TP
+\fB\-\-list
+List all sandboxes, see MONITORING section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+7015:netblue:firejail firefox 
+.br
+7056:netblue:firejail \-\-net=eth0 transmission-gtk 
+.br
+7064:netblue:firejail \-\-noroot xterm 
+.br
+$ 
+.TP
+\fB\-\-mac=address
+Assign MAC addresses to the last network interface defined by a \-\-net option.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
+
+.TP
+\fB\-\-name=name
+Set sandbox hostname. Several options, such as \-\-join and \-\-shutdown, can use
+this name to identify a sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=mybrowser firefox
+
+.TP
+\fB\-\-net=bridge_interface
+Enable a new network namespace and connect it to this bridge interface.
+Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned
+automatically to the sandbox. The IP address is verified using ARP before assignment. The address
+configured as default gateway is the bridge device IP address. Up to four \-\-net
+bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
+.br
+
+.br
+Example:
+.br
+$ sudo brctl addbr br0
+.br
+$ sudo ifconfig br0 10.10.20.1/24
+.br
+$ sudo brctl addbr br1
+.br
+$ sudo ifconfig br1 10.10.30.1/24
+.br
+$ firejail \-\-net=br0 \-\-net=br1
+
+.TP
+\fB\-\-net=ethernet_interface
+Enable a new network namespace and connect it
+to this ethernet interface using the standard Linux macvlan
+driver. Unless specified with option \-\-ip and \-\-defaultgw, an
+IP address and a default gateway will be assigned automatically
+to the sandbox. The IP address is verified using ARP before
+assignment. The address configured as default gateway is the
+default gateway of the host. Up to four \-\-net devices can
+be defined. Mixing bridge and macvlan devices is allowed.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
+
+.TP
+\fB\-\-net=none
+Enable a new, unconnected network namespace. The only interface
+available in the new namespace is a new loopback interface (lo).
+Use this option to deny
+network access to programs that don't really need network access.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=none vlc
+
+.TP
+\fB\-\-netfilter
+Enable a default client network filter in the new network namespace.
+New network namespaces are created using \-\-net option. If a new network namespaces is not created,
+\-\-netfilter option does nothing.
+The default filter is as follows:
+.br
+
+.br
+*filter
+.br
+:INPUT DROP [0:0]
+.br
+:FORWARD DROP [0:0]
+.br
+:OUTPUT ACCEPT [0:0]
+.br
+\-A INPUT \-i lo \-j ACCEPT
+.br
+\-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
+.br
+\-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
+.br
+\-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
+.br
+\-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
+.br
+COMMIT
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-netfilter firefox
+.TP
+\fB\-\-netfilter=filename
+Enable the network filter specified by filename in the new network namespace. The filter file format
+is the format of iptables-save and iptable-restore commands.
+New network namespaces are created using \-\-net option. If a new network namespaces is not created,
+\-\-netfilter option does nothing.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-netfilter=myfile firefox
+.TP
+\fB\-\-netstats
+Monitor network namespace statistics, see MONITORING section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-netstats
+.br
+PID  User    RX(KB/s) TX(KB/s) Command
+.br
+1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
+.br
+7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
+
+
+.TP
+\fB\-\-nogroups
+Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
+sandbox. For root user supplementary groups are always disabled.
+.br
+
+.br
+Example:
+.br
+$ id
+.br
+uid=1000(netblue) gid=1000(netblue) groups=1000(netblue),24(cdrom),25(floppy),27(sudo),29(audio)
+.br
+$ firejail \-\-nogroups
+.br
+Parent pid 8704, child pid 8705
+.br
+Child process initialized
+.br
+$ id
+.br
+uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
+.br
+$
+
+.TP
+\fB\-\-noroot
+Install a user namespace with a single user - the current user.
+root user does not exist in the new namespace. This option
+requires a Linux kernel version 3.8 or newer. The option
+is not supported for \-\-chroot and \-\-overlay configurations,
+or for sandboxes started as root.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noroot
+.br
+Parent pid 8553, child pid 8554
+.br
+Child process initialized
+.br
+$ ping google.com
+.br
+ping: icmp open socket: Operation not permitted
+.br
+$
+.TP
+\fB\-\-output=logfile
+stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
+rotation. Five files with prefixes .1 to .5 are used in rotation.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-output=sandboxlog /bin/bash
+.br
+[...]
+.br
+$ ls -l sandboxlog*
+.br
+-rw-r--r-- 1 netblue netblue 333890 Jun  2 07:48 sadnboxlog
+.br
+-rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.1
+.br
+-rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.2
+.br
+-rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.3
+.br
+-rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.4
+.br
+-rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.5
+
+.TP
+\fB\-\-overlay
+Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
+and are discarded when the sandbox is closed.
+.br
+
+.br
+OverlayFS support is required in Linux kernel for this option to work.
+OverlayFS was officially introduced in Linux kernel version 3.18. It was also
+available in earlier kernel versions in some distributions such as Ubuntu and OpenSUSE. 
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-overlay firefox
+
+.TP
+\fB\-\-private
+Mount new /root and /home/user directories in temporary
+filesystems. All modifications are discarded when the sandbox is
+closed.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private firefox
+.TP
+\fB\-\-private=directory
+Use directory as user home.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private=/home/netblue/firefox-home firefox
+
+.TP
+\fB\-\-private.keep=file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private.keep=.mozilla firefox
+.TP
+\fB\-\-private-dev
+Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private-dev
+.br
+Parent pid 9887, child pid 9888
+.br
+Child process initialized
+.br
+$ ls /dev
+.br
+full  null  ptmx  pts  random  shm  tty  urandom  zero
+.br
+$
+.TP
+\fB\-\-profile=filename
+Load a custom profile from filename. For filename use an absolute path or a path relative to the current path.
+For more information, see PROFILES section below.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-profile=myprofile
+.TP
+\fB\-\-read-only=dirname_or_filename
+Set directory or file read-only.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-read-only=~/.mozilla firefox
+.TP
+\fB\-\-rlimit-fsize=number
+Set the maximum file size that can be created by a process.
+.TP
+\fB\-\-rlimit-nofile=number
+Set the maximum number of files that can be opened by a process.
+.TP
+\fB\-\-rlimit-nproc=number
+Set the maximum number of processes that can be created for the real user ID of the calling process.
+.TP
+\fB\-\-rlimit-sigpending=number
+Set the maximum number of pending signals for a process.
+.TP
+\fB\-\-scan
+ARP-scan all the networks from inside a network namespace.
+This makes it possible to detect macvlan kernel device drivers running on the current host.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-scan
+.TP
+\fB\-\-seccomp
+Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
+mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
+iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-sccomp
+.TP
+\fB\-\-seccomp=syscall,syscall,syscall
+Enable seccomp filter, blacklist the default list and the syscalls specified by the command.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-seccomp=utime,utimensat,utimes firefox
+.TP
+\fB\-\-seccomp.drop=syscall,syscall,syscall
+Enable seccomp filter, and blacklist the syscalls specified by the command.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-seccomp.drop=utime,utimensat,utimes
+.TP
+\fB\-\-seccomp.keep=syscall,syscall,syscall
+Enable seccomp filter, and whitelist the syscalls specified by the command.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk
+.TP
+\fB\-\-seccomp.print=name
+Print the seccomp filter for the sandbox started using \-\-name option.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=browser firefox &
+.br
+$ firejail \-\-seccomp.print=browser
+.br
+SECCOMP Filter:
+.br
+  VALIDATE_ARCHITECTURE
+.br
+  EXAMINE_SYSCAL
+.br
+  BLACKLIST 165 mount
+.br
+  BLACKLIST 166 umount2
+.br
+  BLACKLIST 101 ptrace
+.br
+  BLACKLIST 246 kexec_load
+.br
+  BLACKLIST 304 open_by_handle_at
+.br
+  BLACKLIST 175 init_module
+.br
+  BLACKLIST 176 delete_module
+.br
+  BLACKLIST 172 iopl
+.br
+  BLACKLIST 173 ioperm
+.br
+  BLACKLIST 167 swapon
+.br
+  BLACKLIST 168 swapoff
+.br
+  BLACKLIST 103 syslog
+.br
+  BLACKLIST 310 process_vm_readv
+.br
+  BLACKLIST 311 process_vm_writev
+.br
+  BLACKLIST 133 mknod
+.br
+  BLACKLIST 139 sysfs
+.br
+  BLACKLIST 156 _sysctl
+.br
+  BLACKLIST 159 adjtimex
+.br
+  BLACKLIST 305 clock_adjtime
+.br
+  BLACKLIST 212 lookup_dcookie
+.br
+  BLACKLIST 298 perf_event_open
+.br
+  BLACKLIST 300 fanotify_init
+.br
+  RETURN_ALLOW
+.br
+$ 
+.TP
+\fB\-\-seccomp.print=pid
+Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+10786:netblue:firejail \-\-name=browser firefox 
+$ firejail \-\-seccomp.print=10786
+.br
+SECCOMP Filter:
+.br
+  VALIDATE_ARCHITECTURE
+.br
+  EXAMINE_SYSCAL
+.br
+  BLACKLIST 165 mount
+.br
+  BLACKLIST 166 umount2
+.br
+  BLACKLIST 101 ptrace
+.br
+  BLACKLIST 246 kexec_load
+.br
+  BLACKLIST 304 open_by_handle_at
+.br
+  BLACKLIST 175 init_module
+.br
+  BLACKLIST 176 delete_module
+.br
+  BLACKLIST 172 iopl
+.br
+  BLACKLIST 173 ioperm
+.br
+  BLACKLIST 167 swapon
+.br
+  BLACKLIST 168 swapoff
+.br
+  BLACKLIST 103 syslog
+.br
+  BLACKLIST 310 process_vm_readv
+.br
+  BLACKLIST 311 process_vm_writev
+.br
+  BLACKLIST 133 mknod
+.br
+  BLACKLIST 139 sysfs
+.br
+  BLACKLIST 156 _sysctl
+.br
+  BLACKLIST 159 adjtimex
+.br
+  BLACKLIST 305 clock_adjtime
+.br
+  BLACKLIST 212 lookup_dcookie
+.br
+  BLACKLIST 298 perf_event_open
+.br
+  BLACKLIST 300 fanotify_init
+.br
+  RETURN_ALLOW
+.br
+$ 
+.TP
+\fB\-\-shell=none
+Run the program directly, without a user shell.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-shell=none script.sh
+.TP
+\fB\-\-shell=program
+Set default user shell. Use this shell to run the application using \-c shell option.
+For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
+By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
+shell.
+.br
+
+.br
+Example:
+$firejail \-\-shell=/bin/dash script.sh
+.TP
+\fB\-\-shutdown=name
+Shutdown the sandbox started using \-\-name option.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+[...]
+.br
+$ firejail \-\-shutdown=mygame
+.TP
+\fB\-\-shutdown=pid
+Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-shutdown=3272
+.TP
+\fB\-\-tmpfs=dirname
+Mount a tmpfs filesystem on directory dirname.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-tmpfs=/var
+.TP
+\fB\-\-top
+Monitor the most CPU-intensive sandboxes, see MONITORING section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-top
+.TP
+\fB\-\-trace
+Trace open, access and connect system calls.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-trace wget -q www.debian.org
+.br
+Parent pid 11793, child pid 11794
+.br
+Child process initialized
+.br
+1:bash:open /dev/tty
+.br
+1:wget:fopen64 /etc/wgetrc
+.br
+1:wget:fopen /etc/hosts
+.br
+1:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP
+.br
+1:wget:connect 8.8.8.8:53
+.br
+1:wget:socket AF_INET SOCK_STREAM IPPROTO_IP
+.br
+1:wget:connect 140.211.15.34:80
+.br
+1:wget:fopen64 index.html.1
+.br
+
+.br
+parent is shutting down, bye...
+.TP
+\fB\-\-tree
+Print a tree of all sandboxed processes, see MONITORING section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-tree
+.br
+11903:netblue:firejail iceweasel
+.br
+  11904:netblue:iceweasel 
+.br
+    11957:netblue:/usr/lib/iceweasel/plugin-container
+.br
+11969:netblue:firejail \-\-net=eth0 transmission-gtk 
+.br
+  11970:netblue:transmission-gtk 
+.TP
+\fB\-\-version
+Print program version and exit.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-version
+.br
+firejail version 0.9.27
+.TP
+\fB\-\-zsh
+Use /usr/bin/zsh as default user shell.
+.br
+
+.br
+Example:
+.br
+$ firejakil \-\-zsh
+.SH TRAFFIC SHAPING
+Network bandwidth is an expensive resource shared among all sandboxes running on a system.
+Traffic shaping allows the user to increase network performance by controlling
+the amount of data that flows into and out of the sandboxes.
+
+Firejail implements a simple rate-limiting shaper based on Linux command tc.
+The shaper works at sandbox level, and can be used only for sandboxes configured with new network namespaces.
+
+Set rate-limits:
+
+        firejail --bandwidth={name|pid} set network download upload
+
+Clear rate-limits:
+
+        firejail --bandwidth={name|pid} clear network
+
+Status:
+
+        firejail --bandwidth={name|pid} status
+
+where:
+.br
+        name - sandbox name
+.br
+        pid - sandbox pid
+.br
+        network - network interface as used by \-\-net option
+.br
+        download - download speed in KB/s (kilobyte per second)
+.br
+        upload - upload speed in KB/s (kilobyte per second)
+
+Example:
+.br
+        $ firejail \-\-name=mybrowser \-\-net=eth0 firefox &
+.br
+        $ firejail \-\-bandwidth=mybrowser set eth0 80 20
+.br
+        $ firejail \-\-bandwidth=mybrowser status
+.br
+        $ firejail \-\-bandwidth=mybrowser clear eth0
+
+.SH MONITORING
+Option \-\-list prints a list of all sandboxes. The format
+for each process entry is as follows:
+
+        PID:USER:Command
+
+Option \-\-tree prints the tree of processes running in the sandbox. The format
+for each process entry is as follows:
+
+        PID:USER:Command
+
+Option \-\-top is similar to the UNIX top command, however it applies only to
+sandboxes.
+
+Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces.
+
+
+Listed below are the available fields (columns) in alphabetical
+order for \-\-top and \-\-netstat options:
+
+.TP
+Command
+Command used to start the sandbox.
+.TP
+CPU%
+CPU usage, the sandbox share of the elapsed CPU time since the
+last screen update
+.TP
+PID
+Unique process ID for the task controlling the sandbox.
+.TP
+Prcs
+Number of processes running in sandbox, including the controlling process.
+.TP
+RES
+Resident Memory Size (KiB), sandbox non-swapped physical memory.
+It is a sum of the RES values for all processes running in the sandbox.
+.TP
+RX(KB/s)
+Network receive speed.
+.TP
+SHR
+Shared Memory Size (KiB), it reflects memory shared with other
+processes. It is a sum of the SHR values for all processes running
+in the sandbox, including the controlling process.
+.TP
+TX(KB/s)
+Network transmit speed.
+.TP
+Uptime
+Sandbox running time in hours:minutes:seconds format.
+.TP
+User
+The owner of the sandbox.
+
+.SH PROFILES
+Several command line configuration options can be passed to the program using
+profile files. Firejail supports user specified profile files and automatic profile files,
+as follows:
+
+1. Load a specific profile file from a full path, or a path relative to the current directory.
+Example:
+.PP
+.RS
+$ firejail --profile=/home/netblue/icecat.profile icecat
+.RE
+
+2. Load a default profile file automatically from ~/.config/firejail or from /etc/firejail, based 
+on the name of the executable started in the sandbox. Example:
+.PP
+.RS
+$ firejail icecat
+.br
+Command name #icecat#
+.br
+.br
+Found icecat profile in /home/netblue/.config/firejail directory
+.br
+Reading profile /home/netblue/.config/firejail/icecat.profile
+.br
+[...]
+.RE
+
+See man 5 firejail-profile for profile file syntax information.
+        
+.SH RESTRICTED SHELL
+To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
+/etc/password file for each user that needs to be restricted. Alternatively,
+you can specify /usr/bin/firejail  in adduser command:
+
+adduser \-\-shell /usr/bin/firejail username
+
+Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
+
+.SH EXAMPLES
+.TP
+\f\firejail
+Start a regular /bin/bash session in sandbox.
+.TP
+\f\firejail firefox
+Start Mozilla Firefox.
+.TP
+\f\firejail \-\-seccomp firefox
+Start Mozilla Firefox in a seccomp sandbox.
+.TP
+\f\firejail \-\-caps firefox
+Start Mozilla Firefox in a Linux capabilities sandbox.
+.TP
+\f\firejail \-\-debug firefox
+Debug Firefox sandbox.
+.TP
+\f\firejail \-\-private
+Start a /bin/bash session with a new tmpfs home directory.
+.TP
+\f\firejail \-\-net=br0 ip=10.10.20.10
+Start a /bin/bash session in a new network namespace. The session is
+connected to the main network using br0 bridge device. An IP address
+of 10.10.20.10 is assigned to the sandbox.
+.TP
+\f\firejail \-\-net=br0 \-\-net=br1 \-\-net=br2
+Start a /bin/bash session in a new network namespace and connect it
+to br0, br1, and br2 host bridge devices.
+.TP
+\f\firejail \-\-list
+List all sandboxed processes.
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.sourceforge.net
+.SH SEE ALSO
+\&\flfiremon\fR\|(1),
+\&\flfirejail-profile\fR\|(5),
+\&\flfirejail-login\fR\|(5)
+
+
+
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
new file mode 100644
index 000000000..b6010f46e
--- /dev/null
+++ b/src/man/firemon.txt
@@ -0,0 +1,107 @@
+.TH man 1 "MONTH YEAR" "VERSION" "firemon man page"
+.SH NAME
+Firemon \- Monitoring program for processes started in a Firejail sandbox.
+.SH SYNOPSIS
+firemon [OPTIONS] [PID]
+.SH DESCRIPTION
+Firemon monitors programs started in a Firejail sandbox.
+Without a PID specified, all processes started by Firejail are monitored. Descendants of
+these processes are also being monitored.
+.SH OPTIONS
+.TP
+\fB\-\-arp
+Print ARP table for each sandbox.
+.TP
+\fB\-\-caps
+Print capabilities configuration for each sandbox.
+.TP
+\fB\-\-cgroup
+Print control group information for each sandbox.
+.TP
+\fB\-\-cpu
+Print CPU affinity for each sandbox.
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options end exit.
+.TP
+\fB\-\-interface
+Print network interface information for each sandbox.
+.TP
+\fB\-\-list
+List all sandboxes.
+.TP
+\fB\-\-name=name
+Print information only about named sandbox.
+.TP
+\fB\-\-netstats
+Monitor network statistics for sandboxes creating a new network namespace.
+.TP
+\fB\-\-route
+Print route table for each sandbox.
+.TP
+\fB\-\-seccomp
+Print seccomp configuration for each sandbox.
+.TP
+\fB\-\-top
+Monitor the most CPU-intensive sandboxes.
+.TP
+\fB\-\-tree
+Print a tree of all sandboxed processes.
+.TP
+\fB\-\-version
+Print program version and exit.
+
+.PP
+Option \-\-list prints a list of all sandboxes. The format
+for each entry is as follows:
+
+        PID:USER:Command
+
+Option \-\-tree prints the tree of processes running in the sandbox. The format
+for each process entry is as follows:
+
+        PID:USER:Command
+
+Option \-\-top is similar to the UNIX top command, however it applies only to
+sandboxes. Listed below are the available fields (columns) in alphabetical
+order:
+
+.TP
+Command
+Command used to start the sandbox.
+.TP
+CPU%
+CPU usage, the sandbox share of the elapsed CPU time since the
+last screen update
+.TP
+PID
+Unique process ID for the task controlling the sandbox.
+.TP
+Prcs
+Number of processes running in sandbox, including the controlling process.
+.TP
+RES
+Resident Memory Size (KiB), sandbox non-swapped physical memory.
+It is a sum of the RES values for all processes running in the sandbox.
+.TP
+SHR
+Shared Memory Size (KiB), it reflects memory shared with other
+processes. It is a sum of the SHR values for all processes running
+in the sandbox, including the controlling process.
+.TP
+Uptime
+Sandbox running time in hours:minutes:seconds format.
+.TP
+User
+The owner of the sandbox.
+
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.sourceforge.net
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfirejail-profile\fR\|(5),
+\&\flfirejail-login\fR\|(5)
+
+