removed --disable-bind configuration option; some ohter minor cleanup

author: startx2017 <vradu.startx@yandex.com> 2018-08-22 08:32:01 -0400
committer: startx2017 <vradu.startx@yandex.com> 2018-08-22 08:32:01 -0400
commit: ddd307e3447e609241abadb8d073e97b948a5bb0 (patch)
tree: 041028cc53f7ab392f124d68dff4cf3f11375de7 /src
parent: relax restrictions imposed on filesystem log (fslogger) in ec7f59b8d370c29bd2... (diff)
download: firejail-ddd307e3447e609241abadb8d073e97b948a5bb0.tar.gz
firejail-ddd307e3447e609241abadb8d073e97b948a5bb0.tar.zst
firejail-ddd307e3447e609241abadb8d073e97b948a5bb0.zip
7 files changed, 2 insertions, 195 deletions
diff --git a/src/common.mk.in b/src/common.mk.in
index fd9f2e5a5..7a2056e7b 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -11,7 +11,6 @@ NAME=@PACKAGE_NAME@
 HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
 HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
@@ -29,7 +28,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@
diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt
deleted file mode 100644
index cfed454f8..000000000
--- a/src/firejail/arg-checking.txt
+++ /dev/null
@@ -1,84 +0,0 @@
-arg checking:
-1. --output=filename
-        - not supported in profiles
-        - checking no "..",
-        - checking no link,
-        - checking no dir,
-        - checking same permissions,
-        - checking no hard links
-        - unit test
-2. --chroot=dirname
-        - not supported in profiles
-        - expand "~"
-        - checking no "..",
-        - checking is dir,
-        - checking no link
-        - checking directory structure
-        - unit test
-3. --bind=dirname1,dirname2, --bind=filename1,filenam2
-        - supported in profiles
-        - accepted only when running as root
-        - checking string chars
-        - checking no ".."
-        - unit test non root
-4. --tmpfs=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-5. --blacklist=filename, --blacklist=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-6. --read-only=filename, --read-only=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-7. --profile=filename
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
-8. --private=dirname
-        - supported in profiles
-        - expand "~"
-        - check is dir
-        - check no link
-        - checking no ".."
-        - check same owner
-        - unit test
-9. --private-home=filelist
-        - supported in profiles
-        - checking no ".."
-        - checking file found
-        - checking same owner
-        - checking no link
-        - unit test
-10. --netfilter=filename
-        - supported in profiles
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
-11. --shell=filename
-        - not supported in profiles
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7483136f4..06820ce24 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -410,14 +410,6 @@ void print_compiletime_support(void) {
 #endif
                );
-        printf("\t- bind support is %s\n",
-#ifdef HAVE_BIND
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
        printf("\t- chroot support is %s\n",
 #ifdef HAVE_CHROOT
                "enabled"
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4faef025a..b3a8dcfd7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1270,7 +1270,6 @@ int main(int argc, char **argv) {
                //*************************************
                else if (strcmp(argv[i], "--allusers") == 0)
                        arg_allusers = 1;
-#ifdef HAVE_BIND
                else if (strncmp(argv[i], "--bind=", 7) == 0) {
                        if (checkcfg(CFG_BIND)) {
                                char *line;
@@ -1283,7 +1282,6 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("bind");
                }
-#endif
                else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
                        char *line;
                        if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)
diff --git a/src/firejail/network.txt b/src/firejail/network.txt
deleted file mode 100644
index 75bdc346d..000000000
--- a/src/firejail/network.txt
+++ /dev/null
@@ -1,95 +0,0 @@
-struct Bridge {
-        char *dev;              // bridge device name
-        uint32_t ip;            // bridge device IP address
-        uint32_t mask;          // bridge device mask
-        uint32_t ipsandbox      // sandbox interface IP address
-}
-net_configure_bridge(br, device) {
-        br->dev  = devname;
-        br->ip = extracted from kernel device - using net_get_if_addr() in network.c
-        br->mask = extracted from kernel device - using net_get_if_addr() in network.c
-        check available network range; /31 networks are not supported
-}
-net_configure_sandbox_ip(br) {
-        if br->ip_sandbox
-                check br->ipsandbox inside the bridge network
-                arp_check(br->ipsandbox)        // send an arp req to check if anybody else is using this address
-        else
-                br->ipsandbox = arp_assign();
-}
-net_configure_veth_pair {
-        create a veth pair
-        place one interface end in the bridge
-        place the other end in the namespace of the child process
-}
-net_bridge_wait_ip {
-        arp_check br->ipsandbox address to come up
-        wait for not more than 5 seconds
-}
-main() {
-        foreach argv[i] {
-                if --net
-                        br = next bridge available
-                        net_configure_bridge(br, device name from argv[i]);
-                else if --ip
-                        br = last bridge configured
-                        br->ipsandbox = ip address extracted from argv[i]
-                else if --defaultgw
-                        cfg.defaultgw = ip address extracted from argv[i]
-        }
-        net_check_cfg(); // check the validity of network configuration so far
-        if (any bridge configured) {
-                lock /var/lock/firejail.lock file
-                for each bridge
-                        net_configure_sandbox_ip(br)
-        }
-        clone (new network namespace if any bridge configured or --net=none)
-        if (any bridge configured) {
-                for each bridge
-                        net_configure_veth_pair
-        }
-        notify child init is done
-        if (any bridge configured) {
-                for each bridge
-                        net_bridge_wait_ip
-                unlock /var/lock/firejail.lock file
-        }
-        wait on child
-        exit
-}
-******************************************************
-* macvlan notes
-******************************************************
-Configure a macvlan interface
-# ip link add virtual0 link eth0 type macvlan mode bridge
-(you can configure it with # ifconfig virtual0 192.168.1.52/24 up)
-Create a new network namespace and move the interface in the new network namespace
-# ip netns add dummy0
-# ip link set virtual0 netns dummy0
-Join the namespace and configure the interfaces
-# ip netns exec dummy0 bash
-# ifconfig lo up
-# ifconfig virtual0 192.168.1.52/24
-Investigate ipvlan interface - added to linux kernel 3.19
-https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 606378908..168d7e268 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1044,7 +1044,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // filesystem bind
        if (strncmp(ptr, "bind ", 5) == 0) {
-#ifdef HAVE_BIND
                if (checkcfg(CFG_BIND)) {
                        if (getuid() != 0) {
                                fprintf(stderr, "Error: --bind option is available only if running as root\n");
@@ -1077,7 +1076,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
                else
                        warning_feature_disabled("bind");
-#endif
                return 0;
        }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 78cd30926..c8866da3a 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -37,10 +37,8 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
        "    --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
-#ifdef HAVE_BIND
        "    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
        "    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-#endif
        "    --blacklist=filename - blacklist directory or file.\n"
        "    --build - build a whitelisted profile for the application.\n"
        "    --build=filename - build a whitelisted profile for the application.\n"
@@ -153,6 +151,7 @@ static char *usage_str =
        "    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
        "    --private - temporary home directory.\n"
        "    --private=directory - use directory as user home.\n"
+        "    --private-cache - temporary ~/.cache directory.\n"
        "    --private-home=file,directory - build a new user home in a temporary\n"
        "\tfilesystem, and copy the files and directories in the list in\n"
        "\tthe new home.\n"
author	startx2017 <vradu.startx@yandex.com>	2018-08-22 08:32:01 -0400
committer	startx2017 <vradu.startx@yandex.com>	2018-08-22 08:32:01 -0400
commit	ddd307e3447e609241abadb8d073e97b948a5bb0 (patch)
tree	041028cc53f7ab392f124d68dff4cf3f11375de7 /src
parent	relax restrictions imposed on filesystem log (fslogger) in ec7f59b8d370c29bd2... (diff)
download	firejail-ddd307e3447e609241abadb8d073e97b948a5bb0.tar.gz firejail-ddd307e3447e609241abadb8d073e97b948a5bb0.tar.zst firejail-ddd307e3447e609241abadb8d073e97b948a5bb0.zip

diff --git a/src/common.mk.in b/src/common.mk.in index fd9f2e5a5..7a2056e7b 100644 --- a/src/common.mk.in +++ b/src/common.mk.in
@@ -11,7 +11,6 @@ NAME=@PACKAGE_NAME@
11	HAVE_SECCOMP_H=@HAVE_SECCOMP_H@	11	HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12	HAVE_SECCOMP=@HAVE_SECCOMP@	12	HAVE_SECCOMP=@HAVE_SECCOMP@
13	HAVE_CHROOT=@HAVE_CHROOT@	13	HAVE_CHROOT=@HAVE_CHROOT@
14	HAVE_BIND=@HAVE_BIND@
15	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@	14	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16	HAVE_NETWORK=@HAVE_NETWORK@	15	HAVE_NETWORK=@HAVE_NETWORK@
17	HAVE_USERNS=@HAVE_USERNS@	16	HAVE_USERNS=@HAVE_USERNS@
@@ -29,7 +28,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
29	OBJS = $(C_FILE_LIST:.c=.o)	28	OBJS = $(C_FILE_LIST:.c=.o)
30	BINOBJS = $(foreach file, $(OBJS), $file)	29	BINOBJS = $(foreach file, $(OBJS), $file)
31		30
32	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	31	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
33	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	32	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
34	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@	33	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
35	EXTRA_CFLAGS +=@EXTRA_CFLAGS@	34	EXTRA_CFLAGS +=@EXTRA_CFLAGS@


diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt deleted file mode 100644 index cfed454f8..000000000 --- a/src/firejail/arg-checking.txt +++ /dev/null
@@ -1,84 +0,0 @@
1	arg checking:
2
3	1. --output=filename
4	- not supported in profiles
5	- checking no "..",
6	- checking no link,
7	- checking no dir,
8	- checking same permissions,
9	- checking no hard links
10	- unit test
11
12	2. --chroot=dirname
13	- not supported in profiles
14	- expand "~"
15	- checking no "..",
16	- checking is dir,
17	- checking no link
18	- checking directory structure
19	- unit test
20
21	3. --bind=dirname1,dirname2, --bind=filename1,filenam2
22	- supported in profiles
23	- accepted only when running as root
24	- checking string chars
25	- checking no ".."
26	- unit test non root
27
28	4. --tmpfs=dirname
29	- supported in profiles
30	- checking string chars
31	- checking no ".."
32	- unit test
33
34	5. --blacklist=filename, --blacklist=dirname
35	- supported in profiles
36	- checking string chars
37	- checking no ".."
38	- unit test
39
40	6. --read-only=filename, --read-only=dirname
41	- supported in profiles
42	- checking string chars
43	- checking no ".."
44	- unit test
45
46	7. --profile=filename
47	- check access as real GID/UID
48	- checking no dir
49	- checking no link
50	- checking no ".."
51	- unit test
52
53	8. --private=dirname
54	- supported in profiles
55	- expand "~"
56	- check is dir
57	- check no link
58	- checking no ".."
59	- check same owner
60	- unit test
61
62	9. --private-home=filelist
63	- supported in profiles
64	- checking no ".."
65	- checking file found
66	- checking same owner
67	- checking no link
68	- unit test
69
70	10. --netfilter=filename
71	- supported in profiles
72	- check access as real GID/UID
73	- checking no dir
74	- checking no link
75	- checking no ".."
76	- unit test
77
78	11. --shell=filename
79	- not supported in profiles
80	- check access as real GID/UID
81	- checking no dir
82	- checking no link
83	- checking no ".."
84	- unit test


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7483136f4..06820ce24 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -410,14 +410,6 @@ void print_compiletime_support(void) {
410	#endif	410	#endif
411	);	411	);
412		412
413	printf("\t- bind support is %s\n",
414	#ifdef HAVE_BIND
415	"enabled"
416	#else
417	"disabled"
418	#endif
419	);
420
421	printf("\t- chroot support is %s\n",	413	printf("\t- chroot support is %s\n",
422	#ifdef HAVE_CHROOT	414	#ifdef HAVE_CHROOT
423	"enabled"	415	"enabled"


diff --git a/src/firejail/main.c b/src/firejail/main.c index 4faef025a..b3a8dcfd7 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1270,7 +1270,6 @@ int main(int argc, char **argv) {
1270	//*************************************	1270	//*************************************
1271	else if (strcmp(argv[i], "--allusers") == 0)	1271	else if (strcmp(argv[i], "--allusers") == 0)
1272	arg_allusers = 1;	1272	arg_allusers = 1;
1273	#ifdef HAVE_BIND
1274	else if (strncmp(argv[i], "--bind=", 7) == 0) {	1273	else if (strncmp(argv[i], "--bind=", 7) == 0) {
1275	if (checkcfg(CFG_BIND)) {	1274	if (checkcfg(CFG_BIND)) {
1276	char *line;	1275	char *line;
@@ -1283,7 +1282,6 @@ int main(int argc, char **argv) {
1283	else	1282	else
1284	exit_err_feature("bind");	1283	exit_err_feature("bind");
1285	}	1284	}
1286	#endif
1287	else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {	1285	else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
1288	char *line;	1286	char *line;
1289	if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)	1287	if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)


diff --git a/src/firejail/network.txt b/src/firejail/network.txt deleted file mode 100644 index 75bdc346d..000000000 --- a/src/firejail/network.txt +++ /dev/null
@@ -1,95 +0,0 @@
1	struct Bridge {
2	char *dev; // bridge device name
3	uint32_t ip; // bridge device IP address
4	uint32_t mask; // bridge device mask
5	uint32_t ipsandbox // sandbox interface IP address
6	}
7
8	net_configure_bridge(br, device) {
9	br->dev = devname;
10	br->ip = extracted from kernel device - using net_get_if_addr() in network.c
11	br->mask = extracted from kernel device - using net_get_if_addr() in network.c
12	check available network range; /31 networks are not supported
13	}
14
15	net_configure_sandbox_ip(br) {
16	if br->ip_sandbox
17	check br->ipsandbox inside the bridge network
18	arp_check(br->ipsandbox) // send an arp req to check if anybody else is using this address
19	else
20	br->ipsandbox = arp_assign();
21	}
22
23	net_configure_veth_pair {
24	create a veth pair
25	place one interface end in the bridge
26	place the other end in the namespace of the child process
27	}
28
29	net_bridge_wait_ip {
30	arp_check br->ipsandbox address to come up
31	wait for not more than 5 seconds
32	}
33
34	main() {
35
36	foreach argv[i] {
37	if --net
38	br = next bridge available
39	net_configure_bridge(br, device name from argv[i]);
40	else if --ip
41	br = last bridge configured
42	br->ipsandbox = ip address extracted from argv[i]
43	else if --defaultgw
44	cfg.defaultgw = ip address extracted from argv[i]
45	}
46
47	net_check_cfg(); // check the validity of network configuration so far
48
49	if (any bridge configured) {
50	lock /var/lock/firejail.lock file
51	for each bridge
52	net_configure_sandbox_ip(br)
53	}
54
55	clone (new network namespace if any bridge configured or --net=none)
56
57	if (any bridge configured) {
58	for each bridge
59	net_configure_veth_pair
60	}
61
62	notify child init is done
63
64	if (any bridge configured) {
65	for each bridge
66	net_bridge_wait_ip
67	unlock /var/lock/firejail.lock file
68	}
69
70	wait on child
71	exit
72	}
73
74
75	******************************************************
76	* macvlan notes
77	******************************************************
78	Configure a macvlan interface
79
80	# ip link add virtual0 link eth0 type macvlan mode bridge
81	(you can configure it with # ifconfig virtual0 192.168.1.52/24 up)
82
83	Create a new network namespace and move the interface in the new network namespace
84
85	# ip netns add dummy0
86	# ip link set virtual0 netns dummy0
87
88	Join the namespace and configure the interfaces
89
90	# ip netns exec dummy0 bash
91	# ifconfig lo up
92	# ifconfig virtual0 192.168.1.52/24
93
94	Investigate ipvlan interface - added to linux kernel 3.19
95	https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 606378908..168d7e268 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -1044,7 +1044,6 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1044		1044
1045	// filesystem bind	1045	// filesystem bind
1046	if (strncmp(ptr, "bind ", 5) == 0) {	1046	if (strncmp(ptr, "bind ", 5) == 0) {
1047	#ifdef HAVE_BIND
1048	if (checkcfg(CFG_BIND)) {	1047	if (checkcfg(CFG_BIND)) {
1049	if (getuid() != 0) {	1048	if (getuid() != 0) {
1050	fprintf(stderr, "Error: --bind option is available only if running as root\n");	1049	fprintf(stderr, "Error: --bind option is available only if running as root\n");
@@ -1077,7 +1076,6 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1077	}	1076	}
1078	else	1077	else
1079	warning_feature_disabled("bind");	1078	warning_feature_disabled("bind");
1080	#endif
1081	return 0;	1079	return 0;
1082	}	1080	}
1083		1081


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 78cd30926..c8866da3a 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -37,10 +37,8 @@ static char *usage_str =
37	#ifdef HAVE_NETWORK	37	#ifdef HAVE_NETWORK
38	" --bandwidth=name\|pid - set bandwidth limits.\n"	38	" --bandwidth=name\|pid - set bandwidth limits.\n"
39	#endif	39	#endif
40	#ifdef HAVE_BIND
41	" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"	40	" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
42	" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"	41	" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
43	#endif
44	" --blacklist=filename - blacklist directory or file.\n"	42	" --blacklist=filename - blacklist directory or file.\n"
45	" --build - build a whitelisted profile for the application.\n"	43	" --build - build a whitelisted profile for the application.\n"
46	" --build=filename - build a whitelisted profile for the application.\n"	44	" --build=filename - build a whitelisted profile for the application.\n"
@@ -153,6 +151,7 @@ static char *usage_str =
153	" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"	151	" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
154	" --private - temporary home directory.\n"	152	" --private - temporary home directory.\n"
155	" --private=directory - use directory as user home.\n"	153	" --private=directory - use directory as user home.\n"
		154	" --private-cache - temporary ~/.cache directory.\n"
156	" --private-home=file,directory - build a new user home in a temporary\n"	155	" --private-home=file,directory - build a new user home in a temporary\n"
157	"\tfilesystem, and copy the files and directories in the list in\n"	156	"\tfilesystem, and copy the files and directories in the list in\n"
158	"\tthe new home.\n"	157	"\tthe new home.\n"