jailtest

15 files changed, 349 insertions, 129 deletions

diff --git a/src/jailtest/access.c b/src/jailtest/access.c
index e68227bd2..4e737dc7a 100644
--- a/src/jailtest/access.c
+++ b/src/jailtest/access.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <dirent.h>
 #include <sys/wait.h>
diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c
new file mode 100644
index 000000000..43ab8fad0
--- /dev/null
+++ b/src/jailtest/apparmor.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
+void apparmor_test(pid_t pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv == -1 || mode == NULL)
+                printf("   Warning: AppArmor not enabled\n");
+}
+
+
+#else
+void apparmor_test(uid_t pid) {
+        (void) pid;
+        return;
+}
+#endif
+
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h
index 678f94bef..10174cc9a 100644
--- a/src/jailtest/jailtest.h
+++ b/src/jailtest/jailtest.h
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #ifndef JAILTEST_H
 #define JAILTEST_H
 
@@ -8,6 +27,7 @@ extern uid_t user_uid;
 extern gid_t user_gid;
 extern char *user_name;
 extern char *user_home_dir;
+extern char *user_run_dir;
 
 // access.c
 void access_setup(const char *directory);
@@ -23,10 +43,16 @@ void virtual_setup(const char *directory);
 void virtual_destroy(void);
 void virtual_test(void);
 
+// apparmor.c
+void apparmor_test(pid_t pid);
+
+// seccomp.c
+void seccomp_test(pid_t pid);
+
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
-int find_child(pid_t parent, pid_t *child);
+int find_child(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
 #endif
\ No newline at end of file
diff --git a/src/jailtest/main.c b/src/jailtest/main.c
index 78f162706..850277bc5 100644
--- a/src/jailtest/main.c
+++ b/src/jailtest/main.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include "../include/firejail_user.h"
 #include "../include/pid.h"
@@ -7,6 +26,7 @@ uid_t user_uid = 0;
 gid_t user_gid = 0;
 char *user_name = NULL;
 char *user_home_dir = NULL;
+char *user_run_dir = NULL;
 int arg_debug = 0;
 
 static char *usage_str =
@@ -73,9 +93,13 @@ int main(int argc, char **argv) {
                 fprintf(stderr, "Error: root user not supported\n");
                 exit(1);
         }
+        if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+                errExit("asprintf");
 
         // test setup
         atexit(cleanup);
+        access_setup("~/.ssh");
+        access_setup("~/.gnupg");
         if (findex > 0) {
                 for (i = findex; i < argc; i++)
                         access_setup(argv[i]);
@@ -88,6 +112,10 @@ int main(int argc, char **argv) {
         virtual_setup("/dev");
         virtual_setup("/etc");
         virtual_setup("/bin");
+        virtual_setup("/usr/share");
+        virtual_setup(user_run_dir);
+
+
 
         // print processes
         pid_read(0);
@@ -98,8 +126,12 @@ int main(int argc, char **argv) {
                                 continue;
 
                         // in case the pid is that of a firejail process, use the pid of the first child process
-                        uid_t pid = switch_to_child(i);
+                        uid_t pid = find_child(i);
+                        printf("\n");
                         pid_print_list(i, 0); //  no wrapping
+                        apparmor_test(pid);
+                        seccomp_test(pid);
+                        fflush(0);
 
                         pid_t child = fork();
                         if (child == -1)
@@ -111,6 +143,7 @@ int main(int argc, char **argv) {
                                         noexec_test(user_home_dir);
                                         noexec_test("/tmp");
                                         noexec_test("/var/tmp");
+                                        noexec_test(user_run_dir);
                                         access_test();
                                 }
                                 else {
diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c
index d2f85514a..4347b7eef 100644
--- a/src/jailtest/noexec.c
+++ b/src/jailtest/noexec.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <sys/wait.h>
 #include <sys/stat.h>
diff --git a/src/jailtest/seccomp.c b/src/jailtest/seccomp.c
new file mode 100644
index 000000000..2cecb4b4d
--- /dev/null
+++ b/src/jailtest/seccomp.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#define MAXBUF 4096
+
+void seccomp_test(pid_t pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(file, "r");
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:", 8) == 0) {
+                        int val = -1;
+                        int rv = sscanf(buf + 8, "\t%d", &val);
+                        if (rv != 1 || val == 0)
+                                printf("   Warning: seccomp not enabled\n");
+                        break;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c
index b24783355..41c21b753 100644
--- a/src/jailtest/utils.c
+++ b/src/jailtest/utils.c
@@ -1,4 +1,24 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
+#include "../include/pid.h"
 #include <errno.h>
 #include <pwd.h>
 #include <dirent.h>
@@ -38,87 +58,45 @@ errexit:
         exit(1);
 }
 
-int find_child(pid_t parent, pid_t *child) {
-        *child = 0;                               // use it to flag a found child
+// find the second child process for the specified pid
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//    14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+        int i;
+        int first_child = -1;
 
-        DIR *dir;
-        if (!(dir = opendir("/proc"))) {
-                // sleep 2 seconds and try again
-                sleep(2);
-                if (!(dir = opendir("/proc"))) {
-                        fprintf(stderr, "Error: cannot open /proc directory\n");
-                        exit(1);
-                }
-        }
-
-        struct dirent *entry;
-        char *end;
-        while (*child == 0 && (entry = readdir(dir))) {
-                pid_t pid = strtol(entry->d_name, &end, 10);
-                if (end == entry->d_name || *end)
-                        continue;
-                if (pid == parent)
-                        continue;
-
-                // open stat file
-                char *file;
-                if (asprintf(&file, "/proc/%u/status", pid) == -1) {
-                        perror("asprintf");
-                        exit(1);
-                }
-                FILE *fp = fopen(file, "r");
-                if (!fp) {
-                        free(file);
-                        continue;
-                }
-
-                // look for firejail executable name
-                char buf[BUFLEN];
-                while (fgets(buf, BUFLEN - 1, fp)) {
-                        if (strncmp(buf, "PPid:", 5) == 0) {
-                                char *ptr = buf + 5;
-                                while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
-                                        ptr++;
-                                }
-                                if (*ptr == '\0') {
-                                        fprintf(stderr, "Error: cannot read /proc file\n");
-                                        exit(1);
-                                }
-                                if (parent == atoi(ptr)) {
-                                        // we don't want /usr/bin/xdg-dbus-proxy!
-                                        char *cmdline = pid_proc_cmdline(pid);
-                                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
-                                                *child = pid;
-                                        free(cmdline);
-                                }
-                                break;            // stop reading the file
+        // find the first child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 2 && pids[i].parent == id) {
+                        // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+                        char *cmdline = pid_proc_cmdline(i);
+                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+                                free(cmdline);
+                                continue;
                         }
+                        free(cmdline);
+                        first_child = i;
+                        break;
                 }
-                fclose(fp);
-                free(file);
         }
-        closedir(dir);
-        return (*child)? 0:1;                     // 0 = found, 1 = not found
-}
 
-pid_t switch_to_child(pid_t pid) {
-        pid_t rv = pid;
-        errno = 0;
-        char *comm = pid_proc_comm(pid);
-        if (!comm) {
-                if (errno == ENOENT)
-                        fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
-                else
-                        fprintf(stderr, "Error: cannot read /proc file\n");
-                exit(1);
-        }
+        if (first_child == -1)
+                return -1;
 
-        if (strcmp(comm, "firejail") == 0) {
-                if (find_child(pid, &rv) == 1) {
-                        fprintf(stderr, "Error: no valid sandbox\n");
-                        exit(1);
-                }
+        // find the second-level child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 3 && pids[i].parent == first_child)
+                        return i;
         }
-        free(comm);
-        return rv;
+
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
 }
+
diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c
index 48296fdb1..fcdcf9720 100644
--- a/src/jailtest/virtual.c
+++ b/src/jailtest/virtual.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <dirent.h>
 #include <sys/wait.h>
@@ -64,7 +83,8 @@ void virtual_test(void) {
         assert(user_uid);
         int i;
 
-        printf("   Virtual dirs: "); fflush(0);
+        int cnt = 0;
+        cnt += printf("   Virtual dirs: "); fflush(0);
 
         for (i = 0; i < files_cnt; i++) {
                 assert(files[i]);
@@ -85,15 +105,21 @@ void virtual_test(void) {
                         FILE *fp = fopen(files[i], "r");
                         if (fp)
                                 fclose(fp);
-                        else
-                                printf("%s, ", dirs[i]);
+                        else {
+                                if (cnt == 0)
+                                        cnt += printf("\n                 ");
+                                cnt += printf("%s, ", dirs[i]);
+                                if (cnt > 60)
+                                        cnt = 0;
+                        }
                         fflush(0);
-                        exit(0);
+                        exit(cnt);
                 }
 
                 // wait for the child to finish
                 int status;
                 wait(&status);
+                cnt = WEXITSTATUS(status);
         }
         printf("\n");
 }
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 2c02aee47..dbb9397c6 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 430e86cc8..ce27729b7 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5e77b5f70..c7dc4c434 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index 6fa09e05e..c5a9c1848 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR jailtest (1)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e85a02ee8..9e89d4e79 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -3332,11 +3332,13 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki
 .UE ,
 .UR https://github.com/netblue30/firejail
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index cea6c0265..64f15a1f0 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/jailtest.txt b/src/man/jailtest.txt
index bc1999163..1b64097ea 100644
--- a/src/man/jailtest.txt
+++ b/src/man/jailtest.txt
@@ -19,9 +19,12 @@ and tries to run them form inside the sandbox, thus testing if the directory is
 \fB3. Read access test
 jailtest creates test files in the directories specified by the user and tries to read
 them from inside the sandbox.
-
 .TP
-The program is running as root exclusively under sudo.
+\fB4. AppArmor test
+.TP
+\fB5. Seccomp test
+.TP
+The program is started as root using sudo.
 
 .SH OPTIONS
 .TP
@@ -35,7 +38,7 @@ Print options end exit.
 Print program version and exit.
 .TP
 \fB[directory]
-One or more directories in user home to test for read access.
+One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
 
 .SH OUTPUT
 For each sandbox detected we print the following line:
@@ -46,37 +49,58 @@ It is followed by relevant sandbox information, such as the virtual directories
 
 .SH EXAMPLE
 
+$ sudo jailtest
 .br
-$ sudo jailtest ~/.ssh ~/.gnupg
+2014:netblue::firejail /usr/bin/gimp
 .br
-1429:netblue::/usr/bin/firejail /opt/firefox/firefox
+   Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
 .br
-   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc,
+   Warning: I can run programs in /home/netblue
+.br
+
 .br
-5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net
+2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
 .br
-   Virtual dirs: /var/tmp, /dev,
+   Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
 .br
    Warning: I can read ~/.ssh
 .br
-5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10
+
+.br
+2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
    Virtual dirs: /tmp, /var/tmp, /dev,
 .br
-   Warning: I can run programs in /home/netblue
+
 .br
-6394:netblue:libreoffice:/usr/bin/firejail libreoffice
+26090:netblue::/usr/bin/firejail /opt/firefox/firefox
 .br
-   Virtual dirs: /tmp, /var/tmp, /dev,
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
 .br
+                 /run/user/1000,
+.br
+
+.br
+26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+.br
+   Warning: AppArmor not enabled
+.br
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+.br
+                 /usr/share, /run/user/1000,
+.br
+   Warning: I can run programs in /home/netblue
+.br
+
 
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),