Add noblacklist command to firejail.

* Basic implementation
* Updates to standard profiles
* Update to firejail-profile manpage

1 files changed, 9 insertions, 0 deletions

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5167a4c42..64565ab0b 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -87,6 +87,7 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1"
 These profile entries define a chroot filesystem built on top of the existing
 host filesystem. Each line describes a file element that is removed from
 the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
+a filter for finer control of blacklisting (\fBnoblacklist\fR),
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
 or mount-bind a directory  or file on top of another directory or file (\fBbind\fR).
 Use \fBprivate\fR to set private mode.
@@ -117,6 +118,14 @@ Remove ifconfig command from the regular path directories.
 \f\blacklist ${HOME}/.ssh
 Remove .ssh directory from user home directory.
 .TP
+\f\ noblacklist ${HOME}/config/evince
+Prevent any new blacklist commands from blacklisting
+config/evince in the user home directory. Useful for defining
+exceptions before including a large blacklist from a file. Note
+that blacklisting ${HOME}/config can still make
+${HOME}/config/evince effectively unreachable through filesystem
+traversal.
+.TP
 \f\private
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is