diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-10-28 09:14:22 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-10-28 09:14:22 -0400 |
| commit | aac16b9d3659ac3831a4448c930db436852e586b (patch) | |
| tree | a0d7ca9e8918fbccf825591c4499685e320cd021 /src | |
| parent | vimperator, seccomp (diff) | |
| download | firejail-aac16b9d3659ac3831a4448c930db436852e586b.tar.gz firejail-aac16b9d3659ac3831a4448c930db436852e586b.tar.zst firejail-aac16b9d3659ac3831a4448c930db436852e586b.zip | |
cleanup
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/protocol.c | 5 | ||||
| -rw-r--r-- | src/firejail/usage.c | 9 | ||||
| -rw-r--r-- | src/man/firejail.txt | 22 |
3 files changed, 34 insertions, 2 deletions
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 5f730afef..8e75277c2 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
| @@ -74,6 +74,11 @@ static struct sock_filter *find_protocol_domain(const char *p) { | |||
| 74 | 74 | ||
| 75 | // --debug-protocols | 75 | // --debug-protocols |
| 76 | void protocol_list(void) { | 76 | void protocol_list(void) { |
| 77 | #ifndef SYS_socket | ||
| 78 | fprintf(stderr, "Warning: --protocol not supported on this platform\n"); | ||
| 79 | return; | ||
| 80 | #endif | ||
| 81 | |||
| 77 | int i = 0; | 82 | int i = 0; |
| 78 | while (protocol[i] != NULL) { | 83 | while (protocol[i] != NULL) { |
| 79 | printf("%s, ", protocol[i]); | 84 | printf("%s, ", protocol[i]); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d3cad1e63..c829b94f2 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -70,6 +70,8 @@ void usage(void) { | |||
| 70 | printf("\t\tFirejail software build and exit.\n\n"); | 70 | printf("\t\tFirejail software build and exit.\n\n"); |
| 71 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); | 71 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); |
| 72 | printf("\t\tFirejail software build and exit.\n\n"); | 72 | printf("\t\tFirejail software build and exit.\n\n"); |
| 73 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); | ||
| 74 | printf("\t\tFirejail software build and exit.\n\n"); | ||
| 73 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); | 75 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); |
| 74 | printf("\t\tFirejail software build and exit.\n\n"); | 76 | printf("\t\tFirejail software build and exit.\n\n"); |
| 75 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); | 77 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); |
| @@ -192,6 +194,10 @@ void usage(void) { | |||
| 192 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); | 194 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); |
| 193 | 195 | ||
| 194 | printf("\t--profile=filename - use a custom profile.\n\n"); | 196 | printf("\t--profile=filename - use a custom profile.\n\n"); |
| 197 | |||
| 198 | printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); | ||
| 199 | printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); | ||
| 200 | |||
| 195 | printf("\t--quiet - turn off Firejail's output.\n\n"); | 201 | printf("\t--quiet - turn off Firejail's output.\n\n"); |
| 196 | printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); | 202 | printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); |
| 197 | printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); | 203 | printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); |
| @@ -218,7 +224,8 @@ void usage(void) { | |||
| 218 | printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n"); | 224 | printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n"); |
| 219 | printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n"); | 225 | printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n"); |
| 220 | printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n"); | 226 | printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n"); |
| 221 | printf("\t\tmigrate_pages, move_pages, vmsplice, and perf_event_open.\n\n"); | 227 | printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n"); |
| 228 | printf("\t\tkexec_file_load.\n\n"); | ||
| 222 | 229 | ||
| 223 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); | 230 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); |
| 224 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); | 231 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 12c32f4c7..52b75afaa 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -23,7 +23,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree} | |||
| 23 | Miscellaneous: | 23 | Miscellaneous: |
| 24 | .PP | 24 | .PP |
| 25 | .RS | 25 | .RS |
| 26 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-help | \-\-version} | 26 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version} |
| 27 | .RE | 27 | .RE |
| 28 | .SH DESCRIPTION | 28 | .SH DESCRIPTION |
| 29 | Firejail is a SUID sandbox program that reduces the risk of security breaches by | 29 | Firejail is a SUID sandbox program that reduces the risk of security breaches by |
| @@ -258,6 +258,15 @@ Example: | |||
| 258 | .br | 258 | .br |
| 259 | $ firejail \-\-debug-errnos | 259 | $ firejail \-\-debug-errnos |
| 260 | .TP | 260 | .TP |
| 261 | \fB\-\-debug-protocols | ||
| 262 | Print all recognized protocols in the current Firejail software build and exit. | ||
| 263 | .br | ||
| 264 | |||
| 265 | .br | ||
| 266 | Example: | ||
| 267 | .br | ||
| 268 | $ firejail \-\-debug-protocols | ||
| 269 | .TP | ||
| 261 | \fB\-\-debug-syscalls | 270 | \fB\-\-debug-syscalls |
| 262 | Print all recognized system calls in the current Firejail software build and exit. | 271 | Print all recognized system calls in the current Firejail software build and exit. |
| 263 | .br | 272 | .br |
| @@ -842,6 +851,17 @@ For more information, see SECURITY PROFILES section below. | |||
| 842 | Example: | 851 | Example: |
| 843 | .br | 852 | .br |
| 844 | $ firejail \-\-profile=myprofile | 853 | $ firejail \-\-profile=myprofile |
| 854 | |||
| 855 | .TP | ||
| 856 | \fB\-\-protocol=protocol,protocol,protocol | ||
| 857 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | ||
| 858 | Recognized values: unix, inet, inet6, netlink and packet. | ||
| 859 | .br | ||
| 860 | |||
| 861 | .br | ||
| 862 | Example: | ||
| 863 | .br | ||
| 864 | $ firejail \-\-protocol=unix,inet,inet6 firefox | ||
| 845 | .TP | 865 | .TP |
| 846 | \fB\-\-quiet | 866 | \fB\-\-quiet |
| 847 | Turn off Firejail's output. | 867 | Turn off Firejail's output. |