authorLibravatar netblue30 <netblue30@yahoo.com>2016-03-04 20:25:29 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-03-04 20:25:29 -0500
commit5b3f207558cb12a2ac15bded2c70214ffeb3a8fd (patch)
tree1e2231b1f6c72d758e675f8a25c8dd5341b793ce /src
parent--ls (diff)
documentation
Diffstat (limited to 'src')
-rw-r--r--src/firejail/usage.c470
-rw-r--r--src/man/firejail.txt41
2 files changed, 228 insertions, 283 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b538f136b..58f9d2cf7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -33,267 +33,219 @@ void usage(void) {
33 printf("default in the sandbox.\n\n"); 33 printf("default in the sandbox.\n\n");
34 printf("\n"); 34 printf("\n");
35 printf("Options:\n\n"); 35 printf("Options:\n\n");
36 printf("\t-- - signal the end of options and disables further option processing.\n\n"); 36 printf(" -- - signal the end of options and disables further option processing.\n\n");
37#ifdef HAVE_NETWORK 37#ifdef HAVE_NETWORK
38 printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n"); 38 printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n");
39 printf("\t\tby name, see Traffic Shaping section for more details.\n\n"); 39 printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
40 printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n");
41 printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
42#endif 40#endif
43#ifdef HAVE_BIND 41#ifdef HAVE_BIND
44 printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); 42 printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
45 printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n"); 43 printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n\n");
46#endif 44#endif
47 printf("\t--blacklist=dirname_or_filename - blacklist directory or file.\n\n"); 45 printf(" --blacklist=dirname_or_filename - blacklist directory or file.\n\n");
48 printf("\t-c - execute command and exit.\n\n"); 46 printf(" -c - execute command and exit.\n\n");
49 printf("\t--caps - enable default Linux capabilities filter. The filter disables\n"); 47 printf(" --caps - enable default Linux capabilities filter.\n\n");
50 printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n"); 48 printf(" --caps.drop=all - drop all capabilities.\n\n");
51#ifdef CAP_SYSLOG 49 printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n\n");
52 printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); 50 printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n\n");
53#else 51 printf(" --caps.print=name|pid - print the caps filter for the sandbox identified\n");
54 printf("\t\tCAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); 52 printf("\tby name or PID.\n\n");
55#endif 53 printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n");
56 printf("\t--caps.drop=all - drop all capabilities.\n\n"); 54 printf("\ttasks-file is the full path of cgroup tasks file.\n\n");
57 printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n");
58 printf("\t\tcapabilities filter.\n\n");
59 printf("\t--caps.keep=capability,capability,capability - whitelist Linux\n");
60 printf("\t\tcapabilities filter.\n\n");
61 printf("\t--caps.print=name - print the caps filter for the sandbox identified\n");
62 printf("\t\tby name.\n\n");
63 printf("\t--caps.print=pid - print the caps filter for the sandbox identified\n");
64 printf("\t\tby PID.\n\n");
65 printf("\t--cgroup=tasks-file - place the sandbox in the specified control group.\n");
66 printf("\t\ttasks-file is the full path of cgroup tasks file.\n");
67 printf("\t\tExample: --cgroup=/sys/fs/cgroup/g1/tasks\n\n");
68#ifdef HAVE_CHROOT 55#ifdef HAVE_CHROOT
69 printf("\t--chroot=dirname - chroot into dirname directory.\n\n"); 56 printf(" --chroot=dirname - chroot into directory.\n\n");
70#endif 57#endif
71 printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n"); 58 printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
72 printf("\t\tExample: cpu=0,1,2\n\n"); 59 printf(" --csh - use /bin/csh as default shell.\n\n");
73 printf("\t--csh - use /bin/csh as default shell.\n\n"); 60
74 61 printf(" --debug - print sandbox debug messages.\n\n");
75 printf("\t--debug - print sandbox debug messages.\n\n"); 62 printf(" --debug-blacklists - debug blacklisting.\n\n");
76 printf("\t--debug-blacklists - debug blacklisting.\n\n"); 63 printf(" --debug-caps - print all recognized capabilities in the current Firejail\n");
77 printf("\t--debug-caps - print all recognized capabilities in the current\n"); 64 printf("\tsoftware build.\n\n");
78 printf("\t\tFirejail software build and exit.\n\n"); 65 printf(" --debug-check-filename - debug filename checking.\n\n");
79 printf("\t--debug-check-filename - debug filename checking.\n\n"); 66 printf(" --debug-errnos - print all recognized error numbers in the current Firejail\n");
80 printf("\t--debug-errnos - print all recognized error numbers in the current\n"); 67 printf("\tsoftware build.\n\n");
81 printf("\t\tFirejail software build and exit.\n\n"); 68 printf(" --debug-protocols - print all recognized protocols in the current Firejail\n");
82 printf("\t--debug-protocols - print all recognized protocols in the current\n"); 69 printf("\tsoftware build.\n\n");
83 printf("\t\tFirejail software build and exit.\n\n"); 70 printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");
84 printf("\t--debug-syscalls - print all recognized system calls in the current\n"); 71 printf("\tsoftware build.\n\n");
85 printf("\t\tFirejail software build and exit.\n\n"); 72 printf(" --debug-whitelists - debug whitelisting.\n\n");
86 printf("\t--debug-whitelists - debug whitelisting.\n\n");
87 73
88 74
89 75
90#ifdef HAVE_NETWORK 76#ifdef HAVE_NETWORK
91 printf("\t--defaultgw=address - use this address as default gateway in the new\n"); 77 printf(" --defaultgw=address - use this address as default gateway in the new network\n");
92 printf("\t\tnetwork namespace.\n\n"); 78 printf("\tnamespace.\n\n");
93#endif 79#endif
94 printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); 80 printf(" --dns=address - set a DNS server for the sandbox. Up to three DNS servers\n");
95 printf("\t\tservers can be defined.\n\n"); 81 printf("\tcan be defined.\n\n");
96 printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n"); 82 printf(" --dns.print=name|pid - print DNS configuration for the sandbox identified\n");
97 printf("\t\tby name.\n\n"); 83 printf("\tby name or PID.\n\n");
98 printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
99 printf("\t\tby PID.\n\n");
100 84
101 printf("\t--env=name=value - set environment variable in the new sandbox\n\n"); 85 printf(" --env=name=value - set environment variable in the new sandbox.\n\n");
102 printf("\t--fs.print=name - print the filesystem log for the sandbox identified\n"); 86 printf(" --fs.print=name|pid - print the filesystem log for the sandbox identified\n");
103 printf("\t\tby name.\n\n"); 87 printf("\tby name or PID.\n\n");
104 printf("\t--fs.print=pid - print the filesystem log for the sandbox identified\n");
105 printf("\t\tby PID.\n\n");
106 88
107 printf("\t--help, -? - this help screen.\n\n"); 89 printf(" --help, -? - this help screen.\n\n");
108 printf("\t--hostname=name - set sandbox hostname.\n\n"); 90 printf(" --hostname=name - set sandbox hostname.\n\n");
109 printf("\t--ignore=command - ignore command in profile files.\n\n"); 91 printf(" --ignore=command - ignore command in profile files.\n\n");
110#ifdef HAVE_NETWORK 92#ifdef HAVE_NETWORK
111 printf("\t--interface=name - move interface in a new network namespace. Up to\n"); 93 printf(" --interface=name - move interface in a new network namespace. Up to four\n");
112 printf("\t\tfour --interface options can be specified.\n\n"); 94 printf("\t--interface options can be specified.\n\n");
113 printf("\t--ip=address - set interface IP address.\n\n"); 95 printf(" --ip=address - set interface IP address.\n\n");
114 printf("\t--ip=none - no IP address and no default gateway address are configured\n"); 96 printf(" --ip=none - no IP address and no default gateway address are configured\n");
115 printf("\t\tin the new network namespace. Use this option in case you intend\n"); 97 printf("\tin the new network namespace. Use this option in case you intend to\n");
116 printf("\t\tto start an external DHCP client in the sandbox.\n\n"); 98 printf("\tstart an external DHCP client in the sandbox.\n\n");
117 printf("\t--ip6=address - set interface IPv6 address.\n\n"); 99 printf(" --ip6=address - set interface IPv6 address.\n\n");
118 printf("\t--iprange=address,address - configure an IP address in this range\n\n"); 100 printf(" --iprange=address,address - configure an IP address in this range.\n\n");
119#endif 101#endif
120 printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n"); 102 printf(" --ipc-namespace - enable a new IPC namespace if the sandbox was started as\n");
121 printf("\t\tas a regular user. IPC namespace is enabled by default only if\n"); 103 printf("\tregular user. IPC namespace is enabled by default only if the sandbox\n");
122 printf("\t\tthe sandbox is started as root.\n\n"); 104 printf("\tis started as root.\n\n");
123 printf("\t--join=name - join the sandbox identified by name.\n\n"); 105 printf(" --join=name|pid - join the sandbox identified by name or PID.\n\n");
124 printf("\t--join=pid - join the sandbox identified by PID.\n\n"); 106 printf(" --join-filesystem=name|pid - join the mount namespace of the sandbox\n");
125 printf("\t--join-filesystem=name - join the mount namespace of the sandbox\n"); 107 printf("\tidentified by name or PID.\n\n");
126 printf("\t\tidentified by name.\n\n");
127 printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
128 printf("\t\tidentified by PID.\n\n");
129#ifdef HAVE_NETWORK 108#ifdef HAVE_NETWORK
130 printf("\t--join-network=name - join the network namespace of the sandbox\n"); 109 printf(" --join-network=name|pid - join the network namespace of the sandbox\n");
131 printf("\t\tidentified by name.\n\n"); 110 printf("\tidentified by name or PID.\n\n");
132 printf("\t--join-network=pid - join the network namespace of the sandbox\n");
133 printf("\t\tidentified by PID.\n\n");
134#endif 111#endif
135 printf("\t--list - list all sandboxes.\n\n"); 112 printf(" --list - list all sandboxes.\n\n");
136#ifdef HAVE_NETWORK 113#ifdef HAVE_NETWORK
137 printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); 114 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
138 printf("\t--mtu=number - set interface MTU.\n\n"); 115 printf(" --mtu=number - set interface MTU.\n\n");
139#endif 116#endif
140 printf("\t--name=name - set sandbox name.\n\n"); 117 printf(" --name=name - set sandbox name.\n\n");
141#ifdef HAVE_NETWORK 118#ifdef HAVE_NETWORK
142 printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n"); 119 printf(" --net=bridgename - enable network namespaces and connect to this bridge\n");
143 printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n"); 120 printf("\tdevice. Up to four --net devices can be defined.\n\n");
144 printf("\t\tIP address and a default gateway will be assigned automatically\n"); 121
145 printf("\t\tto the sandbox. The IP address is checked using ARP before\n"); 122 printf(" --net=ethernet_interface - enable network namespaces and connect to this\n");
146 printf("\t\tassignment. The IP address assigned as default gateway is the\n"); 123 printf("\tEthernet interface using the standard Linux macvlan driver. Up to four\n");
147 printf("\t\tbridge device IP address. Up to four --net devices can\n"); 124 printf("\t--net devices can be defined.\n\n");
148 printf("\t\tbe defined. Mixing bridge and macvlan devices is allowed.\n\n"); 125
149 printf("\t--net=ethernet_interface - enable network namespaces and connect\n"); 126 printf(" --net=none - enable a new, unconnected network namespace.\n\n");
150 printf("\t\tto this ethernet_interface using the standard Linux macvlan\n");
151 printf("\t\tdriver. Unless specified with option --ip and --defaultgw, an\n");
152 printf("\t\tIP address and a default gateway will be assigned automatically\n");
153 printf("\t\tto the sandbox. The IP address is checked using ARP before\n");
154 printf("\t\tassignment. The IP address assigned as default gateway is the\n");
155 printf("\t\tdefault gateway of the host. Up to four --net devices can\n");
156 printf("\t\tbe defined. Mixing bridge and macvlan devices is allowed.\n\n");
157 printf("\t--net=none - enable a new, unconnected network namespace.\n\n");
158 127
159 printf("\t--netfilter - enable the default client network filter in the new\n"); 128 printf(" --netfilter - enable the default client network filter in the new\n");
160 printf("\t\tnetwork namespace:\n\n"); 129 printf("\tnetwork namespace.\n\n");
161 printf("\t\t*filter\n"); 130 printf(" --netfilter=filename - enable the network filter specified by\n");
162 printf("\t\t:INPUT DROP [0:0]\n"); 131 printf("\tfilename in the new network namespace. The filter file format\n");
163 printf("\t\t:FORWARD DROP [0:0]\n"); 132 printf("\tis the format of iptables-save and iptable-restore commands.\n\n");
164 printf("\t\t:OUTPUT ACCEPT [0:0]\n"); 133 printf(" --netfilter6=filename - enable the IPv6 network filter specified by\n");
165 printf("\t\t-A INPUT -i lo -j ACCEPT\n"); 134 printf("\tfilename in the new network namespace. The filter file format\n");
166 printf("\t\t-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); 135 printf("\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
167 printf("\t\t-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n");
168 printf("\t\t-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n");
169 printf("\t\t-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n");
170 printf("\t\tCOMMIT\n\n");
171 printf("\t--netfilter=filename - enable the network filter specified by\n");
172 printf("\t\tfilename in the new network namespace. The filter file format\n");
173 printf("\t\tis the format of iptables-save and iptable-restore commands.\n\n");
174 printf("\t--netfilter6=filename - enable the IPv6 network filter specified by\n");
175 printf("\t\tfilename in the new network namespace. The filter file format\n");
176 printf("\t\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
177 136
178 printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); 137 printf(" --netstats - monitor network statistics for sandboxes creating a new\n");
179 printf("\t\tnetwork namespace.\n\n"); 138 printf("\tnetwork namespace.\n\n");
180#endif 139#endif
181 printf("\t--nice=value - set nice value\n\n"); 140 printf(" --nice=value - set nice value\n\n");
182 printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n"); 141 printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
183 printf("\t\tor file.\n\n"); 142 printf("\tfile.\n\n");
184 printf("\t--nogroups - disable supplementary groups. Without this option,\n"); 143 printf(" --nogroups - disable supplementary groups. Without this option,\n");
185 printf("\t\tsupplementary groups are enabled for the user starting the\n"); 144 printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
186 printf("\t\tsandbox. For root user supplementary groups are always\n"); 145 printf("\t For root, groups are always disabled.\n\n");
187 printf("\t\tdisabled.\n\n");
188 146
189 printf("\t--noprofile - do not use a profile. Profile priority is use the one\n"); 147 printf(" --noprofile - do not use a profile. Profile priority is use the one\n");
190 printf("\t\tspecified on the command line, next try to find one that\n"); 148 printf("\tspecified on the command line, next try to find one that\n");
191 printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); 149 printf("\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
192 printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); 150 printf("\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
193 printf("\t\troot.\n\n"); 151 printf("\troot.\n\n");
194#ifdef HAVE_USERNS 152#ifdef HAVE_USERNS
195 printf("\t--noroot - install a user namespace with a single user - the current\n"); 153 printf(" --noroot - install a user namespace with a single user - the current\n");
196 printf("\t\tuser. root user does not exist in the new namespace. This option\n"); 154 printf("\tuser. root user does not exist in the new namespace. This option\n");
197 printf("\t\tis not supported for --chroot and --overlay configurations.\n\n"); 155 printf("\tis not supported for --chroot and --overlay configurations.\n\n");
198#endif 156#endif
199 printf("\t--nosound - disable sound system\n\n"); 157 printf(" --nosound - disable sound system.\n\n");
200 158
201 printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n"); 159 printf(" --output=logfile - stdout logging and log rotation. Copy stdout to\n");
202 printf("\t\tlogfile, and keep the size of the file under 500KB using log\n"); 160 printf("\tlogfile, and keep the size of the file under 500KB using log\n");
203 printf("\t\trotation. Five files with prefixes .1 to .5 are used in\n"); 161 printf("\trotation. Five files with prefixes .1 to .5 are used in\n");
204 printf("\t\trotation.\n\n"); 162 printf("\trotation.\n\n");
205 163
206 printf("\t--overlay - mount a filesystem overlay on top of the current filesystem.\n"); 164 printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n");
207 printf("\t\tThe upper filesystem layer is persistent, and stored in\n"); 165 printf("\tThe upper filesystem layer is persistent, and stored in\n");
208 printf("\t\t$HOME/.firejail directory. (OverlayFS support is required in\n"); 166 printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n");
209 printf("\t\tLinux kernel for this option to work). \n\n"); 167 printf("\tLinux kernel for this option to work). \n\n");
210 168
211 printf("\t--overlay-tmpfs - mount a filesystem overlay on top of the current\n"); 169 printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n");
212 printf("\t\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); 170 printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
213 printf("\t\tand it is discarded when the sandbox is closed. (OverlayFS\n"); 171 printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n");
214 printf("\t\tsupport is required in Linux kernel for this option to work).\n\n"); 172 printf("\tsupport is required in Linux kernel for this option to work).\n\n");
215 173
216 printf("\t--private - mount new /root and /home/user directories in temporary\n"); 174 printf(" --private - mount new /root and /home/user directories in temporary\n");
217 printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n"); 175 printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
218 printf("\t\tclosed.\n\n"); 176 printf("\tclosed.\n\n");
219 printf("\t--private=directory - use directory as user home.\n\n"); 177 printf(" --private=directory - use directory as user home.\n\n");
220 178
221 printf("\t--private-bin=file,file - build a new /bin in a temporary filesystem,\n"); 179 printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
222 printf("\t\tand copy the programs in the list. The same directory is\n"); 180 printf("\tand copy the programs in the list. The same directory is\n");
223 printf("\t\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n"); 181 printf("\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n");
224 182
225 printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); 183 printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
226 printf("\t\tty, pst, ptms, random, urandom, log and shm devices are\n"); 184 printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n");
227 printf("\t\tavailable.\n\n");
228 185
229 printf("\t--private-etc=file,directory - build a new /etc in a temporary\n"); 186 printf(" --private-etc=file,directory - build a new /etc in a temporary\n");
230 printf("\t\tfilesystem, and copy the files and directories in the list.\n"); 187 printf("\tfilesystem, and copy the files and directories in the list.\n");
231 printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); 188 printf("\tAll modifications are discarded when the sandbox is closed.\n\n");
232 189
233 printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n"); 190 printf(" --private-tmp - mount a tmpfs on top of /tmp directory\n\n");
234 191
235 printf("\t--profile=filename - use a custom profile.\n\n"); 192 printf(" --profile=filename - use a custom profile.\n\n");
236 printf("\t--profile-path=directory - use this directory to look for profile files.\n\n"); 193 printf(" --profile-path=directory - use this directory to look for profile files.\n\n");
237 194
238 printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); 195 printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n");
239 printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); 196 printf("\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");
240 printf("\t--protocol.print=name - print the protocol filter for the sandbox\n"); 197 printf(" --protocol.print=name|pid - print the protocol filter for the sandbox\n");
241 printf("\t\tidentified by name.\n\n"); 198 printf("\tidentified by name or PID.\n\n");
242 printf("\t--protocol.print=pid - print the protocol filter for the sandbox\n");
243 printf("\t\tidentified by PID.\n\n");
244 199
245 printf("\t--quiet - turn off Firejail's output.\n\n"); 200 printf(" --quiet - turn off Firejail's output.\n\n");
246 printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); 201 printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");
247 printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); 202 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
248 printf("\t\tby a process.\n\n"); 203 printf("\tby a process.\n\n");
249 printf("\t--rlimit-nofile=number - set the maximum number of files that can be\n"); 204 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
250 printf("\t\topened by a process.\n\n"); 205 printf("\topened by a process.\n\n");
251 printf("\t--rlimit-nproc=number - set the maximum number of processes that can be\n"); 206 printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n");
252 printf("\t\tcreated for the real user ID of the calling process.\n\n"); 207 printf("\tcreated for the real user ID of the calling process.\n\n");
253 printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n"); 208 printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
254 printf("\t\tfor a process.\n\n"); 209 printf("\tfor a process.\n\n");
255#ifdef HAVE_NETWORK 210#ifdef HAVE_NETWORK
256 printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n"); 211 printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
257 printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n"); 212 printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
258 printf("\t\trunning on the current host.\n\n"); 213 printf("\trunning on the current host.\n\n");
259#endif 214#endif
260#ifdef HAVE_SECCOMP 215#ifdef HAVE_SECCOMP
261 printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n"); 216 printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n\n");
262 217
263 printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); 218 printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
264 printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); 219 printf("\tdefault syscall list and the syscalls specified by the command.\n\n");
265 220
266 printf("\t--seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); 221 printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
267 printf("\t\tblacklist the syscalls specified by the command.\n\n"); 222 printf("\tblacklist the syscalls specified by the command.\n\n");
268 223
269 printf("\t--seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); 224 printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
270 printf("\t\twhitelist the syscalls specified by the command.\n\n"); 225 printf("\twhitelist the syscalls specified by the command.\n\n");
271 226
272 printf("\t--seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n"); 227 printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
273 printf("\t\treturn errno for the syscalls specified by the command.\n\n"); 228 printf("\treturn errno for the syscalls specified by the command.\n\n");
274 229
275 printf("\t--seccomp.print=name - print the seccomp filter for the sandbox\n"); 230 printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
276 printf("\t\tidentified by name.\n\n"); 231 printf("\tidentified by name or PID.\n\n");
277 printf("\t--seccomp.print=pid - print the seccomp filter for the sandbox\n");
278 printf("\t\tidentified by PID.\n\n");
279#endif 232#endif
280 233
281 printf("\t--shell=none - run the program directly without a user shell.\n\n"); 234 printf(" --shell=none - run the program directly without a user shell.\n\n");
282 printf("\t--shell=program - set default user shell.\n\n"); 235 printf(" --shell=program - set default user shell.\n\n");
283 printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n"); 236 printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n\n");
284 printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n"); 237 printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
285 printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); 238 printf("\tThis option is available only when running the sandbox as root.\n\n");
286 printf("\t\tThis option is available only when running the sandbox as root.\n\n"); 239 printf(" --top - monitor the most CPU-intensive sandboxes.\n\n");
287 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); 240 printf(" --trace - trace open, access and connect system calls.\n\n");
288 printf("\t--trace - trace open, access and connect system calls.\n\n"); 241 printf(" --tracelog - add a syslog message for every access to files or\n");
289 printf("\t--tracelog - add a syslog message for every access to files or\n"); 242 printf("\tdirectoires blacklisted by the security profile.\n\n");
290 printf("\t\tdirectoires blacklisted by the security profile.\n\n"); 243 printf(" --tree - print a tree of all sandboxed processes.\n\n");
291 printf("\t--tree - print a tree of all sandboxed processes.\n\n"); 244 printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
292 printf("\t--user=new_user - switch the user before starting the sandbox.\n\n"); 245 printf(" --version - print program version and exit.\n\n");
293 printf("\t--version - print program version and exit.\n\n"); 246 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
294 printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); 247 printf(" --x11 - enable x11 server.\n\n");
295 printf("\t--x11 - enable x11 server.\n\n"); 248 printf(" --zsh - use /usr/bin/zsh as default shell.\n\n");
296 printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n");
297 printf("\n"); 249 printf("\n");
298 printf("\n"); 250 printf("\n");
299 251
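Review bot: The rewritten help text introduces two typos on the new side: new line 39 reads `\tby name or PID, see Traffic Shaping section fo more details.` (should be `for`), and new line 201 ends `set directory or file read-only..` with a doubled period. New line 145 indents with a tab followed by a space, `"\t For root, groups are always disabled.\n\n"`, while every other continuation line in this hunk uses a bare `\t`, so that line will render one column off. The pre-existing `directoires` on new line 242 (the `--tracelog` description) is left untouched by this commit and could be corrected in the same pass. The enclosing usage() body starts and ends outside the hunk.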
@@ -309,23 +261,23 @@ void usage(void) {
309 printf("sandboxes configured with new network namespaces.\n\n"); 261 printf("sandboxes configured with new network namespaces.\n\n");
310 262
311 printf("Set rate-limits:\n"); 263 printf("Set rate-limits:\n");
312 printf("\tfirejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n"); 264 printf(" firejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n");
313 printf("Clear rate-limits:\n"); 265 printf("Clear rate-limits:\n");
314 printf("\tfirejail --bandwidth={name|pid} clear network-name\n\n"); 266 printf(" firejail --bandwidth={name|pid} clear network-name\n\n");
315 printf("Status:\n"); 267 printf("Status:\n");
316 printf("\tfirejail --bandwidth={name|pid} status\n\n"); 268 printf(" firejail --bandwidth={name|pid} status\n\n");
317 printf("where:\n"); 269 printf("where:\n");
318 printf("\tname - sandbox name\n"); 270 printf(" name - sandbox name\n");
319 printf("\tpid - sandbox pid\n"); 271 printf(" pid - sandbox pid\n");
320 printf("\tnetwork-name - network name as used by --net option\n"); 272 printf(" network-name - network name as used by --net option\n");
321 printf("\tdown-speed - download speed in KB/s (decimal kilobyte per second)\n"); 273 printf(" down-speed - download speed in KB/s (decimal kilobyte per second)\n");
322 printf("\tup-speed - upload speed in KB/s (decimal kilobyte per second)\n"); 274 printf(" up-speed - upload speed in KB/s (decimal kilobyte per second)\n");
323 printf("\n"); 275 printf("\n");
324 printf("Example:\n"); 276 printf("Example:\n");
325 printf("\t$ firejail --name=mybrowser --net=eth0 firefox &\n"); 277 printf(" $ firejail --name=mybrowser --net=eth0 firefox &\n");
326 printf("\t$ firejail --bandwidth=mybrowser set eth0 80 20\n"); 278 printf(" $ firejail --bandwidth=mybrowser set eth0 80 20\n");
327 printf("\t$ firejail --bandwidth=mybrowser status\n"); 279 printf(" $ firejail --bandwidth=mybrowser status\n");
328 printf("\t$ firejail --bandwidth=mybrowser clear eth0\n"); 280 printf(" $ firejail --bandwidth=mybrowser clear eth0\n");
329 printf("\n"); 281 printf("\n");
330 printf("\n"); 282 printf("\n");
331#endif 283#endif
@@ -335,29 +287,29 @@ void usage(void) {
335 287
336 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n"); 288 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
337 printf("follows:\n\n"); 289 printf("follows:\n\n");
338 printf("\tPID:USER:Command\n\n"); 290 printf(" PID:USER:Command\n\n");
339 291
340 printf("Option --tree prints the tree of processes running in the sandbox. The format\n"); 292 printf("Option --tree prints the tree of processes running in the sandbox. The format\n");
341 printf("for each process entry is as follows:\n\n"); 293 printf("for each process entry is as follows:\n\n");
342 printf("\tPID:USER:Command\n\n"); 294 printf(" PID:USER:Command\n\n");
343 295
344 printf("Option --top is similar to the UNIX top command, however it applies only to\n"); 296 printf("Option --top is similar to the UNIX top command, however it applies only to\n");
345 printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n"); 297 printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n");
346 printf("order:\n\n"); 298 printf("order:\n\n");
347 printf("\tCommand - command used to start the sandbox.\n"); 299 printf(" Command - command used to start the sandbox.\n");
348 printf("\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"); 300 printf(" CPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n");
349 printf("\t last screen update\n"); 301 printf("\tlast screen update\n");
350 printf("\tPID - Unique process ID for the task controlling the sandbox.\n"); 302 printf(" PID - Unique process ID for the task controlling the sandbox.\n");
351 printf("\tPrcs - number of processes running in sandbox, including the controlling\n"); 303 printf(" Prcs - number of processes running in sandbox, including the controlling\n");
352 printf("\t process.\n"); 304 printf("\tprocess.\n");
353 printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); 305 printf(" RES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
354 printf("\t It is a sum of the RES values for all processes running in the\n"); 306 printf("\tIt is a sum of the RES values for all processes running in the\n");
355 printf("\t sandbox.\n"); 307 printf("\tsandbox.\n");
356 printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); 308 printf(" SHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
357 printf("\t processes. It is a sum of the SHR values for all processes running\n"); 309 printf("\tprocesses. It is a sum of the SHR values for all processes running\n");
358 printf("\t in the sandbox, including the controlling process.\n"); 310 printf("\tin the sandbox, including the controlling process.\n");
359 printf("\tUptime - sandbox running time in hours:minutes:seconds format.\n"); 311 printf(" Uptime - sandbox running time in hours:minutes:seconds format.\n");
360 printf("\tUser - The owner of the sandbox.\n"); 312 printf(" User - The owner of the sandbox.\n");
361 printf("\n"); 313 printf("\n");
362 printf("\n"); 314 printf("\n");
363 printf("Profile files\n\n"); 315 printf("Profile files\n\n");
@@ -375,23 +327,23 @@ void usage(void) {
375 printf("/etc/firejail/login.users file.\n\n"); 327 printf("/etc/firejail/login.users file.\n\n");
376 printf("\n"); 328 printf("\n");
377 printf("Examples:\n\n"); 329 printf("Examples:\n\n");
378 printf(" $ firejail\n"); 330 printf(" $ firejail\n");
379 printf(" start a regular /bin/bash session in sandbox\n"); 331 printf("\tstart a regular /bin/bash session in sandbox\n");
380 printf(" $ firejail firefox\n"); 332 printf(" $ firejail firefox\n");
381 printf(" start Mozilla Firefox\n"); 333 printf("\tstart Mozilla Firefox\n");
382 printf(" $ firejail --debug firefox\n"); 334 printf(" $ firejail --debug firefox\n");
383 printf(" debug Firefox sandbox\n"); 335 printf("\tdebug Firefox sandbox\n");
384 printf(" $ firejail --private\n"); 336 printf(" $ firejail --private firefox\n");
385 printf(" start a /bin/bash session with a new tmpfs home directory\n"); 337 printf("\tstart Firefox with a new, empty home directory\n");
386 printf(" $ firejail --net=br0 ip=10.10.20.10\n"); 338 printf(" $ firejail --net=br0 ip=10.10.20.10\n");
387 printf(" start a /bin/bash session in a new network namespace; the session is\n"); 339 printf("\tstart a /bin/bash session in a new network namespace; the session is\n");
388 printf(" connected to the main network using br0 bridge device, an IP address\n"); 340 printf("\tconnected to the main network using br0 bridge device, an IP address\n");
389 printf(" of 10.10.20.10 is assigned to the sandbox\n"); 341 printf("\tof 10.10.20.10 is assigned to the sandbox\n");
390 printf(" $ firejail --net=br0 --net=br1 --net=br2\n"); 342 printf(" $ firejail --net=br0 --net=br1 --net=br2\n");
391 printf(" start a /bin/bash session in a new network namespace and connect it\n"); 343 printf("\tstart a /bin/bash session in a new network namespace and connect it\n");
392 printf(" to br0, br1, and br2 host bridge devices\n"); 344 printf("\tto br0, br1, and br2 host bridge devices\n");
393 printf(" $ firejail --list\n"); 345 printf(" $ firejail --list\n");
394 printf(" list all running sandboxes\n"); 346 printf("\tlist all running sandboxes\n");
395 printf("\n"); 347 printf("\n");
396 printf("License GPL version 2 or later\n"); 348 printf("License GPL version 2 or later\n");
397 printf("Homepage: http://firejail.wordpress.com\n"); 349 printf("Homepage: http://firejail.wordpress.com\n");
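Review bot: The network example on the new side still prints `$ firejail --net=br0 ip=10.10.20.10`, so the `ip=10.10.20.10` token has no leading `--` and, given the `firejail [OPTIONS] [program and arguments]` synopsis in this commit's man-page hunk, would presumably be parsed as the program to run rather than as an option. The man-page hunk in the same commit spells the equivalent example `\-\-net=br0 \-\-ip=10.10.20.5`, so the usage text should match by changing `ip=10.10.20.10` to `--ip=10.10.20.10` in that printf; the explanatory lines that follow it can stay as they are. The body of usage() begins before this hunk and continues after it.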
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3a9b41330..56a768614 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments]
11Network traffic shaping for an existing sandbox: 11Network traffic shaping for an existing sandbox:
12.PP 12.PP
13.RS 13.RS
14firejail \-\-bandwidth={<name>|<PID>} bandwidth-command 14firejail \-\-bandwidth={name|pid} bandwidth-command
15.RE 15.RE
16.PP 16.PP
17Monitoring: 17Monitoring:
@@ -68,20 +68,8 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
68\fB\-\- 68\fB\-\-
69Signal the end of options and disables further option processing. 69Signal the end of options and disables further option processing.
70.TP 70.TP
71\fB\-\-bandwidth=name 71\fB\-\-bandwidth=name|pid
72Set bandwidth limits for the sandbox identified by name, see \fBTRAFFIC SHAPING\fR section for more details. 72Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
73.TP
74\fB\-\-bandwidth=pid
75Set bandwidth limits for the sandbox identified by PID, see \fBTRAFFIC SHAPING\fR section for more details.
76.TP
77\fB\-\-bind=dirname1,dirname2
78Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root.
79.br
80
81.br
82Example:
83.br
84# firejail \-\-bind=/config/www,/var/www
85.TP 73.TP
86\fB\-\-bind=filename1,filename2 74\fB\-\-bind=filename1,filename2
87Mount-bind filename1 on top of filename2. This option is only available when running as root. 75Mount-bind filename1 on top of filename2. This option is only available when running as root.
@@ -104,6 +92,8 @@ $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
104$ firejail \-\-blacklist=~/.mozilla 92$ firejail \-\-blacklist=~/.mozilla
105.br 93.br
106$ firejail "\-\-blacklist=/home/username/My Virtual Machines" 94$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
95.br
96$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
107.TP 97.TP
108\fB\-c 98\fB\-c
109Execute command and exit. 99Execute command and exit.
@@ -1699,7 +1689,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
1699.SH EXAMPLES 1689.SH EXAMPLES
1700.TP 1690.TP
1701\f\firejail 1691\f\firejail
1702Start a regular /bin/bash session in sandbox. 1692Sandbox a regular /bin/bash session.
1703.TP 1693.TP
1704\f\firejail firefox 1694\f\firejail firefox
1705Start Mozilla Firefox. 1695Start Mozilla Firefox.
@@ -1707,17 +1697,20 @@ Start Mozilla Firefox.
1707\f\firejail \-\-debug firefox 1697\f\firejail \-\-debug firefox
1708Debug Firefox sandbox. 1698Debug Firefox sandbox.
1709.TP 1699.TP
1710\f\firejail \-\-private 1700\f\firejail \-\-private firefox
1711Start a /bin/bash session with a new tmpfs home directory. 1701Start Firefox with a new, empty home directory.
1702.TP
1703\f\firejail --net=none vlc
1704Start VLC in an unconnected network namespace.
1712.TP 1705.TP
1713\f\firejail \-\-net=br0 ip=10.10.20.10 1706\f\firejail \-\-net=eth0 firefox
1714Start a /bin/bash session in a new network namespace. The session is 1707Start Firefox in a new network namespace. An IP address is
1715connected to the main network using br0 bridge device. An IP address 1708assigned automatically.
1716of 10.10.20.10 is assigned to the sandbox.
1717.TP 1709.TP
1718\f\firejail \-\-net=br0 \-\-net=br1 \-\-net=br2 1710\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
1719Start a /bin/bash session in a new network namespace and connect it 1711Start a /bin/bash session in a new network namespace and connect it
1720to br0, br1, and br2 host bridge devices. 1712to br0, br1, and br2 host bridge devices. IP addresses are assigned
1713automatically for the interfaces connected to br1 and b2
1721.TP 1714.TP
1722\f\firejail \-\-list 1715\f\firejail \-\-list
1723List all sandboxed processes. 1716List all sandboxed processes.