-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rwxr-xr-x | gcov.sh | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 60 | ||||
-rw-r--r-- | src/firejail/fs_lib2.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 5 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 5 |
11 files changed, 89 insertions, 30 deletions
@@ -641,6 +641,7 @@ HAVE_USERNS | |||
641 | HAVE_NETWORK | 641 | HAVE_NETWORK |
642 | HAVE_GLOBALCFG | 642 | HAVE_GLOBALCFG |
643 | HAVE_CHROOT | 643 | HAVE_CHROOT |
644 | HAVE_PRIVATE_LIB | ||
644 | HAVE_PRIVATE_HOME | 645 | HAVE_PRIVATE_HOME |
645 | HAVE_FIRETUNNEL | 646 | HAVE_FIRETUNNEL |
646 | HAVE_GAWK | 647 | HAVE_GAWK |
@@ -719,6 +720,7 @@ enable_usertmpfs | |||
719 | enable_man | 720 | enable_man |
720 | enable_firetunnel | 721 | enable_firetunnel |
721 | enable_private_home | 722 | enable_private_home |
723 | enable_private_lib | ||
722 | enable_chroot | 724 | enable_chroot |
723 | enable_globalcfg | 725 | enable_globalcfg |
724 | enable_network | 726 | enable_network |
@@ -1380,6 +1382,7 @@ Optional Features: | |||
1380 | --disable-man disable man pages | 1382 | --disable-man disable man pages |
1381 | --enable-firetunnel enable firetunnel | 1383 | --enable-firetunnel enable firetunnel |
1382 | --disable-private-home disable private home feature | 1384 | --disable-private-home disable private home feature |
1385 | --disable-private-lib disable private lib feature | ||
1383 | --disable-chroot disable chroot | 1386 | --disable-chroot disable chroot |
1384 | --disable-globalcfg if the global config file firejail.config is not | 1387 | --disable-globalcfg if the global config file firejail.config is not |
1385 | present, continue the program using defaults | 1388 | present, continue the program using defaults |
@@ -3485,6 +3488,19 @@ if test "x$enable_private_home" != "xno"; then : | |||
3485 | 3488 | ||
3486 | fi | 3489 | fi |
3487 | 3490 | ||
3491 | HAVE_PRIVATE_LIB="" | ||
3492 | |||
3493 | # Check whether --enable-private-lib was given. | ||
3494 | if test "${enable_private_lib+set}" = set; then : | ||
3495 | enableval=$enable_private_lib; | ||
3496 | fi | ||
3497 | |||
3498 | if test "x$enable_private_lib" = "xyes"; then : | ||
3499 | |||
3500 | HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB" | ||
3501 | |||
3502 | fi | ||
3503 | |||
3488 | HAVE_CHROOT="" | 3504 | HAVE_CHROOT="" |
3489 | 3505 | ||
3490 | # Check whether --enable-chroot was given. | 3506 | # Check whether --enable-chroot was given. |
@@ -3674,6 +3690,7 @@ if test "x$enable_lts" = "xyes"; then : | |||
3674 | HAVE_MAN="-DHAVE_MAN" | 3690 | HAVE_MAN="-DHAVE_MAN" |
3675 | HAVE_FIRETUNNEL="" | 3691 | HAVE_FIRETUNNEL="" |
3676 | HAVE_PRIVATE_HOME="" | 3692 | HAVE_PRIVATE_HOME="" |
3693 | HAVE_PRIVATE_LIB="" | ||
3677 | HAVE_CHROOT="" | 3694 | HAVE_CHROOT="" |
3678 | HAVE_GLOBALCFG="" | 3695 | HAVE_GLOBALCFG="" |
3679 | HAVE_USERNS="" | 3696 | HAVE_USERNS="" |
@@ -5291,6 +5308,7 @@ Features: | |||
5291 | network: $HAVE_NETWORK | 5308 | network: $HAVE_NETWORK |
5292 | overlayfs support: $HAVE_OVERLAYFS | 5309 | overlayfs support: $HAVE_OVERLAYFS |
5293 | private home support: $HAVE_PRIVATE_HOME | 5310 | private home support: $HAVE_PRIVATE_HOME |
5311 | private lib support: $HAVE_PRIVATE_LIB | ||
5294 | SELinux labeling support: $HAVE_SELINUX | 5312 | SELinux labeling support: $HAVE_SELINUX |
5295 | user namespace: $HAVE_USERNS | 5313 | user namespace: $HAVE_USERNS |
5296 | X11 sandboxing support: $HAVE_X11 | 5314 | X11 sandboxing support: $HAVE_X11 |
diff --git a/configure.ac b/configure.ac index 2dd49bcb2..357d1da45 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -147,6 +147,14 @@ AS_IF([test "x$enable_private_home" != "xno"], [ | |||
147 | HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" | 147 | HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" |
148 | ]) | 148 | ]) |
149 | 149 | ||
150 | HAVE_PRIVATE_LIB="" | ||
151 | AC_SUBST([HAVE_PRIVATE_LIB]) | ||
152 | AC_ARG_ENABLE([private-lib], | ||
153 | [AS_HELP_STRING([--disable-private-lib], [disable private lib feature])]) | ||
154 | AS_IF([test "x$enable_private_lib" = "xyes"], [ | ||
155 | HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB" | ||
156 | ]) | ||
157 | |||
150 | HAVE_CHROOT="" | 158 | HAVE_CHROOT="" |
151 | AC_SUBST([HAVE_CHROOT]) | 159 | AC_SUBST([HAVE_CHROOT]) |
152 | AC_ARG_ENABLE([chroot], | 160 | AC_ARG_ENABLE([chroot], |
@@ -268,6 +276,7 @@ AS_IF([test "x$enable_lts" = "xyes"], [ | |||
268 | HAVE_MAN="-DHAVE_MAN" | 276 | HAVE_MAN="-DHAVE_MAN" |
269 | HAVE_FIRETUNNEL="" | 277 | HAVE_FIRETUNNEL="" |
270 | HAVE_PRIVATE_HOME="" | 278 | HAVE_PRIVATE_HOME="" |
279 | HAVE_PRIVATE_LIB="" | ||
271 | HAVE_CHROOT="" | 280 | HAVE_CHROOT="" |
272 | HAVE_GLOBALCFG="" | 281 | HAVE_GLOBALCFG="" |
273 | HAVE_USERNS="" | 282 | HAVE_USERNS="" |
@@ -324,6 +333,7 @@ Features: | |||
324 | network: $HAVE_NETWORK | 333 | network: $HAVE_NETWORK |
325 | overlayfs support: $HAVE_OVERLAYFS | 334 | overlayfs support: $HAVE_OVERLAYFS |
326 | private home support: $HAVE_PRIVATE_HOME | 335 | private home support: $HAVE_PRIVATE_HOME |
336 | private lib support: $HAVE_PRIVATE_LIB | ||
327 | SELinux labeling support: $HAVE_SELINUX | 337 | SELinux labeling support: $HAVE_SELINUX |
328 | user namespace: $HAVE_USERNS | 338 | user namespace: $HAVE_USERNS |
329 | X11 sandboxing support: $HAVE_X11 | 339 | X11 sandboxing support: $HAVE_X11 |
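Review bot: The help string at line 153 advertises `--disable-private-lib`, but the AS_IF on line 154 only sets HAVE_PRIVATE_LIB when `enable_private_lib` is exactly `yes`, so the feature is off by default and `--disable-private-lib` is a no-op; the switch that actually does something is `--enable-private-lib`. Compare the private-home block just above, which uses `!= "xno"` for a default-on feature. If default-off is intended (the lts block on line 279 and the "under heavy development" wording in the man page suggest so), fix the help text: `[AS_HELP_STRING([--enable-private-lib], [enable private lib feature (default: disabled)])]`; if default-on was intended, change the test to `test "x$enable_private_lib" != "xno"` instead. Either way the generated configure needs regenerating, since it carries the same mismatch.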
@@ -5,7 +5,7 @@ | |||
5 | 5 | ||
6 | # GCOV test setup | 6 | # GCOV test setup |
7 | # required: sudo, lcov (apt-get install lcov) | 7 | # required: sudo, lcov (apt-get install lcov) |
8 | # setup: make distclean && ./configure --prefix=/usr --enable-apparmor --enable-gcov && make -j4 && sudo make install | 8 | # setup: modify ./configure line below if necessary |
9 | # run as regular user: ./gcov.sh | 9 | # run as regular user: ./gcov.sh |
10 | # result in gcov-dir/index.html | 10 | # result in gcov-dir/index.html |
11 | 11 | ||
@@ -17,6 +17,7 @@ gcov_generate() { | |||
17 | genhtml -q gcov-file --output-directory gcov-dir | 17 | genhtml -q gcov-file --output-directory gcov-dir |
18 | } | 18 | } |
19 | 19 | ||
20 | make distclean && ./configure --prefix=/usr --enable-apparmor --enable-gcov --enable-fatal-warnings && make -j4 && sudo make install | ||
20 | rm -fr gcov-dir gcov-file | 21 | rm -fr gcov-dir gcov-file |
21 | firejail --version | 22 | firejail --version |
22 | gcov_generate | 23 | gcov_generate |
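Review bot: Line 20 now runs configure, make and `sudo make install` of a gcov-instrumented firejail on every invocation, but nothing stops the script when that chain fails — `&&` only joins the build steps, so on a configure or build error the script still proceeds to `rm -fr gcov-dir gcov-file` and exercises whatever firejail binary is already installed, producing coverage for a stale build or a confusing failure. Add `set -e` after the shebang, or append `|| exit 1` to line 20. The header comment on line 9 still says "run as regular user" while the script now prompts for sudo and installs system-wide; I would extend that comment to say so, e.g. `# note: the script installs an instrumented firejail via sudo make install`.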
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 56f983854..a39e8c667 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -409,6 +409,14 @@ void print_compiletime_support(void) { | |||
409 | #endif | 409 | #endif |
410 | ); | 410 | ); |
411 | 411 | ||
412 | printf("\t- private-lib support is %s\n", | ||
413 | #ifdef HAVE_PRIVATE_LIB | ||
414 | "enabled" | ||
415 | #else | ||
416 | "disabled" | ||
417 | #endif | ||
418 | ); | ||
419 | |||
412 | printf("\t- private-cache and tmpfs as user %s\n", | 420 | printf("\t- private-cache and tmpfs as user %s\n", |
413 | #ifdef HAVE_USERTMPFS | 421 | #ifdef HAVE_USERTMPFS |
414 | "enabled" | 422 | "enabled" |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index e349941fa..ba7a291ee 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -32,35 +32,6 @@ extern void fslib_install_stdc(void); | |||
32 | extern void fslib_install_firejail(void); | 32 | extern void fslib_install_firejail(void); |
33 | extern void fslib_install_system(void); | 33 | extern void fslib_install_system(void); |
34 | 34 | ||
35 | static int lib_cnt = 0; | ||
36 | static int dir_cnt = 0; | ||
37 | |||
38 | static const char *masked_lib_dirs[] = { | ||
39 | "/usr/lib64", | ||
40 | "/lib64", | ||
41 | "/usr/lib", | ||
42 | "/lib", | ||
43 | "/usr/local/lib64", | ||
44 | "/usr/local/lib", | ||
45 | NULL, | ||
46 | }; | ||
47 | |||
48 | // return 1 if the file is in masked_lib_dirs[] | ||
49 | static int valid_full_path(const char *full_path) { | ||
50 | if (strstr(full_path, "..")) | ||
51 | return 0; | ||
52 | |||
53 | int i = 0; | ||
54 | while (masked_lib_dirs[i]) { | ||
55 | size_t len = strlen(masked_lib_dirs[i]); | ||
56 | if (strncmp(full_path, masked_lib_dirs[i], len) == 0 && | ||
57 | full_path[len] == '/') | ||
58 | return 1; | ||
59 | i++; | ||
60 | } | ||
61 | return 0; | ||
62 | } | ||
63 | |||
64 | // return 1 if symlink to firejail executable | 35 | // return 1 if symlink to firejail executable |
65 | int is_firejail_link(const char *fname) { | 36 | int is_firejail_link(const char *fname) { |
66 | EUID_ASSERT(); | 37 | EUID_ASSERT(); |
@@ -116,6 +87,36 @@ char *find_in_path(const char *program) { | |||
116 | return NULL; | 87 | return NULL; |
117 | } | 88 | } |
118 | 89 | ||
90 | #ifdef HAVE_PRIVATE_LIB | ||
91 | static int lib_cnt = 0; | ||
92 | static int dir_cnt = 0; | ||
93 | |||
94 | static const char *masked_lib_dirs[] = { | ||
95 | "/usr/lib64", | ||
96 | "/lib64", | ||
97 | "/usr/lib", | ||
98 | "/lib", | ||
99 | "/usr/local/lib64", | ||
100 | "/usr/local/lib", | ||
101 | NULL, | ||
102 | }; | ||
103 | |||
104 | // return 1 if the file is in masked_lib_dirs[] | ||
105 | static int valid_full_path(const char *full_path) { | ||
106 | if (strstr(full_path, "..")) | ||
107 | return 0; | ||
108 | |||
109 | int i = 0; | ||
110 | while (masked_lib_dirs[i]) { | ||
111 | size_t len = strlen(masked_lib_dirs[i]); | ||
112 | if (strncmp(full_path, masked_lib_dirs[i], len) == 0 && | ||
113 | full_path[len] == '/') | ||
114 | return 1; | ||
115 | i++; | ||
116 | } | ||
117 | return 0; | ||
118 | } | ||
119 | |||
119 | static char *build_dest_dir(const char *full_path) { | 120 | static char *build_dest_dir(const char *full_path) { |
120 | assert(full_path); | 121 | assert(full_path); |
121 | if (strstr(full_path, "/x86_64-linux-gnu/")) | 122 | if (strstr(full_path, "/x86_64-linux-gnu/")) |
@@ -465,3 +466,4 @@ void fs_private_lib(void) { | |||
465 | // mount lib filesystem | 466 | // mount lib filesystem |
466 | mount_directories(); | 467 | mount_directories(); |
467 | } | 468 | } |
469 | #endif \ No newline at end of file | ||
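Review bot: The `#endif` on line 469 closes a guard opened roughly 380 lines earlier on line 90 and carries no comment, and the file now ends without a trailing newline; make it `#endif /* HAVE_PRIVATE_LIB */` followed by a newline. The `extern void fslib_install_*` declarations near lines 32–33 stay outside the guard although their definitions in fs_lib2.c are now conditional; that is harmless, but moving them inside the same guard would keep the two files consistent. fs_private_lib's body starts outside the last hunk.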
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index 540c3286f..583888e0e 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -36,6 +36,7 @@ typedef struct liblist_t { | |||
36 | int len; | 36 | int len; |
37 | } LibList; | 37 | } LibList; |
38 | 38 | ||
39 | #ifdef HAVE_PRIVATE_LIB | ||
39 | static LibList libc_list[] = { | 40 | static LibList libc_list[] = { |
40 | { "libselinux.so.", 0 }, | 41 | { "libselinux.so.", 0 }, |
41 | { "libpcre2-8.so.", 0 }, | 42 | { "libpcre2-8.so.", 0 }, |
@@ -356,3 +357,4 @@ void fslib_install_system(void) { | |||
356 | ptr++; | 357 | ptr++; |
357 | } | 358 | } |
358 | } | 359 | } |
360 | #endif | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 62035ff04..7e23cdc63 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1355,8 +1355,10 @@ int main(int argc, char **argv, char **envp) { | |||
1355 | arg_debug_blacklists = 1; | 1355 | arg_debug_blacklists = 1; |
1356 | else if (strcmp(argv[i], "--debug-whitelists") == 0) | 1356 | else if (strcmp(argv[i], "--debug-whitelists") == 0) |
1357 | arg_debug_whitelists = 1; | 1357 | arg_debug_whitelists = 1; |
1358 | #ifdef HAVE_PRIVATE_LIB | ||
1358 | else if (strcmp(argv[i], "--debug-private-lib") == 0) | 1359 | else if (strcmp(argv[i], "--debug-private-lib") == 0) |
1359 | arg_debug_private_lib = 1; | 1360 | arg_debug_private_lib = 1; |
1361 | #endif | ||
1360 | else if (strcmp(argv[i], "--quiet") == 0) { | 1362 | else if (strcmp(argv[i], "--quiet") == 0) { |
1361 | if (!arg_debug) | 1363 | if (!arg_debug) |
1362 | arg_quiet = 1; | 1364 | arg_quiet = 1; |
@@ -2137,6 +2139,7 @@ int main(int argc, char **argv, char **envp) { | |||
2137 | else | 2139 | else |
2138 | exit_err_feature("private-bin"); | 2140 | exit_err_feature("private-bin"); |
2139 | } | 2141 | } |
2142 | #ifdef HAVE_PRIVATE_LIB | ||
2140 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { | 2143 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { |
2141 | if (checkcfg(CFG_PRIVATE_LIB)) { | 2144 | if (checkcfg(CFG_PRIVATE_LIB)) { |
2142 | // extract private lib list (if any) | 2145 | // extract private lib list (if any) |
@@ -2152,6 +2155,7 @@ int main(int argc, char **argv, char **envp) { | |||
2152 | else | 2155 | else |
2153 | exit_err_feature("private-lib"); | 2156 | exit_err_feature("private-lib"); |
2154 | } | 2157 | } |
2158 | #endif | ||
2155 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 2159 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
2156 | arg_private_tmp = 1; | 2160 | arg_private_tmp = 1; |
2157 | } | 2161 | } |
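Review bot: With HAVE_PRIVATE_LIB undefined, `--private-lib` and `--debug-private-lib` no longer match any branch of this else-if chain, so they fall through to whatever the chain's tail does with unrecognized `--` options — presumably a generic "invalid option" error, which I cannot confirm from the hunk. The runtime-disabled path on line 2156 gives a specific `exit_err_feature("private-lib")` message; the compile-time-disabled path should be equally explicit, for example `#else` / `else if (strncmp(argv[i], "--private-lib", 13) == 0) { fprintf(stderr, "Error: private-lib support is not compiled into this build\n"); exit(1); }` / `#endif`. main() begins and ends outside the hunk.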
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 648fc2248..19ac8d9ec 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -949,6 +949,7 @@ int sandbox(void* sandbox_arg) { | |||
949 | } | 949 | } |
950 | } | 950 | } |
951 | 951 | ||
952 | #ifdef HAVE_PRIVATE_LIB | ||
952 | // private-lib is disabled for appimages | 953 | // private-lib is disabled for appimages |
953 | if (arg_private_lib && !arg_appimage) { | 954 | if (arg_private_lib && !arg_appimage) { |
954 | if (cfg.chrootdir) | 955 | if (cfg.chrootdir) |
@@ -959,6 +960,7 @@ int sandbox(void* sandbox_arg) { | |||
959 | fs_private_lib(); | 960 | fs_private_lib(); |
960 | } | 961 | } |
961 | } | 962 | } |
963 | #endif | ||
962 | 964 | ||
963 | #ifdef HAVE_USERTMPFS | 965 | #ifdef HAVE_USERTMPFS |
964 | if (arg_private_cache) { | 966 | if (arg_private_cache) { |
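Review bot: Guarding this block with HAVE_PRIVATE_LIB means a profile that requests `private-lib` is silently ignored in a build without the feature, and the diffstat shows no change to the profile parser, so `arg_private_lib` is presumably still settable from profile files (assuming it remains declared unconditionally in firejail.h). A sandbox that quietly runs without a restriction the profile asked for is the wrong failure mode; match the command-line path, which exits when the feature is disabled, with an `#else` branch: `if (arg_private_lib) { fprintf(stderr, "Error: private-lib requested but not supported in this build\n"); exit(1); }`. If silently dropping it is the intent, say so in a comment above the `#ifdef`. sandbox() starts and ends outside the hunk.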
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 965d09992..b6b60d85c 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -81,7 +81,9 @@ static char *usage_str = | |||
81 | " --debug-blacklists - debug blacklisting.\n" | 81 | " --debug-blacklists - debug blacklisting.\n" |
82 | " --debug-caps - print all recognized capabilities.\n" | 82 | " --debug-caps - print all recognized capabilities.\n" |
83 | " --debug-errnos - print all recognized error numbers.\n" | 83 | " --debug-errnos - print all recognized error numbers.\n" |
84 | #ifdef HAVE_PRIVATE_LIB | ||
84 | " --debug-private-lib - debug for --private-lib option.\n" | 85 | " --debug-private-lib - debug for --private-lib option.\n" |
86 | #endif | ||
85 | " --debug-protocols - print all recognized protocols.\n" | 87 | " --debug-protocols - print all recognized protocols.\n" |
86 | " --debug-syscalls - print all recognized system calls.\n" | 88 | " --debug-syscalls - print all recognized system calls.\n" |
87 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 89 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
@@ -208,6 +210,9 @@ static char *usage_str = | |||
208 | "\tcommon device files.\n" | 210 | "\tcommon device files.\n" |
209 | " --private-etc=file,directory - build a new /etc in a temporary\n" | 211 | " --private-etc=file,directory - build a new /etc in a temporary\n" |
210 | "\tfilesystem, and copy the files and directories in the list.\n" | 212 | "\tfilesystem, and copy the files and directories in the list.\n" |
213 | #ifdef HAVE_PRIVATE_LIB | ||
214 | " --private-lib - create a private /lib directory\n" | ||
215 | #endif | ||
211 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" | 216 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" |
212 | " --private-cwd - do not inherit working directory inside jail.\n" | 217 | " --private-cwd - do not inherit working directory inside jail.\n" |
213 | " --private-cwd=directory - set working directory inside jail.\n" | 218 | " --private-cwd=directory - set working directory inside jail.\n" |
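Review bot: The new usage line on line 214 documents only the bare `--private-lib` form, while main.c matches `--private-lib` by prefix and extracts an optional library list, and the man page documents `--private-lib=file,directory`. Bring the usage text in line with its neighbours (`--private-etc=file,directory` two lines above): `" --private-lib[=file,directory] - build a new /lib in a temporary\n"` / `"\tfilesystem, and copy the listed libraries into it.\n"`. The usage_str literal begins and ends outside the hunk.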
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 3fa07d1ee..fa294d888 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -407,12 +407,14 @@ the current user's home directory. | |||
407 | All modifications are discarded when the sandbox is | 407 | All modifications are discarded when the sandbox is |
408 | closed. | 408 | closed. |
409 | #endif | 409 | #endif |
410 | #ifdef HAVE_PRIVATE_LIB | ||
410 | .TP | 411 | .TP |
411 | \fBprivate-lib file,directory | 412 | \fBprivate-lib file,directory |
412 | Build a new /lib directory and bring in the libraries required by the application to run. | 413 | Build a new /lib directory and bring in the libraries required by the application to run. |
413 | The files and directories in the list must be expressed as relative to | 414 | The files and directories in the list must be expressed as relative to |
414 | the /lib directory. | 415 | the /lib directory. |
415 | This feature is still under development, see \fBman 1 firejail\fR for some examples. | 416 | This feature is still under development, see \fBman 1 firejail\fR for some examples. |
417 | #endif | ||
416 | .TP | 418 | .TP |
417 | \fBprivate-opt file,directory | 419 | \fBprivate-opt file,directory |
418 | Build a new /opt in a temporary | 420 | Build a new /opt in a temporary |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6068c9ff4..ec6da6f13 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -684,9 +684,11 @@ Print all recognized error numbers in the current Firejail software build and ex | |||
684 | Example: | 684 | Example: |
685 | .br | 685 | .br |
686 | $ firejail \-\-debug-errnos | 686 | $ firejail \-\-debug-errnos |
687 | #ifdef HAVE_PRIVATE_LIB | ||
687 | .TP | 688 | .TP |
688 | \fB\-\-debug-private-lib | 689 | \fB\-\-debug-private-lib |
689 | Debug messages for --private-lib option. | 690 | Debug messages for --private-lib option. |
691 | #endif | ||
690 | .TP | 692 | .TP |
691 | \fB\-\-debug-protocols | 693 | \fB\-\-debug-protocols |
692 | Print all recognized protocols in the current Firejail software build and exit. | 694 | Print all recognized protocols in the current Firejail software build and exit. |
@@ -696,6 +698,7 @@ Print all recognized protocols in the current Firejail software build and exit. | |||
696 | Example: | 698 | Example: |
697 | .br | 699 | .br |
698 | $ firejail \-\-debug-protocols | 700 | $ firejail \-\-debug-protocols |
701 | #endif | ||
699 | .TP | 702 | .TP |
700 | \fB\-\-debug-syscalls | 703 | \fB\-\-debug-syscalls |
701 | Print all recognized system calls in the current Firejail software build and exit. | 704 | Print all recognized system calls in the current Firejail software build and exit. |
@@ -2179,6 +2182,7 @@ Example: | |||
2179 | .br | 2182 | .br |
2180 | $ firejail \-\-private-home=.mozilla firefox | 2183 | $ firejail \-\-private-home=.mozilla firefox |
2181 | #endif | 2184 | #endif |
2185 | #ifdef HAVE_PRIVATE_LIB | ||
2182 | .TP | 2186 | .TP |
2183 | \fB\-\-private-lib=file,directory | 2187 | \fB\-\-private-lib=file,directory |
2184 | This feature is currently under heavy development. Only amd64 platforms are supported at this moment. | 2188 | This feature is currently under heavy development. Only amd64 platforms are supported at this moment. |
@@ -2234,6 +2238,7 @@ $ | |||
2234 | .br | 2238 | .br |
2235 | Note: Support for this command is controlled in firejail.config with the | 2239 | Note: Support for this command is controlled in firejail.config with the |
2236 | \fBprivate-lib\fR option. | 2240 | \fBprivate-lib\fR option. |
2241 | #endif | ||
2237 | .TP | 2242 | .TP |
2238 | \fB\-\-private-opt=file,directory | 2243 | \fB\-\-private-opt=file,directory |
2239 | Build a new /opt in a temporary | 2244 | Build a new /opt in a temporary |
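Review bot: The `#endif` added at new line 701, after the `--debug-protocols` example, has no matching `#ifdef` in this hunk or the one before it — the `#ifdef HAVE_PRIVATE_LIB` opened at line 688 is already closed by the `#endif` at line 691. If the man page sources are fed through a C-style preprocessor, as these guards imply, an unbalanced `#endif` will either fail the build or close an unrelated earlier guard and drop the wrong sections. Unless an `#ifdef` I cannot see opens between lines 695 and 700, delete the line 701 `#endif`; the two HAVE_PRIVATE_LIB guards at 688–691 and 2185–2241 are balanced on their own.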