-rw-r--r-- | src/man/firejail.txt | 193 |
1 files changed, 26 insertions, 167 deletions
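diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 54d2b1e73..60c53378a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -161,8 +161,8 @@ make the whitelist read-only. Example:
 .br
 $ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
-\fB\-\-caps.print=name
-Print the caps filter for the sandbox identified by name.
+\fB\-\-caps.print=name|pid
+Print the caps filter for the sandbox identified by name or by PID.
 .br
 
 .br
@@ -170,13 +170,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-caps.print=mygame
-
-.TP
-\fB\-\-caps.print=pid
-Print the caps filter for a sandbox identified by PID.
 .br
 
 .br
@@ -221,8 +215,8 @@ Example:
 $ firejail \-\-cpu=0,1 handbrake
 
 .TP
-\fB\-\-cpu.print=name
-Print the CPU cores in use by the sandbox identified by name.
+\fB\-\-cpu.print=name|pid
+Print the CPU cores in use by the sandbox identified by name or by PID.
 .br
 
 .br
@@ -230,13 +224,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-cpu.print=mygame
-
-.TP
-\fB\-\-caps.print=pid
-Print the CPU cores in use by the sandbox identified by PID.
 .br
 
 .br
@@ -355,8 +343,8 @@ Example:
 $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
 
 .TP
-\fB\-\-dns.print=name
-Print DNS configuration for a sandbox identified by name.
+\fB\-\-dns.print=name|pid
+Print DNS configuration for a sandbox identified by name or by PID.
 .br
 
 .br
@@ -364,13 +352,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-dns.print=mygame
-
-.TP
-\fB\-\-dns.print=pid
-Print DNS configuration for a sandbox identified by PID.
 .br
 
 .br
@@ -400,8 +382,8 @@ There could be lots of reasons for it to fail, for example if the existing sandb
 admin capabilities, SUID binaries, or if it runs seccomp.
 
 .TP
-\fB\-\-fs.print=name
-Print the filesystem log for the sandbox identified by name.
+\fB\-\-fs.print=name|print
+Print the filesystem log for the sandbox identified by name or by PID.
 .br
 
 .br
@@ -409,13 +391,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-fs.print=mygame
-
-.TP
-\fB\-\-fs.print=pid
-Print the filesystem log for a sandbox identified by PID.
 .br
 
 .br
@@ -524,13 +500,12 @@ Example:
 .br
 $ firejail \-\-ipc-namespace firefox
 .TP
-\fB\-\-join=name
-Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+\fB\-\-join=name|pid
+Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
 all security filters are configured for the new process the same they are configured in the sandbox.
 If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
 to the process joining the sandbox.
-
 .br
 
 .br
@@ -538,18 +513,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-join=mygame
-
-
-.TP
-\fB\-\-join=pid
-Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
-all security filters are configured for the new process the same they are configured in the sandbox.
-If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
-to the process joining the sandbox.
 .br
 
 .br
@@ -562,19 +526,13 @@ $ firejail \-\-list
 $ firejail \-\-join=3272
 
 .TP
-\fB\-\-join-filesystem=name
-Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+\fB\-\-join-filesystem=name|pid
+Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
 
 .TP
-\fB\-\-join-filesystem=pid
-Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
-.TP
-\fB\-\-join-network=name
+\fB\-\-join-network=name|PID
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
@@ -630,19 +588,9 @@ Switching to pid 1932, the first child process inside the sandbox
 valid_lft forever preferred_lft forever
 
 .TP
-\fB\-\-join-network=pid
-Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
-
-
-.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
 
-\fB
-
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1147,8 +1095,8 @@ Example:
 .br
 $ firejail \-\-protocol=unix,inet,inet6 firefox
 .TP
-\fB\-\-protocol.print=name
-Print the protocol filter for the sandbox identified by name.
+\fB\-\-protocol.print=name|pid
+Print the protocol filter for the sandbox identified by name or PID.
 .br
 
 .br
@@ -1156,15 +1104,9 @@ Example:
 .br
 $ firejail \-\-name=mybrowser firefox &
 .br
-[...]
-.br
 $ firejail \-\-protocol.print=mybrowser
 .br
 unix,inet,inet6,netlink
-
-.TP
-\fB\-\-protocol.print=pid
-Print the protocol filter for a sandbox identified by PID.
 .br
 
 .br
@@ -1284,8 +1226,8 @@ $ rm testfile
 rm: cannot remove `testfile': Operation not permitted
 
 .TP
-\fB\-\-seccomp.print=name
-Print the seccomp filter for the sandbox started using \-\-name option.
+\fB\-\-seccomp.print=name|PID
+Print the seccomp filter for the sandbox identified by name or PID.
 .br
 
 .br
@@ -1349,72 +1291,6 @@ SECCOMP Filter:
 .br
 $
 .TP
-\fB\-\-seccomp.print=pid
-Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-list
-.br
-10786:netblue:firejail \-\-name=browser firefox
-$ firejail \-\-seccomp.print=10786
-.br
-SECCOMP Filter:
-.br
-VALIDATE_ARCHITECTURE
-.br
-EXAMINE_SYSCAL
-.br
-BLACKLIST 165 mount
-.br
-BLACKLIST 166 umount2
-.br
-BLACKLIST 101 ptrace
-.br
-BLACKLIST 246 kexec_load
-.br
-BLACKLIST 304 open_by_handle_at
-.br
-BLACKLIST 175 init_module
-.br
-BLACKLIST 176 delete_module
-.br
-BLACKLIST 172 iopl
-.br
-BLACKLIST 173 ioperm
-.br
-BLACKLIST 167 swapon
-.br
-BLACKLIST 168 swapoff
-.br
-BLACKLIST 103 syslog
-.br
-BLACKLIST 310 process_vm_readv
-.br
-BLACKLIST 311 process_vm_writev
-.br
-BLACKLIST 133 mknod
-.br
-BLACKLIST 139 sysfs
-.br
-BLACKLIST 156 _sysctl
-.br
-BLACKLIST 159 adjtimex
-.br
-BLACKLIST 305 clock_adjtime
-.br
-BLACKLIST 212 lookup_dcookie
-.br
-BLACKLIST 298 perf_event_open
-.br
-BLACKLIST 300 fanotify_init
-.br
-RETURN_ALLOW
-.br
-$
-.TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.
 .br
@@ -1435,8 +1311,8 @@ shell.
 Example:
 $firejail \-\-shell=/bin/dash script.sh
 .TP
-\fB\-\-shutdown=name
-Shutdown the sandbox started using \-\-name option.
+\fB\-\-shutdown=name|PID
+Shutdown the sandbox identified by name or PID.
 .br
 
 .br
@@ -1444,12 +1320,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-shutdown=mygame
-.TP
-\fB\-\-shutdown=pid
-Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
 .br
 
 .br
@@ -1710,25 +1581,13 @@ These features allow the user to inspect the filesystem container of an existing
 and transfer files from the container to the host filesystem.
 
 .TP
-\fB\-\-get=name filename
-Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name (\-\-name option). Full path is needed for filename.
-
-.TP
-\fB\-\-get=pid filename
+\fB\-\-get=name|pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is specified by process ID. Full path is needed for filename.
+The container is specified by name or PID. Full path is needed for filename.
 
 .TP
-\fB\-\-ls=name dir_or_filename
-List container files.
-The container is specified by name (\-\-name option).
-Full path is needed for dir_or_filename.
-
-.TP
-\fB\-\-ls=pid dir_or_filename
-List container files.
-The container is specified by process ID.
+\fB\-\-ls=name|pid dir_or_filename
+List container files. The container is specified by name or PID.
 Full path is needed for dir_or_filename.
 
 .TP
@@ -1767,15 +1626,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 
 Set rate-limits:
 
-firejail --bandwidth={name|pid} set network download upload
+firejail --bandwidth=name|pid set network download upload
 
 Clear rate-limits:
 
-firejail --bandwidth={name|pid} clear network
+firejail --bandwidth=name|pid clear network
 
 Status:
 
-firejail --bandwidth={name|pid} status
+firejail --bandwidth=name|pid status
 
 where:
 .br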