-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 21 | ||||
-rw-r--r-- | src/man/firejail.txt | 27 |
4 files changed, 34 insertions, 16 deletions
@@ -6,6 +6,7 @@ firejail (0.9.40-rc1) baseline; urgency=low | |||
6 | * added --cpu.print option | 6 | * added --cpu.print option |
7 | * added filetransfer options --ls and --get | 7 | * added filetransfer options --ls and --get |
8 | * added --writable-etc and --writable-var options | 8 | * added --writable-etc and --writable-var options |
9 | * added --read-only option | ||
9 | * added mkdir, ipc-namespace, and nosound profile commands | 10 | * added mkdir, ipc-namespace, and nosound profile commands |
10 | * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands | 11 | * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands |
11 | * --version also prints compile options | 12 | * --version also prints compile options |
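--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -209,6 +209,7 @@ void usage(void) {
 printf("\tcreated for the real user ID of the calling process.\n\n");
 printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
 printf("\tfor a process.\n\n");
+printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
 #ifdef HAVE_NETWORK
 printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
 printf("\tThis makes it possible to detect macvlan kernel device drivers\n");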
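Review bot: The new help line for --read-write ends in a doubled period (`read-write..`) and, unlike the man-page entry added in the same commit, does not say the option is root-only, which is the one thing a user should know before relaxing the read-only mount of the system directories. I would make the line `printf(" --read-write=dirname_or_filename - set directory or file read-write (root only).\n\n");`. The entry is also placed after --rlimit-sigpending, which looks out of alphabetical order if the surrounding list is sorted, as the neighbouring entries suggest. usage() begins at the hunk header and continues past this hunk.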
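--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -122,12 +122,6 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 
 .TP
-\fBread-only file_or_directory
-Make directory or file read-only.
-.TP
-\fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
-.TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
 .TP
@@ -182,6 +176,18 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory.
 .TP
+\fBread-only file_or_directory
+Make directory or file read-only.
+.TP
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.TP
+\fBtracelog
+Blacklist violations logged to syslog.
+.TP
 \fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
@@ -194,9 +200,6 @@ when running the sandbox as root user.
 \fBwritable-var
 Mount /var directory read-write. This option is available only
 when running the sandbox as root user.
-.TP
-\fBtracelog
-Blacklist violations logged to syslog.
 .SH Security filters
 The following security filters are currently implemented:
 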
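--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 
 .SH USAGE
-Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,
-and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.
-The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.
-Only /home and /tmp are writable.
+Without any options, the sandbox consists of a filesystem build in a new mount namespace,
+and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
+command line options. The default Firejail filesystem is based on the host filesystem with the main
+system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32,
+/libx32 and /lib64. Only /home and /tmp are writable.
 .PP
 As it starts up, Firejail tries to find a security profile based on the name of the application.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
-to disable it. For more information, please see \fBSECURITY PROFILES\fR section.
+to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
@@ -194,7 +195,8 @@ Example:
 
 .TP
 \fB\-\-chroot=dirname
-Chroot the sandbox into a root filesystem. If the sandbox is started as a
+Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
+the system directories are mounted read-write. If the sandbox is started as a
 regular user, default seccomp and capabilities filters are enabled. This
 option is not available on Grsecurity systems.
 .br
@@ -946,7 +948,8 @@ $ ls -l sandboxlog*
 
 .TP
 \fB\-\-overlay
-Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
+Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
 The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
 .br
 
@@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of
 .TP
 \fB\-\-rlimit-sigpending=number
 Set the maximum number of pending signals for a process.
+
+.TP
+\fB\-\-read-write=dirname_or_filename
+By default, the sandbox mounts system directories read-only.
+These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
+Use this option to mount read-write files or directories inside the system directories.
+
+This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+cases the system directories are mounted read-write.
+
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.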