-rw-r--r--src/firejail/firejail.h8
-rw-r--r--src/firejail/fs_logger.c8
-rw-r--r--src/firejail/join.c7
-rw-r--r--src/firejail/ls.c307
-rw-r--r--src/firejail/main.c35
-rw-r--r--src/firejail/usage.c470
-rw-r--r--src/firemon/procevent.c7
-rw-r--r--src/lib/pid.c5
-rw-r--r--src/man/firejail.txt41
9 files changed, 587 insertions, 301 deletions
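--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -324,8 +324,8 @@ void netstats(void);
 void usage(void);
 
 // join.c
-void join(pid_t pid, const char *homedir, int argc, char **argv, int index);
-void join_name(const char *name, const char *homedir, int argc, char **argv, int index);
+void join(pid_t pid, int argc, char **argv, int index);
+void join_name(const char *name, int argc, char **argv, int index);
 void shut(pid_t pid);
 void shut_name(const char *name);
 
@@ -530,5 +530,9 @@ int x11_display(void);
 // return 1 if xpra is installed on the system
 int x11_check_xpra(void);
 
+// ls.c
+void ls_name(const char *name, const char *path);
+void ls(pid_t pid, const char *path);
+
 #endif
 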
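--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -157,27 +157,27 @@ void fs_logger_print_log(pid_t pid) {
  if (uid != 0) {
  uid_t sandbox_uid = pid_get_uid(pid);
  if (uid != sandbox_uid) {
- fprintf(stderr, "Error: permission denied.\n");
+ fprintf(stderr, "Error: permission denied\n");
  exit(1);
  }
  }
 
  // print RUN_FSLOGGER_FILE
- EUID_ROOT();
  char *fname;
  if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_FSLOGGER_FILE) == -1)
  errExit("asprintf");
 
+ EUID_ROOT();
  struct stat s;
  if (stat(fname, &s) == -1) {
- printf("Cannot access filesystem log.\n");
+ fprintf(stderr, "Error: Cannot access filesystem log\n");
  exit(1);
  }
 
  /* coverity[toctou] */
  FILE *fp = fopen(fname, "r");
  if (!fp) {
- printf("Cannot open filesystem log.\n");
+ fprintf(stderr, "Error: Cannot open filesystem log\n");
  exit(1);
  }
 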
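--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -179,7 +179,7 @@ static void extract_user_namespace(pid_t pid) {
  free(uidmap);
 }
 
-void join_name(const char *name, const char *homedir, int argc, char **argv, int index) {
+void join_name(const char *name, int argc, char **argv, int index) {
  EUID_ASSERT();
  if (!name || strlen(name) == 0) {
  fprintf(stderr, "Error: invalid sandbox name\n");
@@ -191,11 +191,12 @@ void join_name(const char *name, const char *homedir, int argc, char **argv, int
  fprintf(stderr, "Error: cannot find sandbox %s\n", name);
  exit(1);
  }
- join(pid, homedir, argc, argv, index);
+ join(pid, argc, argv, index);
 }
 
-void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
+void join(pid_t pid, int argc, char **argv, int index) {
  EUID_ASSERT();
+ char *homedir = cfg.homedir;
 
  extract_command(argc, argv, index);
 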
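--- /dev/null
+++ b/src/firejail/ls.c
@@ -0,0 +1,307 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <pwd.h>
+#include <grp.h>
+
+// uid/gid cache
+static uid_t c_uid = 0;
+static char *c_uid_name = NULL;
+static gid_t c_gid = 0;
+static char *g_uid_name = NULL;
+
+static void print_file_or_dir(const char *path, const char *fname, int separator) {
+ assert(fname);
+
+ char *name;
+ if (separator) {
+ if (asprintf(&name, "%s/%s", path, fname) == -1)
+ errExit("asprintf");
+ }
+ else {
+ if (asprintf(&name, "%s%s", path, fname) == -1)
+ errExit("asprintf");
+ }
+
+ struct stat s;
+ int is_broken_link = 0;
+ if (stat(name, &s) == -1) {
+ is_broken_link = 1;
+ if (lstat(name, &s) == -1) {
+ printf("Error: cannot access %s\n", name);
+ return;
+ }
+ }
+
+ // permissions
+ if (S_ISLNK(s.st_mode))
+ printf("l");
+ else if (S_ISDIR(s.st_mode))
+ printf("d");
+ else if (S_ISCHR(s.st_mode))
+ printf("c");
+ else if (S_ISBLK(s.st_mode))
+ printf("b");
+ else if (S_ISSOCK(s.st_mode))
+ printf("s");
+ else
+ printf("-");
+ printf( (s.st_mode & S_IRUSR) ? "r" : "-");
+ printf( (s.st_mode & S_IWUSR) ? "w" : "-");
+ printf( (s.st_mode & S_IXUSR) ? "x" : "-");
+ printf( (s.st_mode & S_IRGRP) ? "r" : "-");
+ printf( (s.st_mode & S_IWGRP) ? "w" : "-");
+ printf( (s.st_mode & S_IXGRP) ? "x" : "-");
+ printf( (s.st_mode & S_IROTH) ? "r" : "-");
+ printf( (s.st_mode & S_IWOTH) ? "w" : "-");
+ printf( (s.st_mode & S_IXOTH) ? "x" : "-");
+ printf(" ");
+
+ // user name
+ char *username;
+ int allocated = 0;
+ if (s.st_uid == 0)
+ username = "root";
+ else if (s.st_uid == c_uid) {
+ assert(c_uid_name);
+ username = c_uid_name;
+ }
+ else {
+ struct passwd *pw = getpwuid(s.st_uid);
+ allocated = 1;
+ if (!pw) {
+ if (asprintf(&username, "%d", s.st_uid) == -1)
+ errExit("asprintf");
+ }
+ else {
+ username = strdup(pw->pw_name);
+ if (!username)
+ errExit("asprintf");
+ }
+
+ if (c_uid == 0) {
+ c_uid = s.st_uid;
+ c_uid_name = strdup(username);
+ if (!c_uid_name)
+ errExit("asprintf");
+ }
+ }
+
+ // print user name, 8 chars maximum
+ int len = strlen(username);
+ if (len > 8) {
+ username[8] = '\0';
+ len = 8;
+ }
+ printf("%s ", username);
+ int i;
+ for (i = len; i < 8; i++)
+ printf(" ");
+ if (allocated)
+ free(username);
+
+
+ // group name
+ char *groupname;
+ allocated = 0;
+ if (s.st_uid == 0)
+ groupname = "root";
+ else {
+ struct group *g = getgrgid(s.st_gid);
+ allocated = 1;
+ if (!g) {
+ if (asprintf(&groupname, "%d", s.st_gid) == -1)
+ errExit("asprintf");
+ }
+ else {
+ groupname = strdup(g->gr_name);
+ if (!groupname)
+ errExit("asprintf");
+ }
+ }
+
+ // print grup name, 8 chars maximum
+ len = strlen(groupname);
+ if (len > 8) {
+ groupname[8] = '\0';
+ len = 8;
+ }
+ printf("%s ", groupname);
+ for (i = len; i < 8; i++)
+ printf(" ");
+ if (allocated)
+ free(groupname);
+
+ char *sz;
+ if (asprintf(&sz, "%d", (int) s.st_size) == -1)
+ errExit("asprintf");
+ printf("%11.10s %s\n", sz, fname);
+ free(sz);
+
+}
+
+static void print_directory(const char *path) {
+ assert(path);
+ struct stat s;
+ if (stat(path, &s) == -1)
+ return;
+ assert(S_ISDIR(s.st_mode));
+
+ DIR *dir;
+ if (!(dir = opendir(path))) {
+ // sleep 2 seconds and try again
+ sleep(2);
+ if (!(dir = opendir(path))) {
+ fprintf(stderr, "Error: cannot open directory %s\n", path);
+ exit(1);
+ }
+ }
+
+ struct dirent *entry;
+ while ((entry = readdir(dir))) {
+ if (strcmp(entry->d_name, ".") == 0)
+ continue;
+ if (strcmp(entry->d_name, "..") == 0)
+ continue;
+
+ print_file_or_dir(path, entry->d_name, 0);
+ }
+
+ closedir(dir);
+}
+
+void ls_name(const char *name, const char *path) {
+ EUID_ASSERT();
+
+ if (!name || strlen(name) == 0) {
+ fprintf(stderr, "Error: invalid sandbox name\n");
+ exit(1);
+ }
+ pid_t pid;
+ if (name2pid(name, &pid)) {
+ fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+ exit(1);
+ }
+
+ ls(pid, path);
+}
+
+void ls(pid_t pid, const char *path) {
+ EUID_ASSERT();
+
+ // if the pid is that of a firejail process, use the pid of the first child process
+ char *comm = pid_proc_comm(pid);
+ if (comm) {
+ if (strcmp(comm, "firejail") == 0) {
+ pid_t child;
+ if (find_child(pid, &child) == 0) {
+ pid = child;
+ }
+ }
+ free(comm);
+ }
+
+ // check privileges for non-root users
+ uid_t uid = getuid();
+ if (uid != 0) {
+ uid_t sandbox_uid = pid_get_uid(pid);
+ if (uid != sandbox_uid) {
+ fprintf(stderr, "Error: permission denied.\n");
+ exit(1);
+ }
+ }
+
+ EUID_ROOT();
+ // chroot
+ char *rootdir;
+ if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
+ errExit("asprintf");
+ if (chroot(rootdir) < 0)
+ errExit("chroot");
+ if (chdir("/") < 0)
+ errExit("chdir");
+
+ // full path or file in current directory?
+ char *fname;
+ if (*path == '/') {
+ fname = strdup(path);
+ if (!fname)
+ errExit("strdup");
+ }
+ else if (*path == '~') {
+ if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
+ errExit("asprintf");
+ }
+ else {
+ fprintf(stderr, "Error: Cannot access file %s\n", path);
+ exit(1);
+ }
+
+ // list directory contents
+ struct stat s;
+ if (stat(fname, &s) == -1) {
+ fprintf(stderr, "Error: Cannot access file %s\n", fname);
+ exit(1);
+ }
+ if (S_ISDIR(s.st_mode)) {
+ char *rp = realpath(fname, NULL);
+ if (!rp) {
+ fprintf(stderr, "Error: Cannot access file %s\n", fname);
+ exit(1);
+ }
+ if (arg_debug)
+ printf("realpath %s\n", rp);
+
+ char *dir;
+ if (asprintf(&dir, "%s/", rp) == -1)
+ errExit("asprintf");
+
+ print_directory(dir);
+ free(rp);
+ free(dir);
+ }
+ else {
+ char *rp = realpath(fname, NULL);
+ if (!rp) {
+ fprintf(stderr, "Error: Cannot access file %s\n", fname);
+ exit(1);
+ }
+ if (arg_debug)
+ printf("realpath %s\n", rp);
+ char *split = strrchr(rp, '/');
+ if (split) {
+ *split = '\0';
+ char *rp2 = split + 1;
+ if (arg_debug)
+ printf("path %s, file %s\n", rp, rp2);
+ print_file_or_dir(rp, rp2, 1);
+ }
+ free(rp);
+ }
+
+ free(fname);
+
+ exit(0);
+}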
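Review bot: The group-name branch of print_file_or_dir (new-file line 129) tests the owner, `if (s.st_uid == 0)`, where the group id is meant, so any root-owned file with a non-root group is printed with group `root`; it should read `if (s.st_gid == 0)`. The `name` string that asprintf builds at the top of the same function is never released, neither on the early `return` after the failed lstat nor at the end, so every entry of a listing leaks one allocation; a `free(name);` before the return and before the closing brace fixes it. In ls(), EUID_ROOT() is raised before the chroot and never lowered, so the stat/opendir/realpath calls that follow walk the sandbox's filesystem with root privileges rather than the caller's; since the only access check is that the caller's uid equals the sandbox uid, a regular user can list root-only directories (mode 0700, for example) that are visible inside their own sandbox, and I would switch back to the caller's uid (EUID_USER() in this codebase) right after `chdir("/")` so that ordinary DAC permissions govern the walk. Smaller points: `c_gid`, `g_uid_name` and `is_broken_link` are assigned but never read, the strdup failures report `errExit("asprintf")`, and `(int) s.st_size` truncates sizes above INT_MAX.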
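--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -426,15 +426,38 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  exit(0);
  }
 #endif
+ else if (strncmp(argv[i], "--ls=", 5) == 0) {
+ logargs(argc, argv);
+
+ // verify path
+ if ((i + 2) != argc) {
+ fprintf(stderr, "Error: invalid --ls option, path expected\n");
+ exit(1);
+ }
+ char *path = argv[i + 1];
+ invalid_filename(path);
+ if (strstr(path, "..")) {
+ fprintf(stderr, "Error: invalid file name %s\n", path);
+ exit(1);
+ }
+
+ // list directory contents
+ pid_t pid;
+ if (read_pid(argv[i] + 5, &pid) == 0)
+ ls(pid, path);
+ else
+ ls_name(argv[i] + 5, path);
+ exit(0);
+ }
  else if (strncmp(argv[i], "--join=", 7) == 0) {
  logargs(argc, argv);
 
  // join sandbox by pid or by name
  pid_t pid;
  if (read_pid(argv[i] + 7, &pid) == 0)
- join(pid, cfg.homedir, argc, argv, i + 1);
+ join(pid, argc, argv, i + 1);
  else
- join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);
+ join_name(argv[i] + 7, argc, argv, i + 1);
  exit(0);
  }
 #ifdef HAVE_NETWORK
@@ -449,9 +472,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  // join sandbox by pid or by name
  pid_t pid;
  if (read_pid(argv[i] + 15, &pid) == 0)
- join(pid, cfg.homedir, argc, argv, i + 1);
+ join(pid, argc, argv, i + 1);
  else
- join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);
+ join_name(argv[i] + 15, argc, argv, i + 1);
  exit(0);
  }
 #endif
@@ -466,9 +489,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  // join sandbox by pid or by name
  pid_t pid;
  if (read_pid(argv[i] + 18, &pid) == 0)
- join(pid, cfg.homedir, argc, argv, i + 1);
+ join(pid, argc, argv, i + 1);
  else
- join_name(argv[i] + 18, cfg.homedir, argc, argv, i + 1);
+ join_name(argv[i] + 18, argc, argv, i + 1);
  exit(0);
  }
  else if (strncmp(argv[i], "--shutdown=", 11) == 0) {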
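Review bot: The `strstr(path, "..")` test at new line 439 of the first hunk rejects every name that merely contains two consecutive dots (`notes..txt`, `a..b/`), not only a parent-directory component, and the resulting message `Error: invalid file name` gives the user no hint why; a component-wise test (`strncmp(path, "../", 3) == 0 || strstr(path, "/../") || ...` including a trailing `/..`) would keep the intent without the false positives. The traversal this guards against is, as far as these lines show, already contained by the chroot into `/proc/<pid>/root` performed in ls(), so the check looks like defence in depth rather than the only barrier; a one-line comment saying so, `// defence in depth: ls() also chroots into the sandbox root`, would stop a later maintainer from removing either one. The --ls branch also relies on ls()/ls_name() never returning before the final `exit(0)`, which is worth stating in the header comment for those functions. The other two hunks only drop the homedir argument after the join() signature change, and run_cmd_and_exit continues outside the hunks.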
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b538f136b..58f9d2cf7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -33,267 +33,219 @@ void usage(void) {
33 printf("default in the sandbox.\n\n"); 33 printf("default in the sandbox.\n\n");
34 printf("\n"); 34 printf("\n");
35 printf("Options:\n\n"); 35 printf("Options:\n\n");
36 printf("\t-- - signal the end of options and disables further option processing.\n\n"); 36 printf(" -- - signal the end of options and disables further option processing.\n\n");
37#ifdef HAVE_NETWORK 37#ifdef HAVE_NETWORK
38 printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n"); 38 printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n");
39 printf("\t\tby name, see Traffic Shaping section for more details.\n\n"); 39 printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
40 printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n");
41 printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
42#endif 40#endif
43#ifdef HAVE_BIND 41#ifdef HAVE_BIND
44 printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); 42 printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
45 printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n"); 43 printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n\n");
46#endif 44#endif
47 printf("\t--blacklist=dirname_or_filename - blacklist directory or file.\n\n"); 45 printf(" --blacklist=dirname_or_filename - blacklist directory or file.\n\n");
48 printf("\t-c - execute command and exit.\n\n"); 46 printf(" -c - execute command and exit.\n\n");
49 printf("\t--caps - enable default Linux capabilities filter. The filter disables\n"); 47 printf(" --caps - enable default Linux capabilities filter.\n\n");
50 printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n"); 48 printf(" --caps.drop=all - drop all capabilities.\n\n");
51#ifdef CAP_SYSLOG 49 printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n\n");
52 printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); 50 printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n\n");
53#else 51 printf(" --caps.print=name|pid - print the caps filter for the sandbox identified\n");
54 printf("\t\tCAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); 52 printf("\tby name or PID.\n\n");
55#endif 53 printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n");
56 printf("\t--caps.drop=all - drop all capabilities.\n\n"); 54 printf("\ttasks-file is the full path of cgroup tasks file.\n\n");
57 printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n");
58 printf("\t\tcapabilities filter.\n\n");
59 printf("\t--caps.keep=capability,capability,capability - whitelist Linux\n");
60 printf("\t\tcapabilities filter.\n\n");
61 printf("\t--caps.print=name - print the caps filter for the sandbox identified\n");
62 printf("\t\tby name.\n\n");
63 printf("\t--caps.print=pid - print the caps filter for the sandbox identified\n");
64 printf("\t\tby PID.\n\n");
65 printf("\t--cgroup=tasks-file - place the sandbox in the specified control group.\n");
66 printf("\t\ttasks-file is the full path of cgroup tasks file.\n");
67 printf("\t\tExample: --cgroup=/sys/fs/cgroup/g1/tasks\n\n");
68#ifdef HAVE_CHROOT 55#ifdef HAVE_CHROOT
69 printf("\t--chroot=dirname - chroot into dirname directory.\n\n"); 56 printf(" --chroot=dirname - chroot into directory.\n\n");
70#endif 57#endif
71 printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n"); 58 printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
72 printf("\t\tExample: cpu=0,1,2\n\n"); 59 printf(" --csh - use /bin/csh as default shell.\n\n");
73 printf("\t--csh - use /bin/csh as default shell.\n\n"); 60
74 61 printf(" --debug - print sandbox debug messages.\n\n");
75 printf("\t--debug - print sandbox debug messages.\n\n"); 62 printf(" --debug-blacklists - debug blacklisting.\n\n");
76 printf("\t--debug-blacklists - debug blacklisting.\n\n"); 63 printf(" --debug-caps - print all recognized capabilities in the current Firejail\n");
77 printf("\t--debug-caps - print all recognized capabilities in the current\n"); 64 printf("\tsoftware build.\n\n");
78 printf("\t\tFirejail software build and exit.\n\n"); 65 printf(" --debug-check-filename - debug filename checking.\n\n");
79 printf("\t--debug-check-filename - debug filename checking.\n\n"); 66 printf(" --debug-errnos - print all recognized error numbers in the current Firejail\n");
80 printf("\t--debug-errnos - print all recognized error numbers in the current\n"); 67 printf("\tsoftware build.\n\n");
81 printf("\t\tFirejail software build and exit.\n\n"); 68 printf(" --debug-protocols - print all recognized protocols in the current Firejail\n");
82 printf("\t--debug-protocols - print all recognized protocols in the current\n"); 69 printf("\tsoftware build.\n\n");
83 printf("\t\tFirejail software build and exit.\n\n"); 70 printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");
84 printf("\t--debug-syscalls - print all recognized system calls in the current\n"); 71 printf("\tsoftware build.\n\n");
85 printf("\t\tFirejail software build and exit.\n\n"); 72 printf(" --debug-whitelists - debug whitelisting.\n\n");
86 printf("\t--debug-whitelists - debug whitelisting.\n\n");
87 73
88 74
89 75
90#ifdef HAVE_NETWORK 76#ifdef HAVE_NETWORK
91 printf("\t--defaultgw=address - use this address as default gateway in the new\n"); 77 printf(" --defaultgw=address - use this address as default gateway in the new network\n");
92 printf("\t\tnetwork namespace.\n\n"); 78 printf("\tnamespace.\n\n");
93#endif 79#endif
94 printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); 80 printf(" --dns=address - set a DNS server for the sandbox. Up to three DNS servers\n");
95 printf("\t\tservers can be defined.\n\n"); 81 printf("\tcan be defined.\n\n");
96 printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n"); 82 printf(" --dns.print=name|pid - print DNS configuration for the sandbox identified\n");
97 printf("\t\tby name.\n\n"); 83 printf("\tby name or PID.\n\n");
98 printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
99 printf("\t\tby PID.\n\n");
100 84
101 printf("\t--env=name=value - set environment variable in the new sandbox\n\n"); 85 printf(" --env=name=value - set environment variable in the new sandbox.\n\n");
102 printf("\t--fs.print=name - print the filesystem log for the sandbox identified\n"); 86 printf(" --fs.print=name|pid - print the filesystem log for the sandbox identified\n");
103 printf("\t\tby name.\n\n"); 87 printf("\tby name or PID.\n\n");
104 printf("\t--fs.print=pid - print the filesystem log for the sandbox identified\n");
105 printf("\t\tby PID.\n\n");
106 88
107 printf("\t--help, -? - this help screen.\n\n"); 89 printf(" --help, -? - this help screen.\n\n");
108 printf("\t--hostname=name - set sandbox hostname.\n\n"); 90 printf(" --hostname=name - set sandbox hostname.\n\n");
109 printf("\t--ignore=command - ignore command in profile files.\n\n"); 91 printf(" --ignore=command - ignore command in profile files.\n\n");
110#ifdef HAVE_NETWORK 92#ifdef HAVE_NETWORK
111 printf("\t--interface=name - move interface in a new network namespace. Up to\n"); 93 printf(" --interface=name - move interface in a new network namespace. Up to four\n");
112 printf("\t\tfour --interface options can be specified.\n\n"); 94 printf("\t--interface options can be specified.\n\n");
113 printf("\t--ip=address - set interface IP address.\n\n"); 95 printf(" --ip=address - set interface IP address.\n\n");
114 printf("\t--ip=none - no IP address and no default gateway address are configured\n"); 96 printf(" --ip=none - no IP address and no default gateway address are configured\n");
115 printf("\t\tin the new network namespace. Use this option in case you intend\n"); 97 printf("\tin the new network namespace. Use this option in case you intend to\n");
116 printf("\t\tto start an external DHCP client in the sandbox.\n\n"); 98 printf("\tstart an external DHCP client in the sandbox.\n\n");
117 printf("\t--ip6=address - set interface IPv6 address.\n\n"); 99 printf(" --ip6=address - set interface IPv6 address.\n\n");
118 printf("\t--iprange=address,address - configure an IP address in this range\n\n"); 100 printf(" --iprange=address,address - configure an IP address in this range.\n\n");
119#endif 101#endif
120 printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n"); 102 printf(" --ipc-namespace - enable a new IPC namespace if the sandbox was started as\n");
121 printf("\t\tas a regular user. IPC namespace is enabled by default only if\n"); 103 printf("\tregular user. IPC namespace is enabled by default only if the sandbox\n");
122 printf("\t\tthe sandbox is started as root.\n\n"); 104 printf("\tis started as root.\n\n");
123 printf("\t--join=name - join the sandbox identified by name.\n\n"); 105 printf(" --join=name|pid - join the sandbox identified by name or PID.\n\n");
124 printf("\t--join=pid - join the sandbox identified by PID.\n\n"); 106 printf(" --join-filesystem=name|pid - join the mount namespace of the sandbox\n");
125 printf("\t--join-filesystem=name - join the mount namespace of the sandbox\n"); 107 printf("\tidentified by name or PID.\n\n");
126 printf("\t\tidentified by name.\n\n");
127 printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
128 printf("\t\tidentified by PID.\n\n");
129#ifdef HAVE_NETWORK 108#ifdef HAVE_NETWORK
130 printf("\t--join-network=name - join the network namespace of the sandbox\n"); 109 printf(" --join-network=name|pid - join the network namespace of the sandbox\n");
131 printf("\t\tidentified by name.\n\n"); 110 printf("\tidentified by name or PID.\n\n");
132 printf("\t--join-network=pid - join the network namespace of the sandbox\n");
133 printf("\t\tidentified by PID.\n\n");
134#endif 111#endif
135 printf("\t--list - list all sandboxes.\n\n"); 112 printf(" --list - list all sandboxes.\n\n");
136#ifdef HAVE_NETWORK 113#ifdef HAVE_NETWORK
137 printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); 114 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
138 printf("\t--mtu=number - set interface MTU.\n\n"); 115 printf(" --mtu=number - set interface MTU.\n\n");
139#endif 116#endif
140 printf("\t--name=name - set sandbox name.\n\n"); 117 printf(" --name=name - set sandbox name.\n\n");
141#ifdef HAVE_NETWORK 118#ifdef HAVE_NETWORK
142 printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n"); 119 printf(" --net=bridgename - enable network namespaces and connect to this bridge\n");
143 printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n"); 120 printf("\tdevice. Up to four --net devices can be defined.\n\n");
144 printf("\t\tIP address and a default gateway will be assigned automatically\n"); 121
145 printf("\t\tto the sandbox. The IP address is checked using ARP before\n"); 122 printf(" --net=ethernet_interface - enable network namespaces and connect to this\n");
146 printf("\t\tassignment. The IP address assigned as default gateway is the\n"); 123 printf("\tEthernet interface using the standard Linux macvlan driver. Up to four\n");
147 printf("\t\tbridge device IP address. Up to four --net devices can\n"); 124 printf("\t--net devices can be defined.\n\n");
148 printf("\t\tbe defined. Mixing bridge and macvlan devices is allowed.\n\n"); 125
149 printf("\t--net=ethernet_interface - enable network namespaces and connect\n"); 126 printf(" --net=none - enable a new, unconnected network namespace.\n\n");
150 printf("\t\tto this ethernet_interface using the standard Linux macvlan\n");
151 printf("\t\tdriver. Unless specified with option --ip and --defaultgw, an\n");
152 printf("\t\tIP address and a default gateway will be assigned automatically\n");
153 printf("\t\tto the sandbox. The IP address is checked using ARP before\n");
154 printf("\t\tassignment. The IP address assigned as default gateway is the\n");
155 printf("\t\tdefault gateway of the host. Up to four --net devices can\n");
156 printf("\t\tbe defined. Mixing bridge and macvlan devices is allowed.\n\n");
157 printf("\t--net=none - enable a new, unconnected network namespace.\n\n");
158 127
159 printf("\t--netfilter - enable the default client network filter in the new\n"); 128 printf(" --netfilter - enable the default client network filter in the new\n");
160 printf("\t\tnetwork namespace:\n\n"); 129 printf("\tnetwork namespace.\n\n");
161 printf("\t\t*filter\n"); 130 printf(" --netfilter=filename - enable the network filter specified by\n");
162 printf("\t\t:INPUT DROP [0:0]\n"); 131 printf("\tfilename in the new network namespace. The filter file format\n");
163 printf("\t\t:FORWARD DROP [0:0]\n"); 132 printf("\tis the format of iptables-save and iptable-restore commands.\n\n");
164 printf("\t\t:OUTPUT ACCEPT [0:0]\n"); 133 printf(" --netfilter6=filename - enable the IPv6 network filter specified by\n");
165 printf("\t\t-A INPUT -i lo -j ACCEPT\n"); 134 printf("\tfilename in the new network namespace. The filter file format\n");
166 printf("\t\t-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); 135 printf("\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
167 printf("\t\t-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n");
168 printf("\t\t-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n");
169 printf("\t\t-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n");
170 printf("\t\tCOMMIT\n\n");
171 printf("\t--netfilter=filename - enable the network filter specified by\n");
172 printf("\t\tfilename in the new network namespace. The filter file format\n");
173 printf("\t\tis the format of iptables-save and iptable-restore commands.\n\n");
174 printf("\t--netfilter6=filename - enable the IPv6 network filter specified by\n");
175 printf("\t\tfilename in the new network namespace. The filter file format\n");
176 printf("\t\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
177 136
178 printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); 137 printf(" --netstats - monitor network statistics for sandboxes creating a new\n");
179 printf("\t\tnetwork namespace.\n\n"); 138 printf("\tnetwork namespace.\n\n");
180#endif 139#endif
181 printf("\t--nice=value - set nice value\n\n"); 140 printf(" --nice=value - set nice value\n\n");
182 printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n"); 141 printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
183 printf("\t\tor file.\n\n"); 142 printf("\tfile.\n\n");
184 printf("\t--nogroups - disable supplementary groups. Without this option,\n"); 143 printf(" --nogroups - disable supplementary groups. Without this option,\n");
185 printf("\t\tsupplementary groups are enabled for the user starting the\n"); 144 printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
186 printf("\t\tsandbox. For root user supplementary groups are always\n"); 145 printf("\t For root, groups are always disabled.\n\n");
187 printf("\t\tdisabled.\n\n");
188 146
189 printf("\t--noprofile - do not use a profile. Profile priority is use the one\n"); 147 printf(" --noprofile - do not use a profile. Profile priority is use the one\n");
190 printf("\t\tspecified on the command line, next try to find one that\n"); 148 printf("\tspecified on the command line, next try to find one that\n");
191 printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); 149 printf("\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
192 printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); 150 printf("\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
193 printf("\t\troot.\n\n"); 151 printf("\troot.\n\n");
194#ifdef HAVE_USERNS 152#ifdef HAVE_USERNS
195 printf("\t--noroot - install a user namespace with a single user - the current\n"); 153 printf(" --noroot - install a user namespace with a single user - the current\n");
196 printf("\t\tuser. root user does not exist in the new namespace. This option\n"); 154 printf("\tuser. root user does not exist in the new namespace. This option\n");
197 printf("\t\tis not supported for --chroot and --overlay configurations.\n\n"); 155 printf("\tis not supported for --chroot and --overlay configurations.\n\n");
198#endif 156#endif
199 printf("\t--nosound - disable sound system\n\n"); 157 printf(" --nosound - disable sound system.\n\n");
200 158
201 printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n"); 159 printf(" --output=logfile - stdout logging and log rotation. Copy stdout to\n");
202 printf("\t\tlogfile, and keep the size of the file under 500KB using log\n"); 160 printf("\tlogfile, and keep the size of the file under 500KB using log\n");
203 printf("\t\trotation. Five files with prefixes .1 to .5 are used in\n"); 161 printf("\trotation. Five files with prefixes .1 to .5 are used in\n");
204 printf("\t\trotation.\n\n"); 162 printf("\trotation.\n\n");
205 163
206 printf("\t--overlay - mount a filesystem overlay on top of the current filesystem.\n"); 164 printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n");
207 printf("\t\tThe upper filesystem layer is persistent, and stored in\n"); 165 printf("\tThe upper filesystem layer is persistent, and stored in\n");
208 printf("\t\t$HOME/.firejail directory. (OverlayFS support is required in\n"); 166 printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n");
209 printf("\t\tLinux kernel for this option to work). \n\n"); 167 printf("\tLinux kernel for this option to work). \n\n");
210 168
211 printf("\t--overlay-tmpfs - mount a filesystem overlay on top of the current\n"); 169 printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n");
212 printf("\t\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); 170 printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
213 printf("\t\tand it is discarded when the sandbox is closed. (OverlayFS\n"); 171 printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n");
214 printf("\t\tsupport is required in Linux kernel for this option to work).\n\n"); 172 printf("\tsupport is required in Linux kernel for this option to work).\n\n");
215 173
216 printf("\t--private - mount new /root and /home/user directories in temporary\n"); 174 printf(" --private - mount new /root and /home/user directories in temporary\n");
217 printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n"); 175 printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
218 printf("\t\tclosed.\n\n"); 176 printf("\tclosed.\n\n");
219 printf("\t--private=directory - use directory as user home.\n\n"); 177 printf(" --private=directory - use directory as user home.\n\n");
220 178
221 printf("\t--private-bin=file,file - build a new /bin in a temporary filesystem,\n"); 179 printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
222 printf("\t\tand copy the programs in the list. The same directory is\n"); 180 printf("\tand copy the programs in the list. The same directory is\n");
223 printf("\t\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n"); 181 printf("\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n");
224 182
225 printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); 183 printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
226 printf("\t\tty, pst, ptms, random, urandom, log and shm devices are\n"); 184 printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n");
227 printf("\t\tavailable.\n\n");
228 185
229 printf("\t--private-etc=file,directory - build a new /etc in a temporary\n"); 186 printf(" --private-etc=file,directory - build a new /etc in a temporary\n");
230 printf("\t\tfilesystem, and copy the files and directories in the list.\n"); 187 printf("\tfilesystem, and copy the files and directories in the list.\n");
231 printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); 188 printf("\tAll modifications are discarded when the sandbox is closed.\n\n");
232 189
233 printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n"); 190 printf(" --private-tmp - mount a tmpfs on top of /tmp directory\n\n");
234 191
235 printf("\t--profile=filename - use a custom profile.\n\n"); 192 printf(" --profile=filename - use a custom profile.\n\n");
236 printf("\t--profile-path=directory - use this directory to look for profile files.\n\n"); 193 printf(" --profile-path=directory - use this directory to look for profile files.\n\n");
237 194
238 printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); 195 printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n");
239 printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); 196 printf("\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");
240 printf("\t--protocol.print=name - print the protocol filter for the sandbox\n"); 197 printf(" --protocol.print=name|pid - print the protocol filter for the sandbox\n");
241 printf("\t\tidentified by name.\n\n"); 198 printf("\tidentified by name or PID.\n\n");
242 printf("\t--protocol.print=pid - print the protocol filter for the sandbox\n");
243 printf("\t\tidentified by PID.\n\n");
244 199
245 printf("\t--quiet - turn off Firejail's output.\n\n"); 200 printf(" --quiet - turn off Firejail's output.\n\n");
246 printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); 201 printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");
247 printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); 202 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
248 printf("\t\tby a process.\n\n"); 203 printf("\tby a process.\n\n");
249 printf("\t--rlimit-nofile=number - set the maximum number of files that can be\n"); 204 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
250 printf("\t\topened by a process.\n\n"); 205 printf("\topened by a process.\n\n");
251 printf("\t--rlimit-nproc=number - set the maximum number of processes that can be\n"); 206 printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n");
252 printf("\t\tcreated for the real user ID of the calling process.\n\n"); 207 printf("\tcreated for the real user ID of the calling process.\n\n");
253 printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n"); 208 printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
254 printf("\t\tfor a process.\n\n"); 209 printf("\tfor a process.\n\n");
255#ifdef HAVE_NETWORK 210#ifdef HAVE_NETWORK
256 printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n"); 211 printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
257 printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n"); 212 printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
258 printf("\t\trunning on the current host.\n\n"); 213 printf("\trunning on the current host.\n\n");
259#endif 214#endif
260#ifdef HAVE_SECCOMP 215#ifdef HAVE_SECCOMP
261 printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n"); 216 printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n\n");
262 217
263 printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); 218 printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
264 printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); 219 printf("\tdefault syscall list and the syscalls specified by the command.\n\n");
265 220
266 printf("\t--seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); 221 printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
267 printf("\t\tblacklist the syscalls specified by the command.\n\n"); 222 printf("\tblacklist the syscalls specified by the command.\n\n");
268 223
269 printf("\t--seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); 224 printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
270 printf("\t\twhitelist the syscalls specified by the command.\n\n"); 225 printf("\twhitelist the syscalls specified by the command.\n\n");
271 226
272 printf("\t--seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n"); 227 printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
273 printf("\t\treturn errno for the syscalls specified by the command.\n\n"); 228 printf("\treturn errno for the syscalls specified by the command.\n\n");
274 229
275 printf("\t--seccomp.print=name - print the seccomp filter for the sandbox\n"); 230 printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
276 printf("\t\tidentified by name.\n\n"); 231 printf("\tidentified by name or PID.\n\n");
277 printf("\t--seccomp.print=pid - print the seccomp filter for the sandbox\n");
278 printf("\t\tidentified by PID.\n\n");
279#endif 232#endif
280 233
281 printf("\t--shell=none - run the program directly without a user shell.\n\n"); 234 printf(" --shell=none - run the program directly without a user shell.\n\n");
282 printf("\t--shell=program - set default user shell.\n\n"); 235 printf(" --shell=program - set default user shell.\n\n");
283 printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n"); 236 printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n\n");
284 printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n"); 237 printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
285 printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); 238 printf("\tThis option is available only when running the sandbox as root.\n\n");
286 printf("\t\tThis option is available only when running the sandbox as root.\n\n"); 239 printf(" --top - monitor the most CPU-intensive sandboxes.\n\n");
287 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); 240 printf(" --trace - trace open, access and connect system calls.\n\n");
288 printf("\t--trace - trace open, access and connect system calls.\n\n"); 241 printf(" --tracelog - add a syslog message for every access to files or\n");
289 printf("\t--tracelog - add a syslog message for every access to files or\n"); 242 printf("\tdirectoires blacklisted by the security profile.\n\n");
290 printf("\t\tdirectoires blacklisted by the security profile.\n\n"); 243 printf(" --tree - print a tree of all sandboxed processes.\n\n");
291 printf("\t--tree - print a tree of all sandboxed processes.\n\n"); 244 printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
292 printf("\t--user=new_user - switch the user before starting the sandbox.\n\n"); 245 printf(" --version - print program version and exit.\n\n");
293 printf("\t--version - print program version and exit.\n\n"); 246 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
294 printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); 247 printf(" --x11 - enable x11 server.\n\n");
295 printf("\t--x11 - enable x11 server.\n\n"); 248 printf(" --zsh - use /usr/bin/zsh as default shell.\n\n");
296 printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n");
297 printf("\n"); 249 printf("\n");
298 printf("\n"); 250 printf("\n");
299 251
@@ -309,23 +261,23 @@ void usage(void) {
309 printf("sandboxes configured with new network namespaces.\n\n"); 261 printf("sandboxes configured with new network namespaces.\n\n");
310 262
311 printf("Set rate-limits:\n"); 263 printf("Set rate-limits:\n");
312 printf("\tfirejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n"); 264 printf(" firejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n");
313 printf("Clear rate-limits:\n"); 265 printf("Clear rate-limits:\n");
314 printf("\tfirejail --bandwidth={name|pid} clear network-name\n\n"); 266 printf(" firejail --bandwidth={name|pid} clear network-name\n\n");
315 printf("Status:\n"); 267 printf("Status:\n");
316 printf("\tfirejail --bandwidth={name|pid} status\n\n"); 268 printf(" firejail --bandwidth={name|pid} status\n\n");
317 printf("where:\n"); 269 printf("where:\n");
318 printf("\tname - sandbox name\n"); 270 printf(" name - sandbox name\n");
319 printf("\tpid - sandbox pid\n"); 271 printf(" pid - sandbox pid\n");
320 printf("\tnetwork-name - network name as used by --net option\n"); 272 printf(" network-name - network name as used by --net option\n");
321 printf("\tdown-speed - download speed in KB/s (decimal kilobyte per second)\n"); 273 printf(" down-speed - download speed in KB/s (decimal kilobyte per second)\n");
322 printf("\tup-speed - upload speed in KB/s (decimal kilobyte per second)\n"); 274 printf(" up-speed - upload speed in KB/s (decimal kilobyte per second)\n");
323 printf("\n"); 275 printf("\n");
324 printf("Example:\n"); 276 printf("Example:\n");
325 printf("\t$ firejail --name=mybrowser --net=eth0 firefox &\n"); 277 printf(" $ firejail --name=mybrowser --net=eth0 firefox &\n");
326 printf("\t$ firejail --bandwidth=mybrowser set eth0 80 20\n"); 278 printf(" $ firejail --bandwidth=mybrowser set eth0 80 20\n");
327 printf("\t$ firejail --bandwidth=mybrowser status\n"); 279 printf(" $ firejail --bandwidth=mybrowser status\n");
328 printf("\t$ firejail --bandwidth=mybrowser clear eth0\n"); 280 printf(" $ firejail --bandwidth=mybrowser clear eth0\n");
329 printf("\n"); 281 printf("\n");
330 printf("\n"); 282 printf("\n");
331#endif 283#endif
@@ -335,29 +287,29 @@ void usage(void) {
335 287
336 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n"); 288 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
337 printf("follows:\n\n"); 289 printf("follows:\n\n");
338 printf("\tPID:USER:Command\n\n"); 290 printf(" PID:USER:Command\n\n");
339 291
340 printf("Option --tree prints the tree of processes running in the sandbox. The format\n"); 292 printf("Option --tree prints the tree of processes running in the sandbox. The format\n");
341 printf("for each process entry is as follows:\n\n"); 293 printf("for each process entry is as follows:\n\n");
342 printf("\tPID:USER:Command\n\n"); 294 printf(" PID:USER:Command\n\n");
343 295
344 printf("Option --top is similar to the UNIX top command, however it applies only to\n"); 296 printf("Option --top is similar to the UNIX top command, however it applies only to\n");
345 printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n"); 297 printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n");
346 printf("order:\n\n"); 298 printf("order:\n\n");
347 printf("\tCommand - command used to start the sandbox.\n"); 299 printf(" Command - command used to start the sandbox.\n");
348 printf("\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"); 300 printf(" CPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n");
349 printf("\t last screen update\n"); 301 printf("\tlast screen update\n");
350 printf("\tPID - Unique process ID for the task controlling the sandbox.\n"); 302 printf(" PID - Unique process ID for the task controlling the sandbox.\n");
351 printf("\tPrcs - number of processes running in sandbox, including the controlling\n"); 303 printf(" Prcs - number of processes running in sandbox, including the controlling\n");
352 printf("\t process.\n"); 304 printf("\tprocess.\n");
353 printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); 305 printf(" RES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
354 printf("\t It is a sum of the RES values for all processes running in the\n"); 306 printf("\tIt is a sum of the RES values for all processes running in the\n");
355 printf("\t sandbox.\n"); 307 printf("\tsandbox.\n");
356 printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); 308 printf(" SHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
357 printf("\t processes. It is a sum of the SHR values for all processes running\n"); 309 printf("\tprocesses. It is a sum of the SHR values for all processes running\n");
358 printf("\t in the sandbox, including the controlling process.\n"); 310 printf("\tin the sandbox, including the controlling process.\n");
359 printf("\tUptime - sandbox running time in hours:minutes:seconds format.\n"); 311 printf(" Uptime - sandbox running time in hours:minutes:seconds format.\n");
360 printf("\tUser - The owner of the sandbox.\n"); 312 printf(" User - The owner of the sandbox.\n");
361 printf("\n"); 313 printf("\n");
362 printf("\n"); 314 printf("\n");
363 printf("Profile files\n\n"); 315 printf("Profile files\n\n");
@@ -375,23 +327,23 @@ void usage(void) {
375 printf("/etc/firejail/login.users file.\n\n"); 327 printf("/etc/firejail/login.users file.\n\n");
376 printf("\n"); 328 printf("\n");
377 printf("Examples:\n\n"); 329 printf("Examples:\n\n");
378 printf(" $ firejail\n"); 330 printf(" $ firejail\n");
379 printf(" start a regular /bin/bash session in sandbox\n"); 331 printf("\tstart a regular /bin/bash session in sandbox\n");
380 printf(" $ firejail firefox\n"); 332 printf(" $ firejail firefox\n");
381 printf(" start Mozilla Firefox\n"); 333 printf("\tstart Mozilla Firefox\n");
382 printf(" $ firejail --debug firefox\n"); 334 printf(" $ firejail --debug firefox\n");
383 printf(" debug Firefox sandbox\n"); 335 printf("\tdebug Firefox sandbox\n");
384 printf(" $ firejail --private\n"); 336 printf(" $ firejail --private firefox\n");
385 printf(" start a /bin/bash session with a new tmpfs home directory\n"); 337 printf("\tstart Firefox with a new, empty home directory\n");
386 printf(" $ firejail --net=br0 ip=10.10.20.10\n"); 338 printf(" $ firejail --net=br0 ip=10.10.20.10\n");
387 printf(" start a /bin/bash session in a new network namespace; the session is\n"); 339 printf("\tstart a /bin/bash session in a new network namespace; the session is\n");
388 printf(" connected to the main network using br0 bridge device, an IP address\n"); 340 printf("\tconnected to the main network using br0 bridge device, an IP address\n");
389 printf(" of 10.10.20.10 is assigned to the sandbox\n"); 341 printf("\tof 10.10.20.10 is assigned to the sandbox\n");
390 printf(" $ firejail --net=br0 --net=br1 --net=br2\n"); 342 printf(" $ firejail --net=br0 --net=br1 --net=br2\n");
391 printf(" start a /bin/bash session in a new network namespace and connect it\n"); 343 printf("\tstart a /bin/bash session in a new network namespace and connect it\n");
392 printf(" to br0, br1, and br2 host bridge devices\n"); 344 printf("\tto br0, br1, and br2 host bridge devices\n");
393 printf(" $ firejail --list\n"); 345 printf(" $ firejail --list\n");
394 printf(" list all running sandboxes\n"); 346 printf("\tlist all running sandboxes\n");
395 printf("\n"); 347 printf("\n");
396 printf("License GPL version 2 or later\n"); 348 printf("License GPL version 2 or later\n");
397 printf("Homepage: http://firejail.wordpress.com\n"); 349 printf("Homepage: http://firejail.wordpress.com\n");
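--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -89,7 +89,7 @@ static int pid_is_firejail(pid_t pid) {
 
 	// list of firejail arguments that don't trigger sandbox creation
 	// the initial -- is not included
-	char *firejail_args = "list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols";
+	char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols";
 
 	int i;
 	char *start;
@@ -105,6 +105,11 @@ static int pid_is_firejail(pid_t pid) {
 		if (strncmp(start, "--", 2) != 0)
 			break;
 
+		// clan starting with =
+		char *ptr = strchr(start + 2, '=');
+		if (ptr)
+			*ptr = '\0';
+
 		if (strstr(firejail_args, start + 2)) {
 			rv = 0;
 			break;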
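Review bot: Cutting the option at the first `=` (new lines 108-111) feeds bare option names into a substring test, and `strstr(firejail_args, start + 2)` on line 113 then matches real sandbox-creating options against longer names in the list: `--net=eth0` becomes `net`, which is found inside `netstats`, and `--protocol=unix,inet` becomes `protocol`, found inside `debug-protocols`, so firemon would report those firejail processes as not starting a sandbox (`--debug` matching `debug-syscalls` looks like a pre-existing case of the same problem). The comparison should be made on whole tokens, e.g. a NULL-terminated array of names walked with `strcmp`; the rewrite below keeps the `=` truncation but replaces the `strstr` check. The comment `// clan starting with =` presumably means `// cut the option at the first '=' so only the name is compared`. The in-place `*ptr = '\0'` is fine if `start` points into a private copy of the cmdline, which this hunk does not show; pid_is_firejail starts before and continues past the hunk.
```c
	// list of firejail arguments that don't trigger sandbox creation
	// the initial -- is not included; matched as whole tokens, never as substrings
	static const char *const firejail_args[] = {
		"ls", "list", "tree", "x11", "help", "version", "top", "netstats",
		"debug-syscalls", "debug-errnos", "debug-protocols", NULL
	};
	// … unchanged: cmdline walk up to the "--" prefix check …
		// cut the option at the first '=' so only the name is compared
		char *ptr = strchr(start + 2, '=');
		if (ptr)
			*ptr = '\0';

		int match = 0;
		for (const char *const *a = firejail_args; *a; a++) {
			if (strcmp(*a, start + 2) == 0) {
				match = 1;
				break;
			}
		}
		if (match) {
			rv = 0;
			break;
		}
```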
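--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -136,13 +136,14 @@ char *pid_get_user_name(uid_t uid) {
 
 uid_t pid_get_uid(pid_t pid) {
 	uid_t rv = 0;
 
-	// open statua file
+	// open status file
 	char *file;
 	if (asprintf(&file, "/proc/%u/status", pid) == -1) {
 		perror("asprintf");
 		exit(1);
 	}
+
 	FILE *fp = fopen(file, "r");
 	if (!fp) {
 		free(file);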
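--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments]
 Network traffic shaping for an existing sandbox:
 .PP
 .RS
-firejail \-\-bandwidth={<name>|<PID>} bandwidth-command
+firejail \-\-bandwidth={name|pid} bandwidth-command
 .RE
 .PP
 Monitoring:
@@ -68,20 +68,8 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
-\fB\-\-bandwidth=name
-Set bandwidth limits for the sandbox identified by name, see \fBTRAFFIC SHAPING\fR section for more details.
-.TP
-\fB\-\-bandwidth=pid
-Set bandwidth limits for the sandbox identified by PID, see \fBTRAFFIC SHAPING\fR section for more details.
-.TP
-\fB\-\-bind=dirname1,dirname2
-Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root.
-.br
-
-.br
-Example:
-.br
-# firejail \-\-bind=/config/www,/var/www
+\fB\-\-bandwidth=name|pid
+Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
 \fB\-\-bind=filename1,filename2
 Mount-bind filename1 on top of filename2. This option is only available when running as root.
@@ -104,6 +92,8 @@ $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
 $ firejail \-\-blacklist=~/.mozilla
 .br
 $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
 \fB\-c
 Execute command and exit.
@@ -1699,7 +1689,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
 .SH EXAMPLES
 .TP
 \f\firejail
-Start a regular /bin/bash session in sandbox.
+Sandbox a regular /bin/bash session.
 .TP
 \f\firejail firefox
 Start Mozilla Firefox.
@@ -1707,17 +1697,20 @@ Start Mozilla Firefox.
 \f\firejail \-\-debug firefox
 Debug Firefox sandbox.
 .TP
-\f\firejail \-\-private
-Start a /bin/bash session with a new tmpfs home directory.
+\f\firejail \-\-private firefox
+Start Firefox with a new, empty home directory.
+.TP
+\f\firejail --net=none vlc
+Start VLC in an unconnected network namespace.
 .TP
-\f\firejail \-\-net=br0 ip=10.10.20.10
-Start a /bin/bash session in a new network namespace. The session is
-connected to the main network using br0 bridge device. An IP address
-of 10.10.20.10 is assigned to the sandbox.
+\f\firejail \-\-net=eth0 firefox
+Start Firefox in a new network namespace. An IP address is
+assigned automatically.
 .TP
-\f\firejail \-\-net=br0 \-\-net=br1 \-\-net=br2
+\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
 Start a /bin/bash session in a new network namespace and connect it
-to br0, br1, and br2 host bridge devices.
+to br0, br1, and br2 host bridge devices. IP addresses are assigned
+automatically for the interfaces connected to br1 and b2
 .TP
 \f\firejail \-\-list
 List all sandboxed processes.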