4 files changed, 55 insertions, 64 deletions
diff --git a/RELNOTES b/RELNOTES
index 8d70eac10..b804f2f81 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -14,7 +14,7 @@ firejail (0.9.36-rc1) baseline; urgency=low
  * added /etc/firejail/nolocal.net network filter
  * added /etc/firejail/webserver.net network filter
  * blacklisting firejail configuration by default
-  * alow default gateway configuration for --interface option
+  * allow default gateway configuration for --interface option
  * --debug enhancements: --debug-check-filenames, --debug-blacklists,
    --debug-whitelists
  * filesystem log
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 600b82d3d..e9cb1aa49 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -10,7 +10,7 @@ firejail \-\-profile=filename.profile
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
-1. If a profile file is provided by the user with \-\-profile option, the profile file is loaded.
+\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded.
 Example:
 .PP
 .RS
@@ -21,7 +21,7 @@ Reading profile /home/netblue/icecat.profile
 [...]
 .RE
-2. If a profile file with the same name as the application is present in ~/.config/firejail directory or
+\fB2.\fR If a profile file with the same name as the application is present in ~/.config/firejail directory or
 in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
 .PP
 .RS
@@ -36,7 +36,7 @@ Reading profile /home/netblue/.config/firejail/icecat.profile
 [...]
 .RE
-3. Use a default.profile file if the sandbox
+\fB3.\fR Use a default.profile file if the sandbox
 is started by a regular user, or a server.profile file if the sandbox
 is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory.
 To disable default profile loading, use --noroot command option. Example:
@@ -67,10 +67,10 @@ Child process initialized
 Scripting commands:
 .TP
-# this is a comment
+\fB# this is a comment
 .TP
-\f\include other.profile
+\fBinclude other.profile
 Include other.profile file.
 Example: "include /etc/firejail/disable-common.inc"
@@ -81,13 +81,13 @@ file in user home directory.
 Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 .TP
-\f\ noblacklist file_name
+\fBnoblacklist file_name
 If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
 Example: "noblacklist ${HOME}/.mozilla"
 .TP
-\f\ignore command
+\fBignore command
 Ignore command.
 Example: "ignore seccomp"
@@ -102,7 +102,7 @@ Use \fBprivate\fR to set private mode.
 File globbing is supported, and PATH and HOME directories are searched.
 Examples:
 .TP
-\f\blacklist file_or_directory
+\fBblacklist file_or_directory
 Blacklist directory or file. Examples:
 .br
@@ -116,118 +116,117 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 .TP
-\f\read-only file_or_directory
+\fBread-only file_or_directory
 Make directory or file read-only.
 .TP
-\f\ tmpfs directory
+\fBtmpfs directory
 Mount an empty tmpfs filesystem on top of directory.
 .TP
-\f\bind directory1,directory2
+\fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
 .TP
-\f\bind file1,file2
+\fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
-\f\private
+\fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
 closed.
 .TP
-\f\private-bin file,file
+\fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
-\f\private directory
+\fBprivate directory
 Use directory as user home.
 .TP
-\f\private-home file,directory
+\fBprivate-home file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
 closed.
 .TP
-\f\private-dev
+\fBprivate-dev
 Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
 .TP
-\f\private-etc file,directory
+\fBprivate-etc file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
-\f\whitelist file_or_directory
+\fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
 when the sandbox is closed.
 .TP
-\f\ tracelog
+\fBtracelog
 Blacklist violations logged to syslog.
-.SH Filters
+.SH Security filters
-\fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:
+The following security filters are currently implemented:
 .TP
-caps
+\fBcaps
 Enable default Linux capabilities filter.
 .TP
-caps.drop all
+\fBcaps.drop all
 Blacklist all Linux capabilities.
 .TP
-caps.drop capability,capability,capability
+\fBcaps.drop capability,capability,capability
 Blacklist given Linux capabilities.
 .TP
-caps.keep capability,capability,capability
+\fBcaps.keep capability,capability,capability
 Whitelist given Linux capabilities.
 .TP
-\f\seccomp
+\fBprotocol protocol1,protocol2,protocol3
+Enable protocol filter. The filter is based on seccomp and  checks the
+first argument to socket system call. Recognized values: \fBunix\fR,
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
+.TP
+\fBseccomp
 Enable default seccomp filter.  The default list is as follows:
 mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
 iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
-\f\seccomp syscall,syscall,syscall
+\fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
 .TP
-\f\seccomp.drop syscall,syscall,syscall
+\fBseccomp.drop syscall,syscall,syscall
 Enable seccomp filter and blacklist  the system calls in the list.
 .TP
-\f\seccomp.keep syscall,syscall,syscall
+\fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
-.SH User Namespace
-Use \fBnoroot\fR to enable an user namespace. The namespace has only one user, the current user.
-There is no root account defined in the namespace.
 .TP
-noroot
+\fBnoroot
-Enable an user namespace without root user defined.
+Use this command  to enable an user namespace. The namespace has only one user, the current user.
+There is no root account (uid 0) defined in the namespace.
 .SH Resource limits
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
-The limits can be modified inside the sandbox using the regular \fBulimit\fR command. Examples:
+The limits can be modified inside the sandbox using the regular \fBulimit\fR command. Example:
 .TP
-\f\rlimit-fsize 1024
+\fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.
 .TP
-\f\rlimit-nproc 1000
+\fBrlimit-nproc 1000
 Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.
 .TP
-\f\rlimit-nofile 500
+\fBrlimit-nofile 500
 Set the maximum number of files that can be opened by a process to 500.
 .TP
-\f\rlimit-sigpending 200
+\fBrlimit-sigpending 200
 Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
 .SH CPU Affinity
-Set the CPU cores available for this sandbox. Examples:
+Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples:
 .TP
 cpu 1,2,3
 Use only CPU cores 0, 1 and 2.
 .SH Control Groups
-Place the sandbox in an existing control group specified by the full path of the task file. Example:
+Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example:
 .TP
 cgroup /sys/fs/cgroup/g1/tasks
@@ -236,7 +235,7 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 .TP
-env name=value
+\fBenv name=value
 Set environment variable. Examples:
 .br
@@ -246,36 +245,36 @@ env LD_LIBRARY_PATH=/opt/test/lib
 env CFLAGS="-W -Wall -Werror"
 .TP
-nogroups
+\fBnogroups
 Disable supplementary user groups
 .TP
-shell none
+\fBshell none
 Run the program directly, without a shell.
 .SH Networking
 Networking features available in profile files.
 .TP
-netfilter
+\fBnetfilter
 If a new network namespace is created, enabled default network filter.
 .TP
-netfilter filename
+\fBnetfilter filename
 If a new network namespace is created, enabled the network filter in filename.
 .TP
-net none
+\fBnet none
 Enable  a new, unconnected network namespace. The only interface
 available in the new namespace is a new loopback interface (lo).
 Use  this  option  to deny network access to programs that don't
 really need network access.
 .TP
-dns address
+\fBdns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 .TP
-hostname name
+\fBhostname name
 Set a hostname for the sandbox.
 .SH RELOCATING PROFILES
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 57b169e89..cd36bead6 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -973,7 +973,7 @@ $ firejail \-\-profile-path=/home/netblue/myprofiles
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
-Enable protocol filter. The filter is based on seccomp and the first argument to socket system call.
+Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
 Recognized values: unix, inet, inet6, netlink and packet.
 .br
diff --git a/todo b/todo
index e87280f5e..cfc75787f 100644
--- a/todo
+++ b/todo
@@ -114,11 +114,3 @@ rework the calls to invalid_filename(), depending if globing is allowed or not,
 The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, <period>, <underscore>, and <hyphen>
 http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276
-22. Fix manpage:
-W: firejail: manpage-has-errors-from-man usr/share/man/man5/firejail-profile.5.gz 84: `\ ' is not allowed in an escape name
-if building a 32bit package, rename the deb file manually
-23. transmission-gtk when using tracelog:
-Dec 12 07:32:36 debian kernel: [ 1564.772297] transmission-gt[3680]: segfault at 0 ip 00007f44ba515348 
-sp 00007ffee7154288 error 4 in libc-2.13.so[7f44ba400000+

diff --git a/RELNOTES b/RELNOTES index 8d70eac10..b804f2f81 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -14,7 +14,7 @@ firejail (0.9.36-rc1) baseline; urgency=low
14	* added /etc/firejail/nolocal.net network filter	14	* added /etc/firejail/nolocal.net network filter
15	* added /etc/firejail/webserver.net network filter	15	* added /etc/firejail/webserver.net network filter
16	* blacklisting firejail configuration by default	16	* blacklisting firejail configuration by default
17	* alow default gateway configuration for --interface option	17	* allow default gateway configuration for --interface option
18	* --debug enhancements: --debug-check-filenames, --debug-blacklists,	18	* --debug enhancements: --debug-check-filenames, --debug-blacklists,
19	--debug-whitelists	19	--debug-whitelists
20	* filesystem log	20	* filesystem log


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 600b82d3d..e9cb1aa49 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -10,7 +10,7 @@ firejail \-\-profile=filename.profile
10	Several command line options can be passed to the program using	10	Several command line options can be passed to the program using
11	profile files. Firejail chooses the profile file as follows:	11	profile files. Firejail chooses the profile file as follows:
12		12
13	1. If a profile file is provided by the user with \-\-profile option, the profile file is loaded.	13	\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded.
14	Example:	14	Example:
15	.PP	15	.PP
16	.RS	16	.RS
@@ -21,7 +21,7 @@ Reading profile /home/netblue/icecat.profile
21	[...]	21	[...]
22	.RE	22	.RE
23		23
24	2. If a profile file with the same name as the application is present in ~/.config/firejail directory or	24	\fB2.\fR If a profile file with the same name as the application is present in ~/.config/firejail directory or
25	in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:	25	in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
26	.PP	26	.PP
27	.RS	27	.RS
@@ -36,7 +36,7 @@ Reading profile /home/netblue/.config/firejail/icecat.profile
36	[...]	36	[...]
37	.RE	37	.RE
38		38
39	3. Use a default.profile file if the sandbox	39	\fB3.\fR Use a default.profile file if the sandbox
40	is started by a regular user, or a server.profile file if the sandbox	40	is started by a regular user, or a server.profile file if the sandbox
41	is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory.	41	is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory.
42	To disable default profile loading, use --noroot command option. Example:	42	To disable default profile loading, use --noroot command option. Example:
@@ -67,10 +67,10 @@ Child process initialized
67	Scripting commands:	67	Scripting commands:
68		68
69	.TP	69	.TP
70	# this is a comment	70	\fB# this is a comment
71		71
72	.TP	72	.TP
73	\f\include other.profile	73	\fBinclude other.profile
74	Include other.profile file.	74	Include other.profile file.
75		75
76	Example: "include /etc/firejail/disable-common.inc"	76	Example: "include /etc/firejail/disable-common.inc"
@@ -81,13 +81,13 @@ file in user home directory.
81	Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.	81	Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
82		82
83	.TP	83	.TP
84	\f\ noblacklist file_name	84	\fBnoblacklist file_name
85	If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.	85	If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
86		86
87	Example: "noblacklist ${HOME}/.mozilla"	87	Example: "noblacklist ${HOME}/.mozilla"
88		88
89	.TP	89	.TP
90	\f\ignore command	90	\fBignore command
91	Ignore command.	91	Ignore command.
92		92
93	Example: "ignore seccomp"	93	Example: "ignore seccomp"
@@ -102,7 +102,7 @@ Use \fBprivate\fR to set private mode.
102	File globbing is supported, and PATH and HOME directories are searched.	102	File globbing is supported, and PATH and HOME directories are searched.
103	Examples:	103	Examples:
104	.TP	104	.TP
105	\f\blacklist file_or_directory	105	\fBblacklist file_or_directory
106	Blacklist directory or file. Examples:	106	Blacklist directory or file. Examples:
107	.br	107	.br
108		108
@@ -116,118 +116,117 @@ blacklist ${PATH}/ifconfig
116	blacklist ${HOME}/.ssh	116	blacklist ${HOME}/.ssh
117		117
118	.TP	118	.TP
119	\f\read-only file_or_directory	119	\fBread-only file_or_directory
120	Make directory or file read-only.	120	Make directory or file read-only.
121	.TP	121	.TP
122	\f\ tmpfs directory	122	\fBtmpfs directory
123	Mount an empty tmpfs filesystem on top of directory.	123	Mount an empty tmpfs filesystem on top of directory.
124	.TP	124	.TP
125	\f\bind directory1,directory2	125	\fBbind directory1,directory2
126	Mount-bind directory1 on top of directory2. This option is only available when running as root.	126	Mount-bind directory1 on top of directory2. This option is only available when running as root.
127	.TP	127	.TP
128	\f\bind file1,file2	128	\fBbind file1,file2
129	Mount-bind file1 on top of file2. This option is only available when running as root.	129	Mount-bind file1 on top of file2. This option is only available when running as root.
130	.TP	130	.TP
131	\f\private	131	\fBprivate
132	Mount new /root and /home/user directories in temporary	132	Mount new /root and /home/user directories in temporary
133	filesystems. All modifications are discarded when the sandbox is	133	filesystems. All modifications are discarded when the sandbox is
134	closed.	134	closed.
135	.TP	135	.TP
136	\f\private-bin file,file	136	\fBprivate-bin file,file
137	Build a new /bin in a temporary filesystem, and copy the programs in the list.	137	Build a new /bin in a temporary filesystem, and copy the programs in the list.
138	The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.	138	The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
139	.TP	139	.TP
140	\f\private directory	140	\fBprivate directory
141	Use directory as user home.	141	Use directory as user home.
142	.TP	142	.TP
143	\f\private-home file,directory	143	\fBprivate-home file,directory
144	Build a new user home in a temporary	144	Build a new user home in a temporary
145	filesystem, and copy the files and directories in the list in the	145	filesystem, and copy the files and directories in the list in the
146	new home. All modifications are discarded when the sandbox is	146	new home. All modifications are discarded when the sandbox is
147	closed.	147	closed.
148	.TP	148	.TP
149	\f\private-dev	149	\fBprivate-dev
150	Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.	150	Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
151	.TP	151	.TP
152	\f\private-etc file,directory	152	\fBprivate-etc file,directory
153	Build a new /etc in a temporary	153	Build a new /etc in a temporary
154	filesystem, and copy the files and directories in the list.	154	filesystem, and copy the files and directories in the list.
155	All modifications are discarded when the sandbox is closed.	155	All modifications are discarded when the sandbox is closed.
156	.TP	156	.TP
157	\f\whitelist file_or_directory	157	\fBwhitelist file_or_directory
158	Build a new user home in a temporary filesystem, and mount-bind file_or_directory.	158	Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
159	The modifications to file_or_directory are persistent, everything else is discarded	159	The modifications to file_or_directory are persistent, everything else is discarded
160	when the sandbox is closed.	160	when the sandbox is closed.
161	.TP	161	.TP
162	\f\ tracelog	162	\fBtracelog
163	Blacklist violations logged to syslog.	163	Blacklist violations logged to syslog.
164	.SH Filters	164	.SH Security filters
165	\fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:	165	The following security filters are currently implemented:
166		166
167	.TP	167	.TP
168	caps	168	\fBcaps
169	Enable default Linux capabilities filter.	169	Enable default Linux capabilities filter.
170	.TP	170	.TP
171	caps.drop all	171	\fBcaps.drop all
172	Blacklist all Linux capabilities.	172	Blacklist all Linux capabilities.
173	.TP	173	.TP
174	caps.drop capability,capability,capability	174	\fBcaps.drop capability,capability,capability
175	Blacklist given Linux capabilities.	175	Blacklist given Linux capabilities.
176	.TP	176	.TP
177	caps.keep capability,capability,capability	177	\fBcaps.keep capability,capability,capability
178	Whitelist given Linux capabilities.	178	Whitelist given Linux capabilities.
179	.TP	179	.TP
180	\f\seccomp	180	\fBprotocol protocol1,protocol2,protocol3
		181	Enable protocol filter. The filter is based on seccomp and checks the
		182	first argument to socket system call. Recognized values: \fBunix\fR,
		183	\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
		184	.TP
		185	\fBseccomp
181	Enable default seccomp filter. The default list is as follows:	186	Enable default seccomp filter. The default list is as follows:
182	mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,	187	mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
183	iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,	188	iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
184	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.	189	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
185	.TP	190	.TP
186	\f\seccomp syscall,syscall,syscall	191	\fBseccomp syscall,syscall,syscall
187	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.	192	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
188	.TP	193	.TP
189	\f\seccomp.drop syscall,syscall,syscall	194	\fBseccomp.drop syscall,syscall,syscall
190	Enable seccomp filter and blacklist the system calls in the list.	195	Enable seccomp filter and blacklist the system calls in the list.
191	.TP	196	.TP
192	\f\seccomp.keep syscall,syscall,syscall	197	\fBseccomp.keep syscall,syscall,syscall
193	Enable seccomp filter and whitelist the system calls in the list.	198	Enable seccomp filter and whitelist the system calls in the list.
194
195
196	.SH User Namespace
197	Use \fBnoroot\fR to enable an user namespace. The namespace has only one user, the current user.
198	There is no root account defined in the namespace.
199
200	.TP	199	.TP
201	noroot	200	\fBnoroot
202	Enable an user namespace without root user defined.	201	Use this command to enable an user namespace. The namespace has only one user, the current user.
203		202	There is no root account (uid 0) defined in the namespace.
204		203
205	.SH Resource limits	204	.SH Resource limits
206	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.	205	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
207	The limits can be modified inside the sandbox using the regular \fBulimit\fR command. Examples:	206	The limits can be modified inside the sandbox using the regular \fBulimit\fR command. Example:
208		207
209	.TP	208	.TP
210	\f\rlimit-fsize 1024	209	\fBrlimit-fsize 1024
211	Set the maximum file size that can be created by a process to 1024 bytes.	210	Set the maximum file size that can be created by a process to 1024 bytes.
212	.TP	211	.TP
213	\f\rlimit-nproc 1000	212	\fBrlimit-nproc 1000
214	Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.	213	Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.
215	.TP	214	.TP
216	\f\rlimit-nofile 500	215	\fBrlimit-nofile 500
217	Set the maximum number of files that can be opened by a process to 500.	216	Set the maximum number of files that can be opened by a process to 500.
218	.TP	217	.TP
219	\f\rlimit-sigpending 200	218	\fBrlimit-sigpending 200
220	Set the maximum number of processes that can be created for the real user ID of the calling process to 200.	219	Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
221		220
222	.SH CPU Affinity	221	.SH CPU Affinity
223	Set the CPU cores available for this sandbox. Examples:	222	Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples:
224		223
225	.TP	224	.TP
226	cpu 1,2,3	225	cpu 1,2,3
227	Use only CPU cores 0, 1 and 2.	226	Use only CPU cores 0, 1 and 2.
228		227
229	.SH Control Groups	228	.SH Control Groups
230	Place the sandbox in an existing control group specified by the full path of the task file. Example:	229	Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example:
231		230
232	.TP	231	.TP
233	cgroup /sys/fs/cgroup/g1/tasks	232	cgroup /sys/fs/cgroup/g1/tasks
@@ -236,7 +235,7 @@ The sandbox is placed in g1 control group.
236	.SH User Environment	235	.SH User Environment
237		236
238	.TP	237	.TP
239	env name=value	238	\fBenv name=value
240	Set environment variable. Examples:	239	Set environment variable. Examples:
241	.br	240	.br
242		241
@@ -246,36 +245,36 @@ env LD_LIBRARY_PATH=/opt/test/lib
246	env CFLAGS="-W -Wall -Werror"	245	env CFLAGS="-W -Wall -Werror"
247		246
248	.TP	247	.TP
249	nogroups	248	\fBnogroups
250	Disable supplementary user groups	249	Disable supplementary user groups
251	.TP	250	.TP
252	shell none	251	\fBshell none
253	Run the program directly, without a shell.	252	Run the program directly, without a shell.
254		253
255	.SH Networking	254	.SH Networking
256	Networking features available in profile files.	255	Networking features available in profile files.
257		256
258	.TP	257	.TP
259	netfilter	258	\fBnetfilter
260	If a new network namespace is created, enabled default network filter.	259	If a new network namespace is created, enabled default network filter.
261		260
262	.TP	261	.TP
263	netfilter filename	262	\fBnetfilter filename
264	If a new network namespace is created, enabled the network filter in filename.	263	If a new network namespace is created, enabled the network filter in filename.
265		264
266	.TP	265	.TP
267	net none	266	\fBnet none
268	Enable a new, unconnected network namespace. The only interface	267	Enable a new, unconnected network namespace. The only interface
269	available in the new namespace is a new loopback interface (lo).	268	available in the new namespace is a new loopback interface (lo).
270	Use this option to deny network access to programs that don't	269	Use this option to deny network access to programs that don't
271	really need network access.	270	really need network access.
272		271
273	.TP	272	.TP
274	dns address	273	\fBdns address
275	Set a DNS server for the sandbox. Up to three DNS servers can be defined.	274	Set a DNS server for the sandbox. Up to three DNS servers can be defined.
276		275
277	.TP	276	.TP
278	hostname name	277	\fBhostname name
279	Set a hostname for the sandbox.	278	Set a hostname for the sandbox.
280		279
281	.SH RELOCATING PROFILES	280	.SH RELOCATING PROFILES


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 57b169e89..cd36bead6 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -973,7 +973,7 @@ $ firejail \-\-profile-path=/home/netblue/myprofiles
973		973
974	.TP	974	.TP
975	\fB\-\-protocol=protocol,protocol,protocol	975	\fB\-\-protocol=protocol,protocol,protocol
976	Enable protocol filter. The filter is based on seccomp and the first argument to socket system call.	976	Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
977	Recognized values: unix, inet, inet6, netlink and packet.	977	Recognized values: unix, inet, inet6, netlink and packet.
978	.br	978	.br
979		979


diff --git a/todo b/todo index e87280f5e..cfc75787f 100644 --- a/todo +++ b/todo
@@ -114,11 +114,3 @@ rework the calls to invalid_filename(), depending if globing is allowed or not,
114	The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, <period>, <underscore>, and <hyphen>	114	The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, <period>, <underscore>, and <hyphen>
115	http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276	115	http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276
116		116
117	22. Fix manpage:
118	W: firejail: manpage-has-errors-from-man usr/share/man/man5/firejail-profile.5.gz 84: `\ ' is not allowed in an escape name
119	if building a 32bit package, rename the deb file manually
120
121	23. transmission-gtk when using tracelog:
122
123	Dec 12 07:32:36 debian kernel: [ 1564.772297] transmission-gt[3680]: segfault at 0 ip 00007f44ba515348
124	sp 00007ffee7154288 error 4 in libc-2.13.so[7f44ba400000+