aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.github/pull_request_template.md1
-rw-r--r--.github/workflows/sort.yml1
-rw-r--r--README22
-rw-r--r--RELNOTES8
-rwxr-xr-xcontrib/gdb-firejail.sh2
-rw-r--r--etc-fixes/0.9.58/atom.profile1
-rw-r--r--etc-fixes/seccomp-join-bug/README1
-rw-r--r--etc/apparmor/firejail-default2
-rw-r--r--etc/inc/disable-devel.inc2
-rw-r--r--etc/profile-a-l/email-common.profile2
-rw-r--r--etc/profile-a-l/kdiff3.profile2
-rw-r--r--etc/profile-a-l/links-common.profile2
-rw-r--r--etc/profile-m-z/spectacle.profile2
-rw-r--r--etc/profile-m-z/sway.profile2
-rwxr-xr-xgcov.sh6
-rwxr-xr-xlinecnt.sh4
-rw-r--r--src/bash_completion/firejail.bash_completion.in8
-rw-r--r--src/man/firejail-profile.txt22
-rw-r--r--src/man/firejail.txt18
-rw-r--r--src/man/firemon.txt2
20 files changed, 52 insertions, 58 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 57ac2e9c4..7cb92a938 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,3 @@
1
2If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. 1If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
3 2
4If you submit a PR for new profiles or changing profiles, please do the following: 3If you submit a PR for new profiles or changing profiles, please do the following:
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
index f3ded0f22..cfa40d2d2 100644
--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -19,4 +19,3 @@ jobs:
19 - uses: actions/checkout@v2 19 - uses: actions/checkout@v2
20 - name: check profiles 20 - name: check profiles
21 run: ./contrib/sort.py etc/*/{*.inc,*.profile} 21 run: ./contrib/sort.py etc/*/{*.inc,*.profile}
22
diff --git a/README b/README
index e205031bd..3f8eb6136 100644
--- a/README
+++ b/README
@@ -1,13 +1,13 @@
1Firejail is a SUID sandbox program that reduces the risk of security 1Firejail is a SUID sandbox program that reduces the risk of security
2breaches by restricting the running environment of untrusted applications 2breaches by restricting the running environment of untrusted applications
3using Linux namespaces and seccomp-bpf. It includes sandbox profiles for 3using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
4Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, 4Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
5VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. 5VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
6DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, 6DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
7Pidgin, Quassel, and XChat. 7Pidgin, Quassel, and XChat.
8 8
9Firejail also expands the restricted shell facility found in bash by adding 9Firejail also expands the restricted shell facility found in bash by adding
10Linux namespace support. It supports sandboxing specific users upon login. 10Linux namespace support. It supports sandboxing specific users upon login.
11 11
12Download: https://sourceforge.net/projects/firejail/files/ 12Download: https://sourceforge.net/projects/firejail/files/
13Build and install: ./configure && make && sudo make install 13Build and install: ./configure && make && sudo make install
@@ -460,7 +460,7 @@ hawkey116477 (https://github.com/hawkeye116477)
460Helmut Grohne (https://github.com/helmutg) 460Helmut Grohne (https://github.com/helmutg)
461 - compiler support in the build system - Debian bug #869707 461 - compiler support in the build system - Debian bug #869707
462hhzek0014 (https://github.com/hhzek0014) 462hhzek0014 (https://github.com/hhzek0014)
463 - updated bibletime.profile 463 - updated bibletime.profile
464hlein (https://github.com/hlein) 464hlein (https://github.com/hlein)
465 - strip out \r's from jail prober 465 - strip out \r's from jail prober
466Holger Heinz (https://github.com/hheinz) 466Holger Heinz (https://github.com/hheinz)
@@ -579,7 +579,7 @@ Kishore96in (https://github.com/Kishore96in)
579 - added falkon profile 579 - added falkon profile
580 - kxmlgui fixes 580 - kxmlgui fixes
581 - okular profile fixes 581 - okular profile fixes
582 - jitsi-meet-desktop profile 582 - jitsi-meet-desktop profile
583 - konversatin profile fix 583 - konversatin profile fix
584 - added Neochat profile 584 - added Neochat profile
585 - added whitelist-1793-workaround.inc 585 - added whitelist-1793-workaround.inc
@@ -715,7 +715,7 @@ Ondra Nekola (https://github.com/satai)
715OndrejMalek (https://github.com/OndrejMalek) 715OndrejMalek (https://github.com/OndrejMalek)
716 - various manpage fixes 716 - various manpage fixes
717Ondřej Nový (https://github.com/onovy) 717Ondřej Nový (https://github.com/onovy)
718 - allow video for Signal profile 718 - allow video for Signal profile
719 - added Mattermost desktop profile 719 - added Mattermost desktop profile
720 - hardened Zoom profile 720 - hardened Zoom profile
721 - hardened Signal desktop profile 721 - hardened Signal desktop profile
@@ -732,7 +732,7 @@ Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
732Paul Moore <pmoore@redhat.com> 732Paul Moore <pmoore@redhat.com>
733 -src/fsec-print/print.c extracted from libseccomp software package 733 -src/fsec-print/print.c extracted from libseccomp software package
734Paupiah Yash (https://github.com/CaffeinatedStud) 734Paupiah Yash (https://github.com/CaffeinatedStud)
735 - gzip profile 735 - gzip profile
736Pawel (https://github.com/grimskies) 736Pawel (https://github.com/grimskies)
737 - make --join return exit code of the invoked program 737 - make --join return exit code of the invoked program
738Peter Millerchip (https://github.com/pmillerchip) 738Peter Millerchip (https://github.com/pmillerchip)
@@ -960,7 +960,7 @@ SYN-cook (https://github.com/SYN-cook)
960 - gnome-calculator changes 960 - gnome-calculator changes
961startx2017 (https://github.com/startx2017) 961startx2017 (https://github.com/startx2017)
962 - syscall list update 962 - syscall list update
963 - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, 963 - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
964 settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old 964 settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
965 - enable/disable join support in /etc/firejail/firejail.config 965 - enable/disable join support in /etc/firejail/firejail.config
966 - firecfg fix: create ~/.local/share/applications directory if it doesn't exist 966 - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
@@ -1011,7 +1011,7 @@ Topi Miettinen (https://github.com/topimiettinen)
1011 - improve loading of seccomp filter and memory-deny-write-execute feature 1011 - improve loading of seccomp filter and memory-deny-write-execute feature
1012 - private-lib feature 1012 - private-lib feature
1013 - make --nodbus block also system D-Bus socket 1013 - make --nodbus block also system D-Bus socket
1014Ted Robertson (https://github.com/tredondo) 1014Ted Robertson (https://github.com/tredondo)
1015 - webstorm profile fixes 1015 - webstorm profile fixes
1016 - added bcompare profile 1016 - added bcompare profile
1017 - various documentation fixes 1017 - various documentation fixes
@@ -1071,7 +1071,7 @@ vismir2 (https://github.com/vismir2)
1071 - feh, ranger, 7z, keepass, keepassx and zathura profiles 1071 - feh, ranger, 7z, keepass, keepassx and zathura profiles
1072 - claws-mail, mutt, git, emacs, vim profiles 1072 - claws-mail, mutt, git, emacs, vim profiles
1073 - lots of profile fixes 1073 - lots of profile fixes
1074 - support for truecrypt and zuluCrypt 1074 - support for truecrypt and zuluCrypt
1075viq (https://github.com/viq) 1075viq (https://github.com/viq)
1076 - discord-canary profile 1076 - discord-canary profile
1077Vladimir Gorelov (https://github.com/larkvirtual) 1077Vladimir Gorelov (https://github.com/larkvirtual)
diff --git a/RELNOTES b/RELNOTES
index 86c4a6104..f52ce09f1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -59,7 +59,7 @@ firejail (0.9.64.4) baseline; urgency=low
59 59
60firejail (0.9.64.2) baseline; urgency=low 60firejail (0.9.64.2) baseline; urgency=low
61 * allow --tmpfs inside $HOME for unprivileged users 61 * allow --tmpfs inside $HOME for unprivileged users
62 * --disable-usertmpfs compile time option 62 * --disable-usertmpfs compile time option
63 * allow AF_BLUETOOTH via --protocol=bluetooth 63 * allow AF_BLUETOOTH via --protocol=bluetooth
64 * Setup guide for new users: contrib/firejail-welcome.sh 64 * Setup guide for new users: contrib/firejail-welcome.sh
65 * implement netns in profiles 65 * implement netns in profiles
@@ -566,7 +566,7 @@ firejail (0.9.44) baseline; urgency=low
566 * feature: disable 3D hardware acceleration (--no3d) 566 * feature: disable 3D hardware acceleration (--no3d)
567 * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands 567 * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
568 * feature: move files in sandbox (--put) 568 * feature: move files in sandbox (--put)
569 * feature: accept wildcard patterns in user name field of restricted 569 * feature: accept wildcard patterns in user name field of restricted
570 shell login feature 570 shell login feature
571 * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape 571 * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
572 * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, 572 * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
@@ -608,7 +608,7 @@ firejail (0.9.42) baseline; urgency=low
608 * compile time: disable whitelisting (--disable-whitelist) 608 * compile time: disable whitelisting (--disable-whitelist)
609 * compile time: disable global config (--disable-globalcfg) 609 * compile time: disable global config (--disable-globalcfg)
610 * run time: enable/disable overlayfs (overlayfs yes/no) 610 * run time: enable/disable overlayfs (overlayfs yes/no)
611 * run time: enable/disable quiet as default (quiet-by-default yes/no) 611 * run time: enable/disable quiet as default (quiet-by-default yes/no)
612 * run time: user-defined network filter (netfilter-default) 612 * run time: user-defined network filter (netfilter-default)
613 * run time: enable/disable whitelisting (whitelist yes/no) 613 * run time: enable/disable whitelisting (whitelist yes/no)
614 * run time: enable/disable remounting of /proc and /sys 614 * run time: enable/disable remounting of /proc and /sys
@@ -706,7 +706,7 @@ firejail (0.9.38) baseline; urgency=low
706 -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 706 -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500
707 707
708firejail (0.9.36) baseline; urgency=low 708firejail (0.9.36) baseline; urgency=low
709 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, 709 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
710 parole and rtorrent profiles 710 parole and rtorrent profiles
711 * Google Chrome profile rework 711 * Google Chrome profile rework
712 * added google-chrome-stable profile 712 * added google-chrome-stable profile
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh
index 941fc45ef..686bdc2c0 100755
--- a/contrib/gdb-firejail.sh
+++ b/contrib/gdb-firejail.sh
@@ -21,4 +21,4 @@ else
21fi 21fi
22 22
23bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & 23bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
24sudo gdb -e "$FIREJAIL" -p "$!" 24sudo gdb -e "$FIREJAIL" -p "$!"
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
index 9bc35da5a..1cc9b0116 100644
--- a/etc-fixes/0.9.58/atom.profile
+++ b/etc-fixes/0.9.58/atom.profile
@@ -1,4 +1,3 @@
1
2# Firejail profile for atom 1# Firejail profile for atom
3# Description: A hackable text editor for the 21st Century 2# Description: A hackable text editor for the 21st Century
4# This file is overwritten after every install/update 3# This file is overwritten after every install/update
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README
index 9f85a0e00..15596eca7 100644
--- a/etc-fixes/seccomp-join-bug/README
+++ b/etc-fixes/seccomp-join-bug/README
@@ -8,4 +8,3 @@ on May 21, 2019:
8 8
9The original discussion thread: https://github.com/netblue30/firejail/issues/2718 9The original discussion thread: https://github.com/netblue30/firejail/issues/2718
10The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 10The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
11
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index ca32f5b0d..a7044152e 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -129,7 +129,7 @@ signal (receive),
129########## 129##########
130# The list of recognized capabilities varies from one apparmor version to another. 130# The list of recognized capabilities varies from one apparmor version to another.
131# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available 131# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
132# We allow all caps by default and remove the ones we don't like: 132# We allow all caps by default and remove the ones we don't like:
133capability, 133capability,
134deny capability audit_write, 134deny capability audit_write,
135deny capability audit_control, 135deny capability audit_control,
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e74b1b40b..98bf5ecc8 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc
60blacklist ${PATH}/valgrind* 60blacklist ${PATH}/valgrind*
61blacklist /usr/lib/valgrind 61blacklist /usr/lib/valgrind
62 62
63
64# Source-Code 63# Source-Code
65
66blacklist /usr/src 64blacklist /usr/src
67blacklist /usr/local/src 65blacklist /usr/local/src
68blacklist /usr/include 66blacklist /usr/include
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index fe8d4e9cb..8673b65ca 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.gnupg
12noblacklist ${HOME}/.mozilla 12noblacklist ${HOME}/.mozilla
13noblacklist ${HOME}/.signature 13noblacklist ${HOME}/.signature
14# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local 14# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
15# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications 15# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
16noblacklist ${HOME}/Mail 16noblacklist ${HOME}/Mail
17 17
18noblacklist ${DOCUMENTS} 18noblacklist ${DOCUMENTS}
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 7c9be2bcc..fa50b0a20 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -48,7 +48,7 @@ shell none
48tracelog 48tracelog
49 49
50disable-mnt 50disable-mnt
51private-bin kdiff3 51private-bin kdiff3
52private-cache 52private-cache
53private-dev 53private-dev
54 54
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 9606671bb..dac3eaee3 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -47,7 +47,7 @@ shell none
47tracelog 47tracelog
48 48
49disable-mnt 49disable-mnt
50# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. 50# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
51private-bin sh 51private-bin sh
52private-cache 52private-cache
53private-dev 53private-dev
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index f6bb15b30..fc4ae2b04 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -22,7 +22,7 @@ include disable-interpreters.inc
22include disable-programs.inc 22include disable-programs.inc
23include disable-xdg.inc 23include disable-xdg.inc
24 24
25mkfile ${HOME}/.config/spectaclerc 25mkfile ${HOME}/.config/spectaclerc
26whitelist ${HOME}/.config/spectaclerc 26whitelist ${HOME}/.config/spectaclerc
27whitelist ${PICTURES} 27whitelist ${PICTURES}
28whitelist /usr/share/kconf_update/spectacle_newConfig.upd 28whitelist /usr/share/kconf_update/spectacle_newConfig.upd
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index 4637419bf..046d1b4be 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -1,5 +1,5 @@
1# Firejail profile for Sway 1# Firejail profile for Sway
2# Description: i3-compatible Wayland compositor 2# Description: i3-compatible Wayland compositor
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations 4# Persistent local customizations
5include sway.local 5include sway.local
diff --git a/gcov.sh b/gcov.sh
index 65f06a4d4..9bb2596f6 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -24,8 +24,8 @@ gcov_init() {
24} 24}
25 25
26generate() { 26generate() {
27 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new 27 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
28 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file 28 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
29 rm -fr gcov-dir 29 rm -fr gcov-dir
30 genhtml -q gcov-file --output-directory gcov-dir 30 genhtml -q gcov-file --output-directory gcov-dir
31 sudo rm `find . -name *.gcda` 31 sudo rm `find . -name *.gcda`
@@ -35,7 +35,7 @@ generate() {
35 35
36 36
37gcov_init 37gcov_init
38lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old 38lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
39 39
40#make test-utils 40#make test-utils
41#generate 41#generate
diff --git a/linecnt.sh b/linecnt.sh
index ccce2da82..86bccbc07 100755
--- a/linecnt.sh
+++ b/linecnt.sh
@@ -26,6 +26,6 @@ gcov_init() {
26rm -fr gcov-dir 26rm -fr gcov-dir
27gcov_init 27gcov_init
28lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ 28lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \
29 -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ 29 -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
30 -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file 30 -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file
31genhtml -q gcov-file --output-directory gcov-dir 31genhtml -q gcov-file --output-directory gcov-dir
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index f68edf380..ff411c807 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -5,7 +5,7 @@
5# http://bash-completion.alioth.debian.org 5# http://bash-completion.alioth.debian.org
6#******************************************************************* 6#*******************************************************************
7 7
8__interfaces(){ 8__interfaces() {
9 cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs 9 cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
10} 10}
11 11
@@ -90,11 +90,11 @@ _firejail()
90 _filedir 90 _filedir
91 return 0 91 return 0
92 ;; 92 ;;
93 --net) 93 --net)
94 comps=$(__interfaces) 94 comps=$(__interfaces)
95 COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) 95 COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
96 return 0 96 return 0
97 ;; 97 ;;
98 esac 98 esac
99 99
100 $split && return 0 100 $split && return 0
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index a768829a1..a76fd3765 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director
78Several command line options can be passed to the program using 78Several command line options can be passed to the program using
79profile files. Firejail chooses the profile file as follows: 79profile files. Firejail chooses the profile file as follows:
80 80
81\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. 81\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
82Example: 82Example:
83.PP 83.PP
84.RS 84.RS
@@ -324,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid.
324#ifdef HAVE_OVERLAYFS 324#ifdef HAVE_OVERLAYFS
325.TP 325.TP
326\fBoverlay 326\fBoverlay
327Mount a filesystem overlay on top of the current filesystem. 327Mount a filesystem overlay on top of the current filesystem.
328The overlay is stored in $HOME/.firejail/<PID> directory. 328The overlay is stored in $HOME/.firejail/<PID> directory.
329.TP 329.TP
330\fBoverlay-named name 330\fBoverlay-named name
331Mount a filesystem overlay on top of the current filesystem. 331Mount a filesystem overlay on top of the current filesystem.
332The overlay is stored in $HOME/.firejail/name directory. 332The overlay is stored in $HOME/.firejail/name directory.
333.TP 333.TP
334\fBoverlay-tmpfs 334\fBoverlay-tmpfs
335Mount a filesystem overlay on top of the current filesystem. 335Mount a filesystem overlay on top of the current filesystem.
336All filesystem modifications are discarded when the sandbox is closed. 336All filesystem modifications are discarded when the sandbox is closed.
337#endif 337#endif
338.TP 338.TP
339\fBprivate 339\fBprivate
@@ -487,12 +487,12 @@ does not result in an increase of privilege.
487#ifdef HAVE_USERNS 487#ifdef HAVE_USERNS
488.TP 488.TP
489\fBnoroot 489\fBnoroot
490Use this command to enable an user namespace. The namespace has only one user, the current user. 490Use this command to enable an user namespace. The namespace has only one user, the current user.
491There is no root account (uid 0) defined in the namespace. 491There is no root account (uid 0) defined in the namespace.
492#endif 492#endif
493.TP 493.TP
494\fBprotocol protocol1,protocol2,protocol3 494\fBprotocol protocol1,protocol2,protocol3
495Enable protocol filter. The filter is based on seccomp and checks the 495Enable protocol filter. The filter is based on seccomp and checks the
496first argument to socket system call. Recognized values: \fBunix\fR, 496first argument to socket system call. Recognized values: \fBunix\fR,
497\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. 497\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
498.TP 498.TP
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually.
873 873
874.TP 874.TP
875\fBiprange address,address 875\fBiprange address,address
876Assign an IP address in the provided range to the last network 876Assign an IP address in the provided range to the last network
877interface defined by a net command. A default gateway is assigned by default. 877interface defined by a net command. A default gateway is assigned by default.
878.br 878.br
879 879
880.br 880.br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0462705c0..2883ab257 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb
45#ifdef HAVE_LTS 45#ifdef HAVE_LTS
46This is Firejail long-term support (LTS), an enterprise focused version of the software, 46This is Firejail long-term support (LTS), an enterprise focused version of the software,
47LTS is usually supported for two or three years. 47LTS is usually supported for two or three years.
48During this time only bugs and the occasional documentation problems are fixed. 48During this time only bugs and the occasional documentation problems are fixed.
49The attack surface of the SUID executable was greatly reduced by removing some of the features. 49The attack surface of the SUID executable was greatly reduced by removing some of the features.
50.br 50.br
51 51
@@ -109,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter.
109.br 109.br
110Example: 110Example:
111.br 111.br
112$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox 112$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
113.TP 113.TP
114\fB\-\-allusers 114\fB\-\-allusers
115All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. 115All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -947,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
947 947
948.TP 948.TP
949\fB\-\-ipc-namespace 949\fB\-\-ipc-namespace
950Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default 950Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
951for sandboxes started as root. 951for sandboxes started as root.
952.br 952.br
953 953
@@ -1014,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL
1014.br 1014.br
1015 1015
1016.br 1016.br
1017# verify IP addresses 1017# verify IP addresses
1018.br 1018.br
1019$ sudo firejail --join-network=browser ip addr 1019$ sudo firejail --join-network=browser ip addr
1020.br 1020.br
@@ -2134,7 +2134,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
2134.TP 2134.TP
2135\fB\-\-rlimit-cpu=number 2135\fB\-\-rlimit-cpu=number
2136Set the maximum limit, in seconds, for the amount of CPU time each 2136Set the maximum limit, in seconds, for the amount of CPU time each
2137sandboxed process can consume. When the limit is reached, the processes are killed. 2137sandboxed process can consume. When the limit is reached, the processes are killed.
2138 2138
2139The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds 2139The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
2140the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps 2140the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
2178.TP 2178.TP
2179\fB\-\-seccomp 2179\fB\-\-seccomp
2180Enable seccomp filter and blacklist the syscalls in the default list, 2180Enable seccomp filter and blacklist the syscalls in the default list,
2181which is @default-nodebuggers unless \-\-allow-debuggers is specified, 2181which is @default-nodebuggers unless \-\-allow-debuggers is specified,
2182then it is @default. 2182then it is @default.
2183 2183
2184.br 2184.br
@@ -2865,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support
2865connection model. Untrusted clients are restricted in certain ways to prevent them from reading window 2865connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
2866contents of other clients, stealing input events, etc. 2866contents of other clients, stealing input events, etc.
2867 2867
2868The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients 2868The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
2869and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. 2869and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
2870Firefox and transmission-gtk seem to be working fine. 2870Firefox and transmission-gtk seem to be working fine.
2871A network namespace is not required for this option. 2871A network namespace is not required for this option.
@@ -3256,7 +3256,7 @@ The owner of the sandbox.
3256.SH RESTRICTED SHELL 3256.SH RESTRICTED SHELL
3257To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in 3257To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
3258/etc/passwd file for each user that needs to be restricted. Alternatively, 3258/etc/passwd file for each user that needs to be restricted. Alternatively,
3259you can specify /usr/bin/firejail in adduser command: 3259you can specify /usr/bin/firejail in adduser command:
3260 3260
3261adduser \-\-shell /usr/bin/firejail username 3261adduser \-\-shell /usr/bin/firejail username
3262 3262
@@ -3266,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
3266Several command line options can be passed to the program using 3266Several command line options can be passed to the program using
3267profile files. Firejail chooses the profile file as follows: 3267profile files. Firejail chooses the profile file as follows:
3268 3268
32691. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. 32691. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
3270Example: 3270Example:
3271.PP 3271.PP
3272.RS 3272.RS
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 76b2f7be2..c4e6e15b3 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -56,7 +56,7 @@ Print route table for each sandbox.
56Print seccomp configuration for each sandbox. 56Print seccomp configuration for each sandbox.
57.TP 57.TP
58\fB\-\-top 58\fB\-\-top
59Monitor the most CPU-intensive sandboxes. This command is similar to 59Monitor the most CPU-intensive sandboxes. This command is similar to
60the regular UNIX top command, however it applies only to sandboxes. 60the regular UNIX top command, however it applies only to sandboxes.
61.TP 61.TP
62\fB\-\-tree 62\fB\-\-tree