-rw-r--r-- | src/man/firejail-profile.5.in | 60 | ||||
-rw-r--r-- | src/man/firejail.1.in | 148 |
2 files changed, 105 insertions, 103 deletions
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 89784a984..4d725ed99 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
@@ -668,20 +668,20 @@ Enable filtered access to the system DBus. Filters can be specified with the dbu | |||
668 | \fBdbus-system none | 668 | \fBdbus-system none |
669 | Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering. | 669 | Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering. |
670 | .TP | 670 | .TP |
671 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
672 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | ||
673 | .TP | ||
674 | \fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
675 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | ||
676 | .TP | ||
671 | \fBdbus-system.own org.gnome.ghex.* | 677 | \fBdbus-system.own org.gnome.ghex.* |
672 | Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. | 678 | Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. |
673 | .TP | 679 | .TP |
674 | \fBdbus-system.talk org.freedesktop.Notifications | ||
675 | Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. | ||
676 | .TP | ||
677 | \fBdbus-system.see org.freedesktop.Notifications | 680 | \fBdbus-system.see org.freedesktop.Notifications |
678 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. | 681 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. |
679 | .TP | 682 | .TP |
680 | \fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 683 | \fBdbus-system.talk org.freedesktop.Notifications |
681 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 684 | Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. |
682 | .TP | ||
683 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
684 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | ||
685 | .TP | 685 | .TP |
686 | \fBdbus-user filter | 686 | \fBdbus-user filter |
687 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | 687 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. |
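Review bot: the context sentence at 687 ("Filters can be specified with the dbus-user.talk and dbus-user.own commands"), and the matching intro for dbus-system shown in the hunk header at 668, still name only the talk and own filters, while the entries this commit reorders also document .see, .call and .broadcast; since the block is being touched, update that sentence to list all five. The unchanged line at 678 also reads "all names underneath in on the system DBus", where "underneath it on the system DBus" is intended.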
@@ -689,20 +689,20 @@ Enable filtered access to the session DBus. Filters can be specified with the db | |||
689 | \fBdbus-user none | 689 | \fBdbus-user none |
690 | Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering. | 690 | Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering. |
691 | .TP | 691 | .TP |
692 | \fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
693 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | ||
694 | .TP | ||
695 | \fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
696 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | ||
697 | .TP | ||
692 | \fBdbus-user.own org.gnome.ghex.* | 698 | \fBdbus-user.own org.gnome.ghex.* |
693 | Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. | 699 | Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. |
694 | .TP | 700 | .TP |
695 | \fBdbus-user.talk org.freedesktop.Notifications | ||
696 | Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. | ||
697 | .TP | ||
698 | \fBdbus-user.see org.freedesktop.Notifications | 701 | \fBdbus-user.see org.freedesktop.Notifications |
699 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. | 702 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. |
700 | .TP | 703 | .TP |
701 | \fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 704 | \fBdbus-user.talk org.freedesktop.Notifications |
702 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | 705 | Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. |
703 | .TP | ||
704 | \fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
705 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | ||
706 | .TP | 706 | .TP |
707 | \fBnodbus \fR(deprecated) | 707 | \fBnodbus \fR(deprecated) |
708 | Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. | 708 | Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. |
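Review bot: the moved line at 693 (its old copy at 705) carries a doubled article, "from the the interface"; since the line is being relocated anyway, drop the extra "the" in the same commit. The "underneath in on" typo from the system-bus section recurs at 699.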
@@ -867,20 +867,6 @@ net eth0 | |||
867 | ip 10.10.20.56 | 867 | ip 10.10.20.56 |
868 | 868 | ||
869 | .TP | 869 | .TP |
870 | \fBip none | ||
871 | No IP address and no default gateway are configured for the last interface | ||
872 | defined by a net command. Use this option | ||
873 | in case you intend to start an external DHCP client in the sandbox. | ||
874 | .br | ||
875 | |||
876 | .br | ||
877 | Example: | ||
878 | .br | ||
879 | net eth0 | ||
880 | .br | ||
881 | ip none | ||
882 | |||
883 | .TP | ||
884 | \fBip dhcp | 870 | \fBip dhcp |
885 | Acquire an IP address and default gateway for the last interface defined by a | 871 | Acquire an IP address and default gateway for the last interface defined by a |
886 | net command, as well as set the DNS servers according to the DHCP response. | 872 | net command, as well as set the DNS servers according to the DHCP response. |
@@ -908,6 +894,20 @@ a DHCP client and releasing the lease manually in conjunction with the | |||
908 | net none command. | 894 | net none command. |
909 | 895 | ||
910 | .TP | 896 | .TP |
897 | \fBip none | ||
898 | No IP address and no default gateway are configured for the last interface | ||
899 | defined by a net command. Use this option | ||
900 | in case you intend to start an external DHCP client in the sandbox. | ||
901 | .br | ||
902 | |||
903 | .br | ||
904 | Example: | ||
905 | .br | ||
906 | net eth0 | ||
907 | .br | ||
908 | ip none | ||
909 | |||
910 | .TP | ||
911 | \fBip6 address | 911 | \fBip6 address |
912 | Assign IPv6 addresses to the last network interface defined by a net command. | 912 | Assign IPv6 addresses to the last network interface defined by a net command. |
913 | .br | 913 | .br |
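Review bot: the relocated "ip none" entry at 897-908 lacks the closing sentence that the equivalent --ip=none entry in firejail.1.in carries later in this patch ("If the corresponding interface doesn't have an IP address configured, this option is enabled by default."); if that behaviour also applies to the profile command, the two man pages should say the same thing, and this move is a convenient place to align them.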
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 16ea26288..bf447be93 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -611,8 +611,9 @@ Example: | |||
611 | $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* | 611 | $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* |
612 | 612 | ||
613 | .TP | 613 | .TP |
614 | \fB\-\-dbus-user.talk=name | 614 | \fB\-\-dbus-user.see=name |
615 | Allows the application to talk to the specified well-known name on the session DBus. | 615 | Allows the application to see, but not talk to the specified well-known name on |
616 | the session DBus. | ||
616 | The name may have a .* suffix to match all names underneath it, including itself | 617 | The name may have a .* suffix to match all names underneath it, including itself |
617 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | 618 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but |
618 | not "foobar"). | 619 | not "foobar"). |
@@ -621,14 +622,13 @@ not "foobar"). | |||
621 | .br | 622 | .br |
622 | Example: | 623 | Example: |
623 | .br | 624 | .br |
624 | $ firejail --dbus-user=filter --dbus-user.talk=\\ | 625 | $ firejail --dbus-user=filter --dbus-user.see=\\ |
625 | .br | 626 | .br |
626 | org.freedesktop.Notifications | 627 | org.freedesktop.Notifications |
627 | 628 | ||
628 | .TP | 629 | .TP |
629 | \fB\-\-dbus-user.see=name | 630 | \fB\-\-dbus-user.talk=name |
630 | Allows the application to see, but not talk to the specified well-known name on | 631 | Allows the application to talk to the specified well-known name on the session DBus. |
631 | the session DBus. | ||
632 | The name may have a .* suffix to match all names underneath it, including itself | 632 | The name may have a .* suffix to match all names underneath it, including itself |
633 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | 633 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but |
634 | not "foobar"). | 634 | not "foobar"). |
@@ -637,7 +637,7 @@ not "foobar"). | |||
637 | .br | 637 | .br |
638 | Example: | 638 | Example: |
639 | .br | 639 | .br |
640 | $ firejail --dbus-user=filter --dbus-user.see=\\ | 640 | $ firejail --dbus-user=filter --dbus-user.talk=\\ |
641 | .br | 641 | .br |
642 | org.freedesktop.Notifications | 642 | org.freedesktop.Notifications |
643 | #endif | 643 | #endif |
@@ -888,6 +888,32 @@ Example: | |||
888 | .br | 888 | .br |
889 | $ firejail \-\-hosts-file=~/myhosts firefox | 889 | $ firejail \-\-hosts-file=~/myhosts firefox |
890 | 890 | ||
891 | .TP | ||
892 | \fB\-\-icmptrace[=name|pid] | ||
893 | Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes | ||
894 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
895 | .br | ||
896 | |||
897 | .br | ||
898 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
899 | .br | ||
900 | |||
901 | .br | ||
902 | Example | ||
903 | .br | ||
904 | $ sudo firejail --icmptrace | ||
905 | .br | ||
906 | 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
907 | .br | ||
908 | 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
909 | .br | ||
910 | 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
911 | .br | ||
912 | 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
913 | .br | ||
914 | 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable | ||
915 | .br | ||
916 | |||
891 | #ifdef HAVE_IDS | 917 | #ifdef HAVE_IDS |
892 | .TP | 918 | .TP |
893 | \fB\-\-ids-check | 919 | \fB\-\-ids-check |
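Review bot: two style points in the relocated block: the label at 902 reads "Example" without the trailing colon that the neighbouring entries use ("Example:"), and the command at 904 writes the option as `--icmptrace` where the surrounding text (889 `\-\-hosts-file`, 894 `\-\-net`) uses the `\-\-` escape; the escaped form makes groff emit plain ASCII hyphens, so the option copies out of the rendered page exactly as it must be typed.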
@@ -925,32 +951,6 @@ $ firejail \-\-ignore="net eth0" firefox | |||
925 | #endif | 951 | #endif |
926 | 952 | ||
927 | .TP | 953 | .TP |
928 | \fB\-\-icmptrace[=name|pid] | ||
929 | Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes | ||
930 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
931 | .br | ||
932 | |||
933 | .br | ||
934 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
935 | .br | ||
936 | |||
937 | .br | ||
938 | Example | ||
939 | .br | ||
940 | $ sudo firejail --icmptrace | ||
941 | .br | ||
942 | 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
943 | .br | ||
944 | 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
945 | .br | ||
946 | 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
947 | .br | ||
948 | 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
949 | .br | ||
950 | 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable | ||
951 | .br | ||
952 | |||
953 | .TP | ||
954 | \fB\-\-\include=file.profile | 954 | \fB\-\-\include=file.profile |
955 | Include a profile file before the regular profiles are used. | 955 | Include a profile file before the regular profiles are used. |
956 | .br | 956 | .br |
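Review bot: the unchanged context line at 954, `\fB\-\-\include=file.profile`, has a stray backslash before `include` (groff has no `\i` escape, so it only renders by accident); not introduced here, but worth a follow-up, since the same pattern appears in the --ip=none example moved later in this patch.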
@@ -984,23 +984,6 @@ Example: | |||
984 | $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox | 984 | $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox |
985 | 985 | ||
986 | .TP | 986 | .TP |
987 | \fB\-\-ip=none | ||
988 | No IP address and no default gateway are configured for the last interface | ||
989 | defined by a \-\-net option. Use this option | ||
990 | in case you intend to start an external DHCP client in the sandbox. | ||
991 | .br | ||
992 | |||
993 | .br | ||
994 | Example: | ||
995 | .br | ||
996 | $ firejail \-\-net=eth0 \-\-\ip=none | ||
997 | .br | ||
998 | |||
999 | .br | ||
1000 | If the corresponding interface doesn't have an IP address configured, this | ||
1001 | option is enabled by default. | ||
1002 | |||
1003 | .TP | ||
1004 | \fB\-\-ip=dhcp | 987 | \fB\-\-ip=dhcp |
1005 | Acquire an IP address and default gateway for the last interface defined by a | 988 | Acquire an IP address and default gateway for the last interface defined by a |
1006 | \-\-net option, as well as set the DNS servers according to the DHCP response. | 989 | \-\-net option, as well as set the DNS servers according to the DHCP response. |
@@ -1026,6 +1009,23 @@ a DHCP client and releasing the lease manually in conjunction with the | |||
1026 | \-\-net=none option. | 1009 | \-\-net=none option. |
1027 | 1010 | ||
1028 | .TP | 1011 | .TP |
1012 | \fB\-\-ip=none | ||
1013 | No IP address and no default gateway are configured for the last interface | ||
1014 | defined by a \-\-net option. Use this option | ||
1015 | in case you intend to start an external DHCP client in the sandbox. | ||
1016 | .br | ||
1017 | |||
1018 | .br | ||
1019 | Example: | ||
1020 | .br | ||
1021 | $ firejail \-\-net=eth0 \-\-\ip=none | ||
1022 | .br | ||
1023 | |||
1024 | .br | ||
1025 | If the corresponding interface doesn't have an IP address configured, this | ||
1026 | option is enabled by default. | ||
1027 | |||
1028 | .TP | ||
1029 | \fB\-\-ip6=address | 1029 | \fB\-\-ip6=address |
1030 | Assign IPv6 addresses to the last network interface defined by a \-\-net option. | 1030 | Assign IPv6 addresses to the last network interface defined by a \-\-net option. |
1031 | .br | 1031 | .br |
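Review bot: the moved example at 1021, `$ firejail \-\-net=eth0 \-\-\ip=none`, carries a stray backslash before `ip` (groff has no `\i` escape); since the line is being relocated, write it as `\-\-ip=none` in this commit rather than carrying the defect to its new position.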
@@ -1324,6 +1324,21 @@ Example: | |||
1324 | $ firejail \-\-machine-id | 1324 | $ firejail \-\-machine-id |
1325 | 1325 | ||
1326 | .TP | 1326 | .TP |
1327 | \fB\-\-memory-deny-write-execute | ||
1328 | Install a seccomp filter to block attempts to create memory mappings | ||
1329 | that are both writable and executable, to change mappings to be | ||
1330 | executable, or to create executable shared memory. The filter examines | ||
1331 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | ||
1332 | and shmat system calls and returns error EPERM to the process (or | ||
1333 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. | ||
1334 | .br | ||
1335 | |||
1336 | .br | ||
1337 | Note: shmat is not implemented | ||
1338 | as a system call on some platforms including i386, and it cannot be | ||
1339 | handled by seccomp-bpf. | ||
1340 | |||
1341 | .TP | ||
1327 | \fB\-\-mkdir=dirname | 1342 | \fB\-\-mkdir=dirname |
1328 | Create a directory in user home. Parent directories are created as needed. | 1343 | Create a directory in user home. Parent directories are created as needed. |
1329 | .br | 1344 | .br |
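Review bot: grammar in the relocated text at 1332-1333: "returns error EPERM to the process (or kills it or log the attempt, ...)" mixes verb forms; "or logs the attempt" agrees with "returns" and "kills". As the paragraph is being moved, fix it in the same change.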
@@ -1343,20 +1358,6 @@ Example: | |||
1343 | .br | 1358 | .br |
1344 | $ firejail --mkfile=~/work/project/readme | 1359 | $ firejail --mkfile=~/work/project/readme |
1345 | 1360 | ||
1346 | .TP | ||
1347 | \fB\-\-memory-deny-write-execute | ||
1348 | Install a seccomp filter to block attempts to create memory mappings | ||
1349 | that are both writable and executable, to change mappings to be | ||
1350 | executable, or to create executable shared memory. The filter examines | ||
1351 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | ||
1352 | and shmat system calls and returns error EPERM to the process (or | ||
1353 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. | ||
1354 | .br | ||
1355 | |||
1356 | .br | ||
1357 | Note: shmat is not implemented | ||
1358 | as a system call on some platforms including i386, and it cannot be | ||
1359 | handled by seccomp-bpf. | ||
1360 | #ifdef HAVE_NETWORK | 1361 | #ifdef HAVE_NETWORK |
1361 | .TP | 1362 | .TP |
1362 | \fB\-\-mtu=number | 1363 | \fB\-\-mtu=number |
@@ -1792,15 +1793,6 @@ Example: | |||
1792 | .br | 1793 | .br |
1793 | $ firejail \-\-nodvd | 1794 | $ firejail \-\-nodvd |
1794 | .TP | 1795 | .TP |
1795 | \fB\-\-noinput | ||
1796 | Disable input devices. | ||
1797 | .br | ||
1798 | |||
1799 | .br | ||
1800 | Example: | ||
1801 | .br | ||
1802 | $ firejail \-\-noinput | ||
1803 | .TP | ||
1804 | \fB\-\-noexec=dirname_or_filename | 1796 | \fB\-\-noexec=dirname_or_filename |
1805 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | 1797 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
1806 | .br | 1798 | .br |
@@ -1845,6 +1837,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) | |||
1845 | $ | 1837 | $ |
1846 | 1838 | ||
1847 | .TP | 1839 | .TP |
1840 | \fB\-\-noinput | ||
1841 | Disable input devices. | ||
1842 | .br | ||
1843 | |||
1844 | .br | ||
1845 | Example: | ||
1846 | .br | ||
1847 | $ firejail \-\-noinput | ||
1848 | |||
1849 | .TP | ||
1848 | \fB\-\-nonewprivs | 1850 | \fB\-\-nonewprivs |
1849 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | 1851 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes |
1850 | cannot acquire new privileges using execve(2); in particular, | 1852 | cannot acquire new privileges using execve(2); in particular, |