Diffstat (limited to 'src/firejail/usage.c')
-rw-r--r-- | src/firejail/usage.c | 42 |
1 files changed, 22 insertions, 20 deletions
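diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 2093a4ed3..b4f3021c7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -28,6 +28,7 @@ static char *usage_str =
 "\n"
 "Options:\n"
 " -- - signal the end of options and disables further option processing.\n"
+" --allow=filename - allow file system access.\n"
 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
 " --allusers - all user home directories are visible inside the sandbox.\n"
 " --apparmor - enable AppArmor confinement.\n"
@@ -38,13 +39,12 @@ static char *usage_str =
 #endif
 " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
 " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-" --blacklist=filename - blacklist directory or file.\n"
-" --build - build a whitelisted profile for the application.\n"
-" --build=filename - build a whitelisted profile for the application.\n"
+" --build - build a profile for the application.\n"
+" --build=filename - build a profile for the application.\n"
 " --caps - enable default Linux capabilities filter.\n"
 " --caps.drop=all - drop all capabilities.\n"
-" --caps.drop=capability,capability - blacklist capabilities filter.\n"
-" --caps.keep=capability,capability - whitelist capabilities filter.\n"
+" --caps.drop=capability,capability - drop capabilities.\n"
+" --caps.keep=capability,capability - allow capabilities.\n"
 " --caps.print=name|pid - print the caps filter.\n"
 #ifdef HAVE_FILE_TRANSFER
 " --cat=name|pid filename - print content of file from sandbox container.\n"
@@ -58,32 +58,35 @@ static char *usage_str =
 #ifdef HAVE_DBUSPROXY
 " --dbus-log=file - set DBus log file location.\n"
 " --dbus-system=filter|none - set system DBus access policy.\n"
-" --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n"
+" --dbus-system.broadcast=rule - allow signals on the system DBus according\n"
+"\tto rule.\n"
 " --dbus-system.call=rule - allow calls on the system DBus according to rule.\n"
-" --dbus-system.log - turn on logging for the system DBus."
+" --dbus-system.log - turn on logging for the system DBus.\n"
 " --dbus-system.own=name - allow ownership of name on the system DBus.\n"
 " --dbus-system.see=name - allow seeing name on the system DBus.\n"
 " --dbus-system.talk=name - allow talking to name on the system DBus.\n"
 " --dbus-user=filter|none - set session DBus access policy.\n"
-" --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n"
+" --dbus-user.broadcast=rule - allow signals on the session DBus according\n"
+"\tto rule.\n"
 " --dbus-user.call=rule - allow calls on the session DBus according to rule.\n"
-" --dbus-user.log - turn on logging for the user DBus."
+" --dbus-user.log - turn on logging for the user DBus.\n"
 " --dbus-user.own=name - allow ownership of name on the session DBus.\n"
 " --dbus-user.see=name - allow seeing name on the session DBus.\n"
 " --dbus-user.talk=name - allow talking to name on the session DBus.\n"
 #endif
 " --debug - print sandbox debug messages.\n"
-" --debug-blacklists - debug blacklisting.\n"
+" --debug-allow - debug file system access.\n"
+" --debug-deny - debug file system access.\n"
 " --debug-caps - print all recognized capabilities.\n"
 " --debug-errnos - print all recognized error numbers.\n"
 " --debug-private-lib - debug for --private-lib option.\n"
 " --debug-protocols - print all recognized protocols.\n"
 " --debug-syscalls - print all recognized system calls.\n"
 " --debug-syscalls32 - print all recognized 32 bit system calls.\n"
-" --debug-whitelists - debug whitelisting.\n"
 #ifdef HAVE_NETWORK
 " --defaultgw=address - configure default gateway.\n"
 #endif
+" --deny=filename - deny access to directory or file.\n"
 " --deterministic-exit-code - always exit with first child's status code.\n"
 " --dns=address - set DNS server.\n"
 " --dns.print=name|pid - print DNS configuration.\n"
@@ -141,14 +144,15 @@ static char *usage_str =
 " --netfilter.print=name|pid - print the firewall.\n"
 " --netfilter6=filename - enable IPv6 firewall.\n"
 " --netfilter6.print=name|pid - print the IPv6 firewall.\n"
-" --netmask=address - define a network mask when dealing with unconfigured"
+" --netmask=address - define a network mask when dealing with unconfigured\n"
 "\tparrent interfaces.\n"
 " --netns=name - Run the program in a named, persistent network namespace.\n"
 " --netstats - monitor network statistics.\n"
 #endif
 " --nice=value - set nice value.\n"
 " --no3d - disable 3D hardware acceleration.\n"
-" --noblacklist=filename - disable blacklist for file or directory.\n"
+" --noallow=filename - disable allow command for file or directory.\n"
+" --nodeny=filename - disable deny command for file or directory.\n"
 " --nodbus - disable D-Bus access.\n"
 " --nodvd - disable DVD and audio CD devices.\n"
 " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
@@ -163,7 +167,6 @@ static char *usage_str =
 " --noautopulse - disable automatic ~/.config/pulse init.\n"
 " --novideo - disable video devices.\n"
 " --nou2f - disable U2F devices.\n"
-" --nowhitelist=filename - disable whitelist for file or directory.\n"
 #ifdef HAVE_OUTPUT
 " --output=logfile - stdout logging and log rotation.\n"
 " --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
@@ -220,14 +223,14 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-" --seccomp - enable seccomp filter and apply the default blacklist.\n"
-" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
+" --seccomp - enable seccomp filter and drop the default syscalls.\n"
+" --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n"
 "\tdefault syscall list and the syscalls specified by the command.\n"
 " --seccomp.block-secondary - build only the native architecture filters.\n"
 " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
-"\tblacklist the syscalls specified by the command.\n"
+"\tdrop the syscalls specified by the command.\n"
 " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
-"\twhitelist the syscalls specified by the command.\n"
+"\tallow the syscalls specified by the command.\n"
 " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
 "\tidentified by name or PID.\n"
 " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
@@ -242,7 +245,7 @@ static char *usage_str =
 " --top - monitor the most CPU-intensive sandboxes.\n"
 " --trace - trace open, access and connect system calls.\n"
 " --tracelog - add a syslog message for every access to files or\n"
-"\tdirectories blacklisted by the security profile.\n"
+"\tdirectories dropped by the security profile.\n"
 " --tree - print a tree of all sandboxed processes.\n"
 " --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
 "\tfiretunnel utility.\n"
@@ -250,7 +253,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
-" --whitelist=filename - whitelist directory or file.\n"
 " --writable-etc - /etc directory is mounted read-write.\n"
 " --writable-run-user - allow access to /run/user/$UID/systemd and\n"
 "\t/run/user/$UID/gnupg.\n"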
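Review bot: The new `--tracelog` text at line 248 says files or directories are `dropped by the security profile`, but "dropped" is the verb this commit uses for syscalls and capabilities; the file-system counterpart of the old "blacklisted" is "denied", so the line should read `"\tdirectories denied by the security profile.\n"`. At new lines 78–79 `--debug-allow` and `--debug-deny` now share the identical description `debug file system access`, which loses the distinction the old `debug blacklisting` / `debug whitelisting` texts carried; something like `debug allow rules` and `debug deny rules` keeps them distinguishable. The option list was alphabetical before, and two insertions break that: `--debug-deny` (79) sorts after `--debug-caps`, and `--nodeny` (155) sorts after `--nodbus`. Only the help string changes in this file, so whether the option parser accepts `--allow`/`--deny`, and whether the old `--whitelist`/`--blacklist` spellings remain accepted as aliases, cannot be confirmed from here; if they do remain accepted, the help text no longer documents them. The `usage_str` definition begins before the first hunk and continues past the last.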