diff options
Diffstat (limited to 'src/firejail/usage.c')
| -rw-r--r-- | src/firejail/usage.c | 42 |
1 files changed, 22 insertions, 20 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 2093a4ed3..b4f3021c7 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -28,6 +28,7 @@ static char *usage_str = | |||
| 28 | "\n" | 28 | "\n" |
| 29 | "Options:\n" | 29 | "Options:\n" |
| 30 | " -- - signal the end of options and disables further option processing.\n" | 30 | " -- - signal the end of options and disables further option processing.\n" |
| 31 | " --allow=filename - allow file system access.\n" | ||
| 31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" | 32 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" |
| 32 | " --allusers - all user home directories are visible inside the sandbox.\n" | 33 | " --allusers - all user home directories are visible inside the sandbox.\n" |
| 33 | " --apparmor - enable AppArmor confinement.\n" | 34 | " --apparmor - enable AppArmor confinement.\n" |
| @@ -38,13 +39,12 @@ static char *usage_str = | |||
| 38 | #endif | 39 | #endif |
| 39 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" | 40 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" |
| 40 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" | 41 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" |
| 41 | " --blacklist=filename - blacklist directory or file.\n" | 42 | " --build - build a profile for the application.\n" |
| 42 | " --build - build a whitelisted profile for the application.\n" | 43 | " --build=filename - build a profile for the application.\n" |
| 43 | " --build=filename - build a whitelisted profile for the application.\n" | ||
| 44 | " --caps - enable default Linux capabilities filter.\n" | 44 | " --caps - enable default Linux capabilities filter.\n" |
| 45 | " --caps.drop=all - drop all capabilities.\n" | 45 | " --caps.drop=all - drop all capabilities.\n" |
| 46 | " --caps.drop=capability,capability - blacklist capabilities filter.\n" | 46 | " --caps.drop=capability,capability - drop capabilities.\n" |
| 47 | " --caps.keep=capability,capability - whitelist capabilities filter.\n" | 47 | " --caps.keep=capability,capability - allow capabilities.\n" |
| 48 | " --caps.print=name|pid - print the caps filter.\n" | 48 | " --caps.print=name|pid - print the caps filter.\n" |
| 49 | #ifdef HAVE_FILE_TRANSFER | 49 | #ifdef HAVE_FILE_TRANSFER |
| 50 | " --cat=name|pid filename - print content of file from sandbox container.\n" | 50 | " --cat=name|pid filename - print content of file from sandbox container.\n" |
| @@ -58,32 +58,35 @@ static char *usage_str = | |||
| 58 | #ifdef HAVE_DBUSPROXY | 58 | #ifdef HAVE_DBUSPROXY |
| 59 | " --dbus-log=file - set DBus log file location.\n" | 59 | " --dbus-log=file - set DBus log file location.\n" |
| 60 | " --dbus-system=filter|none - set system DBus access policy.\n" | 60 | " --dbus-system=filter|none - set system DBus access policy.\n" |
| 61 | " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n" | 61 | " --dbus-system.broadcast=rule - allow signals on the system DBus according\n" |
| 62 | "\tto rule.\n" | ||
| 62 | " --dbus-system.call=rule - allow calls on the system DBus according to rule.\n" | 63 | " --dbus-system.call=rule - allow calls on the system DBus according to rule.\n" |
| 63 | " --dbus-system.log - turn on logging for the system DBus." | 64 | " --dbus-system.log - turn on logging for the system DBus.\n" |
| 64 | " --dbus-system.own=name - allow ownership of name on the system DBus.\n" | 65 | " --dbus-system.own=name - allow ownership of name on the system DBus.\n" |
| 65 | " --dbus-system.see=name - allow seeing name on the system DBus.\n" | 66 | " --dbus-system.see=name - allow seeing name on the system DBus.\n" |
| 66 | " --dbus-system.talk=name - allow talking to name on the system DBus.\n" | 67 | " --dbus-system.talk=name - allow talking to name on the system DBus.\n" |
| 67 | " --dbus-user=filter|none - set session DBus access policy.\n" | 68 | " --dbus-user=filter|none - set session DBus access policy.\n" |
| 68 | " --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n" | 69 | " --dbus-user.broadcast=rule - allow signals on the session DBus according\n" |
| 70 | "\tto rule.\n" | ||
| 69 | " --dbus-user.call=rule - allow calls on the session DBus according to rule.\n" | 71 | " --dbus-user.call=rule - allow calls on the session DBus according to rule.\n" |
| 70 | " --dbus-user.log - turn on logging for the user DBus." | 72 | " --dbus-user.log - turn on logging for the user DBus.\n" |
| 71 | " --dbus-user.own=name - allow ownership of name on the session DBus.\n" | 73 | " --dbus-user.own=name - allow ownership of name on the session DBus.\n" |
| 72 | " --dbus-user.see=name - allow seeing name on the session DBus.\n" | 74 | " --dbus-user.see=name - allow seeing name on the session DBus.\n" |
| 73 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" | 75 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" |
| 74 | #endif | 76 | #endif |
| 75 | " --debug - print sandbox debug messages.\n" | 77 | " --debug - print sandbox debug messages.\n" |
| 76 | " --debug-blacklists - debug blacklisting.\n" | 78 | " --debug-allow - debug file system access.\n" |
| 79 | " --debug-deny - debug file system access.\n" | ||
| 77 | " --debug-caps - print all recognized capabilities.\n" | 80 | " --debug-caps - print all recognized capabilities.\n" |
| 78 | " --debug-errnos - print all recognized error numbers.\n" | 81 | " --debug-errnos - print all recognized error numbers.\n" |
| 79 | " --debug-private-lib - debug for --private-lib option.\n" | 82 | " --debug-private-lib - debug for --private-lib option.\n" |
| 80 | " --debug-protocols - print all recognized protocols.\n" | 83 | " --debug-protocols - print all recognized protocols.\n" |
| 81 | " --debug-syscalls - print all recognized system calls.\n" | 84 | " --debug-syscalls - print all recognized system calls.\n" |
| 82 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 85 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
| 83 | " --debug-whitelists - debug whitelisting.\n" | ||
| 84 | #ifdef HAVE_NETWORK | 86 | #ifdef HAVE_NETWORK |
| 85 | " --defaultgw=address - configure default gateway.\n" | 87 | " --defaultgw=address - configure default gateway.\n" |
| 86 | #endif | 88 | #endif |
| 89 | " --deny=filename - deny access to directory or file.\n" | ||
| 87 | " --deterministic-exit-code - always exit with first child's status code.\n" | 90 | " --deterministic-exit-code - always exit with first child's status code.\n" |
| 88 | " --dns=address - set DNS server.\n" | 91 | " --dns=address - set DNS server.\n" |
| 89 | " --dns.print=name|pid - print DNS configuration.\n" | 92 | " --dns.print=name|pid - print DNS configuration.\n" |
| @@ -141,14 +144,15 @@ static char *usage_str = | |||
| 141 | " --netfilter.print=name|pid - print the firewall.\n" | 144 | " --netfilter.print=name|pid - print the firewall.\n" |
| 142 | " --netfilter6=filename - enable IPv6 firewall.\n" | 145 | " --netfilter6=filename - enable IPv6 firewall.\n" |
| 143 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" | 146 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" |
| 144 | " --netmask=address - define a network mask when dealing with unconfigured" | 147 | " --netmask=address - define a network mask when dealing with unconfigured\n" |
| 145 | "\tparrent interfaces.\n" | 148 | "\tparrent interfaces.\n" |
| 146 | " --netns=name - Run the program in a named, persistent network namespace.\n" | 149 | " --netns=name - Run the program in a named, persistent network namespace.\n" |
| 147 | " --netstats - monitor network statistics.\n" | 150 | " --netstats - monitor network statistics.\n" |
| 148 | #endif | 151 | #endif |
| 149 | " --nice=value - set nice value.\n" | 152 | " --nice=value - set nice value.\n" |
| 150 | " --no3d - disable 3D hardware acceleration.\n" | 153 | " --no3d - disable 3D hardware acceleration.\n" |
| 151 | " --noblacklist=filename - disable blacklist for file or directory.\n" | 154 | " --noallow=filename - disable allow command for file or directory.\n" |
| 155 | " --nodeny=filename - disable deny command for file or directory.\n" | ||
| 152 | " --nodbus - disable D-Bus access.\n" | 156 | " --nodbus - disable D-Bus access.\n" |
| 153 | " --nodvd - disable DVD and audio CD devices.\n" | 157 | " --nodvd - disable DVD and audio CD devices.\n" |
| 154 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" | 158 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" |
| @@ -163,7 +167,6 @@ static char *usage_str = | |||
| 163 | " --noautopulse - disable automatic ~/.config/pulse init.\n" | 167 | " --noautopulse - disable automatic ~/.config/pulse init.\n" |
| 164 | " --novideo - disable video devices.\n" | 168 | " --novideo - disable video devices.\n" |
| 165 | " --nou2f - disable U2F devices.\n" | 169 | " --nou2f - disable U2F devices.\n" |
| 166 | " --nowhitelist=filename - disable whitelist for file or directory.\n" | ||
| 167 | #ifdef HAVE_OUTPUT | 170 | #ifdef HAVE_OUTPUT |
| 168 | " --output=logfile - stdout logging and log rotation.\n" | 171 | " --output=logfile - stdout logging and log rotation.\n" |
| 169 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" | 172 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" |
| @@ -220,14 +223,14 @@ static char *usage_str = | |||
| 220 | #ifdef HAVE_NETWORK | 223 | #ifdef HAVE_NETWORK |
| 221 | " --scan - ARP-scan all the networks from inside a network namespace.\n" | 224 | " --scan - ARP-scan all the networks from inside a network namespace.\n" |
| 222 | #endif | 225 | #endif |
| 223 | " --seccomp - enable seccomp filter and apply the default blacklist.\n" | 226 | " --seccomp - enable seccomp filter and drop the default syscalls.\n" |
| 224 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n" | 227 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n" |
| 225 | "\tdefault syscall list and the syscalls specified by the command.\n" | 228 | "\tdefault syscall list and the syscalls specified by the command.\n" |
| 226 | " --seccomp.block-secondary - build only the native architecture filters.\n" | 229 | " --seccomp.block-secondary - build only the native architecture filters.\n" |
| 227 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" | 230 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" |
| 228 | "\tblacklist the syscalls specified by the command.\n" | 231 | "\tdrop the syscalls specified by the command.\n" |
| 229 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" | 232 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" |
| 230 | "\twhitelist the syscalls specified by the command.\n" | 233 | "\tallow the syscalls specified by the command.\n" |
| 231 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 234 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
| 232 | "\tidentified by name or PID.\n" | 235 | "\tidentified by name or PID.\n" |
| 233 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" | 236 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" |
| @@ -242,7 +245,7 @@ static char *usage_str = | |||
| 242 | " --top - monitor the most CPU-intensive sandboxes.\n" | 245 | " --top - monitor the most CPU-intensive sandboxes.\n" |
| 243 | " --trace - trace open, access and connect system calls.\n" | 246 | " --trace - trace open, access and connect system calls.\n" |
| 244 | " --tracelog - add a syslog message for every access to files or\n" | 247 | " --tracelog - add a syslog message for every access to files or\n" |
| 245 | "\tdirectories blacklisted by the security profile.\n" | 248 | "\tdirectories dropped by the security profile.\n" |
| 246 | " --tree - print a tree of all sandboxed processes.\n" | 249 | " --tree - print a tree of all sandboxed processes.\n" |
| 247 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" | 250 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" |
| 248 | "\tfiretunnel utility.\n" | 251 | "\tfiretunnel utility.\n" |
| @@ -250,7 +253,6 @@ static char *usage_str = | |||
| 250 | #ifdef HAVE_NETWORK | 253 | #ifdef HAVE_NETWORK |
| 251 | " --veth-name=name - use this name for the interface connected to the bridge.\n" | 254 | " --veth-name=name - use this name for the interface connected to the bridge.\n" |
| 252 | #endif | 255 | #endif |
| 253 | " --whitelist=filename - whitelist directory or file.\n" | ||
| 254 | " --writable-etc - /etc directory is mounted read-write.\n" | 256 | " --writable-etc - /etc directory is mounted read-write.\n" |
| 255 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" | 257 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" |
| 256 | "\t/run/user/$UID/gnupg.\n" | 258 | "\t/run/user/$UID/gnupg.\n" |