diff options
Diffstat (limited to 'src/firejail/usage.c')
| -rw-r--r-- | src/firejail/usage.c | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d843c74ae..082a0b306 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -28,7 +28,6 @@ static char *usage_str = | |||
| 28 | "\n" | 28 | "\n" |
| 29 | "Options:\n" | 29 | "Options:\n" |
| 30 | " -- - signal the end of options and disables further option processing.\n" | 30 | " -- - signal the end of options and disables further option processing.\n" |
| 31 | " --allow=filename - allow file system access.\n" | ||
| 32 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" | 31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" |
| 33 | " --allusers - all user home directories are visible inside the sandbox.\n" | 32 | " --allusers - all user home directories are visible inside the sandbox.\n" |
| 34 | " --apparmor - enable AppArmor confinement.\n" | 33 | " --apparmor - enable AppArmor confinement.\n" |
| @@ -39,12 +38,13 @@ static char *usage_str = | |||
| 39 | #endif | 38 | #endif |
| 40 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" | 39 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" |
| 41 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" | 40 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" |
| 42 | " --build - build a profile for the application.\n" | 41 | " --blacklist=filename - blacklist directory or file.\n" |
| 43 | " --build=filename - build a profile for the application.\n" | 42 | " --build - build a whitelisted profile for the application.\n" |
| 43 | " --build=filename - build a whitelisted profile for the application.\n" | ||
| 44 | " --caps - enable default Linux capabilities filter.\n" | 44 | " --caps - enable default Linux capabilities filter.\n" |
| 45 | " --caps.drop=all - drop all capabilities.\n" | 45 | " --caps.drop=all - drop all capabilities.\n" |
| 46 | " --caps.drop=capability,capability - drop capabilities.\n" | 46 | " --caps.drop=capability,capability - blacklist capabilities filter.\n" |
| 47 | " --caps.keep=capability,capability - allow capabilities.\n" | 47 | " --caps.keep=capability,capability - whitelist capabilities filter.\n" |
| 48 | " --caps.print=name|pid - print the caps filter.\n" | 48 | " --caps.print=name|pid - print the caps filter.\n" |
| 49 | #ifdef HAVE_FILE_TRANSFER | 49 | #ifdef HAVE_FILE_TRANSFER |
| 50 | " --cat=name|pid filename - print content of file from sandbox container.\n" | 50 | " --cat=name|pid filename - print content of file from sandbox container.\n" |
| @@ -75,18 +75,17 @@ static char *usage_str = | |||
| 75 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" | 75 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" |
| 76 | #endif | 76 | #endif |
| 77 | " --debug - print sandbox debug messages.\n" | 77 | " --debug - print sandbox debug messages.\n" |
| 78 | " --debug-allow - debug file system access.\n" | 78 | " --debug-blacklists - debug blacklisting.\n" |
| 79 | " --debug-deny - debug file system access.\n" | ||
| 80 | " --debug-caps - print all recognized capabilities.\n" | 79 | " --debug-caps - print all recognized capabilities.\n" |
| 81 | " --debug-errnos - print all recognized error numbers.\n" | 80 | " --debug-errnos - print all recognized error numbers.\n" |
| 82 | " --debug-private-lib - debug for --private-lib option.\n" | 81 | " --debug-private-lib - debug for --private-lib option.\n" |
| 83 | " --debug-protocols - print all recognized protocols.\n" | 82 | " --debug-protocols - print all recognized protocols.\n" |
| 84 | " --debug-syscalls - print all recognized system calls.\n" | 83 | " --debug-syscalls - print all recognized system calls.\n" |
| 85 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 84 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
| 85 | " --debug-whitelists - debug whitelisting.\n" | ||
| 86 | #ifdef HAVE_NETWORK | 86 | #ifdef HAVE_NETWORK |
| 87 | " --defaultgw=address - configure default gateway.\n" | 87 | " --defaultgw=address - configure default gateway.\n" |
| 88 | #endif | 88 | #endif |
| 89 | " --deny=filename - deny access to directory or file.\n" | ||
| 90 | " --deterministic-exit-code - always exit with first child's status code.\n" | 89 | " --deterministic-exit-code - always exit with first child's status code.\n" |
| 91 | " --dns=address - set DNS server.\n" | 90 | " --dns=address - set DNS server.\n" |
| 92 | " --dns.print=name|pid - print DNS configuration.\n" | 91 | " --dns.print=name|pid - print DNS configuration.\n" |
| @@ -153,8 +152,7 @@ static char *usage_str = | |||
| 153 | #endif | 152 | #endif |
| 154 | " --nice=value - set nice value.\n" | 153 | " --nice=value - set nice value.\n" |
| 155 | " --no3d - disable 3D hardware acceleration.\n" | 154 | " --no3d - disable 3D hardware acceleration.\n" |
| 156 | " --noallow=filename - disable allow command for file or directory.\n" | 155 | " --noblacklist=filename - disable blacklist for file or directory.\n" |
| 157 | " --nodeny=filename - disable deny command for file or directory.\n" | ||
| 158 | " --nodbus - disable D-Bus access.\n" | 156 | " --nodbus - disable D-Bus access.\n" |
| 159 | " --nodvd - disable DVD and audio CD devices.\n" | 157 | " --nodvd - disable DVD and audio CD devices.\n" |
| 160 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" | 158 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" |
| @@ -169,6 +167,7 @@ static char *usage_str = | |||
| 169 | " --noautopulse - disable automatic ~/.config/pulse init.\n" | 167 | " --noautopulse - disable automatic ~/.config/pulse init.\n" |
| 170 | " --novideo - disable video devices.\n" | 168 | " --novideo - disable video devices.\n" |
| 171 | " --nou2f - disable U2F devices.\n" | 169 | " --nou2f - disable U2F devices.\n" |
| 170 | " --nowhitelist=filename - disable whitelist for file or directory.\n" | ||
| 172 | #ifdef HAVE_OUTPUT | 171 | #ifdef HAVE_OUTPUT |
| 173 | " --output=logfile - stdout logging and log rotation.\n" | 172 | " --output=logfile - stdout logging and log rotation.\n" |
| 174 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" | 173 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" |
| @@ -225,14 +224,14 @@ static char *usage_str = | |||
| 225 | #ifdef HAVE_NETWORK | 224 | #ifdef HAVE_NETWORK |
| 226 | " --scan - ARP-scan all the networks from inside a network namespace.\n" | 225 | " --scan - ARP-scan all the networks from inside a network namespace.\n" |
| 227 | #endif | 226 | #endif |
| 228 | " --seccomp - enable seccomp filter and drop the default syscalls.\n" | 227 | " --seccomp - enable seccomp filter and apply the default blacklist.\n" |
| 229 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n" | 228 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n" |
| 230 | "\tdefault syscall list and the syscalls specified by the command.\n" | 229 | "\tdefault syscall list and the syscalls specified by the command.\n" |
| 231 | " --seccomp.block-secondary - build only the native architecture filters.\n" | 230 | " --seccomp.block-secondary - build only the native architecture filters.\n" |
| 232 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" | 231 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" |
| 233 | "\tdrop the syscalls specified by the command.\n" | 232 | "\tblacklist the syscalls specified by the command.\n" |
| 234 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" | 233 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" |
| 235 | "\tallow the syscalls specified by the command.\n" | 234 | "\twhitelist the syscalls specified by the command.\n" |
| 236 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 235 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
| 237 | "\tidentified by name or PID.\n" | 236 | "\tidentified by name or PID.\n" |
| 238 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" | 237 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" |
| @@ -247,7 +246,7 @@ static char *usage_str = | |||
| 247 | " --top - monitor the most CPU-intensive sandboxes.\n" | 246 | " --top - monitor the most CPU-intensive sandboxes.\n" |
| 248 | " --trace - trace open, access and connect system calls.\n" | 247 | " --trace - trace open, access and connect system calls.\n" |
| 249 | " --tracelog - add a syslog message for every access to files or\n" | 248 | " --tracelog - add a syslog message for every access to files or\n" |
| 250 | "\tdirectories dropped by the security profile.\n" | 249 | "\tdirectories blacklisted by the security profile.\n" |
| 251 | " --tree - print a tree of all sandboxed processes.\n" | 250 | " --tree - print a tree of all sandboxed processes.\n" |
| 252 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" | 251 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" |
| 253 | "\tfiretunnel utility.\n" | 252 | "\tfiretunnel utility.\n" |
| @@ -255,6 +254,7 @@ static char *usage_str = | |||
| 255 | #ifdef HAVE_NETWORK | 254 | #ifdef HAVE_NETWORK |
| 256 | " --veth-name=name - use this name for the interface connected to the bridge.\n" | 255 | " --veth-name=name - use this name for the interface connected to the bridge.\n" |
| 257 | #endif | 256 | #endif |
| 257 | " --whitelist=filename - whitelist directory or file.\n" | ||
| 258 | " --writable-etc - /etc directory is mounted read-write.\n" | 258 | " --writable-etc - /etc directory is mounted read-write.\n" |
| 259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" | 259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" |
| 260 | "\t/run/user/$UID/gnupg.\n" | 260 | "\t/run/user/$UID/gnupg.\n" |