Diffstat (limited to 'src/firejail/usage.c')
-rw-r--r-- | src/firejail/usage.c | 41 |
1 files changed, 21 insertions, 20 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index a21633349..76930e1de 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -36,10 +36,10 @@ void usage(void) { | |||
36 | printf(" --apparmor - enable AppArmor confinement.\n"); | 36 | printf(" --apparmor - enable AppArmor confinement.\n"); |
37 | printf(" --appimage - sandbox an AppImage application.\n"); | 37 | printf(" --appimage - sandbox an AppImage application.\n"); |
38 | printf(" --audit[=test-program] - audit the sandbox.\n"); | 38 | printf(" --audit[=test-program] - audit the sandbox.\n"); |
39 | #ifdef HAVE_NETWORK | 39 | #ifdef HAVE_NETWORK |
40 | printf(" --bandwidth=name|pid - set bandwidth limits.\n"); | 40 | printf(" --bandwidth=name|pid - set bandwidth limits.\n"); |
41 | #endif | 41 | #endif |
42 | #ifdef HAVE_BIND | 42 | #ifdef HAVE_BIND |
43 | printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"); | 43 | printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"); |
44 | printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"); | 44 | printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"); |
45 | #endif | 45 | #endif |
@@ -51,7 +51,7 @@ void usage(void) { | |||
51 | printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n"); | 51 | printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n"); |
52 | printf(" --caps.print=name|pid - print the caps filter.\n"); | 52 | printf(" --caps.print=name|pid - print the caps filter.\n"); |
53 | printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n"); | 53 | printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n"); |
54 | #ifdef HAVE_CHROOT | 54 | #ifdef HAVE_CHROOT |
55 | printf(" --chroot=dirname - chroot into directory.\n"); | 55 | printf(" --chroot=dirname - chroot into directory.\n"); |
56 | #endif | 56 | #endif |
57 | printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n"); | 57 | printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n"); |
@@ -64,15 +64,15 @@ void usage(void) { | |||
64 | printf(" --debug-errnos - print all recognized error numbers.\n"); | 64 | printf(" --debug-errnos - print all recognized error numbers.\n"); |
65 | printf(" --debug-protocols - print all recognized protocols.\n"); | 65 | printf(" --debug-protocols - print all recognized protocols.\n"); |
66 | printf(" --debug-syscalls - print all recognized system calls.\n"); | 66 | printf(" --debug-syscalls - print all recognized system calls.\n"); |
67 | #ifdef HAVE_WHITELIST | 67 | #ifdef HAVE_WHITELIST |
68 | printf(" --debug-whitelists - debug whitelisting.\n"); | 68 | printf(" --debug-whitelists - debug whitelisting.\n"); |
69 | #endif | 69 | #endif |
70 | #ifdef HAVE_NETWORK | 70 | #ifdef HAVE_NETWORK |
71 | printf(" --defaultgw=address - configure default gateway.\n"); | 71 | printf(" --defaultgw=address - configure default gateway.\n"); |
72 | #endif | 72 | #endif |
73 | printf(" --dns=address - set DNS server.\n"); | 73 | printf(" --dns=address - set DNS server.\n"); |
74 | printf(" --dns.print=name|pid - print DNS configuration.\n"); | 74 | printf(" --dns.print=name|pid - print DNS configuration.\n"); |
75 | 75 | ||
76 | printf(" --env=name=value - set environment variable.\n"); | 76 | printf(" --env=name=value - set environment variable.\n"); |
77 | printf(" --force - attempt to start a new sandbox inside the existing sandbox.\n"); | 77 | printf(" --force - attempt to start a new sandbox inside the existing sandbox.\n"); |
78 | printf(" --fs.print=name|pid - print the filesystem log.\n"); | 78 | printf(" --fs.print=name|pid - print the filesystem log.\n"); |
@@ -86,7 +86,7 @@ void usage(void) { | |||
86 | printf(" --hostname=name - set sandbox hostname.\n"); | 86 | printf(" --hostname=name - set sandbox hostname.\n"); |
87 | printf(" --hosts-file=file - use file as /etc/hosts.\n"); | 87 | printf(" --hosts-file=file - use file as /etc/hosts.\n"); |
88 | printf(" --ignore=command - ignore command in profile files.\n"); | 88 | printf(" --ignore=command - ignore command in profile files.\n"); |
89 | #ifdef HAVE_NETWORK | 89 | #ifdef HAVE_NETWORK |
90 | printf(" --interface=name - move interface in sandbox.\n"); | 90 | printf(" --interface=name - move interface in sandbox.\n"); |
91 | printf(" --ip=address - set interface IP address.\n"); | 91 | printf(" --ip=address - set interface IP address.\n"); |
92 | printf(" --ip=none - no IP address and no default gateway are configured.\n"); | 92 | printf(" --ip=none - no IP address and no default gateway are configured.\n"); |
@@ -96,21 +96,21 @@ void usage(void) { | |||
96 | printf(" --ipc-namespace - enable a new IPC namespace.\n"); | 96 | printf(" --ipc-namespace - enable a new IPC namespace.\n"); |
97 | printf(" --join=name|pid - join the sandbox.\n"); | 97 | printf(" --join=name|pid - join the sandbox.\n"); |
98 | printf(" --join-filesystem=name|pid - join the mount namespace.\n"); | 98 | printf(" --join-filesystem=name|pid - join the mount namespace.\n"); |
99 | #ifdef HAVE_NETWORK | 99 | #ifdef HAVE_NETWORK |
100 | printf(" --join-network=name|pid - join the network namespace.\n"); | 100 | printf(" --join-network=name|pid - join the network namespace.\n"); |
101 | #endif | 101 | #endif |
102 | printf(" --join-or-start=name|pid - join the sandbox or start a new one.\n"); | 102 | printf(" --join-or-start=name|pid - join the sandbox or start a new one.\n"); |
103 | printf(" --list - list all sandboxes.\n"); | 103 | printf(" --list - list all sandboxes.\n"); |
104 | printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n"); | 104 | printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n"); |
105 | #ifdef HAVE_NETWORK | 105 | #ifdef HAVE_NETWORK |
106 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); | 106 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); |
107 | #endif | 107 | #endif |
108 | printf(" --machine-id - preserve /etc/machine-id\n"); | 108 | printf(" --machine-id - preserve /etc/machine-id\n"); |
109 | #ifdef HAVE_NETWORK | 109 | #ifdef HAVE_NETWORK |
110 | printf(" --mtu=number - set interface MTU.\n"); | 110 | printf(" --mtu=number - set interface MTU.\n"); |
111 | #endif | 111 | #endif |
112 | printf(" --name=name - set sandbox name.\n"); | 112 | printf(" --name=name - set sandbox name.\n"); |
113 | #ifdef HAVE_NETWORK | 113 | #ifdef HAVE_NETWORK |
114 | printf(" --net=bridgename - enable network namespaces and connect to this bridge.\n"); | 114 | printf(" --net=bridgename - enable network namespaces and connect to this bridge.\n"); |
115 | printf(" --net=ethernet_interface - enable network namespaces and connect to this\n"); | 115 | printf(" --net=ethernet_interface - enable network namespaces and connect to this\n"); |
116 | printf("\tEthernet interface.\n"); | 116 | printf("\tEthernet interface.\n"); |
@@ -127,17 +127,18 @@ void usage(void) { | |||
127 | printf(" --nogroups - disable supplementary groups.\n"); | 127 | printf(" --nogroups - disable supplementary groups.\n"); |
128 | printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); | 128 | printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); |
129 | printf(" --noprofile - do not use a security profile.\n"); | 129 | printf(" --noprofile - do not use a security profile.\n"); |
130 | #ifdef HAVE_USERNS | 130 | #ifdef HAVE_USERNS |
131 | printf(" --noroot - install a user namespace with only the current user.\n"); | 131 | printf(" --noroot - install a user namespace with only the current user.\n"); |
132 | #endif | 132 | #endif |
133 | printf(" --nosound - disable sound system.\n"); | 133 | printf(" --nosound - disable sound system.\n"); |
134 | printf(" --novideo - disable video devices.\n"); | ||
134 | printf(" --nowhitelist=filename - disable whitelist for file or directory .\n"); | 135 | printf(" --nowhitelist=filename - disable whitelist for file or directory .\n"); |
135 | printf(" --output=logfile - stdout logging and log rotation.\n"); | 136 | printf(" --output=logfile - stdout logging and log rotation.\n"); |
136 | printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); | 137 | printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); |
137 | printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n"); | 138 | printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n"); |
138 | printf("\tfilesystem, and store it in name directory.\n"); | 139 | printf("\tfilesystem, and store it in name directory.\n"); |
139 | printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the current\n"); | 140 | printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the current\n"); |
140 | printf("\tfilesystem.\n"); | 141 | printf("\tfilesystem.\n"); |
141 | printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"); | 142 | printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"); |
142 | printf(" --private - temporary home directory.\n"); | 143 | printf(" --private - temporary home directory.\n"); |
143 | printf(" --private=directory - use directory as user home.\n"); | 144 | printf(" --private=directory - use directory as user home.\n"); |
@@ -169,9 +170,9 @@ void usage(void) { | |||
169 | printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); | 170 | printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); |
170 | printf("\tfor a process.\n"); | 171 | printf("\tfor a process.\n"); |
171 | printf(" --rmenv=name - remove environment variable in the new sandbox.\n"); | 172 | printf(" --rmenv=name - remove environment variable in the new sandbox.\n"); |
172 | #ifdef HAVE_NETWORK | 173 | #ifdef HAVE_NETWORK |
173 | printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); | 174 | printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); |
174 | #endif | 175 | #endif |
175 | #ifdef HAVE_SECCOMP | 176 | #ifdef HAVE_SECCOMP |
176 | printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n"); | 177 | printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n"); |
177 | printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); | 178 | printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); |
@@ -195,12 +196,12 @@ void usage(void) { | |||
195 | printf("\tdirectoires blacklisted by the security profile.\n"); | 196 | printf("\tdirectoires blacklisted by the security profile.\n"); |
196 | printf(" --tree - print a tree of all sandboxed processes.\n"); | 197 | printf(" --tree - print a tree of all sandboxed processes.\n"); |
197 | printf(" --version - print program version and exit.\n"); | 198 | printf(" --version - print program version and exit.\n"); |
198 | #ifdef HAVE_NETWORK | 199 | #ifdef HAVE_NETWORK |
199 | printf(" --veth-name=name - use this name for the interface connected to the bridge.\n"); | 200 | printf(" --veth-name=name - use this name for the interface connected to the bridge.\n"); |
200 | #endif | 201 | #endif |
201 | #ifdef HAVE_WHITELIST | 202 | #ifdef HAVE_WHITELIST |
202 | printf(" --whitelist=filename - whitelist directory or file.\n"); | 203 | printf(" --whitelist=filename - whitelist directory or file.\n"); |
203 | #endif | 204 | #endif |
204 | printf(" --writable-etc - /etc directory is mounted read-write.\n"); | 205 | printf(" --writable-etc - /etc directory is mounted read-write.\n"); |
205 | printf(" --writable-var - /var directory is mounted read-write.\n"); | 206 | printf(" --writable-var - /var directory is mounted read-write.\n"); |
206 | printf(" --writable-var-log - use the real /var/log directory, not a clone.\n"); | 207 | printf(" --writable-var-log - use the real /var/log directory, not a clone.\n"); |
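Review bot: The new `--novideo` help line in the `-127,17 +127,18` hunk says only "disable video devices", which does not tell a user relying on it for webcam privacy what is actually blocked. The implementation is not visible here (the diffstat is limited to usage.c), so the scope should be confirmed and stated; if only the V4L nodes are hidden, a description such as `- disable video capture devices (/dev/video*).` would set the right expectation. The line is printed unconditionally while several entries in this function sit behind `#ifdef` guards, so it is worth checking that the option is accepted in every build configuration. The other 20 changed lines appear to be whitespace-only edits, which would be easier to review as a separate commit. usage() begins and ends outside these hunks.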