Diffstat (limited to 'src/firejail/usage.c')
-rw-r--r-- | src/firejail/usage.c | 470 |
1 files changed, 211 insertions, 259 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index b538f136b..58f9d2cf7 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -33,267 +33,219 @@ void usage(void) { | |||
33 | printf("default in the sandbox.\n\n"); | 33 | printf("default in the sandbox.\n\n"); |
34 | printf("\n"); | 34 | printf("\n"); |
35 | printf("Options:\n\n"); | 35 | printf("Options:\n\n"); |
36 | printf("\t-- - signal the end of options and disables further option processing.\n\n"); | 36 | printf(" -- - signal the end of options and disables further option processing.\n\n"); |
37 | #ifdef HAVE_NETWORK | 37 | #ifdef HAVE_NETWORK |
38 | printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n"); | 38 | printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n"); |
39 | printf("\t\tby name, see Traffic Shaping section for more details.\n\n"); | 39 | printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n"); |
40 | printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n"); | ||
41 | printf("\t\tby PID, see Traffic Shaping section for more details.\n\n"); | ||
42 | #endif | 40 | #endif |
43 | #ifdef HAVE_BIND | 41 | #ifdef HAVE_BIND |
44 | printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); | 42 | printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); |
45 | printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n"); | 43 | printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n\n"); |
46 | #endif | 44 | #endif |
47 | printf("\t--blacklist=dirname_or_filename - blacklist directory or file.\n\n"); | 45 | printf(" --blacklist=dirname_or_filename - blacklist directory or file.\n\n"); |
48 | printf("\t-c - execute command and exit.\n\n"); | 46 | printf(" -c - execute command and exit.\n\n"); |
49 | printf("\t--caps - enable default Linux capabilities filter. The filter disables\n"); | 47 | printf(" --caps - enable default Linux capabilities filter.\n\n"); |
50 | printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n"); | 48 | printf(" --caps.drop=all - drop all capabilities.\n\n"); |
51 | #ifdef CAP_SYSLOG | 49 | printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n\n"); |
52 | printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); | 50 | printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n\n"); |
53 | #else | 51 | printf(" --caps.print=name|pid - print the caps filter for the sandbox identified\n"); |
54 | printf("\t\tCAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); | 52 | printf("\tby name or PID.\n\n"); |
55 | #endif | 53 | printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n"); |
56 | printf("\t--caps.drop=all - drop all capabilities.\n\n"); | 54 | printf("\ttasks-file is the full path of cgroup tasks file.\n\n"); |
57 | printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n"); | ||
58 | printf("\t\tcapabilities filter.\n\n"); | ||
59 | printf("\t--caps.keep=capability,capability,capability - whitelist Linux\n"); | ||
60 | printf("\t\tcapabilities filter.\n\n"); | ||
61 | printf("\t--caps.print=name - print the caps filter for the sandbox identified\n"); | ||
62 | printf("\t\tby name.\n\n"); | ||
63 | printf("\t--caps.print=pid - print the caps filter for the sandbox identified\n"); | ||
64 | printf("\t\tby PID.\n\n"); | ||
65 | printf("\t--cgroup=tasks-file - place the sandbox in the specified control group.\n"); | ||
66 | printf("\t\ttasks-file is the full path of cgroup tasks file.\n"); | ||
67 | printf("\t\tExample: --cgroup=/sys/fs/cgroup/g1/tasks\n\n"); | ||
68 | #ifdef HAVE_CHROOT | 55 | #ifdef HAVE_CHROOT |
69 | printf("\t--chroot=dirname - chroot into dirname directory.\n\n"); | 56 | printf(" --chroot=dirname - chroot into directory.\n\n"); |
70 | #endif | 57 | #endif |
71 | printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n"); | 58 | printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n"); |
72 | printf("\t\tExample: cpu=0,1,2\n\n"); | 59 | printf(" --csh - use /bin/csh as default shell.\n\n"); |
73 | printf("\t--csh - use /bin/csh as default shell.\n\n"); | 60 | |
74 | 61 | printf(" --debug - print sandbox debug messages.\n\n"); | |
75 | printf("\t--debug - print sandbox debug messages.\n\n"); | 62 | printf(" --debug-blacklists - debug blacklisting.\n\n"); |
76 | printf("\t--debug-blacklists - debug blacklisting.\n\n"); | 63 | printf(" --debug-caps - print all recognized capabilities in the current Firejail\n"); |
77 | printf("\t--debug-caps - print all recognized capabilities in the current\n"); | 64 | printf("\tsoftware build.\n\n"); |
78 | printf("\t\tFirejail software build and exit.\n\n"); | 65 | printf(" --debug-check-filename - debug filename checking.\n\n"); |
79 | printf("\t--debug-check-filename - debug filename checking.\n\n"); | 66 | printf(" --debug-errnos - print all recognized error numbers in the current Firejail\n"); |
80 | printf("\t--debug-errnos - print all recognized error numbers in the current\n"); | 67 | printf("\tsoftware build.\n\n"); |
81 | printf("\t\tFirejail software build and exit.\n\n"); | 68 | printf(" --debug-protocols - print all recognized protocols in the current Firejail\n"); |
82 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); | 69 | printf("\tsoftware build.\n\n"); |
83 | printf("\t\tFirejail software build and exit.\n\n"); | 70 | printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n"); |
84 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); | 71 | printf("\tsoftware build.\n\n"); |
85 | printf("\t\tFirejail software build and exit.\n\n"); | 72 | printf(" --debug-whitelists - debug whitelisting.\n\n"); |
86 | printf("\t--debug-whitelists - debug whitelisting.\n\n"); | ||
87 | 73 | ||
88 | 74 | ||
89 | 75 | ||
90 | #ifdef HAVE_NETWORK | 76 | #ifdef HAVE_NETWORK |
91 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); | 77 | printf(" --defaultgw=address - use this address as default gateway in the new network\n"); |
92 | printf("\t\tnetwork namespace.\n\n"); | 78 | printf("\tnamespace.\n\n"); |
93 | #endif | 79 | #endif |
94 | printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); | 80 | printf(" --dns=address - set a DNS server for the sandbox. Up to three DNS servers\n"); |
95 | printf("\t\tservers can be defined.\n\n"); | 81 | printf("\tcan be defined.\n\n"); |
96 | printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n"); | 82 | printf(" --dns.print=name|pid - print DNS configuration for the sandbox identified\n"); |
97 | printf("\t\tby name.\n\n"); | 83 | printf("\tby name or PID.\n\n"); |
98 | printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n"); | ||
99 | printf("\t\tby PID.\n\n"); | ||
100 | 84 | ||
101 | printf("\t--env=name=value - set environment variable in the new sandbox\n\n"); | 85 | printf(" --env=name=value - set environment variable in the new sandbox.\n\n"); |
102 | printf("\t--fs.print=name - print the filesystem log for the sandbox identified\n"); | 86 | printf(" --fs.print=name|pid - print the filesystem log for the sandbox identified\n"); |
103 | printf("\t\tby name.\n\n"); | 87 | printf("\tby name or PID.\n\n"); |
104 | printf("\t--fs.print=pid - print the filesystem log for the sandbox identified\n"); | ||
105 | printf("\t\tby PID.\n\n"); | ||
106 | 88 | ||
107 | printf("\t--help, -? - this help screen.\n\n"); | 89 | printf(" --help, -? - this help screen.\n\n"); |
108 | printf("\t--hostname=name - set sandbox hostname.\n\n"); | 90 | printf(" --hostname=name - set sandbox hostname.\n\n"); |
109 | printf("\t--ignore=command - ignore command in profile files.\n\n"); | 91 | printf(" --ignore=command - ignore command in profile files.\n\n"); |
110 | #ifdef HAVE_NETWORK | 92 | #ifdef HAVE_NETWORK |
111 | printf("\t--interface=name - move interface in a new network namespace. Up to\n"); | 93 | printf(" --interface=name - move interface in a new network namespace. Up to four\n"); |
112 | printf("\t\tfour --interface options can be specified.\n\n"); | 94 | printf("\t--interface options can be specified.\n\n"); |
113 | printf("\t--ip=address - set interface IP address.\n\n"); | 95 | printf(" --ip=address - set interface IP address.\n\n"); |
114 | printf("\t--ip=none - no IP address and no default gateway address are configured\n"); | 96 | printf(" --ip=none - no IP address and no default gateway address are configured\n"); |
115 | printf("\t\tin the new network namespace. Use this option in case you intend\n"); | 97 | printf("\tin the new network namespace. Use this option in case you intend to\n"); |
116 | printf("\t\tto start an external DHCP client in the sandbox.\n\n"); | 98 | printf("\tstart an external DHCP client in the sandbox.\n\n"); |
117 | printf("\t--ip6=address - set interface IPv6 address.\n\n"); | 99 | printf(" --ip6=address - set interface IPv6 address.\n\n"); |
118 | printf("\t--iprange=address,address - configure an IP address in this range\n\n"); | 100 | printf(" --iprange=address,address - configure an IP address in this range.\n\n"); |
119 | #endif | 101 | #endif |
120 | printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n"); | 102 | printf(" --ipc-namespace - enable a new IPC namespace if the sandbox was started as\n"); |
121 | printf("\t\tas a regular user. IPC namespace is enabled by default only if\n"); | 103 | printf("\tregular user. IPC namespace is enabled by default only if the sandbox\n"); |
122 | printf("\t\tthe sandbox is started as root.\n\n"); | 104 | printf("\tis started as root.\n\n"); |
123 | printf("\t--join=name - join the sandbox identified by name.\n\n"); | 105 | printf(" --join=name|pid - join the sandbox identified by name or PID.\n\n"); |
124 | printf("\t--join=pid - join the sandbox identified by PID.\n\n"); | 106 | printf(" --join-filesystem=name|pid - join the mount namespace of the sandbox\n"); |
125 | printf("\t--join-filesystem=name - join the mount namespace of the sandbox\n"); | 107 | printf("\tidentified by name or PID.\n\n"); |
126 | printf("\t\tidentified by name.\n\n"); | ||
127 | printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n"); | ||
128 | printf("\t\tidentified by PID.\n\n"); | ||
129 | #ifdef HAVE_NETWORK | 108 | #ifdef HAVE_NETWORK |
130 | printf("\t--join-network=name - join the network namespace of the sandbox\n"); | 109 | printf(" --join-network=name|pid - join the network namespace of the sandbox\n"); |
131 | printf("\t\tidentified by name.\n\n"); | 110 | printf("\tidentified by name or PID.\n\n"); |
132 | printf("\t--join-network=pid - join the network namespace of the sandbox\n"); | ||
133 | printf("\t\tidentified by PID.\n\n"); | ||
134 | #endif | 111 | #endif |
135 | printf("\t--list - list all sandboxes.\n\n"); | 112 | printf(" --list - list all sandboxes.\n\n"); |
136 | #ifdef HAVE_NETWORK | 113 | #ifdef HAVE_NETWORK |
137 | printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); | 114 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); |
138 | printf("\t--mtu=number - set interface MTU.\n\n"); | 115 | printf(" --mtu=number - set interface MTU.\n\n"); |
139 | #endif | 116 | #endif |
140 | printf("\t--name=name - set sandbox name.\n\n"); | 117 | printf(" --name=name - set sandbox name.\n\n"); |
141 | #ifdef HAVE_NETWORK | 118 | #ifdef HAVE_NETWORK |
142 | printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n"); | 119 | printf(" --net=bridgename - enable network namespaces and connect to this bridge\n"); |
143 | printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n"); | 120 | printf("\tdevice. Up to four --net devices can be defined.\n\n"); |
144 | printf("\t\tIP address and a default gateway will be assigned automatically\n"); | 121 | |
145 | printf("\t\tto the sandbox. The IP address is checked using ARP before\n"); | 122 | printf(" --net=ethernet_interface - enable network namespaces and connect to this\n"); |
146 | printf("\t\tassignment. The IP address assigned as default gateway is the\n"); | 123 | printf("\tEthernet interface using the standard Linux macvlan driver. Up to four\n"); |
147 | printf("\t\tbridge device IP address. Up to four --net devices can\n"); | 124 | printf("\t--net devices can be defined.\n\n"); |
148 | printf("\t\tbe defined. Mixing bridge and macvlan devices is allowed.\n\n"); | 125 | |
149 | printf("\t--net=ethernet_interface - enable network namespaces and connect\n"); | 126 | printf(" --net=none - enable a new, unconnected network namespace.\n\n"); |
150 | printf("\t\tto this ethernet_interface using the standard Linux macvlan\n"); | ||
151 | printf("\t\tdriver. Unless specified with option --ip and --defaultgw, an\n"); | ||
152 | printf("\t\tIP address and a default gateway will be assigned automatically\n"); | ||
153 | printf("\t\tto the sandbox. The IP address is checked using ARP before\n"); | ||
154 | printf("\t\tassignment. The IP address assigned as default gateway is the\n"); | ||
155 | printf("\t\tdefault gateway of the host. Up to four --net devices can\n"); | ||
156 | printf("\t\tbe defined. Mixing bridge and macvlan devices is allowed.\n\n"); | ||
157 | printf("\t--net=none - enable a new, unconnected network namespace.\n\n"); | ||
158 | 127 | ||
159 | printf("\t--netfilter - enable the default client network filter in the new\n"); | 128 | printf(" --netfilter - enable the default client network filter in the new\n"); |
160 | printf("\t\tnetwork namespace:\n\n"); | 129 | printf("\tnetwork namespace.\n\n"); |
161 | printf("\t\t*filter\n"); | 130 | printf(" --netfilter=filename - enable the network filter specified by\n"); |
162 | printf("\t\t:INPUT DROP [0:0]\n"); | 131 | printf("\tfilename in the new network namespace. The filter file format\n"); |
163 | printf("\t\t:FORWARD DROP [0:0]\n"); | 132 | printf("\tis the format of iptables-save and iptable-restore commands.\n\n"); |
164 | printf("\t\t:OUTPUT ACCEPT [0:0]\n"); | 133 | printf(" --netfilter6=filename - enable the IPv6 network filter specified by\n"); |
165 | printf("\t\t-A INPUT -i lo -j ACCEPT\n"); | 134 | printf("\tfilename in the new network namespace. The filter file format\n"); |
166 | printf("\t\t-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); | 135 | printf("\tis the format of ip6tables-save and ip6table-restore commands.\n\n"); |
167 | printf("\t\t-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"); | ||
168 | printf("\t\t-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"); | ||
169 | printf("\t\t-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"); | ||
170 | printf("\t\tCOMMIT\n\n"); | ||
171 | printf("\t--netfilter=filename - enable the network filter specified by\n"); | ||
172 | printf("\t\tfilename in the new network namespace. The filter file format\n"); | ||
173 | printf("\t\tis the format of iptables-save and iptable-restore commands.\n\n"); | ||
174 | printf("\t--netfilter6=filename - enable the IPv6 network filter specified by\n"); | ||
175 | printf("\t\tfilename in the new network namespace. The filter file format\n"); | ||
176 | printf("\t\tis the format of ip6tables-save and ip6table-restore commands.\n\n"); | ||
177 | 136 | ||
178 | printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); | 137 | printf(" --netstats - monitor network statistics for sandboxes creating a new\n"); |
179 | printf("\t\tnetwork namespace.\n\n"); | 138 | printf("\tnetwork namespace.\n\n"); |
180 | #endif | 139 | #endif |
181 | printf("\t--nice=value - set nice value\n\n"); | 140 | printf(" --nice=value - set nice value\n\n"); |
182 | printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n"); | 141 | printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n"); |
183 | printf("\t\tor file.\n\n"); | 142 | printf("\tfile.\n\n"); |
184 | printf("\t--nogroups - disable supplementary groups. Without this option,\n"); | 143 | printf(" --nogroups - disable supplementary groups. Without this option,\n"); |
185 | printf("\t\tsupplementary groups are enabled for the user starting the\n"); | 144 | printf("\tsupplementary groups are enabled for the user starting the sandbox.\n"); |
186 | printf("\t\tsandbox. For root user supplementary groups are always\n"); | 145 | printf("\t For root, groups are always disabled.\n\n"); |
187 | printf("\t\tdisabled.\n\n"); | ||
188 | 146 | ||
189 | printf("\t--noprofile - do not use a profile. Profile priority is use the one\n"); | 147 | printf(" --noprofile - do not use a profile. Profile priority is use the one\n"); |
190 | printf("\t\tspecified on the command line, next try to find one that\n"); | 148 | printf("\tspecified on the command line, next try to find one that\n"); |
191 | printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); | 149 | printf("\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); |
192 | printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); | 150 | printf("\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); |
193 | printf("\t\troot.\n\n"); | 151 | printf("\troot.\n\n"); |
194 | #ifdef HAVE_USERNS | 152 | #ifdef HAVE_USERNS |
195 | printf("\t--noroot - install a user namespace with a single user - the current\n"); | 153 | printf(" --noroot - install a user namespace with a single user - the current\n"); |
196 | printf("\t\tuser. root user does not exist in the new namespace. This option\n"); | 154 | printf("\tuser. root user does not exist in the new namespace. This option\n"); |
197 | printf("\t\tis not supported for --chroot and --overlay configurations.\n\n"); | 155 | printf("\tis not supported for --chroot and --overlay configurations.\n\n"); |
198 | #endif | 156 | #endif |
199 | printf("\t--nosound - disable sound system\n\n"); | 157 | printf(" --nosound - disable sound system.\n\n"); |
200 | 158 | ||
201 | printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n"); | 159 | printf(" --output=logfile - stdout logging and log rotation. Copy stdout to\n"); |
202 | printf("\t\tlogfile, and keep the size of the file under 500KB using log\n"); | 160 | printf("\tlogfile, and keep the size of the file under 500KB using log\n"); |
203 | printf("\t\trotation. Five files with prefixes .1 to .5 are used in\n"); | 161 | printf("\trotation. Five files with prefixes .1 to .5 are used in\n"); |
204 | printf("\t\trotation.\n\n"); | 162 | printf("\trotation.\n\n"); |
205 | 163 | ||
206 | printf("\t--overlay - mount a filesystem overlay on top of the current filesystem.\n"); | 164 | printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); |
207 | printf("\t\tThe upper filesystem layer is persistent, and stored in\n"); | 165 | printf("\tThe upper filesystem layer is persistent, and stored in\n"); |
208 | printf("\t\t$HOME/.firejail directory. (OverlayFS support is required in\n"); | 166 | printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n"); |
209 | printf("\t\tLinux kernel for this option to work). \n\n"); | 167 | printf("\tLinux kernel for this option to work). \n\n"); |
210 | 168 | ||
211 | printf("\t--overlay-tmpfs - mount a filesystem overlay on top of the current\n"); | 169 | printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); |
212 | printf("\t\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); | 170 | printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); |
213 | printf("\t\tand it is discarded when the sandbox is closed. (OverlayFS\n"); | 171 | printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n"); |
214 | printf("\t\tsupport is required in Linux kernel for this option to work).\n\n"); | 172 | printf("\tsupport is required in Linux kernel for this option to work).\n\n"); |
215 | 173 | ||
216 | printf("\t--private - mount new /root and /home/user directories in temporary\n"); | 174 | printf(" --private - mount new /root and /home/user directories in temporary\n"); |
217 | printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n"); | 175 | printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); |
218 | printf("\t\tclosed.\n\n"); | 176 | printf("\tclosed.\n\n"); |
219 | printf("\t--private=directory - use directory as user home.\n\n"); | 177 | printf(" --private=directory - use directory as user home.\n\n"); |
220 | 178 | ||
221 | printf("\t--private-bin=file,file - build a new /bin in a temporary filesystem,\n"); | 179 | printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); |
222 | printf("\t\tand copy the programs in the list. The same directory is\n"); | 180 | printf("\tand copy the programs in the list. The same directory is\n"); |
223 | printf("\t\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n"); | 181 | printf("\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n"); |
224 | 182 | ||
225 | printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); | 183 | printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); |
226 | printf("\t\tty, pst, ptms, random, urandom, log and shm devices are\n"); | 184 | printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n"); |
227 | printf("\t\tavailable.\n\n"); | ||
228 | 185 | ||
229 | printf("\t--private-etc=file,directory - build a new /etc in a temporary\n"); | 186 | printf(" --private-etc=file,directory - build a new /etc in a temporary\n"); |
230 | printf("\t\tfilesystem, and copy the files and directories in the list.\n"); | 187 | printf("\tfilesystem, and copy the files and directories in the list.\n"); |
231 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); | 188 | printf("\tAll modifications are discarded when the sandbox is closed.\n\n"); |
232 | 189 | ||
233 | printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n"); | 190 | printf(" --private-tmp - mount a tmpfs on top of /tmp directory\n\n"); |
234 | 191 | ||
235 | printf("\t--profile=filename - use a custom profile.\n\n"); | 192 | printf(" --profile=filename - use a custom profile.\n\n"); |
236 | printf("\t--profile-path=directory - use this directory to look for profile files.\n\n"); | 193 | printf(" --profile-path=directory - use this directory to look for profile files.\n\n"); |
237 | 194 | ||
238 | printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); | 195 | printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); |
239 | printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); | 196 | printf("\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); |
240 | printf("\t--protocol.print=name - print the protocol filter for the sandbox\n"); | 197 | printf(" --protocol.print=name|pid - print the protocol filter for the sandbox\n"); |
241 | printf("\t\tidentified by name.\n\n"); | 198 | printf("\tidentified by name or PID.\n\n"); |
242 | printf("\t--protocol.print=pid - print the protocol filter for the sandbox\n"); | ||
243 | printf("\t\tidentified by PID.\n\n"); | ||
244 | 199 | ||
245 | printf("\t--quiet - turn off Firejail's output.\n\n"); | 200 | printf(" --quiet - turn off Firejail's output.\n\n"); |
246 | printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); | 201 | printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n"); |
247 | printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); | 202 | printf(" --rlimit-fsize=number - set the maximum file size that can be created\n"); |
248 | printf("\t\tby a process.\n\n"); | 203 | printf("\tby a process.\n\n"); |
249 | printf("\t--rlimit-nofile=number - set the maximum number of files that can be\n"); | 204 | printf(" --rlimit-nofile=number - set the maximum number of files that can be\n"); |
250 | printf("\t\topened by a process.\n\n"); | 205 | printf("\topened by a process.\n\n"); |
251 | printf("\t--rlimit-nproc=number - set the maximum number of processes that can be\n"); | 206 | printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n"); |
252 | printf("\t\tcreated for the real user ID of the calling process.\n\n"); | 207 | printf("\tcreated for the real user ID of the calling process.\n\n"); |
253 | printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n"); | 208 | printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); |
254 | printf("\t\tfor a process.\n\n"); | 209 | printf("\tfor a process.\n\n"); |
255 | #ifdef HAVE_NETWORK | 210 | #ifdef HAVE_NETWORK |
256 | printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n"); | 211 | printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); |
257 | printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n"); | 212 | printf("\tThis makes it possible to detect macvlan kernel device drivers\n"); |
258 | printf("\t\trunning on the current host.\n\n"); | 213 | printf("\trunning on the current host.\n\n"); |
259 | #endif | 214 | #endif |
260 | #ifdef HAVE_SECCOMP | 215 | #ifdef HAVE_SECCOMP |
261 | printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n"); | 216 | printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n\n"); |
262 | 217 | ||
263 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); | 218 | printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); |
264 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); | 219 | printf("\tdefault syscall list and the syscalls specified by the command.\n\n"); |
265 | 220 | ||
266 | printf("\t--seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); | 221 | printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); |
267 | printf("\t\tblacklist the syscalls specified by the command.\n\n"); | 222 | printf("\tblacklist the syscalls specified by the command.\n\n"); |
268 | 223 | ||
269 | printf("\t--seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); | 224 | printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); |
270 | printf("\t\twhitelist the syscalls specified by the command.\n\n"); | 225 | printf("\twhitelist the syscalls specified by the command.\n\n"); |
271 | 226 | ||
272 | printf("\t--seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n"); | 227 | printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n"); |
273 | printf("\t\treturn errno for the syscalls specified by the command.\n\n"); | 228 | printf("\treturn errno for the syscalls specified by the command.\n\n"); |
274 | 229 | ||
275 | printf("\t--seccomp.print=name - print the seccomp filter for the sandbox\n"); | 230 | printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"); |
276 | printf("\t\tidentified by name.\n\n"); | 231 | printf("\tidentified by name or PID.\n\n"); |
277 | printf("\t--seccomp.print=pid - print the seccomp filter for the sandbox\n"); | ||
278 | printf("\t\tidentified by PID.\n\n"); | ||
279 | #endif | 232 | #endif |
280 | 233 | ||
281 | printf("\t--shell=none - run the program directly without a user shell.\n\n"); | 234 | printf(" --shell=none - run the program directly without a user shell.\n\n"); |
282 | printf("\t--shell=program - set default user shell.\n\n"); | 235 | printf(" --shell=program - set default user shell.\n\n"); |
283 | printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n"); | 236 | printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n\n"); |
284 | printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n"); | 237 | printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); |
285 | printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); | 238 | printf("\tThis option is available only when running the sandbox as root.\n\n"); |
286 | printf("\t\tThis option is available only when running the sandbox as root.\n\n"); | 239 | printf(" --top - monitor the most CPU-intensive sandboxes.\n\n"); |
287 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); | 240 | printf(" --trace - trace open, access and connect system calls.\n\n"); |
288 | printf("\t--trace - trace open, access and connect system calls.\n\n"); | 241 | printf(" --tracelog - add a syslog message for every access to files or\n"); |
289 | printf("\t--tracelog - add a syslog message for every access to files or\n"); | 242 | printf("\tdirectoires blacklisted by the security profile.\n\n"); |
290 | printf("\t\tdirectoires blacklisted by the security profile.\n\n"); | 243 | printf(" --tree - print a tree of all sandboxed processes.\n\n"); |
291 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); | 244 | printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); |
292 | printf("\t--user=new_user - switch the user before starting the sandbox.\n\n"); | 245 | printf(" --version - print program version and exit.\n\n"); |
293 | printf("\t--version - print program version and exit.\n\n"); | 246 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); |
294 | printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); | 247 | printf(" --x11 - enable x11 server.\n\n"); |
295 | printf("\t--x11 - enable x11 server.\n\n"); | 248 | printf(" --zsh - use /usr/bin/zsh as default shell.\n\n"); |
296 | printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n"); | ||
297 | printf("\n"); | 249 | printf("\n"); |
298 | printf("\n"); | 250 | printf("\n"); |
299 | 251 | ||
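Review bot: Three of the rewritten help strings carry new typos: new line 39 reads `"\tby name or PID, see Traffic Shaping section fo more details.\n\n"` (should be `for`), new line 201 ends `read-only..\n\n` with a doubled period, and new line 145 `"\t For root, groups are always disabled.\n\n"` has a stray space after the tab that misaligns it against every other continuation line. The pre-existing `directoires` on new line 242 could be fixed in the same pass. The shortened `--caps` entry on new line 47 no longer lists which capabilities the default filter drops; if that is intentional for brevity, a pointer such as `see the firejail man page for the list` would keep the help text self-explanatory. usage() starts before this hunk and continues after it.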
@@ -309,23 +261,23 @@ void usage(void) { | |||
309 | printf("sandboxes configured with new network namespaces.\n\n"); | 261 | printf("sandboxes configured with new network namespaces.\n\n"); |
310 | 262 | ||
311 | printf("Set rate-limits:\n"); | 263 | printf("Set rate-limits:\n"); |
312 | printf("\tfirejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n"); | 264 | printf(" firejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n"); |
313 | printf("Clear rate-limits:\n"); | 265 | printf("Clear rate-limits:\n"); |
314 | printf("\tfirejail --bandwidth={name|pid} clear network-name\n\n"); | 266 | printf(" firejail --bandwidth={name|pid} clear network-name\n\n"); |
315 | printf("Status:\n"); | 267 | printf("Status:\n"); |
316 | printf("\tfirejail --bandwidth={name|pid} status\n\n"); | 268 | printf(" firejail --bandwidth={name|pid} status\n\n"); |
317 | printf("where:\n"); | 269 | printf("where:\n"); |
318 | printf("\tname - sandbox name\n"); | 270 | printf(" name - sandbox name\n"); |
319 | printf("\tpid - sandbox pid\n"); | 271 | printf(" pid - sandbox pid\n"); |
320 | printf("\tnetwork-name - network name as used by --net option\n"); | 272 | printf(" network-name - network name as used by --net option\n"); |
321 | printf("\tdown-speed - download speed in KB/s (decimal kilobyte per second)\n"); | 273 | printf(" down-speed - download speed in KB/s (decimal kilobyte per second)\n"); |
322 | printf("\tup-speed - upload speed in KB/s (decimal kilobyte per second)\n"); | 274 | printf(" up-speed - upload speed in KB/s (decimal kilobyte per second)\n"); |
323 | printf("\n"); | 275 | printf("\n"); |
324 | printf("Example:\n"); | 276 | printf("Example:\n"); |
325 | printf("\t$ firejail --name=mybrowser --net=eth0 firefox &\n"); | 277 | printf(" $ firejail --name=mybrowser --net=eth0 firefox &\n"); |
326 | printf("\t$ firejail --bandwidth=mybrowser set eth0 80 20\n"); | 278 | printf(" $ firejail --bandwidth=mybrowser set eth0 80 20\n"); |
327 | printf("\t$ firejail --bandwidth=mybrowser status\n"); | 279 | printf(" $ firejail --bandwidth=mybrowser status\n"); |
328 | printf("\t$ firejail --bandwidth=mybrowser clear eth0\n"); | 280 | printf(" $ firejail --bandwidth=mybrowser clear eth0\n"); |
329 | printf("\n"); | 281 | printf("\n"); |
330 | printf("\n"); | 282 | printf("\n"); |
331 | #endif | 283 | #endif |
@@ -335,29 +287,29 @@ void usage(void) { | |||
335 | 287 | ||
336 | printf("Option --list prints a list of all sandboxes. The format for each entry is as\n"); | 288 | printf("Option --list prints a list of all sandboxes. The format for each entry is as\n"); |
337 | printf("follows:\n\n"); | 289 | printf("follows:\n\n"); |
338 | printf("\tPID:USER:Command\n\n"); | 290 | printf(" PID:USER:Command\n\n"); |
339 | 291 | ||
340 | printf("Option --tree prints the tree of processes running in the sandbox. The format\n"); | 292 | printf("Option --tree prints the tree of processes running in the sandbox. The format\n"); |
341 | printf("for each process entry is as follows:\n\n"); | 293 | printf("for each process entry is as follows:\n\n"); |
342 | printf("\tPID:USER:Command\n\n"); | 294 | printf(" PID:USER:Command\n\n"); |
343 | 295 | ||
344 | printf("Option --top is similar to the UNIX top command, however it applies only to\n"); | 296 | printf("Option --top is similar to the UNIX top command, however it applies only to\n"); |
345 | printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n"); | 297 | printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n"); |
346 | printf("order:\n\n"); | 298 | printf("order:\n\n"); |
347 | printf("\tCommand - command used to start the sandbox.\n"); | 299 | printf(" Command - command used to start the sandbox.\n"); |
348 | printf("\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"); | 300 | printf(" CPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"); |
349 | printf("\t last screen update\n"); | 301 | printf("\tlast screen update\n"); |
350 | printf("\tPID - Unique process ID for the task controlling the sandbox.\n"); | 302 | printf(" PID - Unique process ID for the task controlling the sandbox.\n"); |
351 | printf("\tPrcs - number of processes running in sandbox, including the controlling\n"); | 303 | printf(" Prcs - number of processes running in sandbox, including the controlling\n"); |
352 | printf("\t process.\n"); | 304 | printf("\tprocess.\n"); |
353 | printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); | 305 | printf(" RES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); |
354 | printf("\t It is a sum of the RES values for all processes running in the\n"); | 306 | printf("\tIt is a sum of the RES values for all processes running in the\n"); |
355 | printf("\t sandbox.\n"); | 307 | printf("\tsandbox.\n"); |
356 | printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); | 308 | printf(" SHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); |
357 | printf("\t processes. It is a sum of the SHR values for all processes running\n"); | 309 | printf("\tprocesses. It is a sum of the SHR values for all processes running\n"); |
358 | printf("\t in the sandbox, including the controlling process.\n"); | 310 | printf("\tin the sandbox, including the controlling process.\n"); |
359 | printf("\tUptime - sandbox running time in hours:minutes:seconds format.\n"); | 311 | printf(" Uptime - sandbox running time in hours:minutes:seconds format.\n"); |
360 | printf("\tUser - The owner of the sandbox.\n"); | 312 | printf(" User - The owner of the sandbox.\n"); |
361 | printf("\n"); | 313 | printf("\n"); |
362 | printf("\n"); | 314 | printf("\n"); |
363 | printf("Profile files\n\n"); | 315 | printf("Profile files\n\n"); |
@@ -375,23 +327,23 @@ void usage(void) { | |||
375 | printf("/etc/firejail/login.users file.\n\n"); | 327 | printf("/etc/firejail/login.users file.\n\n"); |
376 | printf("\n"); | 328 | printf("\n"); |
377 | printf("Examples:\n\n"); | 329 | printf("Examples:\n\n"); |
378 | printf(" $ firejail\n"); | 330 | printf(" $ firejail\n"); |
379 | printf(" start a regular /bin/bash session in sandbox\n"); | 331 | printf("\tstart a regular /bin/bash session in sandbox\n"); |
380 | printf(" $ firejail firefox\n"); | 332 | printf(" $ firejail firefox\n"); |
381 | printf(" start Mozilla Firefox\n"); | 333 | printf("\tstart Mozilla Firefox\n"); |
382 | printf(" $ firejail --debug firefox\n"); | 334 | printf(" $ firejail --debug firefox\n"); |
383 | printf(" debug Firefox sandbox\n"); | 335 | printf("\tdebug Firefox sandbox\n"); |
384 | printf(" $ firejail --private\n"); | 336 | printf(" $ firejail --private firefox\n"); |
385 | printf(" start a /bin/bash session with a new tmpfs home directory\n"); | 337 | printf("\tstart Firefox with a new, empty home directory\n"); |
386 | printf(" $ firejail --net=br0 ip=10.10.20.10\n"); | 338 | printf(" $ firejail --net=br0 ip=10.10.20.10\n"); |
387 | printf(" start a /bin/bash session in a new network namespace; the session is\n"); | 339 | printf("\tstart a /bin/bash session in a new network namespace; the session is\n"); |
388 | printf(" connected to the main network using br0 bridge device, an IP address\n"); | 340 | printf("\tconnected to the main network using br0 bridge device, an IP address\n"); |
389 | printf(" of 10.10.20.10 is assigned to the sandbox\n"); | 341 | printf("\tof 10.10.20.10 is assigned to the sandbox\n"); |
390 | printf(" $ firejail --net=br0 --net=br1 --net=br2\n"); | 342 | printf(" $ firejail --net=br0 --net=br1 --net=br2\n"); |
391 | printf(" start a /bin/bash session in a new network namespace and connect it\n"); | 343 | printf("\tstart a /bin/bash session in a new network namespace and connect it\n"); |
392 | printf(" to br0, br1, and br2 host bridge devices\n"); | 344 | printf("\tto br0, br1, and br2 host bridge devices\n"); |
393 | printf(" $ firejail --list\n"); | 345 | printf(" $ firejail --list\n"); |
394 | printf(" list all running sandboxes\n"); | 346 | printf("\tlist all running sandboxes\n"); |
395 | printf("\n"); | 347 | printf("\n"); |
396 | printf("License GPL version 2 or later\n"); | 348 | printf("License GPL version 2 or later\n"); |
397 | printf("Homepage: http://firejail.wordpress.com\n"); | 349 | printf("Homepage: http://firejail.wordpress.com\n"); |
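Review bot: The example on the `--net=br0` line (old 386 / new 338) still reads `firejail --net=br0 ip=10.10.20.10`, so the address argument lacks the `--` prefix that every other option in these examples carries (`--debug`, `--private`, `--net=`, `--list`) and would presumably be taken as the command to run rather than as an option; the commit rewrites the surrounding example lines but leaves this one as context, and it should read `printf(" $ firejail --net=br0 --ip=10.10.20.10\n");`. On the new side the example commands are indented by two spaces while their descriptions on the following lines use a `\t`, so how the description sits under its command now depends on the terminal's tab stops. The same two-space/tab mix appears in the `--top` field list in the previous hunk (`\tlast screen update`, `\tprocess.`, `\tIt is a sum of ...`), where the old `\t   ` continuation kept the wrapped text under the field description. Since printf emits this text verbatim, a consistent spaces-only indent for both levels would keep the layout stable.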