Diffstat (limited to 'src/firejail/usage.c')
-rw-r--r--src/firejail/usage.c470
1 files changed, 211 insertions, 259 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b538f136b..58f9d2cf7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -33,267 +33,219 @@ void usage(void) {
33 printf("default in the sandbox.\n\n"); 33 printf("default in the sandbox.\n\n");
34 printf("\n"); 34 printf("\n");
35 printf("Options:\n\n"); 35 printf("Options:\n\n");
36 printf("\t-- - signal the end of options and disables further option processing.\n\n"); 36 printf(" -- - signal the end of options and disables further option processing.\n\n");
37#ifdef HAVE_NETWORK 37#ifdef HAVE_NETWORK
38 printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n"); 38 printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n");
39 printf("\t\tby name, see Traffic Shaping section for more details.\n\n"); 39 printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
40 printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n");
41 printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
42#endif 40#endif
43#ifdef HAVE_BIND 41#ifdef HAVE_BIND
44 printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); 42 printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
45 printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n"); 43 printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n\n");
46#endif 44#endif
47 printf("\t--blacklist=dirname_or_filename - blacklist directory or file.\n\n"); 45 printf(" --blacklist=dirname_or_filename - blacklist directory or file.\n\n");
48 printf("\t-c - execute command and exit.\n\n"); 46 printf(" -c - execute command and exit.\n\n");
49 printf("\t--caps - enable default Linux capabilities filter. The filter disables\n"); 47 printf(" --caps - enable default Linux capabilities filter.\n\n");
50 printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n"); 48 printf(" --caps.drop=all - drop all capabilities.\n\n");
51#ifdef CAP_SYSLOG 49 printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n\n");
52 printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); 50 printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n\n");
53#else 51 printf(" --caps.print=name|pid - print the caps filter for the sandbox identified\n");
54 printf("\t\tCAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n"); 52 printf("\tby name or PID.\n\n");
55#endif 53 printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n");
56 printf("\t--caps.drop=all - drop all capabilities.\n\n"); 54 printf("\ttasks-file is the full path of cgroup tasks file.\n\n");
57 printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n");
58 printf("\t\tcapabilities filter.\n\n");
59 printf("\t--caps.keep=capability,capability,capability - whitelist Linux\n");
60 printf("\t\tcapabilities filter.\n\n");
61 printf("\t--caps.print=name - print the caps filter for the sandbox identified\n");
62 printf("\t\tby name.\n\n");
63 printf("\t--caps.print=pid - print the caps filter for the sandbox identified\n");
64 printf("\t\tby PID.\n\n");
65 printf("\t--cgroup=tasks-file - place the sandbox in the specified control group.\n");
66 printf("\t\ttasks-file is the full path of cgroup tasks file.\n");
67 printf("\t\tExample: --cgroup=/sys/fs/cgroup/g1/tasks\n\n");
68#ifdef HAVE_CHROOT 55#ifdef HAVE_CHROOT
69 printf("\t--chroot=dirname - chroot into dirname directory.\n\n"); 56 printf(" --chroot=dirname - chroot into directory.\n\n");
70#endif 57#endif
71 printf("\t--cpu=cpu-number,cpu-number - set cpu affinity.\n"); 58 printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
72 printf("\t\tExample: cpu=0,1,2\n\n"); 59 printf(" --csh - use /bin/csh as default shell.\n\n");
73 printf("\t--csh - use /bin/csh as default shell.\n\n"); 60
74 61 printf(" --debug - print sandbox debug messages.\n\n");
75 printf("\t--debug - print sandbox debug messages.\n\n"); 62 printf(" --debug-blacklists - debug blacklisting.\n\n");
76 printf("\t--debug-blacklists - debug blacklisting.\n\n"); 63 printf(" --debug-caps - print all recognized capabilities in the current Firejail\n");
77 printf("\t--debug-caps - print all recognized capabilities in the current\n"); 64 printf("\tsoftware build.\n\n");
78 printf("\t\tFirejail software build and exit.\n\n"); 65 printf(" --debug-check-filename - debug filename checking.\n\n");
79 printf("\t--debug-check-filename - debug filename checking.\n\n"); 66 printf(" --debug-errnos - print all recognized error numbers in the current Firejail\n");
80 printf("\t--debug-errnos - print all recognized error numbers in the current\n"); 67 printf("\tsoftware build.\n\n");
81 printf("\t\tFirejail software build and exit.\n\n"); 68 printf(" --debug-protocols - print all recognized protocols in the current Firejail\n");
82 printf("\t--debug-protocols - print all recognized protocols in the current\n"); 69 printf("\tsoftware build.\n\n");
83 printf("\t\tFirejail software build and exit.\n\n"); 70 printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");
84 printf("\t--debug-syscalls - print all recognized system calls in the current\n"); 71 printf("\tsoftware build.\n\n");
85 printf("\t\tFirejail software build and exit.\n\n"); 72 printf(" --debug-whitelists - debug whitelisting.\n\n");
86 printf("\t--debug-whitelists - debug whitelisting.\n\n");
87 73
88 74
89 75
90#ifdef HAVE_NETWORK 76#ifdef HAVE_NETWORK
91 printf("\t--defaultgw=address - use this address as default gateway in the new\n"); 77 printf(" --defaultgw=address - use this address as default gateway in the new network\n");
92 printf("\t\tnetwork namespace.\n\n"); 78 printf("\tnamespace.\n\n");
93#endif 79#endif
94 printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n"); 80 printf(" --dns=address - set a DNS server for the sandbox. Up to three DNS servers\n");
95 printf("\t\tservers can be defined.\n\n"); 81 printf("\tcan be defined.\n\n");
96 printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n"); 82 printf(" --dns.print=name|pid - print DNS configuration for the sandbox identified\n");
97 printf("\t\tby name.\n\n"); 83 printf("\tby name or PID.\n\n");
98 printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
99 printf("\t\tby PID.\n\n");
100 84
101 printf("\t--env=name=value - set environment variable in the new sandbox\n\n"); 85 printf(" --env=name=value - set environment variable in the new sandbox.\n\n");
102 printf("\t--fs.print=name - print the filesystem log for the sandbox identified\n"); 86 printf(" --fs.print=name|pid - print the filesystem log for the sandbox identified\n");
103 printf("\t\tby name.\n\n"); 87 printf("\tby name or PID.\n\n");
104 printf("\t--fs.print=pid - print the filesystem log for the sandbox identified\n");
105 printf("\t\tby PID.\n\n");
106 88
107 printf("\t--help, -? - this help screen.\n\n"); 89 printf(" --help, -? - this help screen.\n\n");
108 printf("\t--hostname=name - set sandbox hostname.\n\n"); 90 printf(" --hostname=name - set sandbox hostname.\n\n");
109 printf("\t--ignore=command - ignore command in profile files.\n\n"); 91 printf(" --ignore=command - ignore command in profile files.\n\n");
110#ifdef HAVE_NETWORK 92#ifdef HAVE_NETWORK
111 printf("\t--interface=name - move interface in a new network namespace. Up to\n"); 93 printf(" --interface=name - move interface in a new network namespace. Up to four\n");
112 printf("\t\tfour --interface options can be specified.\n\n"); 94 printf("\t--interface options can be specified.\n\n");
113 printf("\t--ip=address - set interface IP address.\n\n"); 95 printf(" --ip=address - set interface IP address.\n\n");
114 printf("\t--ip=none - no IP address and no default gateway address are configured\n"); 96 printf(" --ip=none - no IP address and no default gateway address are configured\n");
115 printf("\t\tin the new network namespace. Use this option in case you intend\n"); 97 printf("\tin the new network namespace. Use this option in case you intend to\n");
116 printf("\t\tto start an external DHCP client in the sandbox.\n\n"); 98 printf("\tstart an external DHCP client in the sandbox.\n\n");
117 printf("\t--ip6=address - set interface IPv6 address.\n\n"); 99 printf(" --ip6=address - set interface IPv6 address.\n\n");
118 printf("\t--iprange=address,address - configure an IP address in this range\n\n"); 100 printf(" --iprange=address,address - configure an IP address in this range.\n\n");
119#endif 101#endif
120 printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n"); 102 printf(" --ipc-namespace - enable a new IPC namespace if the sandbox was started as\n");
121 printf("\t\tas a regular user. IPC namespace is enabled by default only if\n"); 103 printf("\tregular user. IPC namespace is enabled by default only if the sandbox\n");
122 printf("\t\tthe sandbox is started as root.\n\n"); 104 printf("\tis started as root.\n\n");
123 printf("\t--join=name - join the sandbox identified by name.\n\n"); 105 printf(" --join=name|pid - join the sandbox identified by name or PID.\n\n");
124 printf("\t--join=pid - join the sandbox identified by PID.\n\n"); 106 printf(" --join-filesystem=name|pid - join the mount namespace of the sandbox\n");
125 printf("\t--join-filesystem=name - join the mount namespace of the sandbox\n"); 107 printf("\tidentified by name or PID.\n\n");
126 printf("\t\tidentified by name.\n\n");
127 printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
128 printf("\t\tidentified by PID.\n\n");
129#ifdef HAVE_NETWORK 108#ifdef HAVE_NETWORK
130 printf("\t--join-network=name - join the network namespace of the sandbox\n"); 109 printf(" --join-network=name|pid - join the network namespace of the sandbox\n");
131 printf("\t\tidentified by name.\n\n"); 110 printf("\tidentified by name or PID.\n\n");
132 printf("\t--join-network=pid - join the network namespace of the sandbox\n");
133 printf("\t\tidentified by PID.\n\n");
134#endif 111#endif
135 printf("\t--list - list all sandboxes.\n\n"); 112 printf(" --list - list all sandboxes.\n\n");
136#ifdef HAVE_NETWORK 113#ifdef HAVE_NETWORK
137 printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); 114 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
138 printf("\t--mtu=number - set interface MTU.\n\n"); 115 printf(" --mtu=number - set interface MTU.\n\n");
139#endif 116#endif
140 printf("\t--name=name - set sandbox name.\n\n"); 117 printf(" --name=name - set sandbox name.\n\n");
141#ifdef HAVE_NETWORK 118#ifdef HAVE_NETWORK
142 printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n"); 119 printf(" --net=bridgename - enable network namespaces and connect to this bridge\n");
143 printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n"); 120 printf("\tdevice. Up to four --net devices can be defined.\n\n");
144 printf("\t\tIP address and a default gateway will be assigned automatically\n"); 121
145 printf("\t\tto the sandbox. The IP address is checked using ARP before\n"); 122 printf(" --net=ethernet_interface - enable network namespaces and connect to this\n");
146 printf("\t\tassignment. The IP address assigned as default gateway is the\n"); 123 printf("\tEthernet interface using the standard Linux macvlan driver. Up to four\n");
147 printf("\t\tbridge device IP address. Up to four --net devices can\n"); 124 printf("\t--net devices can be defined.\n\n");
148 printf("\t\tbe defined. Mixing bridge and macvlan devices is allowed.\n\n"); 125
149 printf("\t--net=ethernet_interface - enable network namespaces and connect\n"); 126 printf(" --net=none - enable a new, unconnected network namespace.\n\n");
150 printf("\t\tto this ethernet_interface using the standard Linux macvlan\n");
151 printf("\t\tdriver. Unless specified with option --ip and --defaultgw, an\n");
152 printf("\t\tIP address and a default gateway will be assigned automatically\n");
153 printf("\t\tto the sandbox. The IP address is checked using ARP before\n");
154 printf("\t\tassignment. The IP address assigned as default gateway is the\n");
155 printf("\t\tdefault gateway of the host. Up to four --net devices can\n");
156 printf("\t\tbe defined. Mixing bridge and macvlan devices is allowed.\n\n");
157 printf("\t--net=none - enable a new, unconnected network namespace.\n\n");
158 127
159 printf("\t--netfilter - enable the default client network filter in the new\n"); 128 printf(" --netfilter - enable the default client network filter in the new\n");
160 printf("\t\tnetwork namespace:\n\n"); 129 printf("\tnetwork namespace.\n\n");
161 printf("\t\t*filter\n"); 130 printf(" --netfilter=filename - enable the network filter specified by\n");
162 printf("\t\t:INPUT DROP [0:0]\n"); 131 printf("\tfilename in the new network namespace. The filter file format\n");
163 printf("\t\t:FORWARD DROP [0:0]\n"); 132 printf("\tis the format of iptables-save and iptable-restore commands.\n\n");
164 printf("\t\t:OUTPUT ACCEPT [0:0]\n"); 133 printf(" --netfilter6=filename - enable the IPv6 network filter specified by\n");
165 printf("\t\t-A INPUT -i lo -j ACCEPT\n"); 134 printf("\tfilename in the new network namespace. The filter file format\n");
166 printf("\t\t-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); 135 printf("\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
167 printf("\t\t-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n");
168 printf("\t\t-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n");
169 printf("\t\t-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n");
170 printf("\t\tCOMMIT\n\n");
171 printf("\t--netfilter=filename - enable the network filter specified by\n");
172 printf("\t\tfilename in the new network namespace. The filter file format\n");
173 printf("\t\tis the format of iptables-save and iptable-restore commands.\n\n");
174 printf("\t--netfilter6=filename - enable the IPv6 network filter specified by\n");
175 printf("\t\tfilename in the new network namespace. The filter file format\n");
176 printf("\t\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
177 136
178 printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); 137 printf(" --netstats - monitor network statistics for sandboxes creating a new\n");
179 printf("\t\tnetwork namespace.\n\n"); 138 printf("\tnetwork namespace.\n\n");
180#endif 139#endif
181 printf("\t--nice=value - set nice value\n\n"); 140 printf(" --nice=value - set nice value\n\n");
182 printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n"); 141 printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
183 printf("\t\tor file.\n\n"); 142 printf("\tfile.\n\n");
184 printf("\t--nogroups - disable supplementary groups. Without this option,\n"); 143 printf(" --nogroups - disable supplementary groups. Without this option,\n");
185 printf("\t\tsupplementary groups are enabled for the user starting the\n"); 144 printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
186 printf("\t\tsandbox. For root user supplementary groups are always\n"); 145 printf("\t For root, groups are always disabled.\n\n");
187 printf("\t\tdisabled.\n\n");
188 146
189 printf("\t--noprofile - do not use a profile. Profile priority is use the one\n"); 147 printf(" --noprofile - do not use a profile. Profile priority is use the one\n");
190 printf("\t\tspecified on the command line, next try to find one that\n"); 148 printf("\tspecified on the command line, next try to find one that\n");
191 printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); 149 printf("\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
192 printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); 150 printf("\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
193 printf("\t\troot.\n\n"); 151 printf("\troot.\n\n");
194#ifdef HAVE_USERNS 152#ifdef HAVE_USERNS
195 printf("\t--noroot - install a user namespace with a single user - the current\n"); 153 printf(" --noroot - install a user namespace with a single user - the current\n");
196 printf("\t\tuser. root user does not exist in the new namespace. This option\n"); 154 printf("\tuser. root user does not exist in the new namespace. This option\n");
197 printf("\t\tis not supported for --chroot and --overlay configurations.\n\n"); 155 printf("\tis not supported for --chroot and --overlay configurations.\n\n");
198#endif 156#endif
199 printf("\t--nosound - disable sound system\n\n"); 157 printf(" --nosound - disable sound system.\n\n");
200 158
201 printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n"); 159 printf(" --output=logfile - stdout logging and log rotation. Copy stdout to\n");
202 printf("\t\tlogfile, and keep the size of the file under 500KB using log\n"); 160 printf("\tlogfile, and keep the size of the file under 500KB using log\n");
203 printf("\t\trotation. Five files with prefixes .1 to .5 are used in\n"); 161 printf("\trotation. Five files with prefixes .1 to .5 are used in\n");
204 printf("\t\trotation.\n\n"); 162 printf("\trotation.\n\n");
205 163
206 printf("\t--overlay - mount a filesystem overlay on top of the current filesystem.\n"); 164 printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n");
207 printf("\t\tThe upper filesystem layer is persistent, and stored in\n"); 165 printf("\tThe upper filesystem layer is persistent, and stored in\n");
208 printf("\t\t$HOME/.firejail directory. (OverlayFS support is required in\n"); 166 printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n");
209 printf("\t\tLinux kernel for this option to work). \n\n"); 167 printf("\tLinux kernel for this option to work). \n\n");
210 168
211 printf("\t--overlay-tmpfs - mount a filesystem overlay on top of the current\n"); 169 printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n");
212 printf("\t\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); 170 printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
213 printf("\t\tand it is discarded when the sandbox is closed. (OverlayFS\n"); 171 printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n");
214 printf("\t\tsupport is required in Linux kernel for this option to work).\n\n"); 172 printf("\tsupport is required in Linux kernel for this option to work).\n\n");
215 173
216 printf("\t--private - mount new /root and /home/user directories in temporary\n"); 174 printf(" --private - mount new /root and /home/user directories in temporary\n");
217 printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n"); 175 printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
218 printf("\t\tclosed.\n\n"); 176 printf("\tclosed.\n\n");
219 printf("\t--private=directory - use directory as user home.\n\n"); 177 printf(" --private=directory - use directory as user home.\n\n");
220 178
221 printf("\t--private-bin=file,file - build a new /bin in a temporary filesystem,\n"); 179 printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
222 printf("\t\tand copy the programs in the list. The same directory is\n"); 180 printf("\tand copy the programs in the list. The same directory is\n");
223 printf("\t\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n"); 181 printf("\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n");
224 182
225 printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); 183 printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
226 printf("\t\tty, pst, ptms, random, urandom, log and shm devices are\n"); 184 printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n");
227 printf("\t\tavailable.\n\n");
228 185
229 printf("\t--private-etc=file,directory - build a new /etc in a temporary\n"); 186 printf(" --private-etc=file,directory - build a new /etc in a temporary\n");
230 printf("\t\tfilesystem, and copy the files and directories in the list.\n"); 187 printf("\tfilesystem, and copy the files and directories in the list.\n");
231 printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); 188 printf("\tAll modifications are discarded when the sandbox is closed.\n\n");
232 189
233 printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n"); 190 printf(" --private-tmp - mount a tmpfs on top of /tmp directory\n\n");
234 191
235 printf("\t--profile=filename - use a custom profile.\n\n"); 192 printf(" --profile=filename - use a custom profile.\n\n");
236 printf("\t--profile-path=directory - use this directory to look for profile files.\n\n"); 193 printf(" --profile-path=directory - use this directory to look for profile files.\n\n");
237 194
238 printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); 195 printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n");
239 printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); 196 printf("\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");
240 printf("\t--protocol.print=name - print the protocol filter for the sandbox\n"); 197 printf(" --protocol.print=name|pid - print the protocol filter for the sandbox\n");
241 printf("\t\tidentified by name.\n\n"); 198 printf("\tidentified by name or PID.\n\n");
242 printf("\t--protocol.print=pid - print the protocol filter for the sandbox\n");
243 printf("\t\tidentified by PID.\n\n");
244 199
245 printf("\t--quiet - turn off Firejail's output.\n\n"); 200 printf(" --quiet - turn off Firejail's output.\n\n");
246 printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); 201 printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");
247 printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); 202 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
248 printf("\t\tby a process.\n\n"); 203 printf("\tby a process.\n\n");
249 printf("\t--rlimit-nofile=number - set the maximum number of files that can be\n"); 204 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
250 printf("\t\topened by a process.\n\n"); 205 printf("\topened by a process.\n\n");
251 printf("\t--rlimit-nproc=number - set the maximum number of processes that can be\n"); 206 printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n");
252 printf("\t\tcreated for the real user ID of the calling process.\n\n"); 207 printf("\tcreated for the real user ID of the calling process.\n\n");
253 printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n"); 208 printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
254 printf("\t\tfor a process.\n\n"); 209 printf("\tfor a process.\n\n");
255#ifdef HAVE_NETWORK 210#ifdef HAVE_NETWORK
256 printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n"); 211 printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
257 printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n"); 212 printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
258 printf("\t\trunning on the current host.\n\n"); 213 printf("\trunning on the current host.\n\n");
259#endif 214#endif
260#ifdef HAVE_SECCOMP 215#ifdef HAVE_SECCOMP
261 printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n"); 216 printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n\n");
262 217
263 printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); 218 printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
264 printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); 219 printf("\tdefault syscall list and the syscalls specified by the command.\n\n");
265 220
266 printf("\t--seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); 221 printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
267 printf("\t\tblacklist the syscalls specified by the command.\n\n"); 222 printf("\tblacklist the syscalls specified by the command.\n\n");
268 223
269 printf("\t--seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); 224 printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
270 printf("\t\twhitelist the syscalls specified by the command.\n\n"); 225 printf("\twhitelist the syscalls specified by the command.\n\n");
271 226
272 printf("\t--seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n"); 227 printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
273 printf("\t\treturn errno for the syscalls specified by the command.\n\n"); 228 printf("\treturn errno for the syscalls specified by the command.\n\n");
274 229
275 printf("\t--seccomp.print=name - print the seccomp filter for the sandbox\n"); 230 printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
276 printf("\t\tidentified by name.\n\n"); 231 printf("\tidentified by name or PID.\n\n");
277 printf("\t--seccomp.print=pid - print the seccomp filter for the sandbox\n");
278 printf("\t\tidentified by PID.\n\n");
279#endif 232#endif
280 233
281 printf("\t--shell=none - run the program directly without a user shell.\n\n"); 234 printf(" --shell=none - run the program directly without a user shell.\n\n");
282 printf("\t--shell=program - set default user shell.\n\n"); 235 printf(" --shell=program - set default user shell.\n\n");
283 printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n"); 236 printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n\n");
284 printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n"); 237 printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
285 printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); 238 printf("\tThis option is available only when running the sandbox as root.\n\n");
286 printf("\t\tThis option is available only when running the sandbox as root.\n\n"); 239 printf(" --top - monitor the most CPU-intensive sandboxes.\n\n");
287 printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); 240 printf(" --trace - trace open, access and connect system calls.\n\n");
288 printf("\t--trace - trace open, access and connect system calls.\n\n"); 241 printf(" --tracelog - add a syslog message for every access to files or\n");
289 printf("\t--tracelog - add a syslog message for every access to files or\n"); 242 printf("\tdirectoires blacklisted by the security profile.\n\n");
290 printf("\t\tdirectoires blacklisted by the security profile.\n\n"); 243 printf(" --tree - print a tree of all sandboxed processes.\n\n");
291 printf("\t--tree - print a tree of all sandboxed processes.\n\n"); 244 printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
292 printf("\t--user=new_user - switch the user before starting the sandbox.\n\n"); 245 printf(" --version - print program version and exit.\n\n");
293 printf("\t--version - print program version and exit.\n\n"); 246 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
294 printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n"); 247 printf(" --x11 - enable x11 server.\n\n");
295 printf("\t--x11 - enable x11 server.\n\n"); 248 printf(" --zsh - use /usr/bin/zsh as default shell.\n\n");
296 printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n");
297 printf("\n"); 249 printf("\n");
298 printf("\n"); 250 printf("\n");
299 251
@@ -309,23 +261,23 @@ void usage(void) {
309 printf("sandboxes configured with new network namespaces.\n\n"); 261 printf("sandboxes configured with new network namespaces.\n\n");
310 262
311 printf("Set rate-limits:\n"); 263 printf("Set rate-limits:\n");
312 printf("\tfirejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n"); 264 printf(" firejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n");
313 printf("Clear rate-limits:\n"); 265 printf("Clear rate-limits:\n");
314 printf("\tfirejail --bandwidth={name|pid} clear network-name\n\n"); 266 printf(" firejail --bandwidth={name|pid} clear network-name\n\n");
315 printf("Status:\n"); 267 printf("Status:\n");
316 printf("\tfirejail --bandwidth={name|pid} status\n\n"); 268 printf(" firejail --bandwidth={name|pid} status\n\n");
317 printf("where:\n"); 269 printf("where:\n");
318 printf("\tname - sandbox name\n"); 270 printf(" name - sandbox name\n");
319 printf("\tpid - sandbox pid\n"); 271 printf(" pid - sandbox pid\n");
320 printf("\tnetwork-name - network name as used by --net option\n"); 272 printf(" network-name - network name as used by --net option\n");
321 printf("\tdown-speed - download speed in KB/s (decimal kilobyte per second)\n"); 273 printf(" down-speed - download speed in KB/s (decimal kilobyte per second)\n");
322 printf("\tup-speed - upload speed in KB/s (decimal kilobyte per second)\n"); 274 printf(" up-speed - upload speed in KB/s (decimal kilobyte per second)\n");
323 printf("\n"); 275 printf("\n");
324 printf("Example:\n"); 276 printf("Example:\n");
325 printf("\t$ firejail --name=mybrowser --net=eth0 firefox &\n"); 277 printf(" $ firejail --name=mybrowser --net=eth0 firefox &\n");
326 printf("\t$ firejail --bandwidth=mybrowser set eth0 80 20\n"); 278 printf(" $ firejail --bandwidth=mybrowser set eth0 80 20\n");
327 printf("\t$ firejail --bandwidth=mybrowser status\n"); 279 printf(" $ firejail --bandwidth=mybrowser status\n");
328 printf("\t$ firejail --bandwidth=mybrowser clear eth0\n"); 280 printf(" $ firejail --bandwidth=mybrowser clear eth0\n");
329 printf("\n"); 281 printf("\n");
330 printf("\n"); 282 printf("\n");
331#endif 283#endif
@@ -335,29 +287,29 @@ void usage(void) {
335 287
336 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n"); 288 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
337 printf("follows:\n\n"); 289 printf("follows:\n\n");
338 printf("\tPID:USER:Command\n\n"); 290 printf(" PID:USER:Command\n\n");
339 291
340 printf("Option --tree prints the tree of processes running in the sandbox. The format\n"); 292 printf("Option --tree prints the tree of processes running in the sandbox. The format\n");
341 printf("for each process entry is as follows:\n\n"); 293 printf("for each process entry is as follows:\n\n");
342 printf("\tPID:USER:Command\n\n"); 294 printf(" PID:USER:Command\n\n");
343 295
344 printf("Option --top is similar to the UNIX top command, however it applies only to\n"); 296 printf("Option --top is similar to the UNIX top command, however it applies only to\n");
345 printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n"); 297 printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n");
346 printf("order:\n\n"); 298 printf("order:\n\n");
347 printf("\tCommand - command used to start the sandbox.\n"); 299 printf(" Command - command used to start the sandbox.\n");
348 printf("\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"); 300 printf(" CPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n");
349 printf("\t last screen update\n"); 301 printf("\tlast screen update\n");
350 printf("\tPID - Unique process ID for the task controlling the sandbox.\n"); 302 printf(" PID - Unique process ID for the task controlling the sandbox.\n");
351 printf("\tPrcs - number of processes running in sandbox, including the controlling\n"); 303 printf(" Prcs - number of processes running in sandbox, including the controlling\n");
352 printf("\t process.\n"); 304 printf("\tprocess.\n");
353 printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); 305 printf(" RES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
354 printf("\t It is a sum of the RES values for all processes running in the\n"); 306 printf("\tIt is a sum of the RES values for all processes running in the\n");
355 printf("\t sandbox.\n"); 307 printf("\tsandbox.\n");
356 printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); 308 printf(" SHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
357 printf("\t processes. It is a sum of the SHR values for all processes running\n"); 309 printf("\tprocesses. It is a sum of the SHR values for all processes running\n");
358 printf("\t in the sandbox, including the controlling process.\n"); 310 printf("\tin the sandbox, including the controlling process.\n");
359 printf("\tUptime - sandbox running time in hours:minutes:seconds format.\n"); 311 printf(" Uptime - sandbox running time in hours:minutes:seconds format.\n");
360 printf("\tUser - The owner of the sandbox.\n"); 312 printf(" User - The owner of the sandbox.\n");
361 printf("\n"); 313 printf("\n");
362 printf("\n"); 314 printf("\n");
363 printf("Profile files\n\n"); 315 printf("Profile files\n\n");
@@ -375,23 +327,23 @@ void usage(void) {
375 printf("/etc/firejail/login.users file.\n\n"); 327 printf("/etc/firejail/login.users file.\n\n");
376 printf("\n"); 328 printf("\n");
377 printf("Examples:\n\n"); 329 printf("Examples:\n\n");
378 printf(" $ firejail\n"); 330 printf(" $ firejail\n");
379 printf(" start a regular /bin/bash session in sandbox\n"); 331 printf("\tstart a regular /bin/bash session in sandbox\n");
380 printf(" $ firejail firefox\n"); 332 printf(" $ firejail firefox\n");
381 printf(" start Mozilla Firefox\n"); 333 printf("\tstart Mozilla Firefox\n");
382 printf(" $ firejail --debug firefox\n"); 334 printf(" $ firejail --debug firefox\n");
383 printf(" debug Firefox sandbox\n"); 335 printf("\tdebug Firefox sandbox\n");
384 printf(" $ firejail --private\n"); 336 printf(" $ firejail --private firefox\n");
385 printf(" start a /bin/bash session with a new tmpfs home directory\n"); 337 printf("\tstart Firefox with a new, empty home directory\n");
386 printf(" $ firejail --net=br0 ip=10.10.20.10\n"); 338 printf(" $ firejail --net=br0 ip=10.10.20.10\n");
387 printf(" start a /bin/bash session in a new network namespace; the session is\n"); 339 printf("\tstart a /bin/bash session in a new network namespace; the session is\n");
388 printf(" connected to the main network using br0 bridge device, an IP address\n"); 340 printf("\tconnected to the main network using br0 bridge device, an IP address\n");
389 printf(" of 10.10.20.10 is assigned to the sandbox\n"); 341 printf("\tof 10.10.20.10 is assigned to the sandbox\n");
390 printf(" $ firejail --net=br0 --net=br1 --net=br2\n"); 342 printf(" $ firejail --net=br0 --net=br1 --net=br2\n");
391 printf(" start a /bin/bash session in a new network namespace and connect it\n"); 343 printf("\tstart a /bin/bash session in a new network namespace and connect it\n");
392 printf(" to br0, br1, and br2 host bridge devices\n"); 344 printf("\tto br0, br1, and br2 host bridge devices\n");
393 printf(" $ firejail --list\n"); 345 printf(" $ firejail --list\n");
394 printf(" list all running sandboxes\n"); 346 printf("\tlist all running sandboxes\n");
395 printf("\n"); 347 printf("\n");
396 printf("License GPL version 2 or later\n"); 348 printf("License GPL version 2 or later\n");
397 printf("Homepage: http://firejail.wordpress.com\n"); 349 printf("Homepage: http://firejail.wordpress.com\n");