Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 122 |
1 files changed, 61 insertions, 61 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index adb79234b..a1eccaa5e 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director | |||
78 | Several command line options can be passed to the program using | 78 | Several command line options can be passed to the program using |
79 | profile files. Firejail chooses the profile file as follows: | 79 | profile files. Firejail chooses the profile file as follows: |
80 | 80 | ||
81 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. | 81 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. |
82 | Example: | 82 | Example: |
83 | .PP | 83 | .PP |
84 | .RS | 84 | .RS |
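Review bot: the header says one line changed (-78,7 +78,7), yet lines 78-84 read identically in both columns, so the change is presumably trailing whitespace only; either drop it from this commit or say so in the commit message so reviewers do not hunt for a wording change. The same applies to the overlay hunk (-336,16 +324,16) and the iprange hunk (-873,8 +873,8) further down, which likewise show no visible textual difference.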
@@ -156,7 +156,7 @@ Scripting commands: | |||
156 | \fBFile and directory names | 156 | \fBFile and directory names |
157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. | 157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. |
158 | 158 | ||
159 | Example: "deny ~/My Virtual Machines" | 159 | Example: "blacklist ~/My Virtual Machines" |
160 | 160 | ||
161 | .TP | 161 | .TP |
162 | \fB# this is a comment | 162 | \fB# this is a comment |
@@ -170,9 +170,9 @@ net none # this command creates an empty network namespace | |||
170 | \fB?CONDITIONAL: profile line | 170 | \fB?CONDITIONAL: profile line |
171 | Conditionally add profile line. | 171 | Conditionally add profile line. |
172 | 172 | ||
173 | Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir" | 173 | Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" |
174 | 174 | ||
175 | This example will load the profile line only if the \-\-appimage option has been specified on the command line. | 175 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
176 | 176 | ||
177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM | 177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM |
178 | can be enabled or disabled globally in Firejail's configuration file. | 178 | can be enabled or disabled globally in Firejail's configuration file. |
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files | |||
205 | are included at the start of regular profile files. | 205 | are included at the start of regular profile files. |
206 | 206 | ||
207 | .TP | 207 | .TP |
208 | \fBnoallow file_name | 208 | \fBnoblacklist file_name |
209 | If the file name matches file_name, the file will not be allowed in any allow commands that follow. | 209 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. |
210 | 210 | ||
211 | Example: "nowhitelist ~/.config" | 211 | Example: "noblacklist ${HOME}/.mozilla" |
212 | 212 | ||
213 | .TP | 213 | .TP |
214 | \fBnodeny file_name | 214 | \fBnowhitelist file_name |
215 | If the file name matches file_name, the file will not be denied any deny commands that follow. | 215 | If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow. |
216 | 216 | ||
217 | Example: "nodeny ${HOME}/.mozilla" | 217 | Example: "nowhitelist ~/.config" |
218 | 218 | ||
219 | .TP | 219 | .TP |
220 | \fBignore | 220 | \fBignore |
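Review bot: the examples now belong to the entries they sit under, `noblacklist ${HOME}/.mozilla` at 211 and `nowhitelist ~/.config` at 217, whereas the left column paired `noallow` with a `nowhitelist ~/.config` example; the rewritten sentence at 215 also restores the missing "in" ("will not be whitelisted in any whitelist commands that follow"). No further change needed in this hunk.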
@@ -242,17 +242,19 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect | |||
242 | for more details. | 242 | for more details. |
243 | Examples: | 243 | Examples: |
244 | .TP | 244 | .TP |
245 | \fBallow file_or_directory | 245 | \fBblacklist file_or_directory |
246 | Allow directory or file. A temporary file system is mounted on the top directory, and the | 246 | Blacklist directory or file. Examples: |
247 | allowed files are mount-binded inside. Modifications to allowd files are persistent, | ||
248 | everything else is discarded when the sandbox is closed. The top directory can be | ||
249 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
250 | all directories in /usr. | ||
251 | .br | 247 | .br |
252 | 248 | ||
253 | .br | 249 | .br |
254 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | 250 | blacklist /usr/bin |
255 | the same top directory. For user home, both the link and the real file should be owned by the user. | 251 | .br |
252 | blacklist /usr/bin/gcc* | ||
253 | .br | ||
254 | blacklist ${PATH}/ifconfig | ||
255 | .br | ||
256 | blacklist ${HOME}/.ssh | ||
257 | |||
256 | .TP | 258 | .TP |
257 | \fBblacklist-nolog file_or_directory | 259 | \fBblacklist-nolog file_or_directory |
258 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. | 260 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. |
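Review bot: the long tmpfs/bind-mount description that the left column attached to `allow` (247-255) is dropped from the `blacklist` entry, which is correct since that semantics describes whitelisting, not blacklisting, but make sure the whitelist entry that receives it says so explicitly (it does, in the -435,13 hunk). Note also that the unchanged trailing context for `blacklist-nolog` ("blacklisting generates syslog messages") still used the old vocabulary on the left, so restoring `blacklist` here makes the entry and its neighbour consistent again.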
@@ -271,20 +273,6 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
271 | \fBbind file1,file2 | 273 | \fBbind file1,file2 |
272 | Mount-bind file1 on top of file2. This option is only available when running as root. | 274 | Mount-bind file1 on top of file2. This option is only available when running as root. |
273 | .TP | 275 | .TP |
274 | \fBdeny file_or_directory | ||
275 | Deny access to directory or file. Examples: | ||
276 | .br | ||
277 | |||
278 | .br | ||
279 | deny /usr/bin | ||
280 | .br | ||
281 | deny /usr/bin/gcc* | ||
282 | .br | ||
283 | deny ${PATH}/ifconfig | ||
284 | .br | ||
285 | deny ${HOME}/.ssh | ||
286 | |||
287 | .TP | ||
288 | \fBdisable-mnt | 276 | \fBdisable-mnt |
289 | Disable /mnt, /media, /run/mount and /run/media access. | 277 | Disable /mnt, /media, /run/mount and /run/media access. |
290 | .TP | 278 | .TP |
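Review bot: the removed `deny` block (276-286) is a verbatim copy of the new `blacklist` examples (250-256) apart from the keyword, so no documentation is lost by deleting it; the deletion also puts `disable-mnt` directly after `bind` again instead of leaving a second copy of the example list in the middle of the section.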
@@ -304,7 +292,7 @@ The directory is created if it doesn't already exist. | |||
304 | .br | 292 | .br |
305 | 293 | ||
306 | .br | 294 | .br |
307 | Use this command for allowed directories you need to preserve | 295 | Use this command for whitelisted directories you need to preserve |
308 | when the sandbox is closed. Without it, the application will create the directory, and the directory | 296 | when the sandbox is closed. Without it, the application will create the directory, and the directory |
309 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from | 297 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from |
310 | firefox profile: | 298 | firefox profile: |
@@ -317,7 +305,7 @@ whitelist ~/.mozilla | |||
317 | .br | 305 | .br |
318 | mkdir ~/.cache/mozilla/firefox | 306 | mkdir ~/.cache/mozilla/firefox |
319 | .br | 307 | .br |
320 | allow ~/.cache/mozilla/firefox | 308 | whitelist ~/.cache/mozilla/firefox |
321 | .br | 309 | .br |
322 | 310 | ||
323 | .br | 311 | .br |
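Review bot: the hunk's own context line, `whitelist ~/.mozilla` at 317/305, shows the firefox example on the left already mixed `whitelist` with `allow ~/.cache/mozilla/firefox` in the same snippet, so changing 320 to `whitelist` is a consistency fix rather than a pure revert; worth a line in the commit message.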
@@ -336,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid. | |||
336 | #ifdef HAVE_OVERLAYFS | 324 | #ifdef HAVE_OVERLAYFS |
337 | .TP | 325 | .TP |
338 | \fBoverlay | 326 | \fBoverlay |
339 | Mount a filesystem overlay on top of the current filesystem. | 327 | Mount a filesystem overlay on top of the current filesystem. |
340 | The overlay is stored in $HOME/.firejail/<PID> directory. | 328 | The overlay is stored in $HOME/.firejail/<PID> directory. |
341 | .TP | 329 | .TP |
342 | \fBoverlay-named name | 330 | \fBoverlay-named name |
343 | Mount a filesystem overlay on top of the current filesystem. | 331 | Mount a filesystem overlay on top of the current filesystem. |
344 | The overlay is stored in $HOME/.firejail/name directory. | 332 | The overlay is stored in $HOME/.firejail/name directory. |
345 | .TP | 333 | .TP |
346 | \fBoverlay-tmpfs | 334 | \fBoverlay-tmpfs |
347 | Mount a filesystem overlay on top of the current filesystem. | 335 | Mount a filesystem overlay on top of the current filesystem. |
348 | All filesystem modifications are discarded when the sandbox is closed. | 336 | All filesystem modifications are discarded when the sandbox is closed. |
349 | #endif | 337 | #endif |
350 | .TP | 338 | .TP |
351 | \fBprivate | 339 | \fBprivate |
@@ -423,7 +411,7 @@ expressed as foo/bar -- is disallowed). | |||
423 | All modifications are discarded when the sandbox is closed. | 411 | All modifications are discarded when the sandbox is closed. |
424 | .TP | 412 | .TP |
425 | \fBprivate-tmp | 413 | \fBprivate-tmp |
426 | Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix. | 414 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
427 | .TP | 415 | .TP |
428 | \fBread-only file_or_directory | 416 | \fBread-only file_or_directory |
429 | Make directory or file read-only. | 417 | Make directory or file read-only. |
@@ -435,13 +423,25 @@ Make directory or file read-write. | |||
435 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. | 423 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. |
436 | .TP | 424 | .TP |
437 | \fBtracelog | 425 | \fBtracelog |
438 | File system deny violations logged to syslog. | 426 | Blacklist violations logged to syslog. |
427 | .TP | ||
428 | \fBwhitelist file_or_directory | ||
429 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
430 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
431 | everything else is discarded when the sandbox is closed. The top directory can be | ||
432 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
433 | all directories in /usr. | ||
434 | .br | ||
435 | |||
436 | .br | ||
437 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
438 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
439 | .TP | 439 | .TP |
440 | \fBwritable-etc | 440 | \fBwritable-etc |
441 | Mount /etc directory read-write. | 441 | Mount /etc directory read-write. |
442 | .TP | 442 | .TP |
443 | \fBwritable-run-user | 443 | \fBwritable-run-user |
444 | Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg. | 444 | Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg. |
445 | .TP | 445 | .TP |
446 | \fBwritable-var | 446 | \fBwritable-var |
447 | Mount /var directory read-write. | 447 | Mount /var directory read-write. |
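Review bot: three wording points in this hunk. At 426 "Blacklist violations logged to syslog." has no verb; "Blacklist violations are logged to syslog." reads better. At 430 "mount-binded" should be "bind-mounted" (the `bind` entries above already say "Mount-bind"). And the unchanged context at 444, "Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.", is missing the leading slash on the first path; since the line is being touched anyway it could read "/run/user/$UID/systemd".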
@@ -455,7 +455,7 @@ The following security filters are currently implemented: | |||
455 | 455 | ||
456 | .TP | 456 | .TP |
457 | \fBallow-debuggers | 457 | \fBallow-debuggers |
458 | Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv. | 458 | Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. |
459 | #ifdef HAVE_APPARMOR | 459 | #ifdef HAVE_APPARMOR |
460 | .TP | 460 | .TP |
461 | \fBapparmor | 461 | \fBapparmor |
@@ -466,13 +466,13 @@ Enable AppArmor confinement. | |||
466 | Enable default Linux capabilities filter. | 466 | Enable default Linux capabilities filter. |
467 | .TP | 467 | .TP |
468 | \fBcaps.drop capability,capability,capability | 468 | \fBcaps.drop capability,capability,capability |
469 | Deny given Linux capabilities. | 469 | Blacklist given Linux capabilities. |
470 | .TP | 470 | .TP |
471 | \fBcaps.drop all | 471 | \fBcaps.drop all |
472 | Deny all Linux capabilities. | 472 | Blacklist all Linux capabilities. |
473 | .TP | 473 | .TP |
474 | \fBcaps.keep capability,capability,capability | 474 | \fBcaps.keep capability,capability,capability |
475 | Allow given Linux capabilities. | 475 | Whitelist given Linux capabilities. |
476 | .TP | 476 | .TP |
477 | \fBmemory-deny-write-execute | 477 | \fBmemory-deny-write-execute |
478 | Install a seccomp filter to block attempts to create memory mappings | 478 | Install a seccomp filter to block attempts to create memory mappings |
@@ -487,42 +487,42 @@ does not result in an increase of privilege. | |||
487 | #ifdef HAVE_USERNS | 487 | #ifdef HAVE_USERNS |
488 | .TP | 488 | .TP |
489 | \fBnoroot | 489 | \fBnoroot |
490 | Use this command to enable an user namespace. The namespace has only one user, the current user. | 490 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
491 | There is no root account (uid 0) defined in the namespace. | 491 | There is no root account (uid 0) defined in the namespace. |
492 | #endif | 492 | #endif |
493 | .TP | 493 | .TP |
494 | \fBprotocol protocol1,protocol2,protocol3 | 494 | \fBprotocol protocol1,protocol2,protocol3 |
495 | Enable protocol filter. The filter is based on seccomp and checks the | 495 | Enable protocol filter. The filter is based on seccomp and checks the |
496 | first argument to socket system call. Recognized values: \fBunix\fR, | 496 | first argument to socket system call. Recognized values: \fBunix\fR, |
497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. | 497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. |
498 | .TP | 498 | .TP |
499 | \fBseccomp | 499 | \fBseccomp |
500 | Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details. | 500 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
501 | .TP | 501 | .TP |
502 | \fBseccomp.32 | 502 | \fBseccomp.32 |
503 | Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. | 503 | Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. |
504 | .TP | 504 | .TP |
505 | \fBseccomp syscall,syscall,syscall | 505 | \fBseccomp syscall,syscall,syscall |
506 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter. | 506 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
507 | .TP | 507 | .TP |
508 | \fBseccomp.32 syscall,syscall,syscall | 508 | \fBseccomp.32 syscall,syscall,syscall |
509 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. | 509 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. |
510 | .TP | 510 | .TP |
511 | \fBseccomp.block-secondary | 511 | \fBseccomp.block-secondary |
512 | Enable seccomp filter and filter system call architectures | 512 | Enable seccomp filter and filter system call architectures |
513 | so that only the native architecture is allowed. | 513 | so that only the native architecture is allowed. |
514 | .TP | 514 | .TP |
515 | \fBseccomp.drop syscall,syscall,syscall | 515 | \fBseccomp.drop syscall,syscall,syscall |
516 | Enable seccomp filter and deny the system calls in the list. | 516 | Enable seccomp filter and blacklist the system calls in the list. |
517 | .TP | 517 | .TP |
518 | \fBseccomp.32.drop syscall,syscall,syscall | 518 | \fBseccomp.32.drop syscall,syscall,syscall |
519 | Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 519 | Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
520 | .TP | 520 | .TP |
521 | \fBseccomp.keep syscall,syscall,syscall | 521 | \fBseccomp.keep syscall,syscall,syscall |
522 | Enable seccomp filter and allow the system calls in the list. | 522 | Enable seccomp filter and whitelist the system calls in the list. |
523 | .TP | 523 | .TP |
524 | \fBseccomp.32.keep syscall,syscall,syscall | 524 | \fBseccomp.32.keep syscall,syscall,syscall |
525 | Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 525 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
526 | .TP | 526 | .TP |
527 | \fBseccomp-error-action kill | log | ERRNO | 527 | \fBseccomp-error-action kill | log | ERRNO |
528 | Return a different error instead of EPERM to the process, kill it when | 528 | Return a different error instead of EPERM to the process, kill it when |
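Review bot: the seccomp entries alternate between "the syscalls in the default list" (500, 503) and "the system calls in the list" (506 onward); pick one term for the whole block. Also, the unchanged context at 490 reads "enable an user namespace", which should be "a user namespace"; a cheap drive-by fix while the file is open.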
@@ -534,7 +534,7 @@ attempt. | |||
534 | Enable X11 sandboxing. | 534 | Enable X11 sandboxing. |
535 | .TP | 535 | .TP |
536 | \fBx11 none | 536 | \fBx11 none |
537 | Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 537 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. |
538 | Remove DISPLAY and XAUTHORITY environment variables. | 538 | Remove DISPLAY and XAUTHORITY environment variables. |
539 | Stop with error message if X11 abstract socket will be accessible in jail. | 539 | Stop with error message if X11 abstract socket will be accessible in jail. |
540 | .TP | 540 | .TP |
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati | |||
606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
607 | .TP | 607 | .TP |
608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications |
609 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 609 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
610 | .TP | 610 | .TP |
611 | \fBdbus-user filter | 611 | \fBdbus-user filter |
612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | 612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. |
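Review bot: the "from the the interface" to "from the interface" correction at 609 is an unrelated typo fix bundled into a keyword-rename commit; fine to keep, but call it out in the commit message so it is not mistaken for part of the rename.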
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually. | |||
873 | 873 | ||
874 | .TP | 874 | .TP |
875 | \fBiprange address,address | 875 | \fBiprange address,address |
876 | Assign an IP address in the provided range to the last network | 876 | Assign an IP address in the provided range to the last network |
877 | interface defined by a net command. A default gateway is assigned by default. | 877 | interface defined by a net command. A default gateway is assigned by default. |
878 | .br | 878 | .br |
879 | 879 | ||
880 | .br | 880 | .br |