Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 171 |
1 files changed, 86 insertions, 85 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 3db8c782d..82ca103c9 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -202,6 +202,9 @@ Mount-bind file1 on top of file2. This option is only available when running as | |||
202 | \fBdisable-mnt | 202 | \fBdisable-mnt |
203 | Disable /mnt, /media, /run/mount and /run/media access. | 203 | Disable /mnt, /media, /run/mount and /run/media access. |
204 | .TP | 204 | .TP |
205 | \fBkeep-dev-shm | ||
206 | /dev/shm directory is untouched (even with private-dev). | ||
207 | .TP | ||
205 | \fBkeep-var-tmp | 208 | \fBkeep-var-tmp |
206 | /var/tmp directory is untouched. | 209 | /var/tmp directory is untouched. |
207 | .TP | 210 | .TP |
@@ -253,33 +256,37 @@ closed. | |||
253 | \fBprivate directory | 256 | \fBprivate directory |
254 | Use directory as user home. | 257 | Use directory as user home. |
255 | .TP | 258 | .TP |
256 | \fBprivate-home file,directory | 259 | \fBprivate-bin file,file |
257 | Build a new user home in a temporary | 260 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
258 | filesystem, and copy the files and directories in the list in the | 261 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. |
259 | new home. All modifications are discarded when the sandbox is | ||
260 | closed. | ||
261 | .TP | 262 | .TP |
262 | \fBprivate-cache | 263 | \fBprivate-cache |
263 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | 264 | Mount an empty temporary filesystem on top of the .cache directory in user home. All |
264 | modifications are discarded when the sandbox is closed. | 265 | modifications are discarded when the sandbox is closed. |
265 | .TP | 266 | .TP |
266 | \fBprivate-bin file,file | 267 | \fBprivate-cwd |
267 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 268 | Set working directory inside jail to the home directory, and failing that, the root directory. |
268 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | 269 | .TP |
270 | \fBprivate-cwd directory | ||
271 | Set working directory inside the jail. | ||
269 | .TP | 272 | .TP |
270 | \fBprivate-dev | 273 | \fBprivate-dev |
271 | Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, | 274 | Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, |
272 | random, snd, urandom, video, log, shm and usb devices are available. | 275 | random, snd, urandom, video, log, shm and usb devices are available. |
273 | Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional restrictions. | 276 | Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional restrictions. |
274 | .TP | 277 | |
275 | \fBkeep-dev-shm | ||
276 | /dev/shm directory is untouched (even with private-dev). | ||
277 | .TP | 278 | .TP |
278 | \fBprivate-etc file,directory | 279 | \fBprivate-etc file,directory |
279 | Build a new /etc in a temporary | 280 | Build a new /etc in a temporary |
280 | filesystem, and copy the files and directories in the list. | 281 | filesystem, and copy the files and directories in the list. |
281 | All modifications are discarded when the sandbox is closed. | 282 | All modifications are discarded when the sandbox is closed. |
282 | .TP | 283 | .TP |
284 | \fBprivate-home file,directory | ||
285 | Build a new user home in a temporary | ||
286 | filesystem, and copy the files and directories in the list in the | ||
287 | new home. All modifications are discarded when the sandbox is | ||
288 | closed. | ||
289 | .TP | ||
283 | \fBprivate-lib file,directory | 290 | \fBprivate-lib file,directory |
284 | Build a new /lib directory and bring in the libraries required by the application to run. | 291 | Build a new /lib directory and bring in the libraries required by the application to run. |
285 | This feature is still under development, see \fBman 1 firejail\fR for some examples. | 292 | This feature is still under development, see \fBman 1 firejail\fR for some examples. |
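Review bot: new line 277 turns the `.TP` that closed the private-dev entry (old 274) into an empty line and then re-adds `.TP` at 278; in troff that stray blank line renders as extra vertical space between private-dev and private-etc. Drop new line 277 so the entry ends with `.TP` exactly like its neighbours (private-cwd, private-etc, private-home all go straight from the last description line to `.TP`).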
@@ -297,12 +304,6 @@ All modifications are discarded when the sandbox is closed. | |||
297 | \fBprivate-tmp | 304 | \fBprivate-tmp |
298 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. | 305 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
299 | .TP | 306 | .TP |
300 | \fBprivate-cwd | ||
301 | Set working directory inside jail to the home directory, and failing that, the root directory. | ||
302 | .TP | ||
303 | \fBprivate-cwd directory | ||
304 | Set working directory inside the jail. | ||
305 | .TP | ||
306 | \fBread-only file_or_directory | 307 | \fBread-only file_or_directory |
307 | Make directory or file read-only. | 308 | Make directory or file read-only. |
308 | .TP | 309 | .TP |
@@ -352,15 +353,30 @@ Enable AppArmor confinement. | |||
352 | \fBcaps | 353 | \fBcaps |
353 | Enable default Linux capabilities filter. | 354 | Enable default Linux capabilities filter. |
354 | .TP | 355 | .TP |
355 | \fBcaps.drop all | ||
356 | Blacklist all Linux capabilities. | ||
357 | .TP | ||
358 | \fBcaps.drop capability,capability,capability | 356 | \fBcaps.drop capability,capability,capability |
359 | Blacklist given Linux capabilities. | 357 | Blacklist given Linux capabilities. |
360 | .TP | 358 | .TP |
359 | \fBcaps.drop all | ||
360 | Blacklist all Linux capabilities. | ||
361 | .TP | ||
361 | \fBcaps.keep capability,capability,capability | 362 | \fBcaps.keep capability,capability,capability |
362 | Whitelist given Linux capabilities. | 363 | Whitelist given Linux capabilities. |
363 | .TP | 364 | .TP |
365 | \fBmemory-deny-write-execute | ||
366 | Install a seccomp filter to block attempts to create memory mappings | ||
367 | that are both writable and executable, to change mappings to be | ||
368 | executable or to create executable shared memory. | ||
369 | .TP | ||
370 | \fBnonewprivs | ||
371 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | ||
372 | cannot acquire new privileges using execve(2); in particular, | ||
373 | this means that calling a suid binary (or one with file capabilities) | ||
374 | does not result in an increase of privilege. | ||
375 | .TP | ||
376 | \fBnoroot | ||
377 | Use this command to enable an user namespace. The namespace has only one user, the current user. | ||
378 | There is no root account (uid 0) defined in the namespace. | ||
379 | .TP | ||
364 | \fBprotocol protocol1,protocol2,protocol3 | 380 | \fBprotocol protocol1,protocol2,protocol3 |
365 | Enable protocol filter. The filter is based on seccomp and checks the | 381 | Enable protocol filter. The filter is based on seccomp and checks the |
366 | first argument to socket system call. Recognized values: \fBunix\fR, | 382 | first argument to socket system call. Recognized values: \fBunix\fR, |
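Review bot: the caps.drop ordering goes against the rule the rest of this patch applies. Elsewhere the entries are sorted alphabetically and the bare form precedes the argument form (`private-cwd` before `private-cwd directory`, `netfilter` before `netfilter filename`), but here `caps.drop capability,capability,capability` (new 356) is moved ahead of `caps.drop all` (new 359), although "all" sorts before "capability". Either keep `caps.drop all` first or state the ordering rule being used. While the noroot text is being moved, also fix "enable an user namespace" on new line 377 to "enable a user namespace".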
@@ -382,21 +398,6 @@ Enable seccomp filter and blacklist the system calls in the list. | |||
382 | \fBseccomp.keep syscall,syscall,syscall | 398 | \fBseccomp.keep syscall,syscall,syscall |
383 | Enable seccomp filter and whitelist the system calls in the list. | 399 | Enable seccomp filter and whitelist the system calls in the list. |
384 | .TP | 400 | .TP |
385 | \fBmemory-deny-write-execute | ||
386 | Install a seccomp filter to block attempts to create memory mappings | ||
387 | that are both writable and executable, to change mappings to be | ||
388 | executable or to create executable shared memory. | ||
389 | .TP | ||
390 | \fBnonewprivs | ||
391 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | ||
392 | cannot acquire new privileges using execve(2); in particular, | ||
393 | this means that calling a suid binary (or one with file capabilities) | ||
394 | does not result in an increase of privilege. | ||
395 | .TP | ||
396 | \fBnoroot | ||
397 | Use this command to enable an user namespace. The namespace has only one user, the current user. | ||
398 | There is no root account (uid 0) defined in the namespace. | ||
399 | .TP | ||
400 | \fBx11 | 401 | \fBx11 |
401 | Enable X11 sandboxing. | 402 | Enable X11 sandboxing. |
402 | .TP | 403 | .TP |
@@ -441,6 +442,15 @@ place the sandbox in an existing control group. | |||
441 | Examples: | 442 | Examples: |
442 | 443 | ||
443 | .TP | 444 | .TP |
445 | \fBcgroup /sys/fs/cgroup/g1/tasks | ||
446 | The sandbox is placed in g1 control group. | ||
447 | .TP | ||
448 | \fBcpu 0,1,2 | ||
449 | Use only CPU cores 0, 1 and 2. | ||
450 | .TP | ||
451 | \fBnice -5 | ||
452 | Set a nice value of -5 to all processes running inside the sandbox. | ||
453 | .TP | ||
444 | \fBrlimit-as 123456789012 | 454 | \fBrlimit-as 123456789012 |
445 | Set the maximum size of the process's virtual memory to 123456789012 bytes. | 455 | Set the maximum size of the process's virtual memory to 123456789012 bytes. |
446 | .TP | 456 | .TP |
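Review bot: the moved cgroup example on new line 445, `cgroup /sys/fs/cgroup/g1/tasks`, only works on a cgroup v1 hierarchy; the `tasks` file does not exist on a cgroup v2 (unified) mount, where processes are written to `cgroup.procs`. The line is not new in this patch, but since it is being relocated it would help to say that the example assumes cgroup v1 so the "placed in g1 control group" description is not taken to apply on v2 systems.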
@@ -459,15 +469,6 @@ Set the maximum number of files that can be opened by a process to 500. | |||
459 | \fBrlimit-sigpending 200 | 469 | \fBrlimit-sigpending 200 |
460 | Set the maximum number of processes that can be created for the real user ID of the calling process to 200. | 470 | Set the maximum number of processes that can be created for the real user ID of the calling process to 200. |
461 | .TP | 471 | .TP |
462 | \fBcpu 0,1,2 | ||
463 | Use only CPU cores 0, 1 and 2. | ||
464 | .TP | ||
465 | \fBnice -5 | ||
466 | Set a nice value of -5 to all processes running inside the sandbox. | ||
467 | .TP | ||
468 | \fBcgroup /sys/fs/cgroup/g1/tasks | ||
469 | The sandbox is placed in g1 control group. | ||
470 | .TP | ||
471 | \fBtimeout hh:mm:ss | 472 | \fBtimeout hh:mm:ss |
472 | Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format. | 473 | Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format. |
473 | 474 | ||
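Review bot: the context at new lines 469-470 describes `rlimit-sigpending 200` as setting "the maximum number of processes that can be created for the real user ID of the calling process", which is the text for RLIMIT_NPROC. RLIMIT_SIGPENDING limits the number of signals that may be queued for the real user ID of the calling process (setrlimit(2)). Since this entry is being shuffled as part of the reordering, suggest correcting it in the same change, e.g. "Set the maximum number of pending signals for the real user ID of the calling process to 200."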
@@ -477,14 +478,6 @@ Kill the sandbox automatically after the time has elapsed. The time is specified | |||
477 | All user home directories are visible inside the sandbox. By default, only current user home directory is visible. | 478 | All user home directories are visible inside the sandbox. By default, only current user home directory is visible. |
478 | 479 | ||
479 | .TP | 480 | .TP |
480 | \fBname sandboxname | ||
481 | Set sandbox name. Example: | ||
482 | .br | ||
483 | |||
484 | .br | ||
485 | name browser | ||
486 | |||
487 | .TP | ||
488 | \fBenv name=value | 481 | \fBenv name=value |
489 | Set environment variable. Examples: | 482 | Set environment variable. Examples: |
490 | .br | 483 | .br |
@@ -495,17 +488,23 @@ env LD_LIBRARY_PATH=/opt/test/lib | |||
495 | env CFLAGS="-W -Wall -Werror" | 488 | env CFLAGS="-W -Wall -Werror" |
496 | 489 | ||
497 | .TP | 490 | .TP |
498 | \fBnodvd | 491 | \fBipc-namespace |
499 | Disable DVD and audio CD devices. | 492 | Enable IPC namespace. |
500 | .TP | 493 | .TP |
501 | \fBnogroups | 494 | \fBname sandboxname |
502 | Disable supplementary user groups | 495 | Set sandbox name. Example: |
496 | .br | ||
497 | |||
498 | .br | ||
499 | name browser | ||
500 | |||
503 | .TP | 501 | .TP |
504 | \fBshell none | 502 | \fBno3d |
505 | Run the program directly, without a shell. | 503 | Disable 3D hardware acceleration. |
506 | .TP | 504 | .TP |
507 | \fBipc-namespace | 505 | \fBnoautopulse |
508 | Enable IPC namespace. | 506 | Disable automatic ~/.config/pulse init, for complex setups such as remote |
507 | pulse servers or non-standard socket paths. | ||
509 | .TP | 508 | .TP |
510 | \fBnodbus | 509 | \fBnodbus |
511 | Disable D-Bus access. Only the regular UNIX socket is handled by | 510 | Disable D-Bus access. Only the regular UNIX socket is handled by |
@@ -513,13 +512,15 @@ this command. To disable the abstract socket, you would need to | |||
513 | request a new network namespace using the net command. Another | 512 | request a new network namespace using the net command. Another |
514 | option is to remove unix from protocol set. | 513 | option is to remove unix from protocol set. |
515 | .TP | 514 | .TP |
515 | \fBnodvd | ||
516 | Disable DVD and audio CD devices. | ||
517 | .TP | ||
518 | \fBnogroups | ||
519 | Disable supplementary user groups | ||
520 | .TP | ||
516 | \fBnosound | 521 | \fBnosound |
517 | Disable sound system. | 522 | Disable sound system. |
518 | .TP | 523 | .TP |
519 | \fBnoautopulse | ||
520 | Disable automatic ~/.config/pulse init, for complex setups such as remote | ||
521 | pulse servers or non-standard socket paths. | ||
522 | .TP | ||
523 | \fBnotv | 524 | \fBnotv |
524 | Disable DVB (Digital Video Broadcasting) TV devices. | 525 | Disable DVB (Digital Video Broadcasting) TV devices. |
525 | .TP | 526 | .TP |
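Review bot: the moved `nogroups` description on new line 519, "Disable supplementary user groups", lacks the terminating period that every neighbouring entry has ("Disable DVD and audio CD devices.", "Disable sound system."). The typo predates the move, but the line is being touched, so make it "Disable supplementary user groups." here.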
@@ -529,8 +530,9 @@ Disable U2F devices. | |||
529 | \fBnovideo | 530 | \fBnovideo |
530 | Disable video devices. | 531 | Disable video devices. |
531 | .TP | 532 | .TP |
532 | \fBno3d | 533 | \fBshell none |
533 | Disable 3D hardware acceleration. | 534 | Run the program directly, without a shell. |
535 | |||
534 | 536 | ||
535 | .SH Networking | 537 | .SH Networking |
536 | Networking features available in profile files. | 538 | Networking features available in profile files. |
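Review bot: new line 535 adds an empty line after the `shell none` entry on top of the existing blank at 536, so the section now ends with two blank lines before `.SH Networking`. The other sections end with a single blank line before their `.SH` header; drop one of the two to keep the spacing consistent.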
@@ -618,16 +620,6 @@ Spoof id number in /etc/machine-id file - a new random id is generated inside th | |||
618 | \fBmtu number | 620 | \fBmtu number |
619 | Assign a MTU value to the last network interface defined by a net command. | 621 | Assign a MTU value to the last network interface defined by a net command. |
620 | 622 | ||
621 | |||
622 | |||
623 | .TP | ||
624 | \fBnetfilter | ||
625 | If a new network namespace is created, enabled default network filter. | ||
626 | |||
627 | .TP | ||
628 | \fBnetfilter filename | ||
629 | If a new network namespace is created, enabled the network filter in filename. | ||
630 | |||
631 | .TP | 623 | .TP |
632 | \fBnet bridge_interface | 624 | \fBnet bridge_interface |
633 | Enable a new network namespace and connect it to this bridge interface. | 625 | Enable a new network namespace and connect it to this bridge interface. |
@@ -648,6 +640,13 @@ default gateway of the host. Up to four \-\-net devices can | |||
648 | be defined. Mixing bridge and macvlan devices is allowed. | 640 | be defined. Mixing bridge and macvlan devices is allowed. |
649 | 641 | ||
650 | .TP | 642 | .TP |
643 | \fBnet none | ||
644 | Enable a new, unconnected network namespace. The only interface | ||
645 | available in the new namespace is a new loopback interface (lo). | ||
646 | Use this option to deny network access to programs that don't | ||
647 | really need network access. | ||
648 | |||
649 | .TP | ||
651 | \fBnet tap_interface | 650 | \fBnet tap_interface |
652 | Enable a new network namespace and connect it | 651 | Enable a new network namespace and connect it |
653 | to this ethernet tap interface using the standard Linux macvlan | 652 | to this ethernet tap interface using the standard Linux macvlan |
@@ -656,11 +655,13 @@ will not try to configure the interface inside the sandbox. | |||
656 | Please use ip, netmask and defaultgw to specify the configuration. | 655 | Please use ip, netmask and defaultgw to specify the configuration. |
657 | 656 | ||
658 | .TP | 657 | .TP |
659 | \fBnet none | 658 | \fBnetfilter |
660 | Enable a new, unconnected network namespace. The only interface | 659 | If a new network namespace is created, enabled default network filter. |
661 | available in the new namespace is a new loopback interface (lo). | 660 | |
662 | Use this option to deny network access to programs that don't | 661 | .TP |
663 | really need network access. | 662 | \fBnetfilter filename |
663 | If a new network namespace is created, enabled the network filter in filename. | ||
664 | |||
664 | 665 | ||
665 | .TP | 666 | .TP |
666 | \fBnetmask address | 667 | \fBnetmask address |
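Review bot: both netfilter descriptions on new lines 659 and 663 read "If a new network namespace is created, enabled default network filter" and "enabled the network filter in filename"; the verb should be "enable" in both. These lines are being moved anyway, so fix the grammar in the same commit rather than carrying the typo into the new position.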
@@ -675,14 +676,14 @@ instead of the default one. | |||
675 | 676 | ||
676 | .SH Other | 677 | .SH Other |
677 | .TP | 678 | .TP |
679 | \fBdeterministic-exit-code | ||
680 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | ||
681 | |||
682 | .TP | ||
678 | \fBjoin-or-start sandboxname | 683 | \fBjoin-or-start sandboxname |
679 | Join the sandbox identified by name or start a new one. | 684 | Join the sandbox identified by name or start a new one. |
680 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". | 685 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". |
681 | 686 | ||
682 | .TP | ||
683 | \fBdeterministic-exit-code | ||
684 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | ||
685 | |||
686 | .SH FILES | 687 | .SH FILES |
687 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile | 688 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile |
688 | 689 | ||