1 files changed, 181 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
new file mode 100644
index 000000000..46da19ecd
--- /dev/null
+++ b/src/man/firejail-profile.txt
@@ -0,0 +1,181 @@
+.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
+.SH NAME
+profile \- Profile file syntax for Firejail
+.SH USAGE
+.TP
+firejail \-\-profile=filename.profile
+.SH DESCRIPTION
+Several Firejail command line configuration options can be passed to the program using
+profile files. Default Firejail profile files are stored in /etc/firejail
+directory and ~/.config/firejail directory.
+.SH Scripting
+Include and comment support:
+.TP
+\f\include other.profile
+Include other.profile file.
+.TP
+# this is a comment
+.SH Filesystem
+These profile entries define a chroot filesystem built on top of the existing
+host filesystem. Each line describes a file element that is removed from
+the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
+a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
+or mount-bind a directory  or file on top of another directory or file (\fBbind\fR).
+Use \fBprivate\fR to set private mode.
+File globbing is supported, and PATH and HOME directories are searched.
+Examples:
+.TP
+\f\blacklist /usr/bin
+Remove /usr/bin directory.
+.TP
+\f\blacklist /etc/password
+Remove /etc/password file.
+.TP
+\f\read-only /etc/password
+Read-only /etc/password file.
+.TP
+tmpfs /etc
+Mount an empty tmpfs filesystem on top of /etc directory.
+.TP
+bind /root/config/ssh,/etc/ssh
+Mount-bind /root/config/ssh on /etc/ssh.
+.TP
+\f\blacklist /usr/bin/gcc*
+Remove all gcc files in /usr/bin (file globbing).
+.TP
+\f\blacklist ${PATH}/ifconfig
+Remove ifconfig command from the regular path directories.
+.TP
+\f\blacklist ${HOME}/.ssh
+Remove .ssh directory from user home directory.
+.TP
+\f\private
+Mount new /root and /home/user directories in temporary
+filesystems. All modifications are discarded when the sandbox is
+closed.
+.TP
+\f\private directory
+Use directory as user home.
+.TP
+\f\private.keep file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.TP
+\f\private-dev
+Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.
+.SH Filters
+\fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:
+.TP
+caps
+Enable default Linux capabilities filter.
+.TP
+caps.drop all
+Blacklist all Linux capabilities.
+.TP
+caps.drop capability,capability,capability
+Blacklist Linux capabilities filter.
+.TP
+caps.drop capability,capability,capability
+Whitelist Linux capabilities filter.
+.TP
+\f\seccomp
+Enable default seccomp filter.
+.TP
+\f\seccomp syscall,syscall,syscall
+Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
+.TP
+\f\seccomp.drop syscall,syscall,syscall
+Enable seccomp filter and blacklist  the system calls in the list.
+.TP
+\f\seccomp.keep syscall,syscall,syscall
+Enable seccomp filter and whitelist the system calls in the list.
+.SH User Namespace
+Use \fBnoroot\fR to enable an user namespace. The namespace has only one user, the current user.
+There is no root account defined in the namespace.
+.TP
+noroot
+Enable an user namespace without root user defined.
+.SH Resource limits
+These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
+The limits can be modified inside the sandbox using the regular \fBulimt\fR command. Examples:
+.TP
+\f\rlimit-fsize 1024
+Set the maximum file size that can be created by a process to 1024 bytes.
+.TP
+\f\rlimit-nproc 1000
+Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.
+.TP
+\f\rlimit-nofile 500
+Set the maximum number of files that can be opened by a process to 500.
+.TP
+\f\rlimit-sigpending 200
+Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
+.SH CPU Affinity
+Set the CPU cores available for this sandbox. Examples:
+.TP
+cpu 1,2,3
+Use only CPU cores 0, 1 and 2.
+.SH Control Groups
+Place the sandbox in an existing control group specified by the full path of the task file. Example:
+.TP
+cgroup /sys/fs/cgroup/g1/tasks
+The sandbox is placed in g1 control group.
+.SH User Environment
+.TP
+nogroups
+Disable supplementary user groups
+.TP
+shell none
+Run the program directly, without a shell.
+.SH Networking
+Networking features available in profile files.
+.TP
+netfilter
+If a new network namespace is created, enabled default network filter.
+.TP
+netfilter filename
+If a new network namespace is created, enabled the network filter in filename.
+.TP
+dns address
+Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+.SH FILES
+/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.sourceforge.net
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirejail-login\fR\|(5)

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt new file mode 100644 index 000000000..46da19ecd --- /dev/null +++ b/src/man/firejail-profile.txt
@@ -0,0 +1,181 @@
	1	.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
	2	.SH NAME
	3	profile \- Profile file syntax for Firejail
	4
	5	.SH USAGE
	6	.TP
	7	firejail \-\-profile=filename.profile
	8
	9	.SH DESCRIPTION
	10	Several Firejail command line configuration options can be passed to the program using
	11	profile files. Default Firejail profile files are stored in /etc/firejail
	12	directory and ~/.config/firejail directory.
	13
	14	.SH Scripting
	15	Include and comment support:
	16
	17	.TP
	18	\f\include other.profile
	19	Include other.profile file.
	20	.TP
	21	# this is a comment
	22
	23	.SH Filesystem
	24	These profile entries define a chroot filesystem built on top of the existing
	25	host filesystem. Each line describes a file element that is removed from
	26	the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
	27	a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
	28	or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
	29	Use \fBprivate\fR to set private mode.
	30	File globbing is supported, and PATH and HOME directories are searched.
	31	Examples:
	32	.TP
	33	\f\blacklist /usr/bin
	34	Remove /usr/bin directory.
	35	.TP
	36	\f\blacklist /etc/password
	37	Remove /etc/password file.
	38	.TP
	39	\f\read-only /etc/password
	40	Read-only /etc/password file.
	41	.TP
	42	tmpfs /etc
	43	Mount an empty tmpfs filesystem on top of /etc directory.
	44	.TP
	45	bind /root/config/ssh,/etc/ssh
	46	Mount-bind /root/config/ssh on /etc/ssh.
	47	.TP
	48	\f\blacklist /usr/bin/gcc*
	49	Remove all gcc files in /usr/bin (file globbing).
	50	.TP
	51	\f\blacklist ${PATH}/ifconfig
	52	Remove ifconfig command from the regular path directories.
	53	.TP
	54	\f\blacklist ${HOME}/.ssh
	55	Remove .ssh directory from user home directory.
	56	.TP
	57	\f\private
	58	Mount new /root and /home/user directories in temporary
	59	filesystems. All modifications are discarded when the sandbox is
	60	closed.
	61	.TP
	62	\f\private directory
	63	Use directory as user home.
	64	.TP
	65	\f\private.keep file,directory
	66	Build a new user home in a temporary
	67	filesystem, and copy the files and directories in the list in the
	68	new home. All modifications are discarded when the sandbox is
	69	closed.
	70	.TP
	71	\f\private-dev
	72	Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.
	73
	74	.SH Filters
	75	\fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:
	76
	77	.TP
	78	caps
	79	Enable default Linux capabilities filter.
	80	.TP
	81	caps.drop all
	82	Blacklist all Linux capabilities.
	83	.TP
	84	caps.drop capability,capability,capability
	85	Blacklist Linux capabilities filter.
	86	.TP
	87	caps.drop capability,capability,capability
	88	Whitelist Linux capabilities filter.
	89	.TP
	90	\f\seccomp
	91	Enable default seccomp filter.
	92	.TP
	93	\f\seccomp syscall,syscall,syscall
	94	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
	95	.TP
	96	\f\seccomp.drop syscall,syscall,syscall
	97	Enable seccomp filter and blacklist the system calls in the list.
	98	.TP
	99	\f\seccomp.keep syscall,syscall,syscall
	100	Enable seccomp filter and whitelist the system calls in the list.
	101
	102
	103	.SH User Namespace
	104	Use \fBnoroot\fR to enable an user namespace. The namespace has only one user, the current user.
	105	There is no root account defined in the namespace.
	106
	107	.TP
	108	noroot
	109	Enable an user namespace without root user defined.
	110
	111
	112	.SH Resource limits
	113	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
	114	The limits can be modified inside the sandbox using the regular \fBulimt\fR command. Examples:
	115
	116	.TP
	117	\f\rlimit-fsize 1024
	118	Set the maximum file size that can be created by a process to 1024 bytes.
	119	.TP
	120	\f\rlimit-nproc 1000
	121	Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.
	122	.TP
	123	\f\rlimit-nofile 500
	124	Set the maximum number of files that can be opened by a process to 500.
	125	.TP
	126	\f\rlimit-sigpending 200
	127	Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
	128
	129	.SH CPU Affinity
	130	Set the CPU cores available for this sandbox. Examples:
	131
	132	.TP
	133	cpu 1,2,3
	134	Use only CPU cores 0, 1 and 2.
	135
	136	.SH Control Groups
	137	Place the sandbox in an existing control group specified by the full path of the task file. Example:
	138
	139	.TP
	140	cgroup /sys/fs/cgroup/g1/tasks
	141	The sandbox is placed in g1 control group.
	142
	143	.SH User Environment
	144
	145	.TP
	146	nogroups
	147	Disable supplementary user groups
	148	.TP
	149	shell none
	150	Run the program directly, without a shell.
	151
	152	.SH Networking
	153	Networking features available in profile files.
	154
	155	.TP
	156	netfilter
	157	If a new network namespace is created, enabled default network filter.
	158
	159	.TP
	160	netfilter filename
	161	If a new network namespace is created, enabled the network filter in filename.
	162
	163	.TP
	164	dns address
	165	Set a DNS server for the sandbox. Up to three DNS servers can be defined.
	166
	167
	168	.SH FILES
	169	/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
	170
	171	.SH LICENSE
	172	Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
	173	.PP
	174	Homepage: http://firejail.sourceforge.net
	175	.SH SEE ALSO
	176	\&\flfirejail\fR\\|(1),
	177	\&\flfiremon\fR\\|(1),
	178	\&\flfirejail-login\fR\\|(5)
	179
	180
	181