Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 188 |
1 files changed, 165 insertions, 23 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9045c1122..d6113218c 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example: | |||
44 | .RS | 44 | .RS |
45 | $ firejail | 45 | $ firejail |
46 | .br | 46 | .br |
47 | Reading profile /etc/firejail/generic.profile | 47 | Reading profile /etc/firejail/default.profile |
48 | .br | 48 | .br |
49 | Parent pid 8553, child pid 8554 | 49 | Parent pid 8553, child pid 8554 |
50 | .br | 50 | .br |
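Review bot: the sample output now reads "Reading profile /etc/firejail/default.profile" instead of generic.profile; the sentence this hunk sits under still talks about "default profile loading", which now matches, but any other place in this page or in firejail(1) that still quotes generic.profile should be updated in the same commit so the two manuals do not disagree about which file is loaded by default.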
@@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac | |||
93 | Example: "noblacklist ${HOME}/.mozilla" | 93 | Example: "noblacklist ${HOME}/.mozilla" |
94 | 94 | ||
95 | .TP | 95 | .TP |
96 | \fBignore command | 96 | \fBignore |
97 | Ignore command. | 97 | Ignore command. |
98 | 98 | ||
99 | Example: "ignore seccomp" | 99 | Example: "ignore seccomp" |
100 | 100 | ||
101 | .TP | ||
102 | \fBquiet | ||
103 | Disable Firejail's output. This should be the first uncommented command in the profile file. | ||
104 | |||
105 | Example: "quiet" | ||
106 | |||
101 | .SH Filesystem | 107 | .SH Filesystem |
102 | These profile entries define a chroot filesystem built on top of the existing | 108 | These profile entries define a chroot filesystem built on top of the existing |
103 | host filesystem. Each line describes a file element that is removed from | 109 | host filesystem. Each line describes a file element that is removed from |
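Review bot: the tag line for ignore lost its argument placeholder (`\fBignore command` became `\fBignore`) while the body still says "Ignore command." and the example "ignore seccomp" clearly takes an argument; keep the placeholder in the tag, as `\fBbind directory1,directory2` and the other entries do. For the new quiet entry, "This should be the first uncommented command in the profile file" would be more useful if it also said why (presumably output produced before the line is reached is not suppressed), so the reader knows what breaks when it is placed later.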
@@ -122,11 +128,16 @@ blacklist ${PATH}/ifconfig | |||
122 | blacklist ${HOME}/.ssh | 128 | blacklist ${HOME}/.ssh |
123 | 129 | ||
124 | .TP | 130 | .TP |
125 | \fBread-only file_or_directory | 131 | \fBblacklist-nolog file_or_directory |
126 | Make directory or file read-only. | 132 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. |
127 | .TP | 133 | blacklist-nolog command disables syslog messages for this particular file or directory. Examples: |
128 | \fBtmpfs directory | 134 | .br |
129 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | 135 | |
136 | .br | ||
137 | blacklist-nolog /usr/bin | ||
138 | .br | ||
139 | blacklist-nolog /usr/bin/gcc* | ||
140 | |||
130 | .TP | 141 | .TP |
131 | \fBbind directory1,directory2 | 142 | \fBbind directory1,directory2 |
132 | Mount-bind directory1 on top of directory2. This option is only available when running as root. | 143 | Mount-bind directory1 on top of directory2. This option is only available when running as root. |
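Review bot: the blacklist-nolog body says "When --tracelog flag is set", which is the command-line spelling; in a profile file the equivalent keyword is `tracelog`, documented further down in this same page, so say "When tracelog is enabled (profile command tracelog or --tracelog on the command line)" to avoid sending readers to the wrong syntax. Also the "Examples:" block starts with `.br` followed by an empty line and another `.br`, producing a stray blank line before the first example; one `.br` is enough. Note that read-only and tmpfs are removed here and reinserted later in alphabetical order, which is fine but worth a mention in the commit message.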
@@ -135,8 +146,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
135 | Mount-bind file1 on top of file2. This option is only available when running as root. | 146 | Mount-bind file1 on top of file2. This option is only available when running as root. |
136 | .TP | 147 | .TP |
137 | \fBmkdir directory | 148 | \fBmkdir directory |
138 | Create a directory in user home. Use this command for whitelisted directories you need to preserve | 149 | Create a directory in user home before the sandbox is started. |
139 | when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from | 150 | The directory is created if it doesn't already exist. |
151 | .br | ||
152 | |||
153 | .br | ||
154 | Use this command for whitelisted directories you need to preserve | ||
155 | when the sandbox is closed. Without it, the application will create the directory, and the directory | ||
156 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from | ||
140 | firefox profile: | 157 | firefox profile: |
141 | .br | 158 | .br |
142 | 159 | ||
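Review bot: the new mkdir text changes a documented behaviour ("Subdirectories also need to be created using mkdir" becomes "Subdirectories are recursively created"), and the firefox example in the next hunk is trimmed accordingly; please confirm in the commit message that the implementation actually creates intermediate directories now, otherwise the shortened example will silently stop working for users who copy it.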
@@ -145,14 +162,17 @@ mkdir ~/.mozilla | |||
145 | .br | 162 | .br |
146 | whitelist ~/.mozilla | 163 | whitelist ~/.mozilla |
147 | .br | 164 | .br |
148 | mkdir ~/.cache | ||
149 | .br | ||
150 | mkdir ~/.cache/mozilla | ||
151 | .br | ||
152 | mkdir ~/.cache/mozilla/firefox | 165 | mkdir ~/.cache/mozilla/firefox |
153 | .br | 166 | .br |
154 | whitelist ~/.cache/mozilla/firefox | 167 | whitelist ~/.cache/mozilla/firefox |
155 | .TP | 168 | .TP |
169 | \fBmkfile file | ||
170 | Similar to mkdir, this command creates a file in user home before the sandbox is started. | ||
171 | The file is created if it doesn't already exist, but it's target directory has to exist. | ||
172 | .TP | ||
173 | \fBnoexec file_or_directory | ||
174 | Remount the file or the directory noexec, nodev and nosuid. | ||
175 | .TP | ||
156 | \fBprivate | 176 | \fBprivate |
157 | Mount new /root and /home/user directories in temporary | 177 | Mount new /root and /home/user directories in temporary |
158 | filesystems. All modifications are discarded when the sandbox is | 178 | filesystems. All modifications are discarded when the sandbox is |
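Review bot: typo in the mkfile entry, "it's target directory has to exist" should be "its target directory has to exist"; it would also help to point the reader at mkdir for creating that parent directory first, since mkfile does not do it. For noexec, "Remount the file or the directory noexec, nodev and nosuid" is clear, but consider stating whether it applies to the whole mount the path lives on or only to a bind mount of that path, because that is what a reader hardening a profile needs to know.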
@@ -161,6 +181,12 @@ closed. | |||
161 | \fBprivate directory | 181 | \fBprivate directory |
162 | Use directory as user home. | 182 | Use directory as user home. |
163 | .TP | 183 | .TP |
184 | \f\private-home file,directory | ||
185 | Build a new user home in a temporary | ||
186 | filesystem, and copy the files and directories in the list in the | ||
187 | new home. All modifications are discarded when the sandbox is | ||
188 | closed. | ||
189 | .TP | ||
164 | \fBprivate-bin file,file | 190 | \fBprivate-bin file,file |
165 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 191 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
166 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | 192 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. |
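Review bot: the private-home tag line is broken troff, `\f\private-home file,directory` should be `\fBprivate-home file,directory`; as written the `\f\` escape will not select bold and the rendered tag will be wrong. Every other tag in this hunk uses `\fB`.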
@@ -174,19 +200,43 @@ filesystem, and copy the files and directories in the list. | |||
174 | All modifications are discarded when the sandbox is closed. | 200 | All modifications are discarded when the sandbox is closed. |
175 | .TP | 201 | .TP |
176 | \fBprivate-tmp | 202 | \fBprivate-tmp |
177 | Mount an empty temporary filesystem on top of /tmp directory. | 203 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
178 | .TP | 204 | .TP |
179 | \fBwhitelist file_or_directory | 205 | \fBread-only file_or_directory |
180 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. | 206 | Make directory or file read-only. |
181 | The modifications to file_or_directory are persistent, everything else is discarded | 207 | .TP |
182 | when the sandbox is closed. | 208 | \fBread-write file_or_directory |
209 | Make directory or file read-write. | ||
210 | .TP | ||
211 | \fBtmpfs directory | ||
212 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | ||
183 | .TP | 213 | .TP |
184 | \fBtracelog | 214 | \fBtracelog |
185 | Blacklist violations logged to syslog. | 215 | Blacklist violations logged to syslog. |
216 | .TP | ||
217 | \fBwhitelist file_or_directory | ||
218 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
219 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
220 | everything else is discarded when the sandbox is closed. The top directory could be | ||
221 | user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. | ||
222 | .br | ||
223 | |||
224 | .br | ||
225 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
226 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
227 | .TP | ||
228 | \fBwritable-etc | ||
229 | Mount /etc directory read-write. | ||
230 | .TP | ||
231 | \fBwritable-var | ||
232 | Mount /var directory read-write. | ||
186 | .SH Security filters | 233 | .SH Security filters |
187 | The following security filters are currently implemented: | 234 | The following security filters are currently implemented: |
188 | 235 | ||
189 | .TP | 236 | .TP |
237 | \fBapparmor | ||
238 | Enable AppArmor confinement. | ||
239 | .TP | ||
190 | \fBcaps | 240 | \fBcaps |
191 | Enable default Linux capabilities filter. | 241 | Enable default Linux capabilities filter. |
192 | .TP | 242 | .TP |
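Review bot: in the whitelist entry, "the whitelisted files are mount-binded inside" should be "bind-mounted inside" (the page already uses "bind-mounted" in the private-bin entry), and "The top directory could be user home, /dev, ..." should read "can be". The symbolic-link paragraph is a useful security note; consider saying what happens when the rule is violated (the link is ignored, or the sandbox refuses to start) so the restriction is actionable. The private-tmp change ("whitelisting /tmp/.X11-unix") is worth cross-referencing from the x11 none entry, since that entry blacklists the same directory. The new apparmor entry, "Enable AppArmor confinement", would benefit from naming the profile that gets applied, or pointing to firejail(1) for it.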
@@ -205,10 +255,7 @@ first argument to socket system call. Recognized values: \fBunix\fR, | |||
205 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. | 255 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. |
206 | .TP | 256 | .TP |
207 | \fBseccomp | 257 | \fBseccomp |
208 | Enable default seccomp filter. The default list is as follows: | 258 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
209 | mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, | ||
210 | iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev, | ||
211 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp. | ||
212 | .TP | 259 | .TP |
213 | \fBseccomp syscall,syscall,syscall | 260 | \fBseccomp syscall,syscall,syscall |
214 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. | 261 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
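Review bot: dropping the inline default syscall list in favour of "See man 1 firejail for more details" keeps the list in one place, which is good, but the following entry still says "on top of default seccomp filter"; since the default list is now only defined in firejail(1), that reference should be kept in sync there in the same commit, and it may be worth stating here that the default filter is a blacklist (the new wording "blacklist the syscalls in the default list" does this, so just make sure firejail(1) agrees).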
@@ -219,9 +266,32 @@ Enable seccomp filter and blacklist the system calls in the list. | |||
219 | \fBseccomp.keep syscall,syscall,syscall | 266 | \fBseccomp.keep syscall,syscall,syscall |
220 | Enable seccomp filter and whitelist the system calls in the list. | 267 | Enable seccomp filter and whitelist the system calls in the list. |
221 | .TP | 268 | .TP |
269 | \fBnonewprivs | ||
270 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | ||
271 | cannot acquire new privileges using execve(2); in particular, | ||
272 | this means that calling a suid binary (or one with file capabilities) | ||
273 | does not result in an increase of privilege. | ||
274 | .TP | ||
222 | \fBnoroot | 275 | \fBnoroot |
223 | Use this command to enable an user namespace. The namespace has only one user, the current user. | 276 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
224 | There is no root account (uid 0) defined in the namespace. | 277 | There is no root account (uid 0) defined in the namespace. |
278 | .TP | ||
279 | \fBx11 | ||
280 | Enable X11 sandboxing. | ||
281 | .TP | ||
282 | \fBx11 none | ||
283 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | ||
284 | Remove DISPLAY and XAUTHORITY environment variables. | ||
285 | Stop with error message if X11 abstract socket will be accessible in jail. | ||
286 | .TP | ||
287 | \fBx11 xephyr | ||
288 | Enable X11 sandboxing with xephyr. | ||
289 | .TP | ||
290 | \fBx11 xorg | ||
291 | Enable X11 sandboxing with X11 security extension. | ||
292 | .TP | ||
293 | \fBx11 xpra | ||
294 | Enable X11 sandboxing with xpra. | ||
225 | 295 | ||
226 | .SH Resource limits, CPU affinity, Control Groups | 296 | .SH Resource limits, CPU affinity, Control Groups |
227 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | 297 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. |
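Review bot: in the x11 none entry, "Stop with error message if X11 abstract socket will be accessible in jail" should be "would be accessible in the jail"; the plain x11 entry ("Enable X11 sandboxing") should say which backend is chosen when none of xephyr, xorg or xpra is named, otherwise the reader cannot tell what x11 alone does. The nonewprivs text is accurate for NO_NEW_PRIVS; consider also noting that seccomp enables it implicitly if that is the case, since the two entries sit side by side. Drive-by in the unchanged context: "enable an user namespace" should be "a user namespace".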
@@ -255,6 +325,10 @@ The sandbox is placed in g1 control group. | |||
255 | 325 | ||
256 | .SH User Environment | 326 | .SH User Environment |
257 | .TP | 327 | .TP |
328 | \fBallusers | ||
329 | All user home directories are visible inside the sandbox. By default, only current user home directory is visible. | ||
330 | |||
331 | .TP | ||
258 | \fBname sandboxname | 332 | \fBname sandboxname |
259 | Set sandbox name. Example: | 333 | Set sandbox name. Example: |
260 | .br | 334 | .br |
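Review bot: allusers widens what the sandbox can see, so the entry should say so plainly, e.g. "All user home directories are visible inside the sandbox. By default only the current user's home directory is visible"; the missing article and possessive make the current sentence read awkwardly. The blank line between the body and the next `.TP` is not used by the neighbouring entries in this hunk.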
@@ -284,9 +358,18 @@ Enable IPC namespace. | |||
284 | .TP | 358 | .TP |
285 | \fBnosound | 359 | \fBnosound |
286 | Disable sound system. | 360 | Disable sound system. |
361 | .TP | ||
362 | \fBno3d | ||
363 | Disable 3D hardware acceleration. | ||
364 | |||
287 | .SH Networking | 365 | .SH Networking |
288 | Networking features available in profile files. | 366 | Networking features available in profile files. |
289 | 367 | ||
368 | .TP | ||
369 | \fBdefaultgw address | ||
370 | Use this address as default gateway in the new network namespace. | ||
371 | |||
372 | .TP | ||
290 | \fBdns address | 373 | \fBdns address |
291 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | 374 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. |
292 | 375 | ||
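Review bot: defaultgw says "Use this address as default gateway in the new network namespace", while the ip entry added in the next hunk states "A default gateway is assigned by default"; please document the interaction, i.e. that defaultgw replaces the automatically chosen gateway, and whether it must be on the same subnet as the address given with ip.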
@@ -295,6 +378,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. | |||
295 | Set a hostname for the sandbox. | 378 | Set a hostname for the sandbox. |
296 | 379 | ||
297 | .TP | 380 | .TP |
381 | \fBip address | ||
382 | Assign IP addresses to the last network interface defined by a net command. A | ||
383 | default gateway is assigned by default. | ||
384 | .br | ||
385 | |||
386 | .br | ||
387 | Example: | ||
388 | .br | ||
389 | net eth0 | ||
390 | .br | ||
391 | ip 10.10.20.56 | ||
392 | |||
393 | .TP | ||
394 | \fBip none | ||
395 | No IP address and no default gateway are configured for the last interface | ||
396 | defined by a net command. Use this option | ||
397 | in case you intend to start an external DHCP client in the sandbox. | ||
398 | .br | ||
399 | |||
400 | .br | ||
401 | Example: | ||
402 | .br | ||
403 | net eth0 | ||
404 | .br | ||
405 | ip none | ||
406 | |||
407 | .TP | ||
408 | \fBip6 address | ||
409 | Assign IPv6 addresses to the last network interface defined by a net command. | ||
410 | .br | ||
411 | |||
412 | .br | ||
413 | Example: | ||
414 | .br | ||
415 | net eth0 | ||
416 | .br | ||
417 | ip6 2001:0db8:0:f101::1/64 | ||
418 | |||
419 | .TP | ||
298 | \fBiprange address,address | 420 | \fBiprange address,address |
299 | Assign an IP address in the provided range to the last network | 421 | Assign an IP address in the provided range to the last network |
300 | interface defined by a net command. A default gateway is assigned by default. | 422 | interface defined by a net command. A default gateway is assigned by default. |
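Review bot: the ip and ip6 entries say "Assign IP addresses" and "Assign IPv6 addresses" but each takes a single address, so use the singular; the ip6 example carries a prefix length (2001:0db8:0:f101::1/64) while the ip example (10.10.20.56) has none, so state for both whether a prefix is accepted or required and what is assumed when it is omitted. In the ip none entry, "Use this option in case you intend to start an external DHCP client" reads better as "Use this option if you intend to run a DHCP client inside the sandbox".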
@@ -311,6 +433,16 @@ iprange 192.168.1.150,192.168.1.160 | |||
311 | .br | 433 | .br |
312 | 434 | ||
313 | .TP | 435 | .TP |
436 | \fBmac address | ||
437 | Assign MAC addresses to the last network interface defined by a net command. | ||
438 | |||
439 | .TP | ||
440 | \fBmtu number | ||
441 | Assign a MTU value to the last network interface defined by a net command. | ||
442 | |||
443 | |||
444 | |||
445 | .TP | ||
314 | \fBnetfilter | 446 | \fBnetfilter |
315 | If a new network namespace is created, enabled default network filter. | 447 | If a new network namespace is created, enabled default network filter. |
316 | 448 | ||
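Review bot: "Assign MAC addresses" should be "Assign a MAC address" and "a MTU value" should be "an MTU value", each entry takes one value; the three consecutive blank lines before the netfilter `.TP` are stray and should be collapsed to the single blank line used elsewhere in the file.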
@@ -345,6 +477,17 @@ available in the new namespace is a new loopback interface (lo). | |||
345 | Use this option to deny network access to programs that don't | 477 | Use this option to deny network access to programs that don't |
346 | really need network access. | 478 | really need network access. |
347 | 479 | ||
480 | .TP | ||
481 | \fBveth-name name | ||
482 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, | ||
483 | instead of the default one. | ||
484 | |||
485 | .SH Other | ||
486 | .TP | ||
487 | \fBjoin-or-start sandboxname | ||
488 | Join the sandbox identified by name or start a new one. | ||
489 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". | ||
490 | |||
348 | .SH RELOCATING PROFILES | 491 | .SH RELOCATING PROFILES |
349 | For various reasons some users might want to keep the profile files in a different directory. | 492 | For various reasons some users might want to keep the profile files in a different directory. |
350 | Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles | 493 | Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles |
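Review bot: veth-name describes itself in terms of "--net=bridge_interface commands", which is the command-line form; in a profile the keyword is `net` (the examples above use "net eth0"), so say "for net bridge_interface commands" and, if wanted, mention the CLI equivalent in parentheses. The new `.SH Other` section holding only join-or-start is placed just before RELOCATING PROFILES; if more miscellaneous commands are expected, fine, otherwise it could live under User Environment next to name, which it references.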
@@ -388,7 +531,6 @@ Homepage: http://firejail.wordpress.com | |||
388 | \&\flfiremon\fR\|(1), | 531 | \&\flfiremon\fR\|(1), |
389 | \&\flfirecfg\fR\|(1), | 532 | \&\flfirecfg\fR\|(1), |
390 | \&\flfirejail-login\fR\|(5) | 533 | \&\flfirejail-login\fR\|(5) |
391 | \&\flfirejail-config\fR\|(5) | ||
392 | 534 | ||
393 | 535 | ||
394 | 536 | ||
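Review bot: the SEE ALSO hunk drops firejail-config(5) without the commit message (not shown here) saying whether that manual page was removed; if the page still ships, this loses a cross-reference and should be reverted. Drive-by on the unchanged lines: the entries use `\fl` (lowercase L), which is not a groff font name; they were almost certainly meant to be `\fI` for italic, and fixing that here would be cheap.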