Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 181 |
1 files changed, 181 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt new file mode 100644 index 000000000..46da19ecd --- /dev/null +++ b/src/man/firejail-profile.txt | |||
@@ -0,0 +1,181 @@ | |||
1 | .TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page" | ||
2 | .SH NAME | ||
3 | profile \- Profile file syntax for Firejail | ||
4 | |||
5 | .SH USAGE | ||
6 | .TP | ||
7 | firejail \-\-profile=filename.profile | ||
8 | |||
9 | .SH DESCRIPTION | ||
10 | Several Firejail command line configuration options can be passed to the program using | ||
11 | profile files. Default Firejail profile files are stored in /etc/firejail | ||
12 | directory and ~/.config/firejail directory. | ||
13 | |||
14 | .SH Scripting | ||
15 | Include and comment support: | ||
16 | |||
17 | .TP | ||
18 | \f\include other.profile | ||
19 | Include other.profile file. | ||
20 | .TP | ||
21 | # this is a comment | ||
22 | |||
23 | .SH Filesystem | ||
24 | These profile entries define a chroot filesystem built on top of the existing | ||
25 | host filesystem. Each line describes a file element that is removed from | ||
26 | the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), | ||
27 | a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), | ||
28 | or mount-bind a directory or file on top of another directory or file (\fBbind\fR). | ||
29 | Use \fBprivate\fR to set private mode. | ||
30 | File globbing is supported, and PATH and HOME directories are searched. | ||
31 | Examples: | ||
32 | .TP | ||
33 | \f\blacklist /usr/bin | ||
34 | Remove /usr/bin directory. | ||
35 | .TP | ||
36 | \f\blacklist /etc/password | ||
37 | Remove /etc/password file. | ||
38 | .TP | ||
39 | \f\read-only /etc/password | ||
40 | Read-only /etc/password file. | ||
41 | .TP | ||
42 | tmpfs /etc | ||
43 | Mount an empty tmpfs filesystem on top of /etc directory. | ||
44 | .TP | ||
45 | bind /root/config/ssh,/etc/ssh | ||
46 | Mount-bind /root/config/ssh on /etc/ssh. | ||
47 | .TP | ||
48 | \f\blacklist /usr/bin/gcc* | ||
49 | Remove all gcc files in /usr/bin (file globbing). | ||
50 | .TP | ||
51 | \f\blacklist ${PATH}/ifconfig | ||
52 | Remove ifconfig command from the regular path directories. | ||
53 | .TP | ||
54 | \f\blacklist ${HOME}/.ssh | ||
55 | Remove .ssh directory from user home directory. | ||
56 | .TP | ||
57 | \f\private | ||
58 | Mount new /root and /home/user directories in temporary | ||
59 | filesystems. All modifications are discarded when the sandbox is | ||
60 | closed. | ||
61 | .TP | ||
62 | \f\private directory | ||
63 | Use directory as user home. | ||
64 | .TP | ||
65 | \f\private.keep file,directory | ||
66 | Build a new user home in a temporary | ||
67 | filesystem, and copy the files and directories in the list in the | ||
68 | new home. All modifications are discarded when the sandbox is | ||
69 | closed. | ||
70 | .TP | ||
71 | \f\private-dev | ||
72 | Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available. | ||
73 | |||
74 | .SH Filters | ||
75 | \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples: | ||
76 | |||
77 | .TP | ||
78 | caps | ||
79 | Enable default Linux capabilities filter. | ||
80 | .TP | ||
81 | caps.drop all | ||
82 | Blacklist all Linux capabilities. | ||
83 | .TP | ||
84 | caps.drop capability,capability,capability | ||
85 | Blacklist Linux capabilities filter. | ||
86 | .TP | ||
87 | caps.drop capability,capability,capability | ||
88 | Whitelist Linux capabilities filter. | ||
89 | .TP | ||
90 | \f\seccomp | ||
91 | Enable default seccomp filter. | ||
92 | .TP | ||
93 | \f\seccomp syscall,syscall,syscall | ||
94 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. | ||
95 | .TP | ||
96 | \f\seccomp.drop syscall,syscall,syscall | ||
97 | Enable seccomp filter and blacklist the system calls in the list. | ||
98 | .TP | ||
99 | \f\seccomp.keep syscall,syscall,syscall | ||
100 | Enable seccomp filter and whitelist the system calls in the list. | ||
101 | |||
102 | |||
103 | .SH User Namespace | ||
104 | Use \fBnoroot\fR to enable an user namespace. The namespace has only one user, the current user. | ||
105 | There is no root account defined in the namespace. | ||
106 | |||
107 | .TP | ||
108 | noroot | ||
109 | Enable an user namespace without root user defined. | ||
110 | |||
111 | |||
112 | .SH Resource limits | ||
113 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | ||
114 | The limits can be modified inside the sandbox using the regular \fBulimt\fR command. Examples: | ||
115 | |||
116 | .TP | ||
117 | \f\rlimit-fsize 1024 | ||
118 | Set the maximum file size that can be created by a process to 1024 bytes. | ||
119 | .TP | ||
120 | \f\rlimit-nproc 1000 | ||
121 | Set the maximum number of processes that can be created for the real user ID of the calling process to 1000. | ||
122 | .TP | ||
123 | \f\rlimit-nofile 500 | ||
124 | Set the maximum number of files that can be opened by a process to 500. | ||
125 | .TP | ||
126 | \f\rlimit-sigpending 200 | ||
127 | Set the maximum number of processes that can be created for the real user ID of the calling process to 200. | ||
128 | |||
129 | .SH CPU Affinity | ||
130 | Set the CPU cores available for this sandbox. Examples: | ||
131 | |||
132 | .TP | ||
133 | cpu 1,2,3 | ||
134 | Use only CPU cores 0, 1 and 2. | ||
135 | |||
136 | .SH Control Groups | ||
137 | Place the sandbox in an existing control group specified by the full path of the task file. Example: | ||
138 | |||
139 | .TP | ||
140 | cgroup /sys/fs/cgroup/g1/tasks | ||
141 | The sandbox is placed in g1 control group. | ||
142 | |||
143 | .SH User Environment | ||
144 | |||
145 | .TP | ||
146 | nogroups | ||
147 | Disable supplementary user groups | ||
148 | .TP | ||
149 | shell none | ||
150 | Run the program directly, without a shell. | ||
151 | |||
152 | .SH Networking | ||
153 | Networking features available in profile files. | ||
154 | |||
155 | .TP | ||
156 | netfilter | ||
157 | If a new network namespace is created, enabled default network filter. | ||
158 | |||
159 | .TP | ||
160 | netfilter filename | ||
161 | If a new network namespace is created, enabled the network filter in filename. | ||
162 | |||
163 | .TP | ||
164 | dns address | ||
165 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | ||
166 | |||
167 | |||
168 | .SH FILES | ||
169 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile | ||
170 | |||
171 | .SH LICENSE | ||
172 | Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | ||
173 | .PP | ||
174 | Homepage: http://firejail.sourceforge.net | ||
175 | .SH SEE ALSO | ||
176 | \&\flfirejail\fR\|(1), | ||
177 | \&\flfiremon\fR\|(1), | ||
178 | \&\flfirejail-login\fR\|(5) | ||
179 | |||
180 | |||
181 | |||
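Review bot: the `\f\` font escapes used throughout this file (`\f\include other.profile`, `\f\blacklist /usr/bin`, `\f\seccomp`, and every other `\f\` entry) are not valid troff. `\f` takes the font name from the next character, so `\f\b...` is mangled rather than rendered bold; each of these should read `\fBinclude\fR`, `\fBblacklist\fR`, and so on, matching the `\fBblacklist\fR` form the DESCRIPTION and Filesystem paragraphs already use. The same applies to `\flfirejail\fR` and the other SEE ALSO entries, where `\fl` should be `\fI` (italic). Other points in this hunk: the second `caps.drop capability,capability,capability` entry is described as the whitelist form and should be `caps.keep`; the `rlimit-sigpending 200` description is copied from `rlimit-nproc` and should say it caps the number of pending signals for the process; `cpu 1,2,3` is described as "Use only CPU cores 0, 1 and 2", so the list and the text need to agree (the kernel numbers cores from 0); `/etc/password` in the blacklist and read-only examples should be `/etc/passwd`; `ulimt` should be `ulimit`, and since an unprivileged process can only lower its hard limit with `ulimit`, it would help to state whether these entries set the soft limit, the hard limit, or both; "enabled default network filter" and "enabled the network filter in filename" should read "enable"; "an user namespace" should be "a user namespace"; and `.TH man 5` should carry the page name (FIREJAIL-PROFILE) in the title field rather than "man".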