Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 202 |
1 files changed, 179 insertions, 23 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9045c1122..fa522c154 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example: | |||
44 | .RS | 44 | .RS |
45 | $ firejail | 45 | $ firejail |
46 | .br | 46 | .br |
47 | Reading profile /etc/firejail/generic.profile | 47 | Reading profile /etc/firejail/default.profile |
48 | .br | 48 | .br |
49 | Parent pid 8553, child pid 8554 | 49 | Parent pid 8553, child pid 8554 |
50 | .br | 50 | .br |
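Review bot: the example output now reads `Reading profile /etc/firejail/default.profile`, but the hunk only touches this one line; please check that the paragraph introducing the example ("To disable default profile loading, use --noprofile ...") and every other mention of generic.profile in this man page were updated to the same filename, otherwise the description and the example disagree about which file is the default profile.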
@@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac | |||
93 | Example: "noblacklist ${HOME}/.mozilla" | 93 | Example: "noblacklist ${HOME}/.mozilla" |
94 | 94 | ||
95 | .TP | 95 | .TP |
96 | \fBignore command | 96 | \fBignore |
97 | Ignore command. | 97 | Ignore command. |
98 | 98 | ||
99 | Example: "ignore seccomp" | 99 | Example: "ignore seccomp" |
100 | 100 | ||
101 | .TP | ||
102 | \fBquiet | ||
103 | Disable Firejail's output. This should be the first uncommented command in the profile file. | ||
104 | |||
105 | Example: "quiet" | ||
106 | |||
101 | .SH Filesystem | 107 | .SH Filesystem |
102 | These profile entries define a chroot filesystem built on top of the existing | 108 | These profile entries define a chroot filesystem built on top of the existing |
103 | host filesystem. Each line describes a file element that is removed from | 109 | host filesystem. Each line describes a file element that is removed from |
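Review bot: `\fBignore` drops the argument placeholder from the heading while the example `ignore seccomp` still takes one; keep the old `\fBignore command` heading so the entry follows the `\fBname argument` form used by the other entries (`\fBread-only file_or_directory`, `\fBbind directory1,directory2`). For the new `\fBquiet` entry, "This should be the first uncommented command in the profile file" would be clearer with one sentence on the consequence of putting it later (is output produced before that line still printed?).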
@@ -122,11 +128,16 @@ blacklist ${PATH}/ifconfig | |||
122 | blacklist ${HOME}/.ssh | 128 | blacklist ${HOME}/.ssh |
123 | 129 | ||
124 | .TP | 130 | .TP |
125 | \fBread-only file_or_directory | 131 | \fBblacklist-nolog file_or_directory |
126 | Make directory or file read-only. | 132 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. |
127 | .TP | 133 | blacklist-nolog command disables syslog messages for this particular file or directory. Examples: |
128 | \fBtmpfs directory | 134 | .br |
129 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | 135 | |
136 | .br | ||
137 | blacklist-nolog /usr/bin | ||
138 | .br | ||
139 | blacklist-nolog /usr/bin/gcc* | ||
140 | |||
130 | .TP | 141 | .TP |
131 | \fBbind directory1,directory2 | 142 | \fBbind directory1,directory2 |
132 | Mount-bind directory1 on top of directory2. This option is only available when running as root. | 143 | Mount-bind directory1 on top of directory2. This option is only available when running as root. |
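Review bot: the `\fBblacklist-nolog` description says the command "disables syslog messages for this particular file or directory" but never says whether the path is also blacklisted; state explicitly that blacklist-nolog is a blacklist entry that stays silent under tracelog (or, if that is not the case, that it only suppresses logging for an existing `blacklist` line), since a profile author choosing between the two needs to know whether access is still denied. Also, `--tracelog` should use the `\fB--tracelog\fR` option formatting used elsewhere in this page, and the empty `.br` / blank line / `.br` block after "Examples:" (lines 134-136) leaves an odd gap before the first example.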
@@ -135,8 +146,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
135 | Mount-bind file1 on top of file2. This option is only available when running as root. | 146 | Mount-bind file1 on top of file2. This option is only available when running as root. |
136 | .TP | 147 | .TP |
137 | \fBmkdir directory | 148 | \fBmkdir directory |
138 | Create a directory in user home. Use this command for whitelisted directories you need to preserve | 149 | Create a directory in user home before the sandbox is started. |
139 | when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from | 150 | The directory is created if it doesn't already exist. |
151 | .br | ||
152 | |||
153 | .br | ||
154 | Use this command for whitelisted directories you need to preserve | ||
155 | when the sandbox is closed. Without it, the application will create the directory, and the directory | ||
156 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from | ||
140 | firefox profile: | 157 | firefox profile: |
141 | .br | 158 | .br |
142 | 159 | ||
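Review bot: "Create a directory in user home before the sandbox is started" should say what happens with a path outside the user home (rejected, or created as given?), because the directory is created with the user's privileges before any sandbox restriction applies. The new sentence "Subdirectories are recursively created" directly contradicts the removed "Subdirectories also need to be created using mkdir", so the firefox example that follows must drop the intermediate `mkdir ~/.cache` and `mkdir ~/.cache/mozilla` lines, as the next hunk does; please keep the two in sync if either is reverted.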
@@ -145,14 +162,17 @@ mkdir ~/.mozilla | |||
145 | .br | 162 | .br |
146 | whitelist ~/.mozilla | 163 | whitelist ~/.mozilla |
147 | .br | 164 | .br |
148 | mkdir ~/.cache | ||
149 | .br | ||
150 | mkdir ~/.cache/mozilla | ||
151 | .br | ||
152 | mkdir ~/.cache/mozilla/firefox | 165 | mkdir ~/.cache/mozilla/firefox |
153 | .br | 166 | .br |
154 | whitelist ~/.cache/mozilla/firefox | 167 | whitelist ~/.cache/mozilla/firefox |
155 | .TP | 168 | .TP |
169 | \fBmkfile file | ||
170 | Similar to mkdir, this command creates a file in user home before the sandbox is started. | ||
171 | The file is created if it doesn't already exist, but it's target directory has to exist. | ||
172 | .TP | ||
173 | \fBnoexec file_or_directory | ||
174 | Remount the file or the directory noexec, nodev and nosuid. | ||
175 | .TP | ||
156 | \fBprivate | 176 | \fBprivate |
157 | Mount new /root and /home/user directories in temporary | 177 | Mount new /root and /home/user directories in temporary |
158 | filesystems. All modifications are discarded when the sandbox is | 178 | filesystems. All modifications are discarded when the sandbox is |
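Review bot: typo in the `\fBmkfile` entry: "it's target directory has to exist" should read "its target directory has to exist". The `\fBnoexec` entry ("Remount the file or the directory noexec, nodev and nosuid") should say whether the flags apply only to the named path or also to mounts beneath it, and what "remount" means for a single file argument, since a file is not a mount point.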
@@ -161,6 +181,12 @@ closed. | |||
161 | \fBprivate directory | 181 | \fBprivate directory |
162 | Use directory as user home. | 182 | Use directory as user home. |
163 | .TP | 183 | .TP |
184 | \fBprivate-home file,directory | ||
185 | Build a new user home in a temporary | ||
186 | filesystem, and copy the files and directories in the list in the | ||
187 | new home. All modifications are discarded when the sandbox is | ||
188 | closed. | ||
189 | .TP | ||
164 | \fBprivate-bin file,file | 190 | \fBprivate-bin file,file |
165 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 191 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
166 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | 192 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. |
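Review bot: `\fBprivate-home file,directory` gives no example and does not say whether list entries are relative to the user home (as `\fBprivate-etc` entries are relative to /etc) or absolute paths; add an example in the style of the private-etc entry and state the rule, and say whether ownership and permissions of the copied files are preserved in the new home.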
@@ -173,20 +199,54 @@ Build a new /etc in a temporary | |||
173 | filesystem, and copy the files and directories in the list. | 199 | filesystem, and copy the files and directories in the list. |
174 | All modifications are discarded when the sandbox is closed. | 200 | All modifications are discarded when the sandbox is closed. |
175 | .TP | 201 | .TP |
202 | \fBprivate-opt file,directory | ||
203 | Build a new /optin a temporary | ||
204 | filesystem, and copy the files and directories in the list. | ||
205 | All modifications are discarded when the sandbox is closed. | ||
206 | .TP | ||
207 | \fBprivate-srv file,directory | ||
208 | Build a new /srv in a temporary | ||
209 | filesystem, and copy the files and directories in the list. | ||
210 | All modifications are discarded when the sandbox is closed. | ||
211 | .TP | ||
176 | \fBprivate-tmp | 212 | \fBprivate-tmp |
177 | Mount an empty temporary filesystem on top of /tmp directory. | 213 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
178 | .TP | 214 | .TP |
179 | \fBwhitelist file_or_directory | 215 | \fBread-only file_or_directory |
180 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. | 216 | Make directory or file read-only. |
181 | The modifications to file_or_directory are persistent, everything else is discarded | 217 | .TP |
182 | when the sandbox is closed. | 218 | \fBread-write file_or_directory |
219 | Make directory or file read-write. | ||
220 | .TP | ||
221 | \fBtmpfs directory | ||
222 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | ||
183 | .TP | 223 | .TP |
184 | \fBtracelog | 224 | \fBtracelog |
185 | Blacklist violations logged to syslog. | 225 | Blacklist violations logged to syslog. |
226 | .TP | ||
227 | \fBwhitelist file_or_directory | ||
228 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
229 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
230 | everything else is discarded when the sandbox is closed. The top directory could be | ||
231 | user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. | ||
232 | .br | ||
233 | |||
234 | .br | ||
235 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
236 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
237 | .TP | ||
238 | \fBwritable-etc | ||
239 | Mount /etc directory read-write. | ||
240 | .TP | ||
241 | \fBwritable-var | ||
242 | Mount /var directory read-write. | ||
186 | .SH Security filters | 243 | .SH Security filters |
187 | The following security filters are currently implemented: | 244 | The following security filters are currently implemented: |
188 | 245 | ||
189 | .TP | 246 | .TP |
247 | \fBapparmor | ||
248 | Enable AppArmor confinement. | ||
249 | .TP | ||
190 | \fBcaps | 250 | \fBcaps |
191 | Enable default Linux capabilities filter. | 251 | Enable default Linux capabilities filter. |
192 | .TP | 252 | .TP |
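Review bot: typo at new line 203: "Build a new /optin a temporary" should be "Build a new /opt in a temporary". In the `\fBwhitelist` entry, "mount-binded" should be "bind-mounted" (the term already used in the `\fBprivate-bin` entry), and "The top directory could be user home, /dev, ..." reads better as "The top directory must be one of: user home, /dev, ...". The new `\fBapparmor` entry is a single sentence; it should name the AppArmor profile that is applied and say what happens when AppArmor is not available on the host.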
@@ -205,10 +265,7 @@ first argument to socket system call. Recognized values: \fBunix\fR, | |||
205 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. | 265 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. |
206 | .TP | 266 | .TP |
207 | \fBseccomp | 267 | \fBseccomp |
208 | Enable default seccomp filter. The default list is as follows: | 268 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
209 | mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, | ||
210 | iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev, | ||
211 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp. | ||
212 | .TP | 269 | .TP |
213 | \fBseccomp syscall,syscall,syscall | 270 | \fBseccomp syscall,syscall,syscall |
214 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. | 271 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
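Review bot: "See man 1 firejail for more details" should use the man-page cross-reference form used in SEE ALSO (`\fBfirejail\fR(1)`). Dropping the explicit default syscall list from this page is reasonable only if firejail(1) actually carries the list; otherwise the removed lines (mount, umount2, ptrace, kexec_load, ...) disappear from the documentation entirely, and a reader can no longer tell what `seccomp` without arguments blocks.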
@@ -219,9 +276,32 @@ Enable seccomp filter and blacklist the system calls in the list. | |||
219 | \fBseccomp.keep syscall,syscall,syscall | 276 | \fBseccomp.keep syscall,syscall,syscall |
220 | Enable seccomp filter and whitelist the system calls in the list. | 277 | Enable seccomp filter and whitelist the system calls in the list. |
221 | .TP | 278 | .TP |
279 | \fBnonewprivs | ||
280 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | ||
281 | cannot acquire new privileges using execve(2); in particular, | ||
282 | this means that calling a suid binary (or one with file capabilities) | ||
283 | does not result in an increase of privilege. | ||
284 | .TP | ||
222 | \fBnoroot | 285 | \fBnoroot |
223 | Use this command to enable an user namespace. The namespace has only one user, the current user. | 286 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
224 | There is no root account (uid 0) defined in the namespace. | 287 | There is no root account (uid 0) defined in the namespace. |
288 | .TP | ||
289 | \fBx11 | ||
290 | Enable X11 sandboxing. | ||
291 | .TP | ||
292 | \fBx11 none | ||
293 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | ||
294 | Remove DISPLAY and XAUTHORITY environment variables. | ||
295 | Stop with error message if X11 abstract socket will be accessible in jail. | ||
296 | .TP | ||
297 | \fBx11 xephyr | ||
298 | Enable X11 sandboxing with xephyr. | ||
299 | .TP | ||
300 | \fBx11 xorg | ||
301 | Enable X11 sandboxing with X11 security extension. | ||
302 | .TP | ||
303 | \fBx11 xpra | ||
304 | Enable X11 sandboxing with xpra. | ||
225 | 305 | ||
226 | .SH Resource limits, CPU affinity, Control Groups | 306 | .SH Resource limits, CPU affinity, Control Groups |
227 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | 307 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. |
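Review bot: grammar in the `\fBx11 none` entry: "Stop with error message if X11 abstract socket will be accessible in jail" should read "Stop with an error message if the X11 abstract socket would be accessible in the sandbox". The `\fBnonewprivs` entry opens with "Sets" while every other entry uses the imperative ("Enable", "Use"); change to "Set the NO_NEW_PRIVS prctl". Since `x11 none` blacklists /tmp/.X11-unix and `\fBprivate-tmp` (new line 213) whitelists the same directory, a sentence on how the two interact would help profile authors.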
@@ -255,6 +335,10 @@ The sandbox is placed in g1 control group. | |||
255 | 335 | ||
256 | .SH User Environment | 336 | .SH User Environment |
257 | .TP | 337 | .TP |
338 | \fBallusers | ||
339 | All user home directories are visible inside the sandbox. By default, only current user home directory is visible. | ||
340 | |||
341 | .TP | ||
258 | \fBname sandboxname | 342 | \fBname sandboxname |
259 | Set sandbox name. Example: | 343 | Set sandbox name. Example: |
260 | .br | 344 | .br |
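Review bot: the `\fBallusers` entry is followed by a blank line before `.TP` (new line 340) whereas the neighbouring `\fBname` entry is not; drop it for consistency. The text should also say how `allusers` interacts with `\fBprivate` and `\fBprivate-home`, which replace the user home with a temporary filesystem.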
@@ -284,9 +368,18 @@ Enable IPC namespace. | |||
284 | .TP | 368 | .TP |
285 | \fBnosound | 369 | \fBnosound |
286 | Disable sound system. | 370 | Disable sound system. |
371 | .TP | ||
372 | \fBno3d | ||
373 | Disable 3D hardware acceleration. | ||
374 | |||
287 | .SH Networking | 375 | .SH Networking |
288 | Networking features available in profile files. | 376 | Networking features available in profile files. |
289 | 377 | ||
378 | .TP | ||
379 | \fBdefaultgw address | ||
380 | Use this address as default gateway in the new network namespace. | ||
381 | |||
382 | .TP | ||
290 | \fBdns address | 383 | \fBdns address |
291 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | 384 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. |
292 | 385 | ||
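Review bot: the `\fBdefaultgw address` entry should say how it interacts with `\fBip` and `\fBiprange`, whose descriptions state that "A default gateway is assigned by default": does defaultgw override the automatically assigned gateway, and is it accepted for an interface configured with `ip none`? Also, "in the new network namespace" presumes a `net` command came first; say that the command has no effect without one.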
@@ -295,6 +388,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. | |||
295 | Set a hostname for the sandbox. | 388 | Set a hostname for the sandbox. |
296 | 389 | ||
297 | .TP | 390 | .TP |
391 | \fBip address | ||
392 | Assign IP addresses to the last network interface defined by a net command. A | ||
393 | default gateway is assigned by default. | ||
394 | .br | ||
395 | |||
396 | .br | ||
397 | Example: | ||
398 | .br | ||
399 | net eth0 | ||
400 | .br | ||
401 | ip 10.10.20.56 | ||
402 | |||
403 | .TP | ||
404 | \fBip none | ||
405 | No IP address and no default gateway are configured for the last interface | ||
406 | defined by a net command. Use this option | ||
407 | in case you intend to start an external DHCP client in the sandbox. | ||
408 | .br | ||
409 | |||
410 | .br | ||
411 | Example: | ||
412 | .br | ||
413 | net eth0 | ||
414 | .br | ||
415 | ip none | ||
416 | |||
417 | .TP | ||
418 | \fBip6 address | ||
419 | Assign IPv6 addresses to the last network interface defined by a net command. | ||
420 | .br | ||
421 | |||
422 | .br | ||
423 | Example: | ||
424 | .br | ||
425 | net eth0 | ||
426 | .br | ||
427 | ip6 2001:0db8:0:f101::1/64 | ||
428 | |||
429 | .TP | ||
298 | \fBiprange address,address | 430 | \fBiprange address,address |
299 | Assign an IP address in the provided range to the last network | 431 | Assign an IP address in the provided range to the last network |
300 | interface defined by a net command. A default gateway is assigned by default. | 432 | interface defined by a net command. A default gateway is assigned by default. |
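Review bot: the `\fBip6` example carries a prefix length (`2001:0db8:0:f101::1/64`) while the `\fBip` example does not (`10.10.20.56`); document whether `ip` accepts a prefix and, if not, where the IPv4 netmask comes from. "Assign IP addresses" and "Assign IPv6 addresses" are plural although each command takes one address; use the singular. The `\fBip none` entry, intended for an external DHCP client, should say whether `defaultgw` is honoured in that case.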
@@ -311,6 +443,20 @@ iprange 192.168.1.150,192.168.1.160 | |||
311 | .br | 443 | .br |
312 | 444 | ||
313 | .TP | 445 | .TP |
446 | \fBmac address | ||
447 | Assign MAC addresses to the last network interface defined by a net command. | ||
448 | |||
449 | .TP | ||
450 | \fBmachine-id | ||
451 | Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. | ||
452 | |||
453 | .TP | ||
454 | \fBmtu number | ||
455 | Assign a MTU value to the last network interface defined by a net command. | ||
456 | |||
457 | |||
458 | |||
459 | .TP | ||
314 | \fBnetfilter | 460 | \fBnetfilter |
315 | If a new network namespace is created, enabled default network filter. | 461 | If a new network namespace is created, enabled default network filter. |
316 | 462 | ||
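Review bot: new lines 456-458 leave three blank lines before `.TP` where one is used elsewhere. `\fBmachine-id` concerns /etc/machine-id, not networking; it sits between `mac` and `mtu` only alphabetically and belongs under User Environment or the new Other section. Its text should also spell out the trade-off the default protects against: preserving the id means the sandboxed program sees the host's persistent machine identifier rather than a fresh random one. "Assign MAC addresses" should be singular.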
@@ -345,6 +491,17 @@ available in the new namespace is a new loopback interface (lo). | |||
345 | Use this option to deny network access to programs that don't | 491 | Use this option to deny network access to programs that don't |
346 | really need network access. | 492 | really need network access. |
347 | 493 | ||
494 | .TP | ||
495 | \fBveth-name name | ||
496 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, | ||
497 | instead of the default one. | ||
498 | |||
499 | .SH Other | ||
500 | .TP | ||
501 | \fBjoin-or-start sandboxname | ||
502 | Join the sandbox identified by name or start a new one. | ||
503 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". | ||
504 | |||
348 | .SH RELOCATING PROFILES | 505 | .SH RELOCATING PROFILES |
349 | For various reasons some users might want to keep the profile files in a different directory. | 506 | For various reasons some users might want to keep the profile files in a different directory. |
350 | Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles | 507 | Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles |
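Review bot: in the `\fBveth-name` entry, `--net=bridge_interface` should be formatted as `\fB--net=bridge_interface\fR`, matching `\fB--profile-path\fR` in the section below. The `\fBjoin-or-start` entry should say whether the remaining commands in the profile are applied when an existing sandbox is joined, since a reader may expect the profile to be enforced in both branches; if they are ignored in the join case, say so.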
@@ -388,7 +545,6 @@ Homepage: http://firejail.wordpress.com | |||
388 | \&\flfiremon\fR\|(1), | 545 | \&\flfiremon\fR\|(1), |
389 | \&\flfirecfg\fR\|(1), | 546 | \&\flfirecfg\fR\|(1), |
390 | \&\flfirejail-login\fR\|(5) | 547 | \&\flfirejail-login\fR\|(5) |
391 | \&\flfirejail-config\fR\|(5) | ||
392 | 548 | ||
393 | 549 | ||
394 | 550 | ||
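Review bot: removing `firejail-config(5)` from SEE ALSO should go together with removal of that man page from the build, or a line in the commit message explaining why the cross-reference is dropped; if the page still ships, the entry should stay. Separately, the font escapes on these lines read `\fl` (lowercase L), which is not a troff font selector; unless this is an artefact of the rendering, they should be `\fI` for italics.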