1 files changed, 164 insertions, 160 deletions

diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 4edb0902e..47cb7ccde 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -611,8 +611,9 @@ Example:
 $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
 
 .TP
-\fB\-\-dbus-user.talk=name
-Allows the application to talk to the specified well-known name on the session DBus.
+\fB\-\-dbus-user.see=name
+Allows the application to see, but not talk to the specified well-known name on
+the session DBus.
 The name may have a .* suffix to match all names underneath it, including itself
 (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
 not "foobar").
@@ -621,14 +622,13 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.talk=\\
+$ firejail --dbus-user=filter --dbus-user.see=\\
 .br
 org.freedesktop.Notifications
 
 .TP
-\fB\-\-dbus-user.see=name
-Allows the application to see, but not talk to the specified well-known name on
-the session DBus.
+\fB\-\-dbus-user.talk=name
+Allows the application to talk to the specified well-known name on the session DBus.
 The name may have a .* suffix to match all names underneath it, including itself
 (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
 not "foobar").
@@ -637,7 +637,7 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.see=\\
+$ firejail --dbus-user=filter --dbus-user.talk=\\
 .br
 org.freedesktop.Notifications
 #endif
@@ -888,6 +888,32 @@ Example:
 .br
 $ firejail \-\-hosts-file=~/myhosts firefox
 
+.TP
+\fB\-\-icmptrace[=name|pid]
+Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+Example
+.br
+$ sudo firejail --icmptrace
+.br
+20:53:54  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
+.br
+20:53:54  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
+.br
+20:53:55  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
+.br
+20:53:55  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
+.br
+20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
+.br
+
 #ifdef HAVE_IDS
 .TP
 \fB\-\-ids-check
@@ -925,33 +951,7 @@ $ firejail \-\-ignore="net eth0" firefox
 #endif
 
 .TP
-\fB\-\-icmptrace[=name|pid]
-Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
-
-.br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br
-
-.br
-Example
-.br
-$ sudo firejail --icmptrace
-.br
-20:53:54  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
-.br
-20:53:54  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
-.br
-20:53:55  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
-.br
-20:53:55  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
-.br
-20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
-.br
-
-.TP
-\fB\-\-\include=file.profile
+\fB\-\-include=file.profile
 Include a profile file before the regular profiles are used.
 .br
 
@@ -984,23 +984,6 @@ Example:
 $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox
 
 .TP
-\fB\-\-ip=none
-No IP address and no default gateway are configured for the last interface
-defined by a \-\-net option. Use this option
-in case you intend to start an external DHCP client in the sandbox.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-net=eth0 \-\-\ip=none
-.br
-
-.br
-If the corresponding interface doesn't have an IP address configured, this
-option is enabled by default.
-
-.TP
 \fB\-\-ip=dhcp
 Acquire an IP address and default gateway for the last interface defined by a
 \-\-net option, as well as set the DNS servers according to the DHCP response.
@@ -1026,6 +1009,23 @@ a DHCP client and releasing the lease manually in conjunction with the
 \-\-net=none option.
 
 .TP
+\fB\-\-ip=none
+No IP address and no default gateway are configured for the last interface
+defined by a \-\-net option. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-ip=none
+.br
+
+.br
+If the corresponding interface doesn't have an IP address configured, this
+option is enabled by default.
+
+.TP
 \fB\-\-ip6=address
 Assign IPv6 addresses to the last network interface defined by a \-\-net option.
 .br
@@ -1070,7 +1070,7 @@ default gateway is assigned by default.
 .br
 Example:
 .br
-$ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
+$ firejail \-\-net=eth0 \-\-iprange=192.168.1.100,192.168.1.150
 
 .TP
 \fB\-\-ipc-namespace
@@ -1241,30 +1241,30 @@ $ firejail --keep-var-tmp
 
 #ifdef HAVE_LANDLOCK
 .TP
-\fB\-\-landlock.enforce (experimental)
+\fB\-\-landlock.enforce\fR (experimental)
 Enforce the Landlock ruleset.
 Without it, the other Landlock commands have no effect.
 See the \fBLANDLOCK\fR section for more information.
 .TP
-\fB\-\-landlock.fs.read=path (experimental)
+\fB\-\-landlock.fs.read=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a read access
 rule for path.
 .TP
-\fB\-\-landlock.fs.write=path (experimental)
+\fB\-\-landlock.fs.write=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fB\-\-landlock.fs.makeipc=path (experimental)
+\fB\-\-landlock.fs.makeipc=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
 the given path.
 .TP
-\fB\-\-landlock.fs.makedev=path (experimental)
+\fB\-\-landlock.fs.makedev=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of block devices and character devices beneath the given
 path.
 .TP
-\fB\-\-landlock.fs.execute=path (experimental)
+\fB\-\-landlock.fs.execute=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add an execution
 permission rule for path.
 .br
@@ -1324,6 +1324,21 @@ Example:
 $ firejail \-\-machine-id
 
 .TP
+\fB\-\-memory-deny-write-execute
+Install a seccomp filter to block attempts to create memory mappings
+that are both writable and executable, to change mappings to be
+executable, or to create executable shared memory. The filter examines
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
+and shmat system calls and returns error EPERM to the process (or
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
+.br
+
+.br
+Note: shmat is not implemented
+as a system call on some platforms including i386, and it cannot be
+handled by seccomp-bpf.
+
+.TP
 \fB\-\-mkdir=dirname
 Create a directory in user home. Parent directories are created as needed.
 .br
@@ -1343,20 +1358,6 @@ Example:
 .br
 $ firejail --mkfile=~/work/project/readme
 
-.TP
-\fB\-\-memory-deny-write-execute
-Install a seccomp filter to block attempts to create memory mappings
-that are both writable and executable, to change mappings to be
-executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
-and shmat system calls and returns error EPERM to the process (or
-kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
-.br
-
-.br
-Note: shmat is not implemented
-as a system call on some platforms including i386, and it cannot be
-handled by seccomp-bpf.
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-mtu=number
@@ -1726,7 +1727,7 @@ Example:
 $ firejail --no3d firefox
 
 .TP
-\fB\-\-noautopulse \fR(deprecated)
+\fB\-\-noautopulse\fR (deprecated)
 See --keep-config-pulse.
 
 .TP
@@ -1772,7 +1773,7 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
-\fB\-\-nodbus \fR(deprecated)
+\fB\-\-nodbus\fR (deprecated)
 #ifdef HAVE_DBUSPROXY
 Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none.
 .br
@@ -1792,15 +1793,6 @@ Example:
 .br
 $ firejail \-\-nodvd
 .TP
-\fB\-\-noinput
-Disable input devices.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noinput
-.TP
 \fB\-\-noexec=dirname_or_filename
 Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
@@ -1845,6 +1837,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
 $
 
 .TP
+\fB\-\-noinput
+Disable input devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noinput
+
+.TP
 \fB\-\-nonewprivs
 Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,
@@ -3353,16 +3355,6 @@ $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 #endif
 .\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.
-.SH NAME VALIDATION
-For simplicity, the same name validation is used for multiple options.
-Rules:
-.PP
-The name must be 1-253 characters long.
-The name can only contain ASCII letters, digits and the special characters
-"-._" (that is, the name cannot contain spaces or control characters).
-The name cannot contain only digits.
-The first and last characters must be an ASCII letter or digit and the name
-may contain special characters in the middle.
 #ifdef HAVE_APPARMOR
 .SH APPARMOR
 .TP
@@ -3408,64 +3400,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
 
-#ifdef HAVE_LANDLOCK
-.SH LANDLOCK
-Warning: Landlock support in firejail is considered experimental and unstable.
-The contents of landlock-common.inc are likely to change and the feature is
-still being expanded upon in the Linux kernel.
-Also, note that its functionality overlaps with existing firejail features,
-such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
-Its filesystem access rules can currently only restrict direct access to paths;
-it is not able to make only select paths appear in the sandbox such as with the
-\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
-Lastly, note that depending on the Linux kernel version, Landlock may not
-protect all of the relevant syscalls (see the kernel's Landlock documentation
-for details).
-Therefore, it is recommended to treat Landlock as an extra layer of protection,
-to be used together with other firejail features (rather than as a bulletproof
-mechanism by itself).
-.PP
-Landlock is a Linux security module first introduced in version 5.13 of the
-Linux kernel.
-It allows unprivileged processes to restrict their access to the filesystem.
-Once imposed, these restrictions can never be removed, and all child processes
-created by a Landlock-restricted processes inherit these restrictions.
-Firejail supports Landlock as an additional sandboxing feature.
-It can be used to ensure that a sandboxed application can only access files and
-directories that it was explicitly allowed to access.
-Firejail supports populating the ruleset with both a basic set of rules (see
-landlock-common.inc) and with a custom set of rules.
-.TP
-Important notes:
-.PP
-.RS
-- Currently only Landlock ABI version 1 is supported.
-.PP
-- If "lsm=" is used in the kernel command line, it should contain "landlock"
-(such as "lsm=apparmor,landlock"), or else it will be disabled.
-.PP
-- A process can install a Landlock ruleset only if it has either
-\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
-Privileges" restriction enabled.
-Because of this, enabling the Landlock feature will also cause Firejail to
-enable the "No New Privileges" restriction, regardless of the profile or the
-\fB\-\-nonewprivs\fR command line option.
-.PP
-- Access to the /etc directory is automatically allowed.
-To override this, use the \fB\-\-writable\-etc\fR command line option.
-You can also use the \fB\-\-private\-etc\fR option to restrict access to the
-/etc directory.
-.RE
-.PP
-To enable Landlock self-restriction on top of your current Firejail security
-features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
-Without it, the other Landlock commands have no effect.
-Example:
-.PP
-$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
-.PP
-To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
-#endif
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
@@ -3519,37 +3453,37 @@ $ firejail --tree
       1221:netblue:/usr/lib/firefox/firefox
 .RE
 
-We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details.
+We provide a tool that automates all this integration, please see \fBfirecfg\fR(1) for more details.
 
 .SH EXAMPLES
 .TP
-\f\firejail
+\fBfirejail
 Sandbox a regular shell session.
 .TP
-\f\firejail firefox
+\fBfirejail firefox
 Start Mozilla Firefox.
 .TP
-\f\firejail \-\-debug firefox
+\fBfirejail \-\-debug firefox
 Debug Firefox sandbox.
 .TP
-\f\firejail \-\-private firefox
+\fBfirejail \-\-private firefox
 Start Firefox with a new, empty home directory.
 .TP
-\f\firejail --net=none vlc
+\fBfirejail --net=none vlc
 Start VLC in an unconnected network namespace.
 #ifdef HAVE_NETWORK
 .TP
-\f\firejail \-\-net=eth0 firefox
+\fBfirejail \-\-net=eth0 firefox
 Start Firefox in a new network namespace. An IP address is
 assigned automatically.
 .TP
-\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
+\fBfirejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
 Start a shell session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
 #endif
 .TP
-\f\firejail \-\-list
+\fBfirejail \-\-list
 List all sandboxed processes.
 
 .SH FILE GLOBBING
@@ -3713,6 +3647,65 @@ Currently while scanning the file system, symbolic links are not followed, and f
 The program can also be run as root (sudo firejail --ids-init/--ids-check).
 #endif
 
+#ifdef HAVE_LANDLOCK
+.SH LANDLOCK
+Warning: Landlock support in firejail is considered experimental and unstable.
+The contents of landlock-common.inc are likely to change and the feature is
+still being expanded upon in the Linux kernel.
+Also, note that its functionality overlaps with existing firejail features,
+such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
+Its filesystem access rules can currently only restrict direct access to paths;
+it is not able to make only select paths appear in the sandbox such as with the
+\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
+Lastly, note that depending on the Linux kernel version, Landlock may not
+protect all of the relevant syscalls (see the kernel's Landlock documentation
+for details).
+Therefore, it is recommended to treat Landlock as an extra layer of protection,
+to be used together with other firejail features (rather than as a bulletproof
+mechanism by itself).
+.PP
+Landlock is a Linux security module first introduced in version 5.13 of the
+Linux kernel.
+It allows unprivileged processes to restrict their access to the filesystem.
+Once imposed, these restrictions can never be removed, and all child processes
+created by a Landlock-restricted processes inherit these restrictions.
+Firejail supports Landlock as an additional sandboxing feature.
+It can be used to ensure that a sandboxed application can only access files and
+directories that it was explicitly allowed to access.
+Firejail supports populating the ruleset with both a basic set of rules (see
+landlock-common.inc) and with a custom set of rules.
+.TP
+Important notes:
+.PP
+.RS
+- Currently only Landlock ABI version 1 is supported.
+.PP
+- If "lsm=" is used in the kernel command line, it should contain "landlock"
+(such as "lsm=apparmor,landlock"), or else it will be disabled.
+.PP
+- A process can install a Landlock ruleset only if it has either
+\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
+Privileges" restriction enabled.
+Because of this, enabling the Landlock feature will also cause Firejail to
+enable the "No New Privileges" restriction, regardless of the profile or the
+\fB\-\-nonewprivs\fR command line option.
+.PP
+- Access to the /etc directory is automatically allowed.
+To override this, use the \fB\-\-writable\-etc\fR command line option.
+You can also use the \fB\-\-private\-etc\fR option to restrict access to the
+/etc directory.
+.RE
+.PP
+To enable Landlock self-restriction on top of your current Firejail security
+features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
+Without it, the other Landlock commands have no effect.
+Example:
+.PP
+$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
+.PP
+To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
+#endif
+
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
@@ -3770,6 +3763,17 @@ Sandbox running time in hours:minutes:seconds format.
 USER
 The owner of the sandbox.
 
+.SH NAME VALIDATION
+For simplicity, the same name validation is used for multiple options.
+Rules:
+.PP
+The name must be 1-253 characters long.
+The name can only contain ASCII letters, digits and the special characters
+"-._" (that is, the name cannot contain spaces or control characters).
+The name cannot contain only digits.
+The first and last characters must be an ASCII letter or digit and the name
+may contain special characters in the middle.
+
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
 /etc/passwd file for each user that needs to be restricted. Alternatively,