Diffstat (limited to 'src/man/firejail.1.in')
-rw-r--r-- | src/man/firejail.1.in | 324 |
1 files changed, 164 insertions, 160 deletions
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 4edb0902e..47cb7ccde 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -611,8 +611,9 @@ Example: | |||
611 | $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* | 611 | $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* |
612 | 612 | ||
613 | .TP | 613 | .TP |
614 | \fB\-\-dbus-user.talk=name | 614 | \fB\-\-dbus-user.see=name |
615 | Allows the application to talk to the specified well-known name on the session DBus. | 615 | Allows the application to see, but not talk to the specified well-known name on |
616 | the session DBus. | ||
616 | The name may have a .* suffix to match all names underneath it, including itself | 617 | The name may have a .* suffix to match all names underneath it, including itself |
617 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | 618 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but |
618 | not "foobar"). | 619 | not "foobar"). |
@@ -621,14 +622,13 @@ not "foobar"). | |||
621 | .br | 622 | .br |
622 | Example: | 623 | Example: |
623 | .br | 624 | .br |
624 | $ firejail --dbus-user=filter --dbus-user.talk=\\ | 625 | $ firejail --dbus-user=filter --dbus-user.see=\\ |
625 | .br | 626 | .br |
626 | org.freedesktop.Notifications | 627 | org.freedesktop.Notifications |
627 | 628 | ||
628 | .TP | 629 | .TP |
629 | \fB\-\-dbus-user.see=name | 630 | \fB\-\-dbus-user.talk=name |
630 | Allows the application to see, but not talk to the specified well-known name on | 631 | Allows the application to talk to the specified well-known name on the session DBus. |
631 | the session DBus. | ||
632 | The name may have a .* suffix to match all names underneath it, including itself | 632 | The name may have a .* suffix to match all names underneath it, including itself |
633 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | 633 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but |
634 | not "foobar"). | 634 | not "foobar"). |
@@ -637,7 +637,7 @@ not "foobar"). | |||
637 | .br | 637 | .br |
638 | Example: | 638 | Example: |
639 | .br | 639 | .br |
640 | $ firejail --dbus-user=filter --dbus-user.see=\\ | 640 | $ firejail --dbus-user=filter --dbus-user.talk=\\ |
641 | .br | 641 | .br |
642 | org.freedesktop.Notifications | 642 | org.freedesktop.Notifications |
643 | #endif | 643 | #endif |
@@ -888,6 +888,32 @@ Example: | |||
888 | .br | 888 | .br |
889 | $ firejail \-\-hosts-file=~/myhosts firefox | 889 | $ firejail \-\-hosts-file=~/myhosts firefox |
890 | 890 | ||
891 | .TP | ||
892 | \fB\-\-icmptrace[=name|pid] | ||
893 | Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes | ||
894 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
895 | .br | ||
896 | |||
897 | .br | ||
898 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
899 | .br | ||
900 | |||
901 | .br | ||
902 | Example | ||
903 | .br | ||
904 | $ sudo firejail --icmptrace | ||
905 | .br | ||
906 | 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
907 | .br | ||
908 | 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
909 | .br | ||
910 | 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
911 | .br | ||
912 | 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
913 | .br | ||
914 | 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable | ||
915 | .br | ||
916 | |||
891 | #ifdef HAVE_IDS | 917 | #ifdef HAVE_IDS |
892 | .TP | 918 | .TP |
893 | \fB\-\-ids-check | 919 | \fB\-\-ids-check |
@@ -925,33 +951,7 @@ $ firejail \-\-ignore="net eth0" firefox | |||
925 | #endif | 951 | #endif |
926 | 952 | ||
927 | .TP | 953 | .TP |
928 | \fB\-\-icmptrace[=name|pid] | 954 | \fB\-\-include=file.profile |
929 | Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes | ||
930 | created with \-\-net are supported. This option is only available when running the sandbox as root. | ||
931 | .br | ||
932 | |||
933 | .br | ||
934 | Without a name/pid, Firejail will monitor the main system network namespace. | ||
935 | .br | ||
936 | |||
937 | .br | ||
938 | Example | ||
939 | .br | ||
940 | $ sudo firejail --icmptrace | ||
941 | .br | ||
942 | 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
943 | .br | ||
944 | 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
945 | .br | ||
946 | 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0 | ||
947 | .br | ||
948 | 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0 | ||
949 | .br | ||
950 | 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable | ||
951 | .br | ||
952 | |||
953 | .TP | ||
954 | \fB\-\-\include=file.profile | ||
955 | Include a profile file before the regular profiles are used. | 955 | Include a profile file before the regular profiles are used. |
956 | .br | 956 | .br |
957 | 957 | ||
@@ -984,23 +984,6 @@ Example: | |||
984 | $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox | 984 | $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox |
985 | 985 | ||
986 | .TP | 986 | .TP |
987 | \fB\-\-ip=none | ||
988 | No IP address and no default gateway are configured for the last interface | ||
989 | defined by a \-\-net option. Use this option | ||
990 | in case you intend to start an external DHCP client in the sandbox. | ||
991 | .br | ||
992 | |||
993 | .br | ||
994 | Example: | ||
995 | .br | ||
996 | $ firejail \-\-net=eth0 \-\-\ip=none | ||
997 | .br | ||
998 | |||
999 | .br | ||
1000 | If the corresponding interface doesn't have an IP address configured, this | ||
1001 | option is enabled by default. | ||
1002 | |||
1003 | .TP | ||
1004 | \fB\-\-ip=dhcp | 987 | \fB\-\-ip=dhcp |
1005 | Acquire an IP address and default gateway for the last interface defined by a | 988 | Acquire an IP address and default gateway for the last interface defined by a |
1006 | \-\-net option, as well as set the DNS servers according to the DHCP response. | 989 | \-\-net option, as well as set the DNS servers according to the DHCP response. |
@@ -1026,6 +1009,23 @@ a DHCP client and releasing the lease manually in conjunction with the | |||
1026 | \-\-net=none option. | 1009 | \-\-net=none option. |
1027 | 1010 | ||
1028 | .TP | 1011 | .TP |
1012 | \fB\-\-ip=none | ||
1013 | No IP address and no default gateway are configured for the last interface | ||
1014 | defined by a \-\-net option. Use this option | ||
1015 | in case you intend to start an external DHCP client in the sandbox. | ||
1016 | .br | ||
1017 | |||
1018 | .br | ||
1019 | Example: | ||
1020 | .br | ||
1021 | $ firejail \-\-net=eth0 \-\-ip=none | ||
1022 | .br | ||
1023 | |||
1024 | .br | ||
1025 | If the corresponding interface doesn't have an IP address configured, this | ||
1026 | option is enabled by default. | ||
1027 | |||
1028 | .TP | ||
1029 | \fB\-\-ip6=address | 1029 | \fB\-\-ip6=address |
1030 | Assign IPv6 addresses to the last network interface defined by a \-\-net option. | 1030 | Assign IPv6 addresses to the last network interface defined by a \-\-net option. |
1031 | .br | 1031 | .br |
@@ -1070,7 +1070,7 @@ default gateway is assigned by default. | |||
1070 | .br | 1070 | .br |
1071 | Example: | 1071 | Example: |
1072 | .br | 1072 | .br |
1073 | $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 | 1073 | $ firejail \-\-net=eth0 \-\-iprange=192.168.1.100,192.168.1.150 |
1074 | 1074 | ||
1075 | .TP | 1075 | .TP |
1076 | \fB\-\-ipc-namespace | 1076 | \fB\-\-ipc-namespace |
@@ -1241,30 +1241,30 @@ $ firejail --keep-var-tmp | |||
1241 | 1241 | ||
1242 | #ifdef HAVE_LANDLOCK | 1242 | #ifdef HAVE_LANDLOCK |
1243 | .TP | 1243 | .TP |
1244 | \fB\-\-landlock.enforce (experimental) | 1244 | \fB\-\-landlock.enforce\fR (experimental) |
1245 | Enforce the Landlock ruleset. | 1245 | Enforce the Landlock ruleset. |
1246 | Without it, the other Landlock commands have no effect. | 1246 | Without it, the other Landlock commands have no effect. |
1247 | See the \fBLANDLOCK\fR section for more information. | 1247 | See the \fBLANDLOCK\fR section for more information. |
1248 | .TP | 1248 | .TP |
1249 | \fB\-\-landlock.fs.read=path (experimental) | 1249 | \fB\-\-landlock.fs.read=path\fR (experimental) |
1250 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 1250 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
1251 | rule for path. | 1251 | rule for path. |
1252 | .TP | 1252 | .TP |
1253 | \fB\-\-landlock.fs.write=path (experimental) | 1253 | \fB\-\-landlock.fs.write=path\fR (experimental) |
1254 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 1254 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
1255 | rule for path. | 1255 | rule for path. |
1256 | .TP | 1256 | .TP |
1257 | \fB\-\-landlock.fs.makeipc=path (experimental) | 1257 | \fB\-\-landlock.fs.makeipc=path\fR (experimental) |
1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1259 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath | 1259 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
1260 | the given path. | 1260 | the given path. |
1261 | .TP | 1261 | .TP |
1262 | \fB\-\-landlock.fs.makedev=path (experimental) | 1262 | \fB\-\-landlock.fs.makedev=path\fR (experimental) |
1263 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1263 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1264 | allows the creation of block devices and character devices beneath the given | 1264 | allows the creation of block devices and character devices beneath the given |
1265 | path. | 1265 | path. |
1266 | .TP | 1266 | .TP |
1267 | \fB\-\-landlock.fs.execute=path (experimental) | 1267 | \fB\-\-landlock.fs.execute=path\fR (experimental) |
1268 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 1268 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
1269 | permission rule for path. | 1269 | permission rule for path. |
1270 | .br | 1270 | .br |
@@ -1324,6 +1324,21 @@ Example: | |||
1324 | $ firejail \-\-machine-id | 1324 | $ firejail \-\-machine-id |
1325 | 1325 | ||
1326 | .TP | 1326 | .TP |
1327 | \fB\-\-memory-deny-write-execute | ||
1328 | Install a seccomp filter to block attempts to create memory mappings | ||
1329 | that are both writable and executable, to change mappings to be | ||
1330 | executable, or to create executable shared memory. The filter examines | ||
1331 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | ||
1332 | and shmat system calls and returns error EPERM to the process (or | ||
1333 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. | ||
1334 | .br | ||
1335 | |||
1336 | .br | ||
1337 | Note: shmat is not implemented | ||
1338 | as a system call on some platforms including i386, and it cannot be | ||
1339 | handled by seccomp-bpf. | ||
1340 | |||
1341 | .TP | ||
1327 | \fB\-\-mkdir=dirname | 1342 | \fB\-\-mkdir=dirname |
1328 | Create a directory in user home. Parent directories are created as needed. | 1343 | Create a directory in user home. Parent directories are created as needed. |
1329 | .br | 1344 | .br |
@@ -1343,20 +1358,6 @@ Example: | |||
1343 | .br | 1358 | .br |
1344 | $ firejail --mkfile=~/work/project/readme | 1359 | $ firejail --mkfile=~/work/project/readme |
1345 | 1360 | ||
1346 | .TP | ||
1347 | \fB\-\-memory-deny-write-execute | ||
1348 | Install a seccomp filter to block attempts to create memory mappings | ||
1349 | that are both writable and executable, to change mappings to be | ||
1350 | executable, or to create executable shared memory. The filter examines | ||
1351 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | ||
1352 | and shmat system calls and returns error EPERM to the process (or | ||
1353 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. | ||
1354 | .br | ||
1355 | |||
1356 | .br | ||
1357 | Note: shmat is not implemented | ||
1358 | as a system call on some platforms including i386, and it cannot be | ||
1359 | handled by seccomp-bpf. | ||
1360 | #ifdef HAVE_NETWORK | 1361 | #ifdef HAVE_NETWORK |
1361 | .TP | 1362 | .TP |
1362 | \fB\-\-mtu=number | 1363 | \fB\-\-mtu=number |
@@ -1726,7 +1727,7 @@ Example: | |||
1726 | $ firejail --no3d firefox | 1727 | $ firejail --no3d firefox |
1727 | 1728 | ||
1728 | .TP | 1729 | .TP |
1729 | \fB\-\-noautopulse \fR(deprecated) | 1730 | \fB\-\-noautopulse\fR (deprecated) |
1730 | See --keep-config-pulse. | 1731 | See --keep-config-pulse. |
1731 | 1732 | ||
1732 | .TP | 1733 | .TP |
@@ -1772,7 +1773,7 @@ $ nc dict.org 2628 | |||
1772 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 | 1773 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 |
1773 | .br | 1774 | .br |
1774 | .TP | 1775 | .TP |
1775 | \fB\-\-nodbus \fR(deprecated) | 1776 | \fB\-\-nodbus\fR (deprecated) |
1776 | #ifdef HAVE_DBUSPROXY | 1777 | #ifdef HAVE_DBUSPROXY |
1777 | Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. | 1778 | Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. |
1778 | .br | 1779 | .br |
@@ -1792,15 +1793,6 @@ Example: | |||
1792 | .br | 1793 | .br |
1793 | $ firejail \-\-nodvd | 1794 | $ firejail \-\-nodvd |
1794 | .TP | 1795 | .TP |
1795 | \fB\-\-noinput | ||
1796 | Disable input devices. | ||
1797 | .br | ||
1798 | |||
1799 | .br | ||
1800 | Example: | ||
1801 | .br | ||
1802 | $ firejail \-\-noinput | ||
1803 | .TP | ||
1804 | \fB\-\-noexec=dirname_or_filename | 1796 | \fB\-\-noexec=dirname_or_filename |
1805 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | 1797 | Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. |
1806 | .br | 1798 | .br |
@@ -1845,6 +1837,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) | |||
1845 | $ | 1837 | $ |
1846 | 1838 | ||
1847 | .TP | 1839 | .TP |
1840 | \fB\-\-noinput | ||
1841 | Disable input devices. | ||
1842 | .br | ||
1843 | |||
1844 | .br | ||
1845 | Example: | ||
1846 | .br | ||
1847 | $ firejail \-\-noinput | ||
1848 | |||
1849 | .TP | ||
1848 | \fB\-\-nonewprivs | 1850 | \fB\-\-nonewprivs |
1849 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | 1851 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes |
1850 | cannot acquire new privileges using execve(2); in particular, | 1852 | cannot acquire new privileges using execve(2); in particular, |
@@ -3353,16 +3355,6 @@ $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox | |||
3353 | .br | 3355 | .br |
3354 | #endif | 3356 | #endif |
3355 | .\" Note: Keep this in sync with invalid_name() in src/firejail/util.c. | 3357 | .\" Note: Keep this in sync with invalid_name() in src/firejail/util.c. |
3356 | .SH NAME VALIDATION | ||
3357 | For simplicity, the same name validation is used for multiple options. | ||
3358 | Rules: | ||
3359 | .PP | ||
3360 | The name must be 1-253 characters long. | ||
3361 | The name can only contain ASCII letters, digits and the special characters | ||
3362 | "-._" (that is, the name cannot contain spaces or control characters). | ||
3363 | The name cannot contain only digits. | ||
3364 | The first and last characters must be an ASCII letter or digit and the name | ||
3365 | may contain special characters in the middle. | ||
3366 | #ifdef HAVE_APPARMOR | 3358 | #ifdef HAVE_APPARMOR |
3367 | .SH APPARMOR | 3359 | .SH APPARMOR |
3368 | .TP | 3360 | .TP |
@@ -3408,64 +3400,6 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
3408 | $ firejail --apparmor firefox | 3400 | $ firejail --apparmor firefox |
3409 | #endif | 3401 | #endif |
3410 | 3402 | ||
3411 | #ifdef HAVE_LANDLOCK | ||
3412 | .SH LANDLOCK | ||
3413 | Warning: Landlock support in firejail is considered experimental and unstable. | ||
3414 | The contents of landlock-common.inc are likely to change and the feature is | ||
3415 | still being expanded upon in the Linux kernel. | ||
3416 | Also, note that its functionality overlaps with existing firejail features, | ||
3417 | such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. | ||
3418 | Its filesystem access rules can currently only restrict direct access to paths; | ||
3419 | it is not able to make only select paths appear in the sandbox such as with the | ||
3420 | \fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). | ||
3421 | Lastly, note that depending on the Linux kernel version, Landlock may not | ||
3422 | protect all of the relevant syscalls (see the kernel's Landlock documentation | ||
3423 | for details). | ||
3424 | Therefore, it is recommended to treat Landlock as an extra layer of protection, | ||
3425 | to be used together with other firejail features (rather than as a bulletproof | ||
3426 | mechanism by itself). | ||
3427 | .PP | ||
3428 | Landlock is a Linux security module first introduced in version 5.13 of the | ||
3429 | Linux kernel. | ||
3430 | It allows unprivileged processes to restrict their access to the filesystem. | ||
3431 | Once imposed, these restrictions can never be removed, and all child processes | ||
3432 | created by a Landlock-restricted processes inherit these restrictions. | ||
3433 | Firejail supports Landlock as an additional sandboxing feature. | ||
3434 | It can be used to ensure that a sandboxed application can only access files and | ||
3435 | directories that it was explicitly allowed to access. | ||
3436 | Firejail supports populating the ruleset with both a basic set of rules (see | ||
3437 | landlock-common.inc) and with a custom set of rules. | ||
3438 | .TP | ||
3439 | Important notes: | ||
3440 | .PP | ||
3441 | .RS | ||
3442 | - Currently only Landlock ABI version 1 is supported. | ||
3443 | .PP | ||
3444 | - If "lsm=" is used in the kernel command line, it should contain "landlock" | ||
3445 | (such as "lsm=apparmor,landlock"), or else it will be disabled. | ||
3446 | .PP | ||
3447 | - A process can install a Landlock ruleset only if it has either | ||
3448 | \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New | ||
3449 | Privileges" restriction enabled. | ||
3450 | Because of this, enabling the Landlock feature will also cause Firejail to | ||
3451 | enable the "No New Privileges" restriction, regardless of the profile or the | ||
3452 | \fB\-\-nonewprivs\fR command line option. | ||
3453 | .PP | ||
3454 | - Access to the /etc directory is automatically allowed. | ||
3455 | To override this, use the \fB\-\-writable\-etc\fR command line option. | ||
3456 | You can also use the \fB\-\-private\-etc\fR option to restrict access to the | ||
3457 | /etc directory. | ||
3458 | .RE | ||
3459 | .PP | ||
3460 | To enable Landlock self-restriction on top of your current Firejail security | ||
3461 | features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. | ||
3462 | Without it, the other Landlock commands have no effect. | ||
3463 | Example: | ||
3464 | .PP | ||
3465 | $ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc | ||
3466 | .PP | ||
3467 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. | ||
3468 | #endif | ||
3469 | .SH DESKTOP INTEGRATION | 3403 | .SH DESKTOP INTEGRATION |
3470 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 3404 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
3471 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 3405 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
@@ -3519,37 +3453,37 @@ $ firejail --tree | |||
3519 | 1221:netblue:/usr/lib/firefox/firefox | 3453 | 1221:netblue:/usr/lib/firefox/firefox |
3520 | .RE | 3454 | .RE |
3521 | 3455 | ||
3522 | We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details. | 3456 | We provide a tool that automates all this integration, please see \fBfirecfg\fR(1) for more details. |
3523 | 3457 | ||
3524 | .SH EXAMPLES | 3458 | .SH EXAMPLES |
3525 | .TP | 3459 | .TP |
3526 | \f\firejail | 3460 | \fBfirejail |
3527 | Sandbox a regular shell session. | 3461 | Sandbox a regular shell session. |
3528 | .TP | 3462 | .TP |
3529 | \f\firejail firefox | 3463 | \fBfirejail firefox |
3530 | Start Mozilla Firefox. | 3464 | Start Mozilla Firefox. |
3531 | .TP | 3465 | .TP |
3532 | \f\firejail \-\-debug firefox | 3466 | \fBfirejail \-\-debug firefox |
3533 | Debug Firefox sandbox. | 3467 | Debug Firefox sandbox. |
3534 | .TP | 3468 | .TP |
3535 | \f\firejail \-\-private firefox | 3469 | \fBfirejail \-\-private firefox |
3536 | Start Firefox with a new, empty home directory. | 3470 | Start Firefox with a new, empty home directory. |
3537 | .TP | 3471 | .TP |
3538 | \f\firejail --net=none vlc | 3472 | \fBfirejail --net=none vlc |
3539 | Start VLC in an unconnected network namespace. | 3473 | Start VLC in an unconnected network namespace. |
3540 | #ifdef HAVE_NETWORK | 3474 | #ifdef HAVE_NETWORK |
3541 | .TP | 3475 | .TP |
3542 | \f\firejail \-\-net=eth0 firefox | 3476 | \fBfirejail \-\-net=eth0 firefox |
3543 | Start Firefox in a new network namespace. An IP address is | 3477 | Start Firefox in a new network namespace. An IP address is |
3544 | assigned automatically. | 3478 | assigned automatically. |
3545 | .TP | 3479 | .TP |
3546 | \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 | 3480 | \fBfirejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 |
3547 | Start a shell session in a new network namespace and connect it | 3481 | Start a shell session in a new network namespace and connect it |
3548 | to br0, br1, and br2 host bridge devices. IP addresses are assigned | 3482 | to br0, br1, and br2 host bridge devices. IP addresses are assigned |
3549 | automatically for the interfaces connected to br1 and b2 | 3483 | automatically for the interfaces connected to br1 and b2 |
3550 | #endif | 3484 | #endif |
3551 | .TP | 3485 | .TP |
3552 | \f\firejail \-\-list | 3486 | \fBfirejail \-\-list |
3553 | List all sandboxed processes. | 3487 | List all sandboxed processes. |
3554 | 3488 | ||
3555 | .SH FILE GLOBBING | 3489 | .SH FILE GLOBBING |
@@ -3713,6 +3647,65 @@ Currently while scanning the file system, symbolic links are not followed, and f | |||
3713 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | 3647 | The program can also be run as root (sudo firejail --ids-init/--ids-check). |
3714 | #endif | 3648 | #endif |
3715 | 3649 | ||
3650 | #ifdef HAVE_LANDLOCK | ||
3651 | .SH LANDLOCK | ||
3652 | Warning: Landlock support in firejail is considered experimental and unstable. | ||
3653 | The contents of landlock-common.inc are likely to change and the feature is | ||
3654 | still being expanded upon in the Linux kernel. | ||
3655 | Also, note that its functionality overlaps with existing firejail features, | ||
3656 | such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. | ||
3657 | Its filesystem access rules can currently only restrict direct access to paths; | ||
3658 | it is not able to make only select paths appear in the sandbox such as with the | ||
3659 | \fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). | ||
3660 | Lastly, note that depending on the Linux kernel version, Landlock may not | ||
3661 | protect all of the relevant syscalls (see the kernel's Landlock documentation | ||
3662 | for details). | ||
3663 | Therefore, it is recommended to treat Landlock as an extra layer of protection, | ||
3664 | to be used together with other firejail features (rather than as a bulletproof | ||
3665 | mechanism by itself). | ||
3666 | .PP | ||
3667 | Landlock is a Linux security module first introduced in version 5.13 of the | ||
3668 | Linux kernel. | ||
3669 | It allows unprivileged processes to restrict their access to the filesystem. | ||
3670 | Once imposed, these restrictions can never be removed, and all child processes | ||
3671 | created by a Landlock-restricted processes inherit these restrictions. | ||
3672 | Firejail supports Landlock as an additional sandboxing feature. | ||
3673 | It can be used to ensure that a sandboxed application can only access files and | ||
3674 | directories that it was explicitly allowed to access. | ||
3675 | Firejail supports populating the ruleset with both a basic set of rules (see | ||
3676 | landlock-common.inc) and with a custom set of rules. | ||
3677 | .TP | ||
3678 | Important notes: | ||
3679 | .PP | ||
3680 | .RS | ||
3681 | - Currently only Landlock ABI version 1 is supported. | ||
3682 | .PP | ||
3683 | - If "lsm=" is used in the kernel command line, it should contain "landlock" | ||
3684 | (such as "lsm=apparmor,landlock"), or else it will be disabled. | ||
3685 | .PP | ||
3686 | - A process can install a Landlock ruleset only if it has either | ||
3687 | \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New | ||
3688 | Privileges" restriction enabled. | ||
3689 | Because of this, enabling the Landlock feature will also cause Firejail to | ||
3690 | enable the "No New Privileges" restriction, regardless of the profile or the | ||
3691 | \fB\-\-nonewprivs\fR command line option. | ||
3692 | .PP | ||
3693 | - Access to the /etc directory is automatically allowed. | ||
3694 | To override this, use the \fB\-\-writable\-etc\fR command line option. | ||
3695 | You can also use the \fB\-\-private\-etc\fR option to restrict access to the | ||
3696 | /etc directory. | ||
3697 | .RE | ||
3698 | .PP | ||
3699 | To enable Landlock self-restriction on top of your current Firejail security | ||
3700 | features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. | ||
3701 | Without it, the other Landlock commands have no effect. | ||
3702 | Example: | ||
3703 | .PP | ||
3704 | $ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc | ||
3705 | .PP | ||
3706 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. | ||
3707 | #endif | ||
3708 | |||
3716 | .SH MONITORING | 3709 | .SH MONITORING |
3717 | Option \-\-list prints a list of all sandboxes. The format | 3710 | Option \-\-list prints a list of all sandboxes. The format |
3718 | for each process entry is as follows: | 3711 | for each process entry is as follows: |
@@ -3770,6 +3763,17 @@ Sandbox running time in hours:minutes:seconds format. | |||
3770 | USER | 3763 | USER |
3771 | The owner of the sandbox. | 3764 | The owner of the sandbox. |
3772 | 3765 | ||
3766 | .SH NAME VALIDATION | ||
3767 | For simplicity, the same name validation is used for multiple options. | ||
3768 | Rules: | ||
3769 | .PP | ||
3770 | The name must be 1-253 characters long. | ||
3771 | The name can only contain ASCII letters, digits and the special characters | ||
3772 | "-._" (that is, the name cannot contain spaces or control characters). | ||
3773 | The name cannot contain only digits. | ||
3774 | The first and last characters must be an ASCII letter or digit and the name | ||
3775 | may contain special characters in the middle. | ||
3776 | |||
3773 | .SH RESTRICTED SHELL | 3777 | .SH RESTRICTED SHELL |
3774 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 3778 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
3775 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 3779 | /etc/passwd file for each user that needs to be restricted. Alternatively, |