Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r--  src/man/firejail.txt | 74
1 file changed, 70 insertions, 4 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f978661dc..f603daecb 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1067,6 +1067,10 @@ Example: | |||
1067 | $ firejail \-\-nosound firefox | 1067 | $ firejail \-\-nosound firefox |
1068 | 1068 | ||
1069 | .TP | 1069 | .TP |
1070 | \fB\-\-nowhitelist=dirname_or_filename | ||
1071 | Disable whitelist for this directory or file. | ||
1072 | |||
1073 | .TP | ||
1070 | \fB\-\-output=logfile | 1074 | \fB\-\-output=logfile |
1071 | stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log | 1075 | stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log |
1072 | rotation. Five files with prefixes .1 to .5 are used in rotation. | 1076 | rotation. Five files with prefixes .1 to .5 are used in rotation. |
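Review bot: the new --nowhitelist entry (1070-1071) is the only option in this region without an Example block; the neighbouring --nosound (1067) and --output entries both show usage, so add an `Example:` line in the same style that pairs --nowhitelist with the --whitelist or profile entry it is meant to cancel. The one-sentence description should also state what happens when the given path is not currently whitelisted (silently ignored or an error) and whether it applies to whitelist entries coming from the loaded profile as well as to those given on the command line, since that is what a profile author needs to know before using it.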
@@ -1772,17 +1776,17 @@ $ sudo firejail --writable-var-log | |||
1772 | 1776 | ||
1773 | .TP | 1777 | .TP |
1774 | \fB\-\-x11 | 1778 | \fB\-\-x11 |
1775 | Sandbox the application using Xpra, Xephyr or Xorg security extension. | 1779 | Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. |
1776 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing | 1780 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing |
1777 | clients running outside the sandbox. | 1781 | clients running outside the sandbox. |
1778 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | 1782 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. |
1779 | If all fails, Firejail will not attempt to use X11 security extension. | 1783 | If all fails, Firejail will not attempt to use Xvfb or X11 security extension. |
1780 | .br | 1784 | .br |
1781 | 1785 | ||
1782 | .br | 1786 | .br |
1783 | Xpra and Xephyr modes require a network namespace to be instantiated in order to disable | 1787 | Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable |
1784 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket | 1788 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket |
1785 | by adding "-nolisten local" on Xorg command line. | 1789 | by adding "-nolisten local" on Xorg command line at system level. |
1786 | .br | 1790 | .br |
1787 | 1791 | ||
1788 | .br | 1792 | .br |
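Review bot: the fallback description in this hunk is now self-contradictory: 1779 lists Xvfb as a supported server, but 1782-1783 say Firejail tries Xpra, then Xephyr, and "If all fails, Firejail will not attempt to use Xvfb or X11 security extension", leaving the reader unsure whether Xvfb is ever chosen. Rephrase so it is explicit that Xvfb is used only when requested with --x11=xvfb and is never picked by plain --x11 auto-detection, e.g. "If neither Xpra nor Xephyr is found, Firejail does not fall back to Xvfb or to the X11 security extension; select those explicitly with the corresponding --x11= mode." While touching this paragraph, fix the pre-existing grammar at 1780, "The sandbox will prevents" -> "The sandbox prevents". The "at system level" addition at 1789 is a useful clarification; it would be more actionable if the sentence also said that this Xorg option must be set in the X server's own startup configuration rather than per sandbox.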
@@ -1859,6 +1863,68 @@ Example: | |||
1859 | .br | 1863 | .br |
1860 | $ firejail \-\-x11=xpra --net=eth0 firefox | 1864 | $ firejail \-\-x11=xpra --net=eth0 firefox |
1861 | 1865 | ||
1866 | |||
1867 | .TP | ||
1868 | \fB\-\-x11=xvfb | ||
1869 | Start Xvfb X11 server and attach the sandbox to this server. | ||
1870 | Xvfb, short for X virtual framebuffer, performs all graphical operations in memory | ||
1871 | without showing any screen output. Xvfb is mainly used for remote access and software | ||
1872 | testing on headless servers. | ||
1873 | .br | ||
1874 | |||
1875 | .br | ||
1876 | On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR. | ||
1877 | This feature is not available when running as root. | ||
1878 | .br | ||
1879 | |||
1880 | .br | ||
1881 | Example: remote VNC access | ||
1882 | .br | ||
1883 | |||
1884 | .br | ||
1885 | On the server we start a sandbox using Xvfb and openbox | ||
1886 | window manager. The default size of Xvfb screen is 800x600 - it can be changed | ||
1887 | in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required | ||
1888 | in order to isolate the abstract sockets used by other X servers. | ||
1889 | .br | ||
1890 | |||
1891 | .br | ||
1892 | $ firejail --net=none --x11=xvfb openbox | ||
1893 | .br | ||
1894 | |||
1895 | .br | ||
1896 | *** Attaching to Xvfb display 792 *** | ||
1897 | .br | ||
1898 | |||
1899 | .br | ||
1900 | Reading profile /etc/firejail/openbox.profile | ||
1901 | .br | ||
1902 | Reading profile /etc/firejail/disable-common.inc | ||
1903 | .br | ||
1904 | Reading profile /etc/firejail/disable-common.local | ||
1905 | .br | ||
1906 | Parent pid 5400, child pid 5401 | ||
1907 | .br | ||
1908 | |||
1909 | .br | ||
1910 | On the server we also start a VNC server and attach it to the display handled by our | ||
1911 | Xvfb server (792). | ||
1912 | .br | ||
1913 | |||
1914 | .br | ||
1915 | $ x11vnc -display :792 | ||
1916 | .br | ||
1917 | |||
1918 | .br | ||
1919 | On the client machine we start a VNC viewer and use it to connect to our server: | ||
1920 | .br | ||
1921 | |||
1922 | .br | ||
1923 | $ vncviewer | ||
1924 | .br | ||
1925 | |||
1926 | |||
1927 | |||
1862 | .TP | 1928 | .TP |
1863 | \fB\-\-zsh | 1929 | \fB\-\-zsh |
1864 | Use /usr/bin/zsh as default user shell. | 1930 | Use /usr/bin/zsh as default user shell. |
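Review bot: the prose at 1887-1888 and the example at 1892 disagree: the text says "Some sort of networking (--net) is required", yet the command uses --net=none. What the paragraph at 1787-1788 actually requires is a network namespace, which --net=none does create; say "a network namespace (any --net option, including --net=none) is required to hide the abstract Unix sockets of other X servers" so readers do not conclude they must give the sandbox a real interface. Further points in the same hunk: the command lines at 1892 and 1915 use bare "--" while the rest of the page escapes options as "\-\-" (compare 1864 "\-\-x11=xpra"), so use the same escaping so the examples render as plain ASCII minus signs and can be copy-pasted; "x11vnc -display :792" (1915) is shown with no access control, so the text should warn that the sandboxed display then becomes reachable by anyone who can connect to the VNC port and point the reader at x11vnc's password or localhost-only options or an SSH tunnel; the client step "vncviewer" (1923) gives no host, so add the server address the reader is supposed to type; and the two extra blank lines at 1926-1927 before .TP should be dropped, as the other entries separate with a single .br/blank pair.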