Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 138 |
1 files changed, 75 insertions, 63 deletions
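diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0462705c0..498ff9aa9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -99,6 +99,40 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow=dirname_or_filename
+Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
+allowed files are mount-binded inside. Modifications to allowed files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
+.br
+
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.br
+
+.br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-allow=~/.mozilla
+.br
+$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
+.br
+$ firejail "\-\-allow=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
+
+
+
+
+
+
+.TP
 \fB\-\-allow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting
 system calls ptrace and process_vm_readv. This option is only
@@ -169,21 +203,6 @@ Example:
 .br
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
-\fB\-\-blacklist=dirname_or_filename
-Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
-.br
-$ firejail \-\-blacklist=~/.mozilla
-.br
-$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
-.TP
 \fB\-\-build
 The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
 builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -243,7 +262,7 @@ $ firejail \-\-caps.drop=all warzone2100
 
 .TP
 \fB\-\-caps.drop=capability,capability,capability
-Define a custom blacklist Linux capabilities filter.
+Define a custom Linux capabilities filter.
 .br
 
 .br
@@ -624,14 +643,14 @@ Example:
 $ firejail \-\-debug firefox
 
 .TP
-\fB\-\-debug-blacklists\fR
-Debug blacklisting.
+\fB\-\-debug-allow\fR
+Debug file system access.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-debug-blacklists firefox
+$ firejail \-\-debug-allow firefox
 
 .TP
 \fB\-\-debug-caps
@@ -644,6 +663,16 @@ Example:
 $ firejail \-\-debug-caps
 
 .TP
+\fB\-\-debug-deny\fR
+Debug file access.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-deny firefox
+
+.TP
 \fB\-\-debug-errnos
 Print all recognized error numbers in the current Firejail software build and exit.
 .br
@@ -677,15 +706,7 @@ $ firejail \-\-debug-syscalls
 \fB\-\-debug-syscalls32
 Print all recognized 32 bit system calls in the current Firejail software build and exit.
 .br
-.TP
-\fB\-\-debug-whitelists\fR
-Debug whitelisting.
-.br
 
-.br
-Example:
-.br
-$ firejail \-\-debug-whitelists firefox
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-defaultgw=address
@@ -697,13 +718,32 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 #endif
+
+.TP
+\fB\-\-deny=dirname_or_filename
+Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin
+.br
+$ firejail \-\-deny=~/.mozilla
+.br
+$ firejail "\-\-deny=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
+
+
+
 .TP
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
 .TP
 \fB\-\-disable-mnt
-Blacklist /mnt, /media, /run/mount and /run/media access.
+Deny access to /mnt, /media, /run/mount and /run/media.
 .br
 
 .br
@@ -1471,12 +1511,16 @@ Example:
 $ firejail --no3d firefox
 
 .TP
+\fB\-\-noallow=dirname_or_filename
+Disable \-\-allow for this directory or file.
+
+.TP
 \fB\-\-noautopulse \fR(deprecated)
 See --keep-config-pulse.
 
 .TP
-\fB\-\-noblacklist=dirname_or_filename
-Disable blacklist for this directory or file.
+\fB\-\-nodeny=dirname_or_filename
+Disable \-\-deny for this directory or file.
 .br
 
 .br
@@ -1492,7 +1536,7 @@ $ exit
 .br
 
 .br
-$ firejail --noblacklist=/bin/nc
+$ firejail --nodeny=/bin/nc
 .br
 $ nc dict.org 2628
 .br
@@ -1666,10 +1710,6 @@ $ firejail \-\-nou2f
 Disable video devices.
 .br
 
-.TP
-\fB\-\-nowhitelist=dirname_or_filename
-Disable whitelist for this directory or file.
-
 #ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
@@ -2733,34 +2773,6 @@ Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
 #endif
-.TP
-\fB\-\-whitelist=dirname_or_filename
-Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory can be
-all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
-all directories in /usr.
-.br
-
-.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
-.br
-
-.br
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
-.br
-$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
-.br
-$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
 .TP
 \fB\-\-writable-etc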