Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 121 |
1 files changed, 60 insertions, 61 deletions
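--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -828,24 +828,6 @@ $ sudo ifconfig br1 10.10.30.1/24
 $ firejail \-\-net=br0 \-\-net=br1
 
 .TP
-\fB\-\-net=none
-Enable a new, unconnected network namespace. The only interface
-available in the new namespace is a new loopback interface (lo).
-Use this option to deny
-network access to programs that don't really need network access.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-net=none vlc
-.br
-
-.br
-Note: \-\-net=none can crash the application on some platforms.
-In these cases, it can be replaced with \-\-protocol=unix.
-
-.TP
 \fB\-\-net=ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
 to this ethernet interface using the standard Linux macvlan|ipvaln
@@ -865,6 +847,24 @@ $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
 $ firejail \-\-net=wlan0 firefox
 
 .TP
+\fB\-\-net=none
+Enable a new, unconnected network namespace. The only interface
+available in the new namespace is a new loopback interface (lo).
+Use this option to deny
+network access to programs that don't really need network access.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=none vlc
+.br
+
+.br
+Note: \-\-net=none can crash the application on some platforms.
+In these cases, it can be replaced with \-\-protocol=unix.
+
+.TP
 \fB\-\-net=tap_interface
 Enable a new network namespace and connect it
 to this ethernet tap interface using the standard Linux macvlan
@@ -1434,6 +1434,48 @@ Example:
 $ firejail \-\-private-cache openbox
 
 .TP
+\fB\-\-private-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.br
+Does not impact working directory of profile include paths.
+.br
+
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd
+.br
+$ pwd
+.br
+/home/user
+.br
+
+.TP
+\fB\-\-private-cwd=directory
+Set working directory inside the jail.
+.br
+Does not impact working directory of profile include paths.
+.br
+
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd=/opt
+.br
+$ pwd
+.br
+/opt
+.br
+
+.TP
 \fB\-\-private-dev
 Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available.
 Use the options --no3d, --nodvd, --nosound, --notv, --nou2f and --novideo for additional restrictions.
@@ -1579,49 +1621,6 @@ drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 .br
 
 .TP
-\fB\-\-private-cwd
-Set working directory inside jail to the home directory, and failing that, the root directory.
-.br
-Does not impact working directory of profile include paths.
-.br
-
-.br
-Example:
-.br
-$ pwd
-.br
-/tmp
-.br
-$ firejail \-\-private-cwd
-.br
-$ pwd
-.br
-/home/user
-.br
-
-.TP
-\fB\-\-private-cwd=directory
-Set working directory inside the jail.
-.br
-Does not impact working directory of profile include paths.
-.br
-
-.br
-Example:
-.br
-$ pwd
-.br
-/tmp
-.br
-$ firejail \-\-private-cwd=/opt
-.br
-$ pwd
-.br
-/opt
-.br
-
-
-.TP
 \fB\-\-profile=filename_or_profilename
 Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.
 For more information, see \fBSECURITY PROFILES\fR section below.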