1 files changed, 34 insertions, 3 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 087d1c85a..1dd5508b3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
 .PP
 Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
 are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
 #ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.
@@ -174,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR
 .br
 .br
+Symbolic link handling: Blacklisting a path that is a symbolic link will also
+blacklist the path that it points to.
+For example, if ~/foo is blacklisted and it points to /foo, then /foo will also
+be blacklisted.
+.br
+.br
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -2905,8 +2929,14 @@ all directories in /usr.
 .br
 .br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
+Symbolic link handling: Whitelisting a path that is a symbolic link will also
-the same top directory. For user home, both the link and the real file should be owned by the user.
+whitelist the path that it points to.
+For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
+also be whitelisted.
+Restrictions: With the exception of the user home directory, both the link and
+the real file should be in the same top directory.
+For symbolic links in the user home directory, both the link and the real file
+should be owned by the user.
 .br
 .br
@@ -3611,3 +3641,4 @@ Homepage: https://firejail.wordpress.com
 .UE ,
 .UR https://github.com/netblue30/firejail
 .UE
+.\" vim: set filetype=groff :

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 087d1c85a..1dd5508b3 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
67	Each profile defines a set of permissions for a specific application or group	67	Each profile defines a set of permissions for a specific application or group
68	of applications. The software includes security profiles for a number of more common	68	of applications. The software includes security profiles for a number of more common
69	Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.	69	Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
		70	.\" TODO: Explain the security/usability tradeoffs from #4601.
		71	.PP
		72	Firejail is currently implemented as an SUID binary, which means that if a
		73	malicious or compromised user account manages to exploit a bug in Firejail,
		74	that could ultimately lead to a privilege escalation to root.
		75	To mitigate this, it is recommended to only allow trusted users to run firejail
		76	(see firejail-users(5) for details on how to achieve that).
		77	For more details on the security/usability tradeoffs of Firejail, see:
		78	.UR https://github.com/netblue30/firejail/discussions/4601
		79	#4601
		80	.UE
70	.PP	81	.PP
71	Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)	82	Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
72	are not supported. Snap and flatpak packages have their own native management tools and will	83	are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
122	#ifdef HAVE_APPARMOR	133	#ifdef HAVE_APPARMOR
123	.TP	134	.TP
124	\fB\-\-apparmor	135	\fB\-\-apparmor
125	Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.	136	Enable AppArmor confinement with the "firejail-default" AppArmor profile.
		137	For more information, please see \fBAPPARMOR\fR section below.
		138	.TP
		139	\fB\-\-apparmor=profile_name
		140	Enable AppArmor confinement with a custom AppArmor profile.
		141	Note that profile in question must already be loaded into the kernel.
		142	For more information, please see \fBAPPARMOR\fR section below.
126	.TP	143	.TP
127	\fB\-\-apparmor.print=name\|pid	144	\fB\-\-apparmor.print=name\|pid
128	Print the AppArmor confinement status for the sandbox identified by name or by PID.	145	Print the AppArmor confinement status for the sandbox identified by name or by PID.
@@ -174,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR
174	.br	191	.br
175		192
176	.br	193	.br
		194	Symbolic link handling: Blacklisting a path that is a symbolic link will also
		195	blacklist the path that it points to.
		196	For example, if ~/foo is blacklisted and it points to /foo, then /foo will also
		197	be blacklisted.
		198	.br
		199
		200	.br
177	Example:	201	Example:
178	.br	202	.br
179	$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin	203	$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -2905,8 +2929,14 @@ all directories in /usr.
2905	.br	2929	.br
2906		2930
2907	.br	2931	.br
2908	Symbolic link handling: with the exception of user home, both the link and the real file should be in	2932	Symbolic link handling: Whitelisting a path that is a symbolic link will also
2909	the same top directory. For user home, both the link and the real file should be owned by the user.	2933	whitelist the path that it points to.
		2934	For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
		2935	also be whitelisted.
		2936	Restrictions: With the exception of the user home directory, both the link and
		2937	the real file should be in the same top directory.
		2938	For symbolic links in the user home directory, both the link and the real file
		2939	should be owned by the user.
2910	.br	2940	.br
2911		2941
2912	.br	2942	.br
@@ -3611,3 +3641,4 @@ Homepage: https://firejail.wordpress.com
3611	.UE ,	3641	.UE ,
3612	.UR https://github.com/netblue30/firejail	3642	.UR https://github.com/netblue30/firejail
3613	.UE	3643	.UE
		3644	.\" vim: set filetype=groff :