diff options
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 37 |
1 files changed, 34 insertions, 3 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 087d1c85a..1dd5508b3 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles. | |||
67 | Each profile defines a set of permissions for a specific application or group | 67 | Each profile defines a set of permissions for a specific application or group |
68 | of applications. The software includes security profiles for a number of more common | 68 | of applications. The software includes security profiles for a number of more common |
69 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 69 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
70 | .\" TODO: Explain the security/usability tradeoffs from #4601. | ||
71 | .PP | ||
72 | Firejail is currently implemented as an SUID binary, which means that if a | ||
73 | malicious or compromised user account manages to exploit a bug in Firejail, | ||
74 | that could ultimately lead to a privilege escalation to root. | ||
75 | To mitigate this, it is recommended to only allow trusted users to run firejail | ||
76 | (see firejail-users(5) for details on how to achieve that). | ||
77 | For more details on the security/usability tradeoffs of Firejail, see: | ||
78 | .UR https://github.com/netblue30/firejail/discussions/4601 | ||
79 | #4601 | ||
80 | .UE | ||
70 | .PP | 81 | .PP |
71 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) | 82 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) |
72 | are not supported. Snap and flatpak packages have their own native management tools and will | 83 | are not supported. Snap and flatpak packages have their own native management tools and will |
@@ -122,7 +133,13 @@ $ firejail --allusers | |||
122 | #ifdef HAVE_APPARMOR | 133 | #ifdef HAVE_APPARMOR |
123 | .TP | 134 | .TP |
124 | \fB\-\-apparmor | 135 | \fB\-\-apparmor |
125 | Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. | 136 | Enable AppArmor confinement with the "firejail-default" AppArmor profile. |
137 | For more information, please see \fBAPPARMOR\fR section below. | ||
138 | .TP | ||
139 | \fB\-\-apparmor=profile_name | ||
140 | Enable AppArmor confinement with a custom AppArmor profile. | ||
141 | Note that profile in question must already be loaded into the kernel. | ||
142 | For more information, please see \fBAPPARMOR\fR section below. | ||
126 | .TP | 143 | .TP |
127 | \fB\-\-apparmor.print=name|pid | 144 | \fB\-\-apparmor.print=name|pid |
128 | Print the AppArmor confinement status for the sandbox identified by name or by PID. | 145 | Print the AppArmor confinement status for the sandbox identified by name or by PID. |
@@ -174,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR | |||
174 | .br | 191 | .br |
175 | 192 | ||
176 | .br | 193 | .br |
194 | Symbolic link handling: Blacklisting a path that is a symbolic link will also | ||
195 | blacklist the path that it points to. | ||
196 | For example, if ~/foo is blacklisted and it points to /foo, then /foo will also | ||
197 | be blacklisted. | ||
198 | .br | ||
199 | |||
200 | .br | ||
177 | Example: | 201 | Example: |
178 | .br | 202 | .br |
179 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | 203 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin |
@@ -2905,8 +2929,14 @@ all directories in /usr. | |||
2905 | .br | 2929 | .br |
2906 | 2930 | ||
2907 | .br | 2931 | .br |
2908 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | 2932 | Symbolic link handling: Whitelisting a path that is a symbolic link will also |
2909 | the same top directory. For user home, both the link and the real file should be owned by the user. | 2933 | whitelist the path that it points to. |
2934 | For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will | ||
2935 | also be whitelisted. | ||
2936 | Restrictions: With the exception of the user home directory, both the link and | ||
2937 | the real file should be in the same top directory. | ||
2938 | For symbolic links in the user home directory, both the link and the real file | ||
2939 | should be owned by the user. | ||
2910 | .br | 2940 | .br |
2911 | 2941 | ||
2912 | .br | 2942 | .br |
@@ -3611,3 +3641,4 @@ Homepage: https://firejail.wordpress.com | |||
3611 | .UE , | 3641 | .UE , |
3612 | .UR https://github.com/netblue30/firejail | 3642 | .UR https://github.com/netblue30/firejail |
3613 | .UE | 3643 | .UE |
3644 | .\" vim: set filetype=groff : | ||