Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 63 |
1 files changed, 32 insertions, 31 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 9e89d4e79..68deb85ec 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -42,6 +42,15 @@ Miscellaneous: | |||
42 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version} | 42 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version} |
43 | .RE | 43 | .RE |
44 | .SH DESCRIPTION | 44 | .SH DESCRIPTION |
45 | #ifdef HAVE_LTS | ||
46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, | ||
47 | LTS is usually supported for two or three years. | ||
48 | During this time only bugs and the occasional documentation problems are fixed. | ||
49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. | ||
50 | .br | ||
51 | |||
52 | .br | ||
53 | #endif | ||
45 | Firejail is a SUID sandbox program that reduces the risk of security breaches by | 54 | Firejail is a SUID sandbox program that reduces the risk of security breaches by |
46 | restricting the running environment of untrusted applications using Linux | 55 | restricting the running environment of untrusted applications using Linux |
47 | namespaces, seccomp-bpf and Linux capabilities. | 56 | namespaces, seccomp-bpf and Linux capabilities. |
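Review bot: the added LTS paragraph (new lines 46-49) says the attack surface of the SUID executable "was greatly reduced by removing some of the features" but names none of them, so a reader cannot tell what an LTS build lacks. Suggest listing the removed features here or pointing to where they are listed; if the --audit removal and the new HAVE_OUTPUT guard in this same commit are part of that reduction, say so. Wording: the comma after "software" on line 46 joins two sentences and should be a period, and "the occasional documentation problems" should read "the occasional documentation problem".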
@@ -146,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage | |||
146 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage | 155 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage |
147 | #endif | 156 | #endif |
148 | .TP | 157 | .TP |
149 | \fB\-\-audit | ||
150 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
151 | .TP | ||
152 | \fB\-\-audit=test-program | ||
153 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
154 | .TP | ||
155 | \fB\-\-bandwidth=name|pid | 158 | \fB\-\-bandwidth=name|pid |
156 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. | 159 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. |
157 | .TP | 160 | .TP |
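Review bot: the two \fB\-\-audit entries are deleted unconditionally, while the other feature changes in this commit are wrapped in preprocessor guards (#ifdef HAVE_LTS, #ifdef HAVE_OUTPUT). If the option is gone from every build this is fine; if it is only dropped in some configurations, the entries should be guarded instead of removed, otherwise the man page stops documenting an option that still exists. Either way, a short note on what a user who still passes --audit should expect would help.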
@@ -1105,6 +1108,26 @@ Example: | |||
1105 | $ firejail \-\-machine-id | 1108 | $ firejail \-\-machine-id |
1106 | 1109 | ||
1107 | .TP | 1110 | .TP |
1111 | \fB\-\-mkdir=dirname | ||
1112 | Create a directory in user home. Parent directories are created as needed. | ||
1113 | .br | ||
1114 | |||
1115 | .br | ||
1116 | Example: | ||
1117 | .br | ||
1118 | $ firejail --mkdir=~/work/project | ||
1119 | |||
1120 | .TP | ||
1121 | \fB\-\-mkfile=filename | ||
1122 | Create an empty file in user home. | ||
1123 | .br | ||
1124 | |||
1125 | .br | ||
1126 | Example: | ||
1127 | .br | ||
1128 | $ firejail --mkfile=~/work/project/readme | ||
1129 | |||
1130 | .TP | ||
1108 | \fB\-\-memory-deny-write-execute | 1131 | \fB\-\-memory-deny-write-execute |
1109 | Install a seccomp filter to block attempts to create memory mappings | 1132 | Install a seccomp filter to block attempts to create memory mappings |
1110 | that are both writable and executable, to change mappings to be | 1133 | that are both writable and executable, to change mappings to be |
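Review bot: the new \-\-mkdir and \-\-mkfile entries (new lines 1111-1129) say only "in user home" and do not state what happens with a path outside the home directory, what mode the directory or file is created with, or what happens if the target already exists. For an option handled by a SUID program those limits belong in the man page. The \-\-mkfile text also does not say whether parent directories are created, which \-\-mkdir does state, and its example writes into ~/work/project, so the reader is left guessing. Placement: both entries are inserted before \-\-memory-deny-write-execute, which puts "mk..." ahead of "me..." in a list that otherwise looks alphabetical; moving them below that entry would keep the order. The example lines use a bare "--" where the neighbouring \-\-machine-id example escapes the hyphens.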
@@ -1622,6 +1645,7 @@ Disable video devices. | |||
1622 | \fB\-\-nowhitelist=dirname_or_filename | 1645 | \fB\-\-nowhitelist=dirname_or_filename |
1623 | Disable whitelist for this directory or file. | 1646 | Disable whitelist for this directory or file. |
1624 | 1647 | ||
1648 | #ifdef HAVE_OUTPUT | ||
1625 | .TP | 1649 | .TP |
1626 | \fB\-\-output=logfile | 1650 | \fB\-\-output=logfile |
1627 | stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log | 1651 | stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log |
@@ -1652,6 +1676,7 @@ $ ls -l sandboxlog* | |||
1652 | .TP | 1676 | .TP |
1653 | \fB\-\-output-stderr=logfile | 1677 | \fB\-\-output-stderr=logfile |
1654 | Similar to \-\-output, but stderr is also stored. | 1678 | Similar to \-\-output, but stderr is also stored. |
1679 | #endif | ||
1655 | 1680 | ||
1656 | #ifdef HAVE_OVERLAYFS | 1681 | #ifdef HAVE_OVERLAYFS |
1657 | .TP | 1682 | .TP |
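Review bot: the guard added around \-\-output and \-\-output-stderr opens after the blank line at new line 1647 and closes at new line 1679 before the blank line at 1680, so a build without HAVE_OUTPUT is left with two consecutive blank lines in the generated page. Moving one of the blank lines inside the #ifdef/#endif pair avoids the extra gap.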
@@ -2451,7 +2476,7 @@ $ firejail --seccomp.print=browser | |||
2451 | $ | 2476 | $ |
2452 | 2477 | ||
2453 | .TP | 2478 | .TP |
2454 | \fB\-\-seccomp-error-action= kill | ERRNO | 2479 | \fB\-\-seccomp-error-action= kill | ERRNO | log |
2455 | By default, if a seccomp filter blocks a system call, the process gets | 2480 | By default, if a seccomp filter blocks a system call, the process gets |
2456 | EPERM as the error. With \-\-seccomp-error-action=error, another error | 2481 | EPERM as the error. With \-\-seccomp-error-action=error, another error |
2457 | number can be returned, for example ENOSYS or EACCES. The process can | 2482 | number can be returned, for example ENOSYS or EACCES. The process can |
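Review bot: only the synopsis line (new line 2479) gains "| log"; none of the description lines in this hunk are touched, so unless the body further down already covers it, the new value is listed without any explanation of what the process sees or where the event is recorded. Please add a sentence describing the log action next to the existing text for the other values. While here, the context line at 2481 says "\-\-seccomp-error-action=error" although the synopsis spells the value "ERRNO"; one of the two should be corrected so the placeholder is consistent.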
@@ -2941,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
2941 | $ firejail --apparmor firefox | 2966 | $ firejail --apparmor firefox |
2942 | #endif | 2967 | #endif |
2943 | 2968 | ||
2944 | .SH AUDIT | ||
2945 | Audit feature allows the user to point out gaps in security profiles. The | ||
2946 | implementation replaces the program to be sandboxed with a test program. By | ||
2947 | default, we use faudit program distributed with Firejail. A custom test program | ||
2948 | can also be supplied by the user. Examples: | ||
2949 | |||
2950 | Running the default audit program: | ||
2951 | .br | ||
2952 | $ firejail --audit transmission-gtk | ||
2953 | |||
2954 | Running a custom audit program: | ||
2955 | .br | ||
2956 | $ firejail --audit=~/sandbox-test transmission-gtk | ||
2957 | |||
2958 | In the examples above, the sandbox configures transmission-gtk profile and | ||
2959 | starts the test program. The real program, transmission-gtk, will not be | ||
2960 | started. | ||
2961 | |||
2962 | You can also audit a specific profile without specifying a program. | ||
2963 | .br | ||
2964 | $ firejail --audit --profile=/etc/firejail/zoom.profile | ||
2965 | |||
2966 | Limitations: audit feature is not implemented for --x11 commands. | ||
2967 | |||
2968 | .SH DESKTOP INTEGRATION | 2969 | .SH DESKTOP INTEGRATION |
2969 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 2970 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
2970 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 2971 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
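Review bot: deleting the whole AUDIT section (old lines 2944-2967) removes the only text describing how to point out gaps in a security profile, and nothing in this commit replaces it or points to an alternative. If the feature is being dropped, a line saying so and what to use instead would save users from searching for it. Also check the rest of firejail.txt for remaining "see \fBAUDIT\fR section" references; this diff removes the two under \-\-audit, but any others would now dangle.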