1 files changed, 32 insertions, 31 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 9e89d4e79..68deb85ec 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
 firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
+#ifdef HAVE_LTS
+This is Firejail long-term support (LTS), an enterprise focused version of the software,
+LTS is usually supported for two or three years.
+During this time  only bugs and the occasional documentation problems are fixed.
+The attack surface of the SUID executable was greatly reduced by removing some of the features.
+.br
+.br
+#endif
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
 restricting the running environment of untrusted applications using Linux
 namespaces, seccomp-bpf and Linux capabilities.
@@ -146,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
 #endif
 .TP
-\fB\-\-audit
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
-\fB\-\-audit=test-program
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -1105,6 +1108,26 @@ Example:
 $ firejail \-\-machine-id
 .TP
+\fB\-\-mkdir=dirname
+Create a directory in user home. Parent directories are created as needed.
+.br
+.br
+Example:
+.br
+$ firejail --mkdir=~/work/project
+.TP
+\fB\-\-mkfile=filename
+Create an empty file in user home.
+.br
+.br
+Example:
+.br
+$ firejail --mkfile=~/work/project/readme
+.TP
 \fB\-\-memory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
@@ -1622,6 +1645,7 @@ Disable video devices.
 \fB\-\-nowhitelist=dirname_or_filename
 Disable whitelist for this directory or file.
+#ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
 stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
@@ -1652,6 +1676,7 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-output-stderr=logfile
 Similar to \-\-output, but stderr is also stored.
+#endif
 #ifdef HAVE_OVERLAYFS
 .TP
@@ -2451,7 +2476,7 @@ $ firejail --seccomp.print=browser
 $
 .TP
-\fB\-\-seccomp-error-action= kill | ERRNO
+\fB\-\-seccomp-error-action= kill | ERRNO | log
 By default, if a seccomp filter blocks a system call, the process gets
 EPERM as the error. With \-\-seccomp-error-action=error, another error
 number can be returned, for example ENOSYS or EACCES. The process can
@@ -2941,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
-.SH AUDIT
-Audit feature allows the user to point out gaps in security profiles. The
-implementation replaces the program to be sandboxed with a test program. By
-default, we use faudit program distributed with Firejail. A custom test program
-can also be supplied by the user. Examples:
-Running the default audit program:
-.br
-        $ firejail --audit transmission-gtk
-Running a custom audit program:
-.br
-        $ firejail --audit=~/sandbox-test transmission-gtk
-In the examples above, the sandbox configures transmission-gtk profile and
-starts the test program. The real program, transmission-gtk, will not be
-started.
-You can also audit a specific profile without specifying a program.
-.br
-        $ firejail --audit --profile=/etc/firejail/zoom.profile
-Limitations: audit feature is not implemented for --x11 commands.
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 9e89d4e79..68deb85ec 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
42	firejail {\-? \| \-\-debug-caps \| \-\-debug-errnos \| \-\-debug-syscalls \| \-\-debug-syscalls32 \| \-\-debug-protocols \| \-\-help \| \-\-version}	42	firejail {\-? \| \-\-debug-caps \| \-\-debug-errnos \| \-\-debug-syscalls \| \-\-debug-syscalls32 \| \-\-debug-protocols \| \-\-help \| \-\-version}
43	.RE	43	.RE
44	.SH DESCRIPTION	44	.SH DESCRIPTION
		45	#ifdef HAVE_LTS
		46	This is Firejail long-term support (LTS), an enterprise focused version of the software,
		47	LTS is usually supported for two or three years.
		48	During this time only bugs and the occasional documentation problems are fixed.
		49	The attack surface of the SUID executable was greatly reduced by removing some of the features.
		50	.br
		51
		52	.br
		53	#endif
45	Firejail is a SUID sandbox program that reduces the risk of security breaches by	54	Firejail is a SUID sandbox program that reduces the risk of security breaches by
46	restricting the running environment of untrusted applications using Linux	55	restricting the running environment of untrusted applications using Linux
47	namespaces, seccomp-bpf and Linux capabilities.	56	namespaces, seccomp-bpf and Linux capabilities.
@@ -146,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
146	$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage	155	$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
147	#endif	156	#endif
148	.TP	157	.TP
149	\fB\-\-audit
150	Audit the sandbox, see \fBAUDIT\fR section for more details.
151	.TP
152	\fB\-\-audit=test-program
153	Audit the sandbox, see \fBAUDIT\fR section for more details.
154	.TP
155	\fB\-\-bandwidth=name\|pid	158	\fB\-\-bandwidth=name\|pid
156	Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.	159	Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
157	.TP	160	.TP
@@ -1105,6 +1108,26 @@ Example:
1105	$ firejail \-\-machine-id	1108	$ firejail \-\-machine-id
1106		1109
1107	.TP	1110	.TP
		1111	\fB\-\-mkdir=dirname
		1112	Create a directory in user home. Parent directories are created as needed.
		1113	.br
		1114
		1115	.br
		1116	Example:
		1117	.br
		1118	$ firejail --mkdir=~/work/project
		1119
		1120	.TP
		1121	\fB\-\-mkfile=filename
		1122	Create an empty file in user home.
		1123	.br
		1124
		1125	.br
		1126	Example:
		1127	.br
		1128	$ firejail --mkfile=~/work/project/readme
		1129
		1130	.TP
1108	\fB\-\-memory-deny-write-execute	1131	\fB\-\-memory-deny-write-execute
1109	Install a seccomp filter to block attempts to create memory mappings	1132	Install a seccomp filter to block attempts to create memory mappings
1110	that are both writable and executable, to change mappings to be	1133	that are both writable and executable, to change mappings to be
@@ -1622,6 +1645,7 @@ Disable video devices.
1622	\fB\-\-nowhitelist=dirname_or_filename	1645	\fB\-\-nowhitelist=dirname_or_filename
1623	Disable whitelist for this directory or file.	1646	Disable whitelist for this directory or file.
1624		1647
		1648	#ifdef HAVE_OUTPUT
1625	.TP	1649	.TP
1626	\fB\-\-output=logfile	1650	\fB\-\-output=logfile
1627	stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log	1651	stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
@@ -1652,6 +1676,7 @@ $ ls -l sandboxlog*
1652	.TP	1676	.TP
1653	\fB\-\-output-stderr=logfile	1677	\fB\-\-output-stderr=logfile
1654	Similar to \-\-output, but stderr is also stored.	1678	Similar to \-\-output, but stderr is also stored.
		1679	#endif
1655		1680
1656	#ifdef HAVE_OVERLAYFS	1681	#ifdef HAVE_OVERLAYFS
1657	.TP	1682	.TP
@@ -2451,7 +2476,7 @@ $ firejail --seccomp.print=browser
2451	$	2476	$
2452		2477
2453	.TP	2478	.TP
2454	\fB\-\-seccomp-error-action= kill \| ERRNO	2479	\fB\-\-seccomp-error-action= kill \| ERRNO \| log
2455	By default, if a seccomp filter blocks a system call, the process gets	2480	By default, if a seccomp filter blocks a system call, the process gets
2456	EPERM as the error. With \-\-seccomp-error-action=error, another error	2481	EPERM as the error. With \-\-seccomp-error-action=error, another error
2457	number can be returned, for example ENOSYS or EACCES. The process can	2482	number can be returned, for example ENOSYS or EACCES. The process can
@@ -2941,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features
2941	$ firejail --apparmor firefox	2966	$ firejail --apparmor firefox
2942	#endif	2967	#endif
2943		2968
2944	.SH AUDIT
2945	Audit feature allows the user to point out gaps in security profiles. The
2946	implementation replaces the program to be sandboxed with a test program. By
2947	default, we use faudit program distributed with Firejail. A custom test program
2948	can also be supplied by the user. Examples:
2949
2950	Running the default audit program:
2951	.br
2952	$ firejail --audit transmission-gtk
2953
2954	Running a custom audit program:
2955	.br
2956	$ firejail --audit=~/sandbox-test transmission-gtk
2957
2958	In the examples above, the sandbox configures transmission-gtk profile and
2959	starts the test program. The real program, transmission-gtk, will not be
2960	started.
2961
2962	You can also audit a specific profile without specifying a program.
2963	.br
2964	$ firejail --audit --profile=/etc/firejail/zoom.profile
2965
2966	Limitations: audit feature is not implemented for --x11 commands.
2967
2968	.SH DESKTOP INTEGRATION	2969	.SH DESKTOP INTEGRATION
2969	A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.	2970	A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
2970	The symbolic link should be placed in the first $PATH position. On most systems, a good place	2971	The symbolic link should be placed in the first $PATH position. On most systems, a good place