Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 205 |
1 files changed, 46 insertions, 159 deletions
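diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 509461f0d..60c53378a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -161,8 +161,8 @@ make the whitelist read-only. Example:
 .br
 $ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
-\fB\-\-caps.print=name
-Print the caps filter for the sandbox identified by name.
+\fB\-\-caps.print=name|pid
+Print the caps filter for the sandbox identified by name or by PID.
 .br
 
 .br
@@ -170,13 +170,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-caps.print=mygame
-
-.TP
-\fB\-\-caps.print=pid
-Print the caps filter for a sandbox identified by PID.
 .br
 
 .br
@@ -221,6 +215,28 @@ Example:
 $ firejail \-\-cpu=0,1 handbrake
 
 .TP
+\fB\-\-cpu.print=name|pid
+Print the CPU cores in use by the sandbox identified by name or by PID.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+$ firejail \-\-cpu.print=mygame
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-cpu.print=3272
+
+.TP
 \fB\-\-csh
 Use /bin/csh as default user shell.
 .br
@@ -327,8 +343,8 @@ Example:
 $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
 
 .TP
-\fB\-\-dns.print=name
-Print DNS configuration for a sandbox identified by name.
+\fB\-\-dns.print=name|pid
+Print DNS configuration for a sandbox identified by name or by PID.
 .br
 
 .br
@@ -336,13 +352,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-dns.print=mygame
-
-.TP
-\fB\-\-dns.print=pid
-Print DNS configuration for a sandbox identified by PID.
 .br
 
 .br
@@ -372,8 +382,8 @@ There could be lots of reasons for it to fail, for example if the existing sandb
 admin capabilities, SUID binaries, or if it runs seccomp.
 
 .TP
-\fB\-\-fs.print=name
-Print the filesystem log for the sandbox identified by name.
+\fB\-\-fs.print=name|print
+Print the filesystem log for the sandbox identified by name or by PID.
 .br
 
 .br
@@ -381,13 +391,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-fs.print=mygame
-
-.TP
-\fB\-\-fs.print=pid
-Print the filesystem log for a sandbox identified by PID.
 .br
 
 .br
@@ -496,13 +500,12 @@ Example:
 .br
 $ firejail \-\-ipc-namespace firefox
 .TP
-\fB\-\-join=name
-Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+\fB\-\-join=name|pid
+Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
 all security filters are configured for the new process the same they are configured in the sandbox.
 If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
 to the process joining the sandbox.
-
 .br
 
 .br
@@ -510,18 +513,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-join=mygame
-
-
-.TP
-\fB\-\-join=pid
-Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
-all security filters are configured for the new process the same they are configured in the sandbox.
-If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
-to the process joining the sandbox.
 .br
 
 .br
@@ -534,19 +526,13 @@ $ firejail \-\-list
 $ firejail \-\-join=3272
 
 .TP
-\fB\-\-join-filesystem=name
-Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+\fB\-\-join-filesystem=name|pid
+Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
 
 .TP
-\fB\-\-join-filesystem=pid
-Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
-.TP
-\fB\-\-join-network=name
+\fB\-\-join-network=name|PID
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
@@ -602,19 +588,9 @@ Switching to pid 1932, the first child process inside the sandbox
 valid_lft forever preferred_lft forever
 
 .TP
-\fB\-\-join-network=pid
-Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
-
-
-.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
 
-\fB
-
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1119,8 +1095,8 @@ Example:
 .br
 $ firejail \-\-protocol=unix,inet,inet6 firefox
 .TP
-\fB\-\-protocol.print=name
-Print the protocol filter for the sandbox identified by name.
+\fB\-\-protocol.print=name|pid
+Print the protocol filter for the sandbox identified by name or PID.
 .br
 
 .br
@@ -1128,15 +1104,9 @@ Example:
 .br
 $ firejail \-\-name=mybrowser firefox &
 .br
-[...]
-.br
 $ firejail \-\-protocol.print=mybrowser
 .br
 unix,inet,inet6,netlink
-
-.TP
-\fB\-\-protocol.print=pid
-Print the protocol filter for a sandbox identified by PID.
 .br
 
 .br
@@ -1256,8 +1226,8 @@ $ rm testfile
 rm: cannot remove `testfile': Operation not permitted
 
 .TP
-\fB\-\-seccomp.print=name
-Print the seccomp filter for the sandbox started using \-\-name option.
+\fB\-\-seccomp.print=name|PID
+Print the seccomp filter for the sandbox identified by name or PID.
 .br
 
 .br
@@ -1321,72 +1291,6 @@ SECCOMP Filter:
 .br
 $
 .TP
-\fB\-\-seccomp.print=pid
-Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-list
-.br
-10786:netblue:firejail \-\-name=browser firefox
-$ firejail \-\-seccomp.print=10786
-.br
-SECCOMP Filter:
-.br
-VALIDATE_ARCHITECTURE
-.br
-EXAMINE_SYSCAL
-.br
-BLACKLIST 165 mount
-.br
-BLACKLIST 166 umount2
-.br
-BLACKLIST 101 ptrace
-.br
-BLACKLIST 246 kexec_load
-.br
-BLACKLIST 304 open_by_handle_at
-.br
-BLACKLIST 175 init_module
-.br
-BLACKLIST 176 delete_module
-.br
-BLACKLIST 172 iopl
-.br
-BLACKLIST 173 ioperm
-.br
-BLACKLIST 167 swapon
-.br
-BLACKLIST 168 swapoff
-.br
-BLACKLIST 103 syslog
-.br
-BLACKLIST 310 process_vm_readv
-.br
-BLACKLIST 311 process_vm_writev
-.br
-BLACKLIST 133 mknod
-.br
-BLACKLIST 139 sysfs
-.br
-BLACKLIST 156 _sysctl
-.br
-BLACKLIST 159 adjtimex
-.br
-BLACKLIST 305 clock_adjtime
-.br
-BLACKLIST 212 lookup_dcookie
-.br
-BLACKLIST 298 perf_event_open
-.br
-BLACKLIST 300 fanotify_init
-.br
-RETURN_ALLOW
-.br
-$
-.TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.
 .br
@@ -1407,8 +1311,8 @@ shell.
 Example:
 $firejail \-\-shell=/bin/dash script.sh
 .TP
-\fB\-\-shutdown=name
-Shutdown the sandbox started using \-\-name option.
+\fB\-\-shutdown=name|PID
+Shutdown the sandbox identified by name or PID.
 .br
 
 .br
@@ -1416,12 +1320,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-shutdown=mygame
-.TP
-\fB\-\-shutdown=pid
-Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
 .br
 
 .br
@@ -1682,25 +1581,13 @@ These features allow the user to inspect the filesystem container of an existing
 and transfer files from the container to the host filesystem.
 
 .TP
-\fB\-\-get=name filename
-Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name (\-\-name option). Full path is needed for filename.
-
-.TP
-\fB\-\-get=pid filename
+\fB\-\-get=name|pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is specified by process ID. Full path is needed for filename.
+The container is specified by name or PID. Full path is needed for filename.
 
 .TP
-\fB\-\-ls=name dir_or_filename
-List container files.
-The container is specified by name (\-\-name option).
-Full path is needed for dir_or_filename.
-
-.TP
-\fB\-\-ls=pid dir_or_filename
-List container files.
-The container is specified by process ID.
+\fB\-\-ls=name|pid dir_or_filename
+List container files. The container is specified by name or PID.
 Full path is needed for dir_or_filename.
 
 .TP
@@ -1739,15 +1626,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 
 Set rate-limits:
 
-firejail --bandwidth={name|pid} set network download upload
+firejail --bandwidth=name|pid set network download upload
 
 Clear rate-limits:
 
-firejail --bandwidth={name|pid} clear network
+firejail --bandwidth=name|pid clear network
 
 Status:
 
-firejail --bandwidth={name|pid} status
+firejail --bandwidth=name|pid status
 
 where:
 .br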
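Review bot: The new `--fs.print` heading in the hunk at `@@ -372,8 +382,8 @@` reads `\fB\-\-fs.print=name|print`, which looks like a typo for `name|pid` and contradicts the description line right under it ("identified by name or by PID"); it should be `\fB\-\-fs.print=name|pid` to match the other merged entries. The placeholder is also spelled inconsistently across the same commit: `--join-network=name|PID`, `--seccomp.print=name|PID` and `--shutdown=name|PID` use upper case while `--caps.print`, `--dns.print`, `--join`, `--join-filesystem`, `--protocol.print`, `--get` and `--ls` use `name|pid`, so a single spelling would help users scanning the synopsis. In the `--join-network` entry the heading now accepts `name|PID` but the unchanged description still says only "identified by name"; it should read "identified by name or PID" like the `--join-filesystem` entry above it.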