Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 67 |
1 files changed, 64 insertions, 3 deletions
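diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 60c21cbc1..f978661dc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox.
+Allow tools such as strace and gdb inside the sandbox. This option is only available
+when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+bypass of the seccomp filter.
 .br
 
 .br
@@ -190,7 +192,7 @@ Define a custom blacklist Linux capabilities filter.
 .br
 Example:
 .br
-$ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw
+$ firejail \-\-caps.drop=net_broadcast,net_admin,net_raw
 
 .TP
 \fB\-\-caps.keep=capability,capability,capability
@@ -451,6 +453,39 @@ $ firejail \-\-fs.print=3272
 \fB\-\-get=name|pid filename
 Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
 
+
+.TP
+\fB\-\-git-install
+Download, compile and install mainline git version of Firejail from the official repository on GitHub.
+The software is installed in /usr/local/bin, and takes precedence over the (old) version
+installed in /usr/bin. If for any reason the new version doesn't work, the user can uninstall it
+using \-\-git-uninstall command and revert to the old version.
+.br
+
+.br
+Prerequisites: git and compile support are required for this command to work. On Debian/Ubuntu
+systems this support is installed using "sudo apt-get install build-essential git".
+.br
+
+.br
+Example:
+.br
+
+.br
+$ firejail \-\-git-install
+
+.TP
+\fB\-\-git-uninstall
+Remove the Firejail version previously installed in /usr/local/bin using \-\-git-install command.
+.br
+
+.br
+Example:
+.br
+
+.br
+$ firejail \-\-git-uninstall
+
 .TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
@@ -467,6 +502,16 @@ Example:
 $ firejail \-\-hostname=officepc firefox
 
 .TP
+\fB\-\-hosts-file=file
+Use file as /etc/hosts.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-hosts-file=~/myhosts firefox
+
+.TP
 \fB\-\-ignore=command
 Ignore command in profile file.
 .br
@@ -676,7 +721,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 
 .TP
 \fB\-\-machine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 .br
 
 .br
@@ -759,6 +804,11 @@ Example:
 $ firejail \-\-net=none vlc
 
 .TP
+\fB\-\-netns=name
+Run the program in a named, persistent network namespace. These can
+be created and configured using "ip netns".
+
+.TP
 \fB\-\-netfilter
 Enable a default client network filter in the new network namespace.
 New network namespaces are created using \-\-net option. If a new network namespaces is not created,
@@ -1708,6 +1758,17 @@ Example:
 .br
 $ sudo firejail --writable-var
 
+.TP
+\fB\-\-writable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-var-log
+
 
 .TP
 \fB\-\-x11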