Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 78 |
1 files changed, 40 insertions, 38 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 38bb6a19e..de300d47b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -42,7 +42,7 @@ and it is integrated with Linux Control Groups. | |||
42 | .PP | 42 | .PP |
43 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version | 43 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version |
44 | or newer. | 44 | or newer. |
45 | It can sandbox any type of processes: servers, graphical applications, and even user login sessions. | 45 | It can sandbox any type of processes: servers, graphical applications, and even user login sessions. |
46 | .PP | 46 | .PP |
47 | Firejail allows the user to manage application security using security profiles. | 47 | Firejail allows the user to manage application security using security profiles. |
48 | Each profile defines a set of permissions for a specific application or group | 48 | Each profile defines a set of permissions for a specific application or group |
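Review bot: every line in this hunk renders identically on the old and new side, so the change is invisible in the rendered diff and appears to be whitespace-only; the same holds for every other hunk in this patch except the --novideo addition at 1070-1074 and the trailing-blank-line removal at the end of the file. Consider splitting the whitespace cleanup into its own commit so the documentation change for the new option can be reviewed on its own, and say in the commit message what the cleanup is (trailing whitespace, for instance), since the diff cannot show it. While line 45 is being touched, "any type of processes" would read better as "any type of process".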
@@ -52,13 +52,13 @@ Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | |||
52 | .SH USAGE | 52 | .SH USAGE |
53 | Without any options, the sandbox consists of a filesystem build in a new mount namespace, | 53 | Without any options, the sandbox consists of a filesystem build in a new mount namespace, |
54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the | 54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the |
55 | command line options. The default Firejail filesystem is based on the host filesystem with the main | 55 | command line options. The default Firejail filesystem is based on the host filesystem with the main |
56 | system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, | 56 | system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, |
57 | /libx32 and /lib64. Only /home and /tmp are writable. | 57 | /libx32 and /lib64. Only /home and /tmp are writable. |
58 | .PP | 58 | .PP |
59 | As it starts up, Firejail tries to find a security profile based on the name of the application. | 59 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
60 | If an appropriate profile is not found, Firejail will use a default profile. | 60 | If an appropriate profile is not found, Firejail will use a default profile. |
61 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 61 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
62 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. | 62 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
63 | .PP | 63 | .PP |
64 | If a program argument is not specified, Firejail starts /bin/bash shell. | 64 | If a program argument is not specified, Firejail starts /bin/bash shell. |
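Review bot: line 53/53 still reads "a filesystem build in a new mount namespace"; since the line is touched anyway, fix it to "a filesystem built in a new mount namespace". Line 61/61 also writes "use --noprofile option" with plain hyphens, whereas the option entries elsewhere on the page use the "\-\-" escape (for example "\fB\-\-noprofile" at line 1000); use "\-\-noprofile" here as well so the rendered text matches what the user has to type.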
@@ -657,7 +657,7 @@ $ sudo firejail --join-network=browser ip addr | |||
657 | .br | 657 | .br |
658 | Switching to pid 1932, the first child process inside the sandbox | 658 | Switching to pid 1932, the first child process inside the sandbox |
659 | .br | 659 | .br |
660 | 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default | 660 | 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default |
661 | .br | 661 | .br |
662 | link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | 662 | link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 |
663 | .br | 663 | .br |
@@ -665,11 +665,11 @@ Switching to pid 1932, the first child process inside the sandbox | |||
665 | .br | 665 | .br |
666 | valid_lft forever preferred_lft forever | 666 | valid_lft forever preferred_lft forever |
667 | .br | 667 | .br |
668 | inet6 ::1/128 scope host | 668 | inet6 ::1/128 scope host |
669 | .br | 669 | .br |
670 | valid_lft forever preferred_lft forever | 670 | valid_lft forever preferred_lft forever |
671 | .br | 671 | .br |
672 | 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default | 672 | 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default |
673 | .br | 673 | .br |
674 | link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff | 674 | link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff |
675 | .br | 675 | .br |
@@ -677,7 +677,7 @@ Switching to pid 1932, the first child process inside the sandbox | |||
677 | .br | 677 | .br |
678 | valid_lft forever preferred_lft forever | 678 | valid_lft forever preferred_lft forever |
679 | .br | 679 | .br |
680 | inet6 fe80::7458:14ff:fe42:78e4/64 scope link | 680 | inet6 fe80::7458:14ff:fe42:78e4/64 scope link |
681 | .br | 681 | .br |
682 | valid_lft forever preferred_lft forever | 682 | valid_lft forever preferred_lft forever |
683 | 683 | ||
@@ -702,13 +702,13 @@ Example: | |||
702 | .br | 702 | .br |
703 | $ firejail \-\-list | 703 | $ firejail \-\-list |
704 | .br | 704 | .br |
705 | 7015:netblue:firejail firefox | 705 | 7015:netblue:firejail firefox |
706 | .br | 706 | .br |
707 | 7056:netblue:firejail \-\-net=eth0 transmission-gtk | 707 | 7056:netblue:firejail \-\-net=eth0 transmission-gtk |
708 | .br | 708 | .br |
709 | 7064:netblue:firejail \-\-noroot xterm | 709 | 7064:netblue:firejail \-\-noroot xterm |
710 | .br | 710 | .br |
711 | $ | 711 | $ |
712 | .TP | 712 | .TP |
713 | \fB\-\-mac=address | 713 | \fB\-\-mac=address |
714 | Assign MAC addresses to the last network interface defined by a \-\-net option. | 714 | Assign MAC addresses to the last network interface defined by a \-\-net option. |
@@ -998,7 +998,7 @@ $ | |||
998 | 998 | ||
999 | .TP | 999 | .TP |
1000 | \fB\-\-noprofile | 1000 | \fB\-\-noprofile |
1001 | Do not use a security profile. | 1001 | Do not use a security profile. |
1002 | .br | 1002 | .br |
1003 | 1003 | ||
1004 | .br | 1004 | .br |
@@ -1012,7 +1012,7 @@ Parent pid 8553, child pid 8554 | |||
1012 | .br | 1012 | .br |
1013 | Child process initialized | 1013 | Child process initialized |
1014 | .br | 1014 | .br |
1015 | [...] | 1015 | [...] |
1016 | .br | 1016 | .br |
1017 | 1017 | ||
1018 | .br | 1018 | .br |
@@ -1067,6 +1067,11 @@ Example: | |||
1067 | $ firejail \-\-nosound firefox | 1067 | $ firejail \-\-nosound firefox |
1068 | 1068 | ||
1069 | .TP | 1069 | .TP |
1070 | \fB\-\-novideo | ||
1071 | Disable video devices. | ||
1072 | .br | ||
1073 | |||
1074 | .TP | ||
1070 | \fB\-\-nowhitelist=dirname_or_filename | 1075 | \fB\-\-nowhitelist=dirname_or_filename |
1071 | Disable whitelist for this directory or file. | 1076 | Disable whitelist for this directory or file. |
1072 | 1077 | ||
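Review bot: the new --novideo entry at 1070-1074 has no Example block, unlike the neighbouring --nosound entry (line 1067: "$ firejail \-\-nosound firefox"); add one in the same form, ".br" / "Example:" / ".br" / "$ firejail \-\-novideo firefox", keeping the "\-\-" escaping used by the rest of the page. "Disable video devices." is also terser than the surrounding entries; stating which device nodes the option affects and whether it is meant to be combined with --nosound would make the pair easier to use, since the two options sit next to each other and read as a pair.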
@@ -1200,7 +1205,7 @@ $ firejail \-\-private-home=.mozilla firefox | |||
1200 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 1205 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
1201 | If no listed file is found, /bin directory will be empty. | 1206 | If no listed file is found, /bin directory will be empty. |
1202 | The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. | 1207 | The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. |
1203 | All modifications are discarded when the sandbox is closed. | 1208 | All modifications are discarded when the sandbox is closed. |
1204 | .br | 1209 | .br |
1205 | 1210 | ||
1206 | .br | 1211 | .br |
@@ -1240,7 +1245,7 @@ $ | |||
1240 | Build a new /etc in a temporary | 1245 | Build a new /etc in a temporary |
1241 | filesystem, and copy the files and directories in the list. | 1246 | filesystem, and copy the files and directories in the list. |
1242 | If no listed file is found, /etc directory will be empty. | 1247 | If no listed file is found, /etc directory will be empty. |
1243 | All modifications are discarded when the sandbox is closed. | 1248 | All modifications are discarded when the sandbox is closed. |
1244 | .br | 1249 | .br |
1245 | 1250 | ||
1246 | .br | 1251 | .br |
@@ -1255,7 +1260,7 @@ nsswitch.conf,passwd,resolv.conf | |||
1255 | Build a new /opt in a temporary | 1260 | Build a new /opt in a temporary |
1256 | filesystem, and copy the files and directories in the list. | 1261 | filesystem, and copy the files and directories in the list. |
1257 | If no listed file is found, /opt directory will be empty. | 1262 | If no listed file is found, /opt directory will be empty. |
1258 | All modifications are discarded when the sandbox is closed. | 1263 | All modifications are discarded when the sandbox is closed. |
1259 | .br | 1264 | .br |
1260 | 1265 | ||
1261 | .br | 1266 | .br |
@@ -1268,7 +1273,7 @@ $ firejail --private-opt=firefox /opt/firefox/firefox | |||
1268 | Build a new /srv in a temporary | 1273 | Build a new /srv in a temporary |
1269 | filesystem, and copy the files and directories in the list. | 1274 | filesystem, and copy the files and directories in the list. |
1270 | If no listed file is found, /srv directory will be empty. | 1275 | If no listed file is found, /srv directory will be empty. |
1271 | All modifications are discarded when the sandbox is closed. | 1276 | All modifications are discarded when the sandbox is closed. |
1272 | .br | 1277 | .br |
1273 | 1278 | ||
1274 | .br | 1279 | .br |
@@ -1573,7 +1578,7 @@ SECCOMP Filter: | |||
1573 | .br | 1578 | .br |
1574 | RETURN_ALLOW | 1579 | RETURN_ALLOW |
1575 | .br | 1580 | .br |
1576 | $ | 1581 | $ |
1577 | .TP | 1582 | .TP |
1578 | \fB\-\-shell=none | 1583 | \fB\-\-shell=none |
1579 | Run the program directly, without a user shell. | 1584 | Run the program directly, without a user shell. |
@@ -1665,7 +1670,7 @@ parent is shutting down, bye... | |||
1665 | .TP | 1670 | .TP |
1666 | \fB\-\-tracelog | 1671 | \fB\-\-tracelog |
1667 | This option enables auditing blacklisted files and directories. A message | 1672 | This option enables auditing blacklisted files and directories. A message |
1668 | is sent to syslog in case the file or the directory is accessed. | 1673 | is sent to syslog in case the file or the directory is accessed. |
1669 | .br | 1674 | .br |
1670 | 1675 | ||
1671 | .br | 1676 | .br |
@@ -1698,13 +1703,13 @@ $ firejail \-\-tree | |||
1698 | .br | 1703 | .br |
1699 | 11903:netblue:firejail iceweasel | 1704 | 11903:netblue:firejail iceweasel |
1700 | .br | 1705 | .br |
1701 | 11904:netblue:iceweasel | 1706 | 11904:netblue:iceweasel |
1702 | .br | 1707 | .br |
1703 | 11957:netblue:/usr/lib/iceweasel/plugin-container | 1708 | 11957:netblue:/usr/lib/iceweasel/plugin-container |
1704 | .br | 1709 | .br |
1705 | 11969:netblue:firejail \-\-net=eth0 transmission-gtk | 1710 | 11969:netblue:firejail \-\-net=eth0 transmission-gtk |
1706 | .br | 1711 | .br |
1707 | 11970:netblue:transmission-gtk | 1712 | 11970:netblue:transmission-gtk |
1708 | 1713 | ||
1709 | .TP | 1714 | .TP |
1710 | \fB\-\-version | 1715 | \fB\-\-version |
@@ -1720,7 +1725,7 @@ firejail version 0.9.27 | |||
1720 | 1725 | ||
1721 | .TP | 1726 | .TP |
1722 | \fB\-\-veth-name=name | 1727 | \fB\-\-veth-name=name |
1723 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, | 1728 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, |
1724 | instead of the default one. | 1729 | instead of the default one. |
1725 | .br | 1730 | .br |
1726 | 1731 | ||
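Review bot: line 1723/1728 writes "--net=bridge_interface" with plain hyphens while the option name on the line above and the rest of the page use "\-\-"; in groff an unescaped "-" may be typeset as a hyphen rather than a minus sign, so the rendered text can differ from what the user must type. Change it to "\-\-net=bridge_interface"; the example in the hunk header ("$ firejail \-\-net=br0 --veth-name=if0") mixes both forms and has the same problem in its second option.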
@@ -1733,7 +1738,7 @@ $ firejail \-\-net=br0 --veth-name=if0 | |||
1733 | \fB\-\-whitelist=dirname_or_filename | 1738 | \fB\-\-whitelist=dirname_or_filename |
1734 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | 1739 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the |
1735 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | 1740 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, |
1736 | everything else is discarded when the sandbox is closed. The top directory could be | 1741 | everything else is discarded when the sandbox is closed. The top directory could be |
1737 | user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. | 1742 | user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. |
1738 | .br | 1743 | .br |
1739 | 1744 | ||
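Review bot: line 1735/1740 says the whitelisted files are "mount-binded", while the --private-bin text in this same patch (line 1202/1207) says "bind-mounted"; use "bind-mounted" here for consistency. The sentence "The top directory could be user home, /dev, ..." on lines 1736-1737 would also be clearer as "The top directory can be the user home, /dev, ...", since it lists what is allowed rather than what is possible.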
@@ -1789,7 +1794,7 @@ Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. | |||
1789 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing | 1794 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing |
1790 | clients running outside the sandbox. | 1795 | clients running outside the sandbox. |
1791 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | 1796 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. |
1792 | If all fails, Firejail will not attempt to use Xvfb or X11 security extension. | 1797 | If all fails, Firejail will not attempt to use Xvfb or X11 security extension. |
1793 | .br | 1798 | .br |
1794 | 1799 | ||
1795 | .br | 1800 | .br |
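Review bot: line 1789/1794 still reads "The sandbox will prevents"; fix to "will prevent" while the line is being touched. The following sentence, "If all fails, Firejail will not attempt to use Xvfb or X11 security extension", reads as contradicting the hunk header ("Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension"); if that is the intended behaviour, say explicitly that only Xpra and Xephyr are tried automatically and that the other two backends have to be requested with their own --x11=xvfb and --x11=xorg forms, which are documented further down the page.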
@@ -1828,7 +1833,7 @@ A security profile for OpenBox is provided. | |||
1828 | 1833 | ||
1829 | .br | 1834 | .br |
1830 | Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | 1835 | Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. |
1831 | This feature is not available when running as root. | 1836 | This feature is not available when running as root. |
1832 | .br | 1837 | .br |
1833 | 1838 | ||
1834 | .br | 1839 | .br |
@@ -1838,9 +1843,9 @@ $ firejail \-\-x11=xephyr --net=eth0 openbox | |||
1838 | 1843 | ||
1839 | .TP | 1844 | .TP |
1840 | \fB\-\-x11=xorg | 1845 | \fB\-\-x11=xorg |
1841 | Sandbox the application using the untrusted mode implemented by X11 security extension. | 1846 | Sandbox the application using the untrusted mode implemented by X11 security extension. |
1842 | The extension is available in Xorg package | 1847 | The extension is available in Xorg package |
1843 | and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted | 1848 | and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted |
1844 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | 1849 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window |
1845 | contents of other clients, stealing input events, etc. | 1850 | contents of other clients, stealing input events, etc. |
1846 | 1851 | ||
@@ -1875,9 +1880,9 @@ $ firejail \-\-x11=xpra --net=eth0 firefox | |||
1875 | 1880 | ||
1876 | .TP | 1881 | .TP |
1877 | \fB\-\-x11=xvfb | 1882 | \fB\-\-x11=xvfb |
1878 | Start Xvfb X11 server and attach the sandbox to this server. | 1883 | Start Xvfb X11 server and attach the sandbox to this server. |
1879 | Xvfb, short for X virtual framebuffer, performs all graphical operations in memory | 1884 | Xvfb, short for X virtual framebuffer, performs all graphical operations in memory |
1880 | without showing any screen output. Xvfb is mainly used for remote access and software | 1885 | without showing any screen output. Xvfb is mainly used for remote access and software |
1881 | testing on headless servers. | 1886 | testing on headless servers. |
1882 | .br | 1887 | .br |
1883 | 1888 | ||
@@ -1992,7 +1997,7 @@ $ firejail --tree | |||
1992 | .br | 1997 | .br |
1993 | 1190:netblue:firejail firefox | 1998 | 1190:netblue:firejail firefox |
1994 | .br | 1999 | .br |
1995 | 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox" | 2000 | 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox" |
1996 | .br | 2001 | .br |
1997 | 1221:netblue:/usr/lib/firefox/firefox | 2002 | 1221:netblue:/usr/lib/firefox/firefox |
1998 | .RE | 2003 | .RE |
@@ -2246,7 +2251,7 @@ Parent pid 8553, child pid 8554 | |||
2246 | .br | 2251 | .br |
2247 | Child process initialized | 2252 | Child process initialized |
2248 | .br | 2253 | .br |
2249 | [...] | 2254 | [...] |
2250 | .br | 2255 | .br |
2251 | 2256 | ||
2252 | .br | 2257 | .br |
@@ -2260,7 +2265,7 @@ Child process initialized | |||
2260 | .RE | 2265 | .RE |
2261 | 2266 | ||
2262 | See man 5 firejail-profile for profile file syntax information. | 2267 | See man 5 firejail-profile for profile file syntax information. |
2263 | 2268 | ||
2264 | .SH RESTRICTED SHELL | 2269 | .SH RESTRICTED SHELL |
2265 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 2270 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
2266 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 2271 | /etc/passwd file for each user that needs to be restricted. Alternatively, |
@@ -2307,6 +2312,3 @@ Homepage: http://firejail.wordpress.com | |||
2307 | \&\flfirecfg\fR\|(1), | 2312 | \&\flfirecfg\fR\|(1), |
2308 | \&\flfirejail-profile\fR\|(5), | 2313 | \&\flfirejail-profile\fR\|(5), |
2309 | \&\flfirejail-login\fR\|(5) | 2314 | \&\flfirejail-login\fR\|(5) |
2310 | |||
2311 | |||
2312 | |||