Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 49 |
1 files changed, 34 insertions, 15 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e5020e37e..6068c9ff4 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1224,6 +1224,14 @@ Example: | |||
1224 | $ firejail --keep-fd=3,4,5 | 1224 | $ firejail --keep-fd=3,4,5 |
1225 | 1225 | ||
1226 | .TP | 1226 | .TP |
1227 | \fB\-\-keep-shell-rc | ||
1228 | By default, when using a private home directory, firejail copies files from the | ||
1229 | system's user home template (/etc/skel) into it, which overrides attempts to | ||
1230 | whitelist the original files (such as ~/.bashrc and ~/.zshrc). | ||
1231 | This option disables this feature, and enables the user to whitelist the | ||
1232 | original files. | ||
1233 | |||
1234 | .TP | ||
1227 | \fB\-\-keep-var-tmp | 1235 | \fB\-\-keep-var-tmp |
1228 | /var/tmp directory is untouched. | 1236 | /var/tmp directory is untouched. |
1229 | .br | 1237 | .br |
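Review bot: The description of \-\-keep-shell-rc (new lines 1228-1232) never says which files the /etc/skel copy produces or whether the option suppresses the whole skeleton copy or only the shell rc files, so a reader cannot tell what "this feature" and "the original files" refer to beyond the two parenthetical examples; state explicitly that the copied skeleton files are the shell startup files that would shadow the user's own ~/.bashrc and ~/.zshrc, and that the option skips that copy so a \-\-whitelist of those paths takes effect. The entry also lacks the "Example:" block that the neighbouring options carry (see \-\-keep-fd directly above, "Example:" / ".br" / "$ firejail --keep-fd=3,4,5"); add one showing the option combined with a private home and a whitelist of a shell rc file so the interaction the paragraph describes is concrete.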
@@ -1330,6 +1338,7 @@ $ firejail \-\-net=eth0 \-\-mtu=1492 | |||
1330 | \fB\-\-name=name | 1338 | \fB\-\-name=name |
1331 | Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use | 1339 | Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use |
1332 | this name to identify a sandbox. | 1340 | this name to identify a sandbox. |
1341 | The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join. | ||
1333 | 1342 | ||
1334 | In case the name supplied by the user is already in use by another sandbox, Firejail will assign a | 1343 | In case the name supplied by the user is already in use by another sandbox, Firejail will assign a |
1335 | new name as "name-PID", where PID is the process ID of the sandbox. This functionality | 1344 | new name as "name-PID", where PID is the process ID of the sandbox. This functionality |
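Review bot: "The name cannot contain only digits" (new line 1341) reads as if digits were forbidden anywhere in the name; the intended rule is that the name must not consist solely of digits, so rephrase along the lines of "The name must not consist of digits only, because such a value is interpreted as a PID by options such as \-\-join." The sentence should also say what happens when an all-digit name is passed (rejected with an error at startup, or accepted and then misread by \-\-join and \-\-shutdown), since the two behaviours have very different consequences for scripts that pick names automatically. Finally, the new sentence is appended to the previous paragraph without a ".br" or a blank line, unlike the surrounding text, which separates statements that way; match that layout.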
@@ -2127,22 +2136,32 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 | |||
2127 | .br | 2136 | .br |
2128 | $ | 2137 | $ |
2129 | .TP | 2138 | .TP |
2130 | \fB\-\-private-etc=file,directory | 2139 | \fB\-\-private-etc, \-\-private-etc=file,directory,@group |
2131 | Build a new /etc in a temporary | 2140 | The files installed by \-\-private-etc are copies of the original system files from /etc directory. |
2132 | filesystem, and copy the files and directories in the list. | 2141 | By default, the command brings in a skeleton of files and directories used by most console tools: |
2133 | The files and directories in the list must be expressed as relative to | ||
2134 | the /etc directory (e.g., /etc/foo must be expressed as foo). | ||
2135 | If no listed file is found, /etc directory will be empty. | ||
2136 | All modifications are discarded when the sandbox is closed. | ||
2137 | Multiple private-etc commands are allowed and they accumulate. | ||
2138 | .br | ||
2139 | 2142 | ||
2140 | .br | 2143 | $ firejail --private-etc dig debian.org |
2141 | Example: | 2144 | |
2142 | .br | 2145 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameter. Example: |
2143 | $ firejail --private-etc=group,hostname,localtime, \\ | 2146 | |
2144 | .br | 2147 | $ firejail --private-etc=@x11,gcrypt,python* gimp |
2145 | nsswitch.conf,passwd,resolv.conf | 2148 | |
2149 | gcrypt and /etc/python* directories are not part of the generic @x11 group. | ||
2150 | File globbing is supported. | ||
2151 | |||
2152 | For games, add @games group: | ||
2153 | |||
2154 | $ firejail --private-etc=@games,@x11 warzone2100 | ||
2155 | |||
2156 | Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified. | ||
2157 | Files for encrypted TLS/SSL protocol are in @tls-ca group. | ||
2158 | |||
2159 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org | ||
2160 | |||
2161 | |||
2162 | Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: | ||
2163 | |||
2164 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc | ||
2146 | #ifdef HAVE_PRIVATE_HOME | 2165 | #ifdef HAVE_PRIVATE_HOME |
2147 | .TP | 2166 | .TP |
2148 | \fB\-\-private-home=file,directory | 2167 | \fB\-\-private-home=file,directory |
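Review bot: The rewrite of \-\-private-etc drops four semantics that the removed lines 2133-2137 documented and the new text nowhere restates: that names are given relative to /etc ("/etc/foo must be expressed as foo"), that a list matching nothing yields an empty /etc, that all modifications are discarded when the sandbox is closed, and that multiple \-\-private-etc options accumulate; readers relying on the old man page will lose that information, so carry those sentences over into the new entry. The new synopsis "\-\-private-etc, \-\-private-etc=file,directory,@group" introduces the argument-less form and the @group notation, but the only groups described are @x11, @games and @tls-ca and the sentence "Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified" does not say whether those are groups too or part of the default skeleton; list the available groups, or point at where the full list lives. Formatting: the example lines (2143, 2147, 2154, 2159, 2164) are separated by blank lines instead of the ".br" used by every other example in this file, including the removed lines 2143-2145, and there is a doubled blank line at 2160-2161; keep the file's ".br" convention. Two caveats worth a sentence each: the glob in "--private-etc=@x11,gcrypt,python*" is also a shell glob, so in shells that error on an unmatched pattern (zsh by default) it needs quoting, and the strace pipeline "grep open | grep etc" will also print unrelated lines that merely contain the substring "etc"; restricting the filter to the /etc/ path (for example "grep -F '/etc/'") gives a cleaner list.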