path: root/src/man/firejail.txt
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- src/man/firejail.txt | 49
1 files changed, 34 insertions, 15 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e5020e37e..6068c9ff4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1224,6 +1224,14 @@ Example:
1224$ firejail --keep-fd=3,4,5 1224$ firejail --keep-fd=3,4,5
1225 1225
1226.TP 1226.TP
1227\fB\-\-keep-shell-rc
1228By default, when using a private home directory, firejail copies files from the
1229system's user home template (/etc/skel) into it, which overrides attempts to
1230whitelist the original files (such as ~/.bashrc and ~/.zshrc).
1231This option disables this feature, and enables the user to whitelist the
1232original files.
1233
1234.TP
1227\fB\-\-keep-var-tmp 1235\fB\-\-keep-var-tmp
1228/var/tmp directory is untouched. 1236/var/tmp directory is untouched.
1229.br 1237.br
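Review bot: "This option disables this feature" in the new \-\-keep-shell-rc entry is ambiguous after a sentence that mentions two things (copying /etc/skel and overriding whitelists); say explicitly that the option skips the copy from /etc/skel, e.g. "With this option, firejail does not copy /etc/skel into the private home, so whitelisted shell rc files (~/.bashrc, ~/.zshrc) are preserved." The entry also lacks the Example block (".br" / "$ firejail ...") that the neighbouring options such as \-\-keep-fd carry; a one-line example combining \-\-private with \-\-keep-shell-rc and \-\-whitelist=~/.bashrc would show the intended usage.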
@@ -1330,6 +1338,7 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
1330\fB\-\-name=name 1338\fB\-\-name=name
1331Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use 1339Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
1332this name to identify a sandbox. 1340this name to identify a sandbox.
1341The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join.
1333 1342
1334In case the name supplied by the user is already in use by another sandbox, Firejail will assign a 1343In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
1335new name as "name-PID", where PID is the process ID of the sandbox. This functionality 1344new name as "name-PID", where PID is the process ID of the sandbox. This functionality
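Review bot: the added sentence at 1341 is a long run-on and breaks the wrapping width used by the surrounding lines of this man page source; rephrase and wrap it, e.g. "The name must not consist solely of digits: options such as \-\-join interpret an all-digit argument as a PID." It would also help to state what firejail does when such a name is supplied (rejected at startup, or silently accepted), since that is what a reader of this paragraph will want to know.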
@@ -2127,22 +2136,32 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0
2127.br 2136.br
2128$ 2137$
2129.TP 2138.TP
2130\fB\-\-private-etc=file,directory 2139\fB\-\-private-etc, \-\-private-etc=file,directory,@group
2131Build a new /etc in a temporary 2140The files installed by \-\-private-etc are copies of the original system files from /etc directory.
2132filesystem, and copy the files and directories in the list. 2141By default, the command brings in a skeleton of files and directories used by most console tools:
2133The files and directories in the list must be expressed as relative to
2134the /etc directory (e.g., /etc/foo must be expressed as foo).
2135If no listed file is found, /etc directory will be empty.
2136All modifications are discarded when the sandbox is closed.
2137Multiple private-etc commands are allowed and they accumulate.
2138.br
2139 2142
2140.br 2143$ firejail --private-etc dig debian.org
2141Example: 2144
2142.br 2145For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameter. Example:
2143$ firejail --private-etc=group,hostname,localtime, \\ 2146
2144.br 2147$ firejail --private-etc=@x11,gcrypt,python* gimp
2145nsswitch.conf,passwd,resolv.conf 2148
2149gcrypt and /etc/python* directories are not part of the generic @x11 group.
2150File globbing is supported.
2151
2152For games, add @games group:
2153
2154$ firejail --private-etc=@games,@x11 warzone2100
2155
2156Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
2157Files for encrypted TLS/SSL protocol are in @tls-ca group.
2158
2159$ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
2160
2161
2162Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility:
2163
2164$ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc
2146#ifdef HAVE_PRIVATE_HOME 2165#ifdef HAVE_PRIVATE_HOME
2147.TP 2166.TP
2148\fB\-\-private-home=file,directory 2167\fB\-\-private-home=file,directory
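Review bot: the rewrite of \-\-private-etc drops three statements from the old text that users depend on: that list entries are expressed relative to /etc (foo, not /etc/foo), that all modifications are discarded when the sandbox closes, and that multiple \-\-private-etc commands accumulate. If these behaviours are unchanged, keep them in the new text; if any changed, that is a behaviour change worth a line of its own. Smaller points: the heading now advertises "@group" but the body only mentions @x11, @games and @tls-ca in passing, so either list all supported groups or point to where they are enumerated; the "gcrypt and /etc/python* directories" sentence mixes a bare name with an absolute path, so use one form; and the double blank line at 2160-2161 produces an extra paragraph gap in the rendered page.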