Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- src/man/firejail.txt 78
1 files changed, 40 insertions, 38 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 38bb6a19e..de300d47b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -42,7 +42,7 @@ and it is integrated with Linux Control Groups.
42.PP 42.PP
43Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version 43Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version
44or newer. 44or newer.
45It can sandbox any type of processes: servers, graphical applications, and even user login sessions. 45It can sandbox any type of processes: servers, graphical applications, and even user login sessions.
46.PP 46.PP
47Firejail allows the user to manage application security using security profiles. 47Firejail allows the user to manage application security using security profiles.
48Each profile defines a set of permissions for a specific application or group 48Each profile defines a set of permissions for a specific application or group
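Review bot: the old and new sides of this hunk read identically, as they do in most hunks of this diff, so the change here is not visible in the rendered text; if this is a whitespace-only cleanup, state that in the commit message and consider splitting it from the \-\-novideo addition so the one functional documentation change can be reviewed on its own.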
@@ -52,13 +52,13 @@ Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
52.SH USAGE 52.SH USAGE
53Without any options, the sandbox consists of a filesystem build in a new mount namespace, 53Without any options, the sandbox consists of a filesystem build in a new mount namespace,
54and new PID and UTS namespaces. IPC, network and user namespaces can be added using the 54and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
55command line options. The default Firejail filesystem is based on the host filesystem with the main 55command line options. The default Firejail filesystem is based on the host filesystem with the main
56system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, 56system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32,
57/libx32 and /lib64. Only /home and /tmp are writable. 57/libx32 and /lib64. Only /home and /tmp are writable.
58.PP 58.PP
59As it starts up, Firejail tries to find a security profile based on the name of the application. 59As it starts up, Firejail tries to find a security profile based on the name of the application.
60If an appropriate profile is not found, Firejail will use a default profile. 60If an appropriate profile is not found, Firejail will use a default profile.
61The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 61The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
62to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. 62to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
63.PP 63.PP
64If a program argument is not specified, Firejail starts /bin/bash shell. 64If a program argument is not specified, Firejail starts /bin/bash shell.
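Review bot: "a filesystem build in a new mount namespace" should read "a filesystem built in a new mount namespace" ("build" is a typo). In the same hunk, "use --noprofile option" writes the option with plain hyphens while the rest of this file escapes option dashes as "\-\-" (the tag line "\fB\-\-noprofile" further down is the same option); groff renders "-" as a hyphen and "\-" as a minus sign, so use the escaped form here and add the article: "use the \-\-noprofile option".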
@@ -657,7 +657,7 @@ $ sudo firejail --join-network=browser ip addr
657.br 657.br
658Switching to pid 1932, the first child process inside the sandbox 658Switching to pid 1932, the first child process inside the sandbox
659.br 659.br
6601: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 6601: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
661.br 661.br
662 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 662 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
663.br 663.br
@@ -665,11 +665,11 @@ Switching to pid 1932, the first child process inside the sandbox
665.br 665.br
666 valid_lft forever preferred_lft forever 666 valid_lft forever preferred_lft forever
667.br 667.br
668 inet6 ::1/128 scope host 668 inet6 ::1/128 scope host
669.br 669.br
670 valid_lft forever preferred_lft forever 670 valid_lft forever preferred_lft forever
671.br 671.br
6722: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 6722: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
673.br 673.br
674 link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff 674 link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
675.br 675.br
@@ -677,7 +677,7 @@ Switching to pid 1932, the first child process inside the sandbox
677.br 677.br
678 valid_lft forever preferred_lft forever 678 valid_lft forever preferred_lft forever
679.br 679.br
680 inet6 fe80::7458:14ff:fe42:78e4/64 scope link 680 inet6 fe80::7458:14ff:fe42:78e4/64 scope link
681.br 681.br
682 valid_lft forever preferred_lft forever 682 valid_lft forever preferred_lft forever
683 683
@@ -702,13 +702,13 @@ Example:
702.br 702.br
703$ firejail \-\-list 703$ firejail \-\-list
704.br 704.br
7057015:netblue:firejail firefox 7057015:netblue:firejail firefox
706.br 706.br
7077056:netblue:firejail \-\-net=eth0 transmission-gtk 7077056:netblue:firejail \-\-net=eth0 transmission-gtk
708.br 708.br
7097064:netblue:firejail \-\-noroot xterm 7097064:netblue:firejail \-\-noroot xterm
710.br 710.br
711$ 711$
712.TP 712.TP
713\fB\-\-mac=address 713\fB\-\-mac=address
714Assign MAC addresses to the last network interface defined by a \-\-net option. 714Assign MAC addresses to the last network interface defined by a \-\-net option.
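Review bot: the tag line is "\-\-mac=address" (one address), so "Assign MAC addresses to the last network interface" should be singular: "Assign a MAC address to the last network interface defined by a \-\-net option."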
@@ -998,7 +998,7 @@ $
998 998
999.TP 999.TP
1000\fB\-\-noprofile 1000\fB\-\-noprofile
1001Do not use a security profile. 1001Do not use a security profile.
1002.br 1002.br
1003 1003
1004.br 1004.br
@@ -1012,7 +1012,7 @@ Parent pid 8553, child pid 8554
1012.br 1012.br
1013Child process initialized 1013Child process initialized
1014.br 1014.br
1015[...] 1015[...]
1016.br 1016.br
1017 1017
1018.br 1018.br
@@ -1067,6 +1067,11 @@ Example:
1067$ firejail \-\-nosound firefox 1067$ firejail \-\-nosound firefox
1068 1068
1069.TP 1069.TP
1070\fB\-\-novideo
1071Disable video devices.
1072.br
1073
1074.TP
1070\fB\-\-nowhitelist=dirname_or_filename 1075\fB\-\-nowhitelist=dirname_or_filename
1071Disable whitelist for this directory or file. 1076Disable whitelist for this directory or file.
1072 1077
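Review bot: the new \-\-novideo entry is thinner than its neighbours: "Disable video devices." does not say which device nodes are hidden from the sandbox, and unlike the \-\-nosound entry just above it (which ends with "$ firejail \-\-nosound firefox") it carries ".br" and a blank line but no Example section. Suggest naming the devices covered and adding an example in the same form, e.g. "$ firejail \-\-novideo firefox".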
@@ -1200,7 +1205,7 @@ $ firejail \-\-private-home=.mozilla firefox
1200Build a new /bin in a temporary filesystem, and copy the programs in the list. 1205Build a new /bin in a temporary filesystem, and copy the programs in the list.
1201If no listed file is found, /bin directory will be empty. 1206If no listed file is found, /bin directory will be empty.
1202The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. 1207The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
1203All modifications are discarded when the sandbox is closed. 1208All modifications are discarded when the sandbox is closed.
1204.br 1209.br
1205 1210
1206.br 1211.br
@@ -1240,7 +1245,7 @@ $
1240Build a new /etc in a temporary 1245Build a new /etc in a temporary
1241filesystem, and copy the files and directories in the list. 1246filesystem, and copy the files and directories in the list.
1242If no listed file is found, /etc directory will be empty. 1247If no listed file is found, /etc directory will be empty.
1243All modifications are discarded when the sandbox is closed. 1248All modifications are discarded when the sandbox is closed.
1244.br 1249.br
1245 1250
1246.br 1251.br
@@ -1255,7 +1260,7 @@ nsswitch.conf,passwd,resolv.conf
1255Build a new /opt in a temporary 1260Build a new /opt in a temporary
1256filesystem, and copy the files and directories in the list. 1261filesystem, and copy the files and directories in the list.
1257If no listed file is found, /opt directory will be empty. 1262If no listed file is found, /opt directory will be empty.
1258All modifications are discarded when the sandbox is closed. 1263All modifications are discarded when the sandbox is closed.
1259.br 1264.br
1260 1265
1261.br 1266.br
@@ -1268,7 +1273,7 @@ $ firejail --private-opt=firefox /opt/firefox/firefox
1268Build a new /srv in a temporary 1273Build a new /srv in a temporary
1269filesystem, and copy the files and directories in the list. 1274filesystem, and copy the files and directories in the list.
1270If no listed file is found, /srv directory will be empty. 1275If no listed file is found, /srv directory will be empty.
1271All modifications are discarded when the sandbox is closed. 1276All modifications are discarded when the sandbox is closed.
1272.br 1277.br
1273 1278
1274.br 1279.br
@@ -1573,7 +1578,7 @@ SECCOMP Filter:
1573.br 1578.br
1574 RETURN_ALLOW 1579 RETURN_ALLOW
1575.br 1580.br
1576$ 1581$
1577.TP 1582.TP
1578\fB\-\-shell=none 1583\fB\-\-shell=none
1579Run the program directly, without a user shell. 1584Run the program directly, without a user shell.
@@ -1665,7 +1670,7 @@ parent is shutting down, bye...
1665.TP 1670.TP
1666\fB\-\-tracelog 1671\fB\-\-tracelog
1667This option enables auditing blacklisted files and directories. A message 1672This option enables auditing blacklisted files and directories. A message
1668is sent to syslog in case the file or the directory is accessed. 1673is sent to syslog in case the file or the directory is accessed.
1669.br 1674.br
1670 1675
1671.br 1676.br
@@ -1698,13 +1703,13 @@ $ firejail \-\-tree
1698.br 1703.br
169911903:netblue:firejail iceweasel 170411903:netblue:firejail iceweasel
1700.br 1705.br
1701 11904:netblue:iceweasel 1706 11904:netblue:iceweasel
1702.br 1707.br
1703 11957:netblue:/usr/lib/iceweasel/plugin-container 1708 11957:netblue:/usr/lib/iceweasel/plugin-container
1704.br 1709.br
170511969:netblue:firejail \-\-net=eth0 transmission-gtk 171011969:netblue:firejail \-\-net=eth0 transmission-gtk
1706.br 1711.br
1707 11970:netblue:transmission-gtk 1712 11970:netblue:transmission-gtk
1708 1713
1709.TP 1714.TP
1710\fB\-\-version 1715\fB\-\-version
@@ -1720,7 +1725,7 @@ firejail version 0.9.27
1720 1725
1721.TP 1726.TP
1722\fB\-\-veth-name=name 1727\fB\-\-veth-name=name
1723Use this name for the interface connected to the bridge for --net=bridge_interface commands, 1728Use this name for the interface connected to the bridge for --net=bridge_interface commands,
1724instead of the default one. 1729instead of the default one.
1725.br 1730.br
1726 1731
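Review bot: "for --net=bridge_interface commands" uses unescaped double hyphens while the tag line directly above is written "\fB\-\-veth-name=name", and the example in the hunk header mixes both forms ("$ firejail \-\-net=br0 --veth-name=if0"); groff renders "-" and "\-" differently, so standardise on "\-\-" for every option in this entry.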
@@ -1733,7 +1738,7 @@ $ firejail \-\-net=br0 --veth-name=if0
1733\fB\-\-whitelist=dirname_or_filename 1738\fB\-\-whitelist=dirname_or_filename
1734Whitelist directory or file. A temporary file system is mounted on the top directory, and the 1739Whitelist directory or file. A temporary file system is mounted on the top directory, and the
1735whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, 1740whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
1736everything else is discarded when the sandbox is closed. The top directory could be 1741everything else is discarded when the sandbox is closed. The top directory could be
1737user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. 1742user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
1738.br 1743.br
1739 1744
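Review bot: "mount-binded" should be "bind-mounted", the term this same diff uses for the same operation in the \-\-private-bin entry ("The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin."). Also, "The top directory could be user home, /dev, ..." reads as a guess where it is meant as the list of permitted top directories; "The top directory must be one of: the user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp." is clearer.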
@@ -1789,7 +1794,7 @@ Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
1789The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing 1794The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
1790clients running outside the sandbox. 1795clients running outside the sandbox.
1791Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. 1796Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
1792If all fails, Firejail will not attempt to use Xvfb or X11 security extension. 1797If all fails, Firejail will not attempt to use Xvfb or X11 security extension.
1793.br 1798.br
1794 1799
1795.br 1800.br
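Review bot: "The sandbox will prevents" should be "The sandbox prevents". More importantly, "If all fails, Firejail will not attempt to use Xvfb or X11 security extension." leaves the security-relevant outcome unstated: the hunk header lists Xvfb and the Xorg security extension as supported back-ends, so say whether Firejail then aborts or starts the program with no X11 isolation at all, since a user relying on \-\-x11 for the keylogger and screenshot protection described here needs to know which happens.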
@@ -1828,7 +1833,7 @@ A security profile for OpenBox is provided.
1828 1833
1829.br 1834.br
1830Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. 1835Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
1831This feature is not available when running as root. 1836This feature is not available when running as root.
1832.br 1837.br
1833 1838
1834.br 1839.br
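Review bot: "Xephyr is developed by Xorg project" needs the article: "Xephyr is developed by the Xorg project."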
@@ -1838,9 +1843,9 @@ $ firejail \-\-x11=xephyr --net=eth0 openbox
1838 1843
1839.TP 1844.TP
1840\fB\-\-x11=xorg 1845\fB\-\-x11=xorg
1841Sandbox the application using the untrusted mode implemented by X11 security extension. 1846Sandbox the application using the untrusted mode implemented by X11 security extension.
1842The extension is available in Xorg package 1847The extension is available in Xorg package
1843and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted 1848and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted
1844connection model. Untrusted clients are restricted in certain ways to prevent them from reading window 1849connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
1845contents of other clients, stealing input events, etc. 1850contents of other clients, stealing input events, etc.
1846 1851
@@ -1875,9 +1880,9 @@ $ firejail \-\-x11=xpra --net=eth0 firefox
1875 1880
1876.TP 1881.TP
1877\fB\-\-x11=xvfb 1882\fB\-\-x11=xvfb
1878Start Xvfb X11 server and attach the sandbox to this server. 1883Start Xvfb X11 server and attach the sandbox to this server.
1879Xvfb, short for X virtual framebuffer, performs all graphical operations in memory 1884Xvfb, short for X virtual framebuffer, performs all graphical operations in memory
1880without showing any screen output. Xvfb is mainly used for remote access and software 1885without showing any screen output. Xvfb is mainly used for remote access and software
1881testing on headless servers. 1886testing on headless servers.
1882.br 1887.br
1883 1888
@@ -1992,7 +1997,7 @@ $ firejail --tree
1992.br 1997.br
1993 1190:netblue:firejail firefox 1998 1190:netblue:firejail firefox
1994.br 1999.br
1995 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox" 2000 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
1996.br 2001.br
1997 1221:netblue:/usr/lib/firefox/firefox 2002 1221:netblue:/usr/lib/firefox/firefox
1998.RE 2003.RE
@@ -2246,7 +2251,7 @@ Parent pid 8553, child pid 8554
2246.br 2251.br
2247Child process initialized 2252Child process initialized
2248.br 2253.br
2249[...] 2254[...]
2250.br 2255.br
2251 2256
2252.br 2257.br
@@ -2260,7 +2265,7 @@ Child process initialized
2260.RE 2265.RE
2261 2266
2262See man 5 firejail-profile for profile file syntax information. 2267See man 5 firejail-profile for profile file syntax information.
2263 2268
2264.SH RESTRICTED SHELL 2269.SH RESTRICTED SHELL
2265To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in 2270To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
2266/etc/passwd file for each user that needs to be restricted. Alternatively, 2271/etc/passwd file for each user that needs to be restricted. Alternatively,
@@ -2307,6 +2312,3 @@ Homepage: http://firejail.wordpress.com
2307\&\flfirecfg\fR\|(1), 2312\&\flfirecfg\fR\|(1),
2308\&\flfirejail-profile\fR\|(5), 2313\&\flfirejail-profile\fR\|(5),
2309\&\flfirejail-login\fR\|(5) 2314\&\flfirejail-login\fR\|(5)
2310
2311
2312