1 files changed, 72 insertions, 84 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 498ff9aa9..2883ab257 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb
 #ifdef HAVE_LTS
 This is Firejail long-term support (LTS), an enterprise focused version of the software,
 LTS is usually supported for two or three years.
-During this time  only bugs and the occasional documentation problems are fixed.
+During this time only bugs and the occasional documentation problems are fixed.
 The attack surface of the SUID executable was greatly reduced by removing some of the features.
 .br
@@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
-\fB\-\-allow=dirname_or_filename
-Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
-allowed files are mount-binded inside. Modifications to allowed files are persistent,
-everything else is discarded when the sandbox is closed. The top directory can be
-all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
-all directories in /usr.
-.br
-.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
-.br
-.br
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-.br
-Example:
-.br
-$ firejail \-\-noprofile \-\-allow=~/.mozilla
-.br
-$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
-.br
-$ firejail "\-\-allow=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
-.TP
 \fB\-\-allow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting
 system calls ptrace and process_vm_readv. This option is only
@@ -143,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter.
 .br
 Example:
 .br
-$ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
+$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -203,6 +169,21 @@ Example:
 .br
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
+\fB\-\-blacklist=dirname_or_filename
+Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+.br
+Example:
+.br
+$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
+.br
+$ firejail \-\-blacklist=~/.mozilla
+.br
+$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
+.TP
 \fB\-\-build
 The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
 builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100
 .TP
 \fB\-\-caps.drop=capability,capability,capability
-Define a custom Linux capabilities filter.
+Define a custom blacklist Linux capabilities filter.
 .br
 .br
@@ -643,14 +624,14 @@ Example:
 $ firejail \-\-debug firefox
 .TP
-\fB\-\-debug-allow\fR
+\fB\-\-debug-blacklists\fR
-Debug file system access.
+Debug blacklisting.
 .br
 .br
 Example:
 .br
-$ firejail \-\-debug-allow firefox
+$ firejail \-\-debug-blacklists firefox
 .TP
 \fB\-\-debug-caps
@@ -663,16 +644,6 @@ Example:
 $ firejail \-\-debug-caps
 .TP
-\fB\-\-debug-deny\fR
-Debug file access.
-.br
-.br
-Example:
-.br
-$ firejail \-\-debug-deny firefox
-.TP
 \fB\-\-debug-errnos
 Print all recognized error numbers in the current Firejail software build and exit.
 .br
@@ -706,44 +677,33 @@ $ firejail \-\-debug-syscalls
 \fB\-\-debug-syscalls32
 Print all recognized 32 bit system calls in the current Firejail software build and exit.
 .br
-#ifdef HAVE_NETWORK
 .TP
-\fB\-\-defaultgw=address
+\fB\-\-debug-whitelists\fR
-Use this address as default gateway in the new network namespace.
+Debug whitelisting.
 .br
 .br
 Example:
 .br
-$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
+$ firejail \-\-debug-whitelists firefox
-#endif
+#ifdef HAVE_NETWORK
 .TP
-\fB\-\-deny=dirname_or_filename
+\fB\-\-defaultgw=address
-Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Use this address as default gateway in the new network namespace.
 .br
 .br
 Example:
 .br
-$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin
+$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
-.br
+#endif
-$ firejail \-\-deny=~/.mozilla
-.br
-$ firejail "\-\-deny=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
 .TP
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
 .TP
 \fB\-\-disable-mnt
-Deny access to /mnt, /media, /run/mount and /run/media.
+Blacklist /mnt, /media, /run/mount and /run/media access.
 .br
 .br
@@ -987,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
 .TP
 \fB\-\-ipc-namespace
-Enable  a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
+Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
 for sandboxes started as root.
 .br
@@ -1054,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 .br
-# verify  IP addresses
+# verify IP addresses
 .br
 $ sudo firejail --join-network=browser ip addr
 .br
@@ -1511,16 +1471,12 @@ Example:
 $ firejail --no3d firefox
 .TP
-\fB\-\-noallow=dirname_or_filename
-Disable \-\-allow for this directory or file.
-.TP
 \fB\-\-noautopulse \fR(deprecated)
 See --keep-config-pulse.
 .TP
-\fB\-\-nodeny=dirname_or_filename
+\fB\-\-noblacklist=dirname_or_filename
-Disable \-\-deny for this directory or file.
+Disable blacklist for this directory or file.
 .br
 .br
@@ -1536,7 +1492,7 @@ $ exit
 .br
 .br
-$ firejail --nodeny=/bin/nc
+$ firejail --noblacklist=/bin/nc
 .br
 $ nc dict.org 2628
 .br
@@ -1710,6 +1666,10 @@ $ firejail \-\-nou2f
 Disable video devices.
 .br
+.TP
+\fB\-\-nowhitelist=dirname_or_filename
+Disable whitelist for this directory or file.
 #ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
@@ -2174,7 +2134,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-cpu=number
 Set the maximum limit, in seconds, for the amount of CPU time each
-sandboxed process  can consume. When the limit is reached, the processes are killed.
+sandboxed process can consume. When the limit is reached, the processes are killed.
 The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
 the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2218,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
+which is @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 .br
@@ -2773,6 +2733,34 @@ Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
 #endif
+.TP
+\fB\-\-whitelist=dirname_or_filename
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.br
+.br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
+.br
+$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
+.br
+$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 .TP
 \fB\-\-writable-etc
@@ -2877,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support
 connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
 contents of other clients, stealing input events, etc.
-The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
 and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
 Firefox and transmission-gtk seem to be working fine.
 A network namespace is not required for this option.
@@ -3268,7 +3256,7 @@ The owner of the sandbox.
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
 /etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  in adduser command:
+you can specify /usr/bin/firejail in adduser command:
 adduser \-\-shell /usr/bin/firejail username
@@ -3278,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
-1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
+1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
 Example:
 .PP
 .RS

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 498ff9aa9..2883ab257 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -45,7 +45,7 @@ firejail {\-? \| \-\-debug-caps \| \-\-debug-errnos \| \-\-debug-syscalls \| \-\-deb
45	#ifdef HAVE_LTS	45	#ifdef HAVE_LTS
46	This is Firejail long-term support (LTS), an enterprise focused version of the software,	46	This is Firejail long-term support (LTS), an enterprise focused version of the software,
47	LTS is usually supported for two or three years.	47	LTS is usually supported for two or three years.
48	During this time only bugs and the occasional documentation problems are fixed.	48	During this time only bugs and the occasional documentation problems are fixed.
49	The attack surface of the SUID executable was greatly reduced by removing some of the features.	49	The attack surface of the SUID executable was greatly reduced by removing some of the features.
50	.br	50	.br
51		51
@@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
99	\fB\-\-	99	\fB\-\-
100	Signal the end of options and disables further option processing.	100	Signal the end of options and disables further option processing.
101	.TP	101	.TP
102	\fB\-\-allow=dirname_or_filename
103	Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
104	allowed files are mount-binded inside. Modifications to allowed files are persistent,
105	everything else is discarded when the sandbox is closed. The top directory can be
106	all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
107	all directories in /usr.
108	.br
109
110	.br
111	Symbolic link handling: with the exception of user home, both the link and the real file should be in
112	the same top directory. For user home, both the link and the real file should be owned by the user.
113	.br
114
115	.br
116	File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
117	.br
118
119	.br
120	Example:
121	.br
122	$ firejail \-\-noprofile \-\-allow=~/.mozilla
123	.br
124	$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
125	.br
126	$ firejail "\-\-allow=/home/username/My Virtual Machines"
127	.br
128	$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
129
130
131
132
133
134
135	.TP
136	\fB\-\-allow-debuggers	102	\fB\-\-allow-debuggers
137	Allow tools such as strace and gdb inside the sandbox by whitelisting	103	Allow tools such as strace and gdb inside the sandbox by whitelisting
138	system calls ptrace and process_vm_readv. This option is only	104	system calls ptrace and process_vm_readv. This option is only
@@ -143,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter.
143	.br	109	.br
144	Example:	110	Example:
145	.br	111	.br
146	$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox	112	$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
147	.TP	113	.TP
148	\fB\-\-allusers	114	\fB\-\-allusers
149	All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.	115	All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -203,6 +169,21 @@ Example:
203	.br	169	.br
204	# firejail \-\-bind=/config/etc/passwd,/etc/passwd	170	# firejail \-\-bind=/config/etc/passwd,/etc/passwd
205	.TP	171	.TP
		172	\fB\-\-blacklist=dirname_or_filename
		173	Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
		174	.br
		175
		176	.br
		177	Example:
		178	.br
		179	$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
		180	.br
		181	$ firejail \-\-blacklist=~/.mozilla
		182	.br
		183	$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
		184	.br
		185	$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
		186	.TP
206	\fB\-\-build	187	\fB\-\-build
207	The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also	188	The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
208	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,	189	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100
262		243
263	.TP	244	.TP
264	\fB\-\-caps.drop=capability,capability,capability	245	\fB\-\-caps.drop=capability,capability,capability
265	Define a custom Linux capabilities filter.	246	Define a custom blacklist Linux capabilities filter.
266	.br	247	.br
267		248
268	.br	249	.br
@@ -643,14 +624,14 @@ Example:
643	$ firejail \-\-debug firefox	624	$ firejail \-\-debug firefox
644		625
645	.TP	626	.TP
646	\fB\-\-debug-allow\fR	627	\fB\-\-debug-blacklists\fR
647	Debug file system access.	628	Debug blacklisting.
648	.br	629	.br
649		630
650	.br	631	.br
651	Example:	632	Example:
652	.br	633	.br
653	$ firejail \-\-debug-allow firefox	634	$ firejail \-\-debug-blacklists firefox
654		635
655	.TP	636	.TP
656	\fB\-\-debug-caps	637	\fB\-\-debug-caps
@@ -663,16 +644,6 @@ Example:
663	$ firejail \-\-debug-caps	644	$ firejail \-\-debug-caps
664		645
665	.TP	646	.TP
666	\fB\-\-debug-deny\fR
667	Debug file access.
668	.br
669
670	.br
671	Example:
672	.br
673	$ firejail \-\-debug-deny firefox
674
675	.TP
676	\fB\-\-debug-errnos	647	\fB\-\-debug-errnos
677	Print all recognized error numbers in the current Firejail software build and exit.	648	Print all recognized error numbers in the current Firejail software build and exit.
678	.br	649	.br
@@ -706,44 +677,33 @@ $ firejail \-\-debug-syscalls
706	\fB\-\-debug-syscalls32	677	\fB\-\-debug-syscalls32
707	Print all recognized 32 bit system calls in the current Firejail software build and exit.	678	Print all recognized 32 bit system calls in the current Firejail software build and exit.
708	.br	679	.br
709
710	#ifdef HAVE_NETWORK
711	.TP	680	.TP
712	\fB\-\-defaultgw=address	681	\fB\-\-debug-whitelists\fR
713	Use this address as default gateway in the new network namespace.	682	Debug whitelisting.
714	.br	683	.br
715		684
716	.br	685	.br
717	Example:	686	Example:
718	.br	687	.br
719	$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox	688	$ firejail \-\-debug-whitelists firefox
720	#endif	689	#ifdef HAVE_NETWORK
721
722	.TP	690	.TP
723	\fB\-\-deny=dirname_or_filename	691	\fB\-\-defaultgw=address
724	Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.	692	Use this address as default gateway in the new network namespace.
725	.br	693	.br
726		694
727	.br	695	.br
728	Example:	696	Example:
729	.br	697	.br
730	$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin	698	$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
731	.br	699	#endif
732	$ firejail \-\-deny=~/.mozilla
733	.br
734	$ firejail "\-\-deny=/home/username/My Virtual Machines"
735	.br
736	$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
737
738
739
740	.TP	700	.TP
741	\fB\-\-deterministic-exit-code	701	\fB\-\-deterministic-exit-code
742	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.	702	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
743	.br	703	.br
744	.TP	704	.TP
745	\fB\-\-disable-mnt	705	\fB\-\-disable-mnt
746	Deny access to /mnt, /media, /run/mount and /run/media.	706	Blacklist /mnt, /media, /run/mount and /run/media access.
747	.br	707	.br
748		708
749	.br	709	.br
@@ -987,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
987		947
988	.TP	948	.TP
989	\fB\-\-ipc-namespace	949	\fB\-\-ipc-namespace
990	Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default	950	Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
991	for sandboxes started as root.	951	for sandboxes started as root.
992	.br	952	.br
993		953
@@ -1054,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL
1054	.br	1014	.br
1055		1015
1056	.br	1016	.br
1057	# verify IP addresses	1017	# verify IP addresses
1058	.br	1018	.br
1059	$ sudo firejail --join-network=browser ip addr	1019	$ sudo firejail --join-network=browser ip addr
1060	.br	1020	.br
@@ -1511,16 +1471,12 @@ Example:
1511	$ firejail --no3d firefox	1471	$ firejail --no3d firefox
1512		1472
1513	.TP	1473	.TP
1514	\fB\-\-noallow=dirname_or_filename
1515	Disable \-\-allow for this directory or file.
1516
1517	.TP
1518	\fB\-\-noautopulse \fR(deprecated)	1474	\fB\-\-noautopulse \fR(deprecated)
1519	See --keep-config-pulse.	1475	See --keep-config-pulse.
1520		1476
1521	.TP	1477	.TP
1522	\fB\-\-nodeny=dirname_or_filename	1478	\fB\-\-noblacklist=dirname_or_filename
1523	Disable \-\-deny for this directory or file.	1479	Disable blacklist for this directory or file.
1524	.br	1480	.br
1525		1481
1526	.br	1482	.br
@@ -1536,7 +1492,7 @@ $ exit
1536	.br	1492	.br
1537		1493
1538	.br	1494	.br
1539	$ firejail --nodeny=/bin/nc	1495	$ firejail --noblacklist=/bin/nc
1540	.br	1496	.br
1541	$ nc dict.org 2628	1497	$ nc dict.org 2628
1542	.br	1498	.br
@@ -1710,6 +1666,10 @@ $ firejail \-\-nou2f
1710	Disable video devices.	1666	Disable video devices.
1711	.br	1667	.br
1712		1668
		1669	.TP
		1670	\fB\-\-nowhitelist=dirname_or_filename
		1671	Disable whitelist for this directory or file.
		1672
1713	#ifdef HAVE_OUTPUT	1673	#ifdef HAVE_OUTPUT
1714	.TP	1674	.TP
1715	\fB\-\-output=logfile	1675	\fB\-\-output=logfile
@@ -2174,7 +2134,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
2174	.TP	2134	.TP
2175	\fB\-\-rlimit-cpu=number	2135	\fB\-\-rlimit-cpu=number
2176	Set the maximum limit, in seconds, for the amount of CPU time each	2136	Set the maximum limit, in seconds, for the amount of CPU time each
2177	sandboxed process can consume. When the limit is reached, the processes are killed.	2137	sandboxed process can consume. When the limit is reached, the processes are killed.
2178		2138
2179	The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds	2139	The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
2180	the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps	2140	the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2218,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
2218	.TP	2178	.TP
2219	\fB\-\-seccomp	2179	\fB\-\-seccomp
2220	Enable seccomp filter and blacklist the syscalls in the default list,	2180	Enable seccomp filter and blacklist the syscalls in the default list,
2221	which is @default-nodebuggers unless \-\-allow-debuggers is specified,	2181	which is @default-nodebuggers unless \-\-allow-debuggers is specified,
2222	then it is @default.	2182	then it is @default.
2223		2183
2224	.br	2184	.br
@@ -2773,6 +2733,34 @@ Example:
2773	.br	2733	.br
2774	$ firejail \-\-net=br0 --veth-name=if0	2734	$ firejail \-\-net=br0 --veth-name=if0
2775	#endif	2735	#endif
		2736	.TP
		2737	\fB\-\-whitelist=dirname_or_filename
		2738	Whitelist directory or file. A temporary file system is mounted on the top directory, and the
		2739	whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
		2740	everything else is discarded when the sandbox is closed. The top directory can be
		2741	all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
		2742	all directories in /usr.
		2743	.br
		2744
		2745	.br
		2746	Symbolic link handling: with the exception of user home, both the link and the real file should be in
		2747	the same top directory. For user home, both the link and the real file should be owned by the user.
		2748	.br
		2749
		2750	.br
		2751	File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
		2752	.br
		2753
		2754	.br
		2755	Example:
		2756	.br
		2757	$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
		2758	.br
		2759	$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
		2760	.br
		2761	$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
		2762	.br
		2763	$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
2776		2764
2777	.TP	2765	.TP
2778	\fB\-\-writable-etc	2766	\fB\-\-writable-etc
@@ -2877,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support
2877	connection model. Untrusted clients are restricted in certain ways to prevent them from reading window	2865	connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
2878	contents of other clients, stealing input events, etc.	2866	contents of other clients, stealing input events, etc.
2879		2867
2880	The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients	2868	The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
2881	and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.	2869	and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
2882	Firefox and transmission-gtk seem to be working fine.	2870	Firefox and transmission-gtk seem to be working fine.
2883	A network namespace is not required for this option.	2871	A network namespace is not required for this option.
@@ -3268,7 +3256,7 @@ The owner of the sandbox.
3268	.SH RESTRICTED SHELL	3256	.SH RESTRICTED SHELL
3269	To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in	3257	To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
3270	/etc/passwd file for each user that needs to be restricted. Alternatively,	3258	/etc/passwd file for each user that needs to be restricted. Alternatively,
3271	you can specify /usr/bin/firejail in adduser command:	3259	you can specify /usr/bin/firejail in adduser command:
3272		3260
3273	adduser \-\-shell /usr/bin/firejail username	3261	adduser \-\-shell /usr/bin/firejail username
3274		3262
@@ -3278,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
3278	Several command line options can be passed to the program using	3266	Several command line options can be passed to the program using
3279	profile files. Firejail chooses the profile file as follows:	3267	profile files. Firejail chooses the profile file as follows:
3280		3268
3281	1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.	3269	1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
3282	Example:	3270	Example:
3283	.PP	3271	.PP
3284	.RS	3272	.RS