Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-login.txt   |   36
-rw-r--r-- | src/man/firejail-profile.txt |  181
-rw-r--r-- | src/man/firejail.txt         | 1196
-rw-r--r-- | src/man/firemon.txt          |  107
4 files changed, 1520 insertions, 0 deletions
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt new file mode 100644 index 000000000..6613dc044 --- /dev/null +++ b/src/man/firejail-login.txt | |||
@@ -0,0 +1,36 @@ | |||
1 | .TH man 5 "MONTH YEAR" "VERSION" "firejail login.users man page" | ||
2 | .SH NAME | ||
3 | login.users \- Login file syntax for Firejail | ||
4 | |||
5 | .SH DESCRIPTION | ||
6 | /etc/firejail/login.users file describes additional arguments passed to firejail executable | ||
7 | upon user logging into a Firejail restircted shell. Each user entry in the file consists of | ||
8 | a user name followed by the arguments passed to firejail. The format is as follows: | ||
9 | |||
10 | user_name: arguments | ||
11 | |||
12 | Example: | ||
13 | |||
14 | netblue:--debug --net=none | ||
15 | |||
16 | .SH RESTRICTED SHELL | ||
17 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | ||
18 | /etc/password file for each user that needs to be restricted. Alternatively, | ||
19 | you can specify /usr/bin/firejail in adduser command: | ||
20 | |||
21 | adduser \-\-shell /usr/bin/firejail username | ||
22 | |||
23 | .SH FILES | ||
24 | /etc/firejail/login.users | ||
25 | |||
26 | .SH LICENSE | ||
27 | Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | ||
28 | .PP | ||
29 | Homepage: http://firejail.sourceforge.net | ||
30 | .SH SEE ALSO | ||
31 | \&\flfirejail\fR\|(1), | ||
32 | \&\flfiremon\fR\|(1), | ||
33 | \&\flfirejail-profile\fR\|(5) | ||
34 | |||
35 | |||
36 | |||
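Review bot: the RESTRICTED SHELL section tells the reader to replace /bin/bash "in /etc/password file"; the account database is /etc/passwd (the --bind example elsewhere in this patch uses /etc/passwd), so a reader following this literally edits the wrong file. Suggest `/etc/passwd file for each user that needs to be restricted.` Missing documentation in the same hunk: the entries in login.users become command-line arguments handed to firejail, which the firejail(1) page in this patch describes as a SUID program, on behalf of users who are meant to be restricted, so the FILES section should state the expected ownership and permissions of /etc/firejail/login.users (root-owned, not writable by the restricted users) rather than only its path. Smaller points: "restircted" in DESCRIPTION should be "restricted", and the SEE ALSO entries use `\fl` (lowercase L) as a font escape, which is not a groff font; the italic selector `\fI` is presumably intended, e.g. `\&\fIfirejail\fR\|(1),`.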
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt new file mode 100644 index 000000000..46da19ecd --- /dev/null +++ b/src/man/firejail-profile.txt | |||
@@ -0,0 +1,181 @@ | |||
1 | .TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page" | ||
2 | .SH NAME | ||
3 | profile \- Profile file syntax for Firejail | ||
4 | |||
5 | .SH USAGE | ||
6 | .TP | ||
7 | firejail \-\-profile=filename.profile | ||
8 | |||
9 | .SH DESCRIPTION | ||
10 | Several Firejail command line configuration options can be passed to the program using | ||
11 | profile files. Default Firejail profile files are stored in /etc/firejail | ||
12 | directory and ~/.config/firejail directory. | ||
13 | |||
14 | .SH Scripting | ||
15 | Include and comment support: | ||
16 | |||
17 | .TP | ||
18 | \f\include other.profile | ||
19 | Include other.profile file. | ||
20 | .TP | ||
21 | # this is a comment | ||
22 | |||
23 | .SH Filesystem | ||
24 | These profile entries define a chroot filesystem built on top of the existing | ||
25 | host filesystem. Each line describes a file element that is removed from | ||
26 | the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), | ||
27 | a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), | ||
28 | or mount-bind a directory or file on top of another directory or file (\fBbind\fR). | ||
29 | Use \fBprivate\fR to set private mode. | ||
30 | File globbing is supported, and PATH and HOME directories are searched. | ||
31 | Examples: | ||
32 | .TP | ||
33 | \f\blacklist /usr/bin | ||
34 | Remove /usr/bin directory. | ||
35 | .TP | ||
36 | \f\blacklist /etc/password | ||
37 | Remove /etc/password file. | ||
38 | .TP | ||
39 | \f\read-only /etc/password | ||
40 | Read-only /etc/password file. | ||
41 | .TP | ||
42 | tmpfs /etc | ||
43 | Mount an empty tmpfs filesystem on top of /etc directory. | ||
44 | .TP | ||
45 | bind /root/config/ssh,/etc/ssh | ||
46 | Mount-bind /root/config/ssh on /etc/ssh. | ||
47 | .TP | ||
48 | \f\blacklist /usr/bin/gcc* | ||
49 | Remove all gcc files in /usr/bin (file globbing). | ||
50 | .TP | ||
51 | \f\blacklist ${PATH}/ifconfig | ||
52 | Remove ifconfig command from the regular path directories. | ||
53 | .TP | ||
54 | \f\blacklist ${HOME}/.ssh | ||
55 | Remove .ssh directory from user home directory. | ||
56 | .TP | ||
57 | \f\private | ||
58 | Mount new /root and /home/user directories in temporary | ||
59 | filesystems. All modifications are discarded when the sandbox is | ||
60 | closed. | ||
61 | .TP | ||
62 | \f\private directory | ||
63 | Use directory as user home. | ||
64 | .TP | ||
65 | \f\private.keep file,directory | ||
66 | Build a new user home in a temporary | ||
67 | filesystem, and copy the files and directories in the list in the | ||
68 | new home. All modifications are discarded when the sandbox is | ||
69 | closed. | ||
70 | .TP | ||
71 | \f\private-dev | ||
72 | Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available. | ||
73 | |||
74 | .SH Filters | ||
75 | \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples: | ||
76 | |||
77 | .TP | ||
78 | caps | ||
79 | Enable default Linux capabilities filter. | ||
80 | .TP | ||
81 | caps.drop all | ||
82 | Blacklist all Linux capabilities. | ||
83 | .TP | ||
84 | caps.drop capability,capability,capability | ||
85 | Blacklist Linux capabilities filter. | ||
86 | .TP | ||
87 | caps.drop capability,capability,capability | ||
88 | Whitelist Linux capabilities filter. | ||
89 | .TP | ||
90 | \f\seccomp | ||
91 | Enable default seccomp filter. | ||
92 | .TP | ||
93 | \f\seccomp syscall,syscall,syscall | ||
94 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. | ||
95 | .TP | ||
96 | \f\seccomp.drop syscall,syscall,syscall | ||
97 | Enable seccomp filter and blacklist the system calls in the list. | ||
98 | .TP | ||
99 | \f\seccomp.keep syscall,syscall,syscall | ||
100 | Enable seccomp filter and whitelist the system calls in the list. | ||
101 | |||
102 | |||
103 | .SH User Namespace | ||
104 | Use \fBnoroot\fR to enable an user namespace. The namespace has only one user, the current user. | ||
105 | There is no root account defined in the namespace. | ||
106 | |||
107 | .TP | ||
108 | noroot | ||
109 | Enable an user namespace without root user defined. | ||
110 | |||
111 | |||
112 | .SH Resource limits | ||
113 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | ||
114 | The limits can be modified inside the sandbox using the regular \fBulimt\fR command. Examples: | ||
115 | |||
116 | .TP | ||
117 | \f\rlimit-fsize 1024 | ||
118 | Set the maximum file size that can be created by a process to 1024 bytes. | ||
119 | .TP | ||
120 | \f\rlimit-nproc 1000 | ||
121 | Set the maximum number of processes that can be created for the real user ID of the calling process to 1000. | ||
122 | .TP | ||
123 | \f\rlimit-nofile 500 | ||
124 | Set the maximum number of files that can be opened by a process to 500. | ||
125 | .TP | ||
126 | \f\rlimit-sigpending 200 | ||
127 | Set the maximum number of processes that can be created for the real user ID of the calling process to 200. | ||
128 | |||
129 | .SH CPU Affinity | ||
130 | Set the CPU cores available for this sandbox. Examples: | ||
131 | |||
132 | .TP | ||
133 | cpu 1,2,3 | ||
134 | Use only CPU cores 0, 1 and 2. | ||
135 | |||
136 | .SH Control Groups | ||
137 | Place the sandbox in an existing control group specified by the full path of the task file. Example: | ||
138 | |||
139 | .TP | ||
140 | cgroup /sys/fs/cgroup/g1/tasks | ||
141 | The sandbox is placed in g1 control group. | ||
142 | |||
143 | .SH User Environment | ||
144 | |||
145 | .TP | ||
146 | nogroups | ||
147 | Disable supplementary user groups | ||
148 | .TP | ||
149 | shell none | ||
150 | Run the program directly, without a shell. | ||
151 | |||
152 | .SH Networking | ||
153 | Networking features available in profile files. | ||
154 | |||
155 | .TP | ||
156 | netfilter | ||
157 | If a new network namespace is created, enabled default network filter. | ||
158 | |||
159 | .TP | ||
160 | netfilter filename | ||
161 | If a new network namespace is created, enabled the network filter in filename. | ||
162 | |||
163 | .TP | ||
164 | dns address | ||
165 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | ||
166 | |||
167 | |||
168 | .SH FILES | ||
169 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile | ||
170 | |||
171 | .SH LICENSE | ||
172 | Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | ||
173 | .PP | ||
174 | Homepage: http://firejail.sourceforge.net | ||
175 | .SH SEE ALSO | ||
176 | \&\flfirejail\fR\|(1), | ||
177 | \&\flfiremon\fR\|(1), | ||
178 | \&\flfirejail-login\fR\|(5) | ||
179 | |||
180 | |||
181 | |||
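Review bot: in the Filters section the second `caps.drop capability,capability,capability` entry is described as "Whitelist Linux capabilities filter", so the whitelist form is documented under the blacklist keyword; it should read `caps.keep capability,capability,capability`, matching --caps.keep in firejail(1). Two more entries describe the wrong thing: `rlimit-sigpending 200` repeats the nproc text ("maximum number of processes that can be created for the real user ID") and should say it limits the number of pending signals to 200, as the --rlimit-sigpending entry in firejail(1) does, and `cpu 1,2,3` is explained as "Use only CPU cores 0, 1 and 2", so either the example or the explanation must change. Formatting: the `\f\include`, `\f\blacklist`, `\f\seccomp`, `\f\private` and `\f\rlimit-*` tags use `\f\`, which is not a valid groff font escape; either write `\fBinclude\fR` and so on or drop the escape, as the `caps`, `tmpfs`, `bind` and `noroot` entries already do. Typos and wording: "ulimt" should be "ulimit", "an user namespace" should be "a user namespace", "enabled default network filter" and "enabled the network filter" should be "enable", and the blacklist and read-only examples use /etc/password where /etc/passwd is presumably meant; the FILES line also gives `$HOME/.config/firejail` where the DESCRIPTION says `~/.config/firejail`, so pick one form.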
diff --git a/src/man/firejail.txt b/src/man/firejail.txt new file mode 100644 index 000000000..51f21975e --- /dev/null +++ b/src/man/firejail.txt | |||
@@ -0,0 +1,1196 @@ | |||
1 | .TH man 1 "MONTH YEAR" "VERSION" "firejail man page" | ||
2 | .SH NAME | ||
3 | Firejail \- Linux namespaces sandbox program | ||
4 | .SH SYNOPSIS | ||
5 | Start a sandbox: | ||
6 | .PP | ||
7 | .RS | ||
8 | firejail [OPTIONS] [program and arguments] | ||
9 | .RE | ||
10 | .PP | ||
11 | Network traffic shaping for an existing sandbox: | ||
12 | .PP | ||
13 | .RS | ||
14 | firejail \-\-bandwidth={<name>|<PID>} bandwidth-command | ||
15 | .RE | ||
16 | .PP | ||
17 | Monitoring: | ||
18 | .PP | ||
19 | .RS | ||
20 | firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree} | ||
21 | .RE | ||
22 | .PP | ||
23 | Miscellaneous: | ||
24 | .PP | ||
25 | .RS | ||
26 | firejail {\-? | \-\-debug-caps | \-\-debug-syscalls | \-\-help | | ||
27 | .br | ||
28 | \-\-version} | ||
29 | .RE | ||
30 | .SH DESCRIPTION | ||
31 | Firejail is a SUID sandbox program that reduces the risk of security breaches by | ||
32 | restricting the running environment of untrusted applications using Linux | ||
33 | namespaces, seccomp-bpf and Linux capabilities. | ||
34 | It allows a process and all its descendants to have their own private view of the | ||
35 | globally shared kernel resources, such as the network stack, process table, mount table. | ||
36 | Firejail can work in a SELinux or AppArmor environment, | ||
37 | and it is integrated with Linux Control Groups. | ||
38 | .PP | ||
39 | Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version | ||
40 | or newer. | ||
41 | It can sandbox any type of processes: servers, graphical applications, and even user login sessions. | ||
42 | The software includes sandbox profiles for a number of more common | ||
43 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | ||
44 | .SH USAGE | ||
45 | Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, | ||
46 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. | ||
47 | The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. | ||
48 | Only /home, /tmp and /var directories are writable. | ||
49 | .PP | ||
50 | If no program is specified as an argument, /bin/bash is started by default. | ||
51 | Examples: | ||
52 | .PP | ||
53 | $ firejail [OPTIONS] # starting a /bin/bash shell | ||
54 | .PP | ||
55 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox | ||
56 | .PP | ||
57 | Multiple commands can be run in sandbox using regular bash logic operators: | ||
58 | .PP | ||
59 | $ sudo firejail [OPTIONS] "/etc/init.d/nginx start && sleep inf" | ||
60 | .PP | ||
61 | In the previous example, "sleep inf" command is required in order to keep the session open for the daemon program. | ||
62 | |||
63 | .SH OPTIONS | ||
64 | .TP | ||
65 | \fB\-\- | ||
66 | Signal the end of options and disables further option processing. | ||
67 | .TP | ||
68 | \fB\-\-bandwidth=name | ||
69 | Set bandwidth limits for the sandbox identified by name, see TRAFFIC SHAPING section for more details. | ||
70 | .TP | ||
71 | \fB\-\-bandwidth=pid | ||
72 | Set bandwidth limits for the sandbox identified by PID, see TRAFFIC SHAPING section for more details. | ||
73 | .TP | ||
74 | \fB\-\-bind=dirname1,dirname2 | ||
75 | Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root. | ||
76 | .br | ||
77 | |||
78 | .br | ||
79 | Example: | ||
80 | .br | ||
81 | # firejail \-\-bind=/config/www,/var/www | ||
82 | .TP | ||
83 | \fB\-\-bind=filename1,filename2 | ||
84 | Mount-bind filename1 on top of filename2. This option is only available when running as root. | ||
85 | .br | ||
86 | |||
87 | .br | ||
88 | Example: | ||
89 | .br | ||
90 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd | ||
91 | .TP | ||
92 | \fB\-\-blacklist=dirname_or_filename | ||
93 | Blacklist directory or file. | ||
94 | .br | ||
95 | |||
96 | .br | ||
97 | Example: | ||
98 | .br | ||
99 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | ||
100 | .TP | ||
101 | \fB\-c | ||
102 | Execute command and exit. | ||
103 | .TP | ||
104 | \fB\-\-caps | ||
105 | Linux capabilities is a kernel feature designed to split up the root privilege into a set of distinct privileges. | ||
106 | These privileges can be enabled or disabled independently, thus restricting what a process running | ||
107 | as root can do in the system. | ||
108 | |||
109 | By default root programs run with all capabilities enabled. \-\-caps option disables the following capabilities: | ||
110 | CAP_SYS_MODULE, CAP_SYS_RAWIO, | ||
111 | CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. | ||
112 | The filter is applied to all processes started in the sandbox. | ||
113 | .br | ||
114 | |||
115 | .br | ||
116 | Example: | ||
117 | .br | ||
118 | $ sudo firejail \-\-caps "/etc/init.d/nginx start && sleep inf" | ||
119 | |||
120 | .TP | ||
121 | \fB\-\-caps.drop=all | ||
122 | Drop all capabilities for the processes running in the sandbox. This option is recommended for running GUI programs | ||
123 | or any other program that doesn't require root privileges. It is a must-have option for sandboxing untrusted programs | ||
124 | installed from unofficial sources - such as games, Java programs, etc. | ||
125 | .br | ||
126 | |||
127 | .br | ||
128 | Example: | ||
129 | .br | ||
130 | $ firejail \-\-caps.drop=all warzone2100 | ||
131 | |||
132 | .TP | ||
133 | \fB\-\-caps.drop=capability,capability,capability | ||
134 | Define a custom blacklist Linux capabilities filter. | ||
135 | .br | ||
136 | |||
137 | .br | ||
138 | Example: | ||
139 | .br | ||
140 | $ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw | ||
141 | |||
142 | .TP | ||
143 | \fB\-\-caps.keep=capability,capability,capability | ||
144 | Define a custom whitelist Linux capabilities filter. | ||
145 | .br | ||
146 | |||
147 | .br | ||
148 | Example: | ||
149 | .br | ||
150 | $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\ | ||
151 | setuid "/etc/init.d/nginx start && sleep inf" | ||
152 | |||
153 | .TP | ||
154 | \fB\-\-caps.print=name | ||
155 | Print the caps filter for the sandbox identified by name. | ||
156 | .br | ||
157 | |||
158 | .br | ||
159 | Example: | ||
160 | .br | ||
161 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | ||
162 | .br | ||
163 | [...] | ||
164 | .br | ||
165 | $ firejail \-\-caps.print=mygame | ||
166 | |||
167 | .TP | ||
168 | \fB\-\-caps.print=pid | ||
169 | Print the caps filter for a sandbox identified by PID. | ||
170 | .br | ||
171 | |||
172 | .br | ||
173 | Example: | ||
174 | .br | ||
175 | $ firejail \-\-list | ||
176 | .br | ||
177 | 3272:netblue:firejail \-\-private firefox | ||
178 | .br | ||
179 | $ firejail \-\-caps.print=3272 | ||
180 | |||
181 | .TP | ||
182 | \fB\-\-cgroup=tasks-file | ||
183 | Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. | ||
184 | .br | ||
185 | |||
186 | .br | ||
187 | Example: | ||
188 | .br | ||
189 | # firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks | ||
190 | |||
191 | .TP | ||
192 | \fB\-\-chroot=dirname | ||
193 | Chroot the sandbox into a root filesystem. If the sandbox is started as a | ||
194 | regular user, default seccomp and capabilities filters are eanbled. | ||
195 | .br | ||
196 | |||
197 | .br | ||
198 | Example: | ||
199 | .br | ||
200 | $ firejail \-\-chroot=/media/ubuntu warzone2100 | ||
201 | |||
202 | .TP | ||
203 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number | ||
204 | Set CPU affinity. | ||
205 | .br | ||
206 | |||
207 | .br | ||
208 | Example: | ||
209 | .br | ||
210 | $ firejail \-\-cpu=0,1 handbrake | ||
211 | |||
212 | .TP | ||
213 | \fB\-\-csh | ||
214 | Use /bin/csh as default user shell. | ||
215 | .br | ||
216 | |||
217 | .br | ||
218 | Example: | ||
219 | .br | ||
220 | $ firejail \-\-csh | ||
221 | .TP | ||
222 | \fB\-\-debug\fR | ||
223 | Print debug messages. | ||
224 | .br | ||
225 | |||
226 | .br | ||
227 | Example: | ||
228 | .br | ||
229 | $ firejail \-\-debug firefox | ||
230 | .TP | ||
231 | \fB\-\-debug-syscalls | ||
232 | Print all recognized system calls in the current Firejail software build and exit. | ||
233 | .br | ||
234 | |||
235 | .br | ||
236 | Example: | ||
237 | .br | ||
238 | $ firejail \-\-debug-syscalls | ||
239 | .TP | ||
240 | \fB\-\-debug-caps | ||
241 | Print all recognized capabilities in the current Firejail software build and exit. | ||
242 | .br | ||
243 | |||
244 | .br | ||
245 | Example: | ||
246 | .br | ||
247 | $ firejail \-\-debug-caps | ||
248 | .TP | ||
249 | \fB\-\-defaultgw=address | ||
250 | Use this address as default gateway in the new network namespace. | ||
251 | .br | ||
252 | |||
253 | .br | ||
254 | Example: | ||
255 | .br | ||
256 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | ||
257 | |||
258 | .TP | ||
259 | \fB\-\-dns=address | ||
260 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | ||
261 | Use this option if you don't trust the DNS setup on your network. | ||
262 | .br | ||
263 | |||
264 | .br | ||
265 | Example: | ||
266 | .br | ||
267 | $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox | ||
268 | |||
269 | .TP | ||
270 | \fB\-\-dns.print=name | ||
271 | Print DNS configuration for a sandbox identified by name. | ||
272 | .br | ||
273 | |||
274 | .br | ||
275 | Example: | ||
276 | .br | ||
277 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | ||
278 | .br | ||
279 | [...] | ||
280 | .br | ||
281 | $ firejail \-\-dns.print=mygame | ||
282 | |||
283 | .TP | ||
284 | \fB\-\-dns.print=pid | ||
285 | Print DNS configuration for a sandbox identified by PID. | ||
286 | .br | ||
287 | |||
288 | .br | ||
289 | Example: | ||
290 | .br | ||
291 | $ firejail \-\-list | ||
292 | .br | ||
293 | 3272:netblue:firejail \-\-private firefox | ||
294 | .br | ||
295 | $ firejail \-\-dns.print=3272 | ||
296 | |||
297 | .TP | ||
298 | \fB\-?\fR, \fB\-\-help\fR | ||
299 | Print options end exit. | ||
300 | .TP | ||
301 | \fB\-\-ip=address | ||
302 | Assign IP addresses to the last network interface defined by a \-\-net option. A | ||
303 | default gateway is assigned by default. | ||
304 | .br | ||
305 | |||
306 | .br | ||
307 | Example: | ||
308 | .br | ||
309 | $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox | ||
310 | |||
311 | .TP | ||
312 | \fB\-\-ip=none | ||
313 | No IP address and no default gateway are configured for the last interface | ||
314 | defined by a \-\-net option. Use this option | ||
315 | in case you intend to start an external DHCP client in the sandbox. | ||
316 | .br | ||
317 | |||
318 | .br | ||
319 | Example: | ||
320 | .br | ||
321 | $ firejail \-\-net=eth0 \-\-\ip=none | ||
322 | |||
323 | .TP | ||
324 | \fB\-\-iprange=address,address | ||
325 | Assign an IP address in the provided range to the last network interface defined by a \-\-net option. A | ||
326 | default gateway is assigned by default. | ||
327 | .br | ||
328 | |||
329 | .br | ||
330 | Example: | ||
331 | .br | ||
332 | $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 | ||
333 | |||
334 | .TP | ||
335 | \fB\-\-ipc-namespace | ||
336 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default | ||
337 | for sandboxes started as root. | ||
338 | .br | ||
339 | |||
340 | .br | ||
341 | Example: | ||
342 | .br | ||
343 | $ firejail \-\-ipc-namespace firefox | ||
344 | .TP | ||
345 | \fB\-\-join=name | ||
346 | Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. | ||
347 | If a program is specified, the program is run in the sandbox. | ||
348 | .br | ||
349 | |||
350 | .br | ||
351 | Example: | ||
352 | .br | ||
353 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | ||
354 | .br | ||
355 | [...] | ||
356 | .br | ||
357 | $ firejail \-\-join=mygame | ||
358 | |||
359 | |||
360 | .TP | ||
361 | \fB\-\-join=pid | ||
362 | Join the sandbox identified by PID. By default a /bin/bash shell is started after joining the sandbox. | ||
363 | If a program is specified, the program is run in the sandbox. | ||
364 | .br | ||
365 | |||
366 | .br | ||
367 | Example: | ||
368 | .br | ||
369 | $ firejail \-\-list | ||
370 | .br | ||
371 | 3272:netblue:firejail \-\-private firefox | ||
372 | .br | ||
373 | $ firejail \-\-join=3272 | ||
374 | |||
375 | .TP | ||
376 | \fB\-\-list | ||
377 | List all sandboxes, see MONITORING section for more details. | ||
378 | .br | ||
379 | |||
380 | .br | ||
381 | Example: | ||
382 | .br | ||
383 | $ firejail \-\-list | ||
384 | .br | ||
385 | 7015:netblue:firejail firefox | ||
386 | .br | ||
387 | 7056:netblue:firejail \-\-net=eth0 transmission-gtk | ||
388 | .br | ||
389 | 7064:netblue:firejail \-\-noroot xterm | ||
390 | .br | ||
391 | $ | ||
392 | .TP | ||
393 | \fB\-\-mac=address | ||
394 | Assign MAC addresses to the last network interface defined by a \-\-net option. | ||
395 | .br | ||
396 | |||
397 | .br | ||
398 | Example: | ||
399 | .br | ||
400 | $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox | ||
401 | |||
402 | .TP | ||
403 | \fB\-\-name=name | ||
404 | Set sandbox hostname. Several options, such as \-\-join and \-\-shutdown, can use | ||
405 | this name to identify a sandbox. | ||
406 | .br | ||
407 | |||
408 | .br | ||
409 | Example: | ||
410 | .br | ||
411 | $ firejail \-\-name=mybrowser firefox | ||
412 | |||
413 | .TP | ||
414 | \fB\-\-net=bridge_interface | ||
415 | Enable a new network namespace and connect it to this bridge interface. | ||
416 | Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned | ||
417 | automatically to the sandbox. The IP address is verified using ARP before assignment. The address | ||
418 | configured as default gateway is the bridge device IP address. Up to four \-\-net | ||
419 | bridge devices can be defined. Mixing bridge and macvlan devices is allowed. | ||
420 | .br | ||
421 | |||
422 | .br | ||
423 | Example: | ||
424 | .br | ||
425 | $ sudo brctl addbr br0 | ||
426 | .br | ||
427 | $ sudo ifconfig br0 10.10.20.1/24 | ||
428 | .br | ||
429 | $ sudo brctl addbr br1 | ||
430 | .br | ||
431 | $ sudo ifconfig br1 10.10.30.1/24 | ||
432 | .br | ||
433 | $ firejail \-\-net=br0 \-\-net=br1 | ||
434 | |||
435 | .TP | ||
436 | \fB\-\-net=ethernet_interface | ||
437 | Enable a new network namespace and connect it | ||
438 | to this ethernet interface using the standard Linux macvlan | ||
439 | driver. Unless specified with option \-\-ip and \-\-defaultgw, an | ||
440 | IP address and a default gateway will be assigned automatically | ||
441 | to the sandbox. The IP address is verified using ARP before | ||
442 | assignment. The address configured as default gateway is the | ||
443 | default gateway of the host. Up to four \-\-net devices can | ||
444 | be defined. Mixing bridge and macvlan devices is allowed. | ||
445 | .br | ||
446 | |||
447 | .br | ||
448 | Example: | ||
449 | .br | ||
450 | $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox | ||
451 | |||
452 | .TP | ||
453 | \fB\-\-net=none | ||
454 | Enable a new, unconnected network namespace. The only interface | ||
455 | available in the new namespace is a new loopback interface (lo). | ||
456 | Use this option to deny | ||
457 | network access to programs that don't really need network access. | ||
458 | .br | ||
459 | |||
460 | .br | ||
461 | Example: | ||
462 | .br | ||
463 | $ firejail \-\-net=none vlc | ||
464 | |||
465 | .TP | ||
466 | \fB\-\-netfilter | ||
467 | Enable a default client network filter in the new network namespace. | ||
468 | New network namespaces are created using \-\-net option. If a new network namespaces is not created, | ||
469 | \-\-netfilter option does nothing. | ||
470 | The default filter is as follows: | ||
471 | .br | ||
472 | |||
473 | .br | ||
474 | *filter | ||
475 | .br | ||
476 | :INPUT DROP [0:0] | ||
477 | .br | ||
478 | :FORWARD DROP [0:0] | ||
479 | .br | ||
480 | :OUTPUT ACCEPT [0:0] | ||
481 | .br | ||
482 | \-A INPUT \-i lo \-j ACCEPT | ||
483 | .br | ||
484 | \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT | ||
485 | .br | ||
486 | \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT | ||
487 | .br | ||
488 | \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT | ||
489 | .br | ||
490 | \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT | ||
491 | .br | ||
492 | COMMIT | ||
493 | .br | ||
494 | |||
495 | .br | ||
496 | Example: | ||
497 | .br | ||
498 | $ firejail \-\-net=eth0 \-\-netfilter firefox | ||
499 | .TP | ||
500 | \fB\-\-netfilter=filename | ||
501 | Enable the network filter specified by filename in the new network namespace. The filter file format | ||
502 | is the format of iptables-save and iptable-restore commands. | ||
503 | New network namespaces are created using \-\-net option. If a new network namespaces is not created, | ||
504 | \-\-netfilter option does nothing. | ||
505 | .br | ||
506 | |||
507 | .br | ||
508 | Example: | ||
509 | .br | ||
510 | $ firejail \-\-net=eth0 \-\-netfilter=myfile firefox | ||
511 | .TP | ||
512 | \fB\-\-netstats | ||
513 | Monitor network namespace statistics, see MONITORING section for more details. | ||
514 | .br | ||
515 | |||
516 | .br | ||
517 | Example: | ||
518 | .br | ||
519 | $ firejail \-\-netstats | ||
520 | .br | ||
521 | PID User RX(KB/s) TX(KB/s) Command | ||
522 | .br | ||
523 | 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox | ||
524 | .br | ||
525 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission | ||
526 | |||
527 | |||
528 | .TP | ||
529 | \fB\-\-nogroups | ||
530 | Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the | ||
531 | sandbox. For root user supplementary groups are always disabled. | ||
532 | .br | ||
533 | |||
534 | .br | ||
535 | Example: | ||
536 | .br | ||
537 | $ id | ||
538 | .br | ||
539 | uid=1000(netblue) gid=1000(netblue) groups=1000(netblue),24(cdrom),25(floppy),27(sudo),29(audio) | ||
540 | .br | ||
541 | $ firejail \-\-nogroups | ||
542 | .br | ||
543 | Parent pid 8704, child pid 8705 | ||
544 | .br | ||
545 | Child process initialized | ||
546 | .br | ||
547 | $ id | ||
548 | .br | ||
549 | uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) | ||
550 | .br | ||
551 | $ | ||
552 | |||
553 | .TP | ||
554 | \fB\-\-noroot | ||
555 | Install a user namespace with a single user - the current user. | ||
556 | root user does not exist in the new namespace. This option | ||
557 | requires a Linux kernel version 3.8 or newer. The option | ||
558 | is not supported for \-\-chroot and \-\-overlay configurations, | ||
559 | or for sandboxes started as root. | ||
560 | .br | ||
561 | |||
562 | .br | ||
563 | Example: | ||
564 | .br | ||
565 | $ firejail \-\-noroot | ||
566 | .br | ||
567 | Parent pid 8553, child pid 8554 | ||
568 | .br | ||
569 | Child process initialized | ||
570 | .br | ||
571 | $ ping google.com | ||
572 | .br | ||
573 | ping: icmp open socket: Operation not permitted | ||
574 | .br | ||
575 | $ | ||
576 | .TP | ||
577 | \fB\-\-output=logfile | ||
578 | stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log | ||
579 | rotation. Five files with prefixes .1 to .5 are used in rotation. | ||
580 | .br | ||
581 | |||
582 | .br | ||
583 | Example: | ||
584 | .br | ||
585 | $ firejail \-\-output=sandboxlog /bin/bash | ||
586 | .br | ||
587 | [...] | ||
588 | .br | ||
589 | $ ls -l sandboxlog* | ||
590 | .br | ||
591 | -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sadnboxlog | ||
592 | .br | ||
593 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1 | ||
594 | .br | ||
595 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2 | ||
596 | .br | ||
597 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3 | ||
598 | .br | ||
599 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4 | ||
600 | .br | ||
601 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5 | ||
602 | |||
603 | .TP | ||
604 | \fB\-\-overlay | ||
605 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, | ||
606 | and are discarded when the sandbox is closed. | ||
607 | .br | ||
608 | |||
609 | .br | ||
610 | OverlayFS support is required in Linux kernel for this option to work. | ||
611 | OverlayFS was officially introduced in Linux kernel version 3.18. It was also | ||
612 | available in earlier kernel versions in some distributions such as Ubuntu and OpenSUSE. | ||
613 | .br | ||
614 | |||
615 | .br | ||
616 | Example: | ||
617 | .br | ||
618 | $ firejail \-\-overlay firefox | ||
619 | |||
620 | .TP | ||
621 | \fB\-\-private | ||
622 | Mount new /root and /home/user directories in temporary | ||
623 | filesystems. All modifications are discarded when the sandbox is | ||
624 | closed. | ||
625 | .br | ||
626 | |||
627 | .br | ||
628 | Example: | ||
629 | .br | ||
630 | $ firejail \-\-private firefox | ||
631 | .TP | ||
632 | \fB\-\-private=directory | ||
633 | Use directory as user home. | ||
634 | .br | ||
635 | |||
636 | .br | ||
637 | Example: | ||
638 | .br | ||
639 | $ firejail \-\-private=/home/netblue/firefox-home firefox | ||
640 | |||
641 | .TP | ||
642 | \fB\-\-private.keep=file,directory | ||
643 | Build a new user home in a temporary | ||
644 | filesystem, and copy the files and directories in the list in the | ||
645 | new home. All modifications are discarded when the sandbox is | ||
646 | closed. | ||
647 | .br | ||
648 | |||
649 | .br | ||
650 | Example: | ||
651 | .br | ||
652 | $ firejail \-\-private.keep=.mozilla firefox | ||
653 | .TP | ||
654 | \fB\-\-private-dev | ||
655 | Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available. | ||
656 | .br | ||
657 | |||
658 | .br | ||
659 | Example: | ||
660 | .br | ||
661 | $ firejail \-\-private-dev | ||
662 | .br | ||
663 | Parent pid 9887, child pid 9888 | ||
664 | .br | ||
665 | Child process initialized | ||
666 | .br | ||
667 | $ ls /dev | ||
668 | .br | ||
669 | full null ptmx pts random shm tty urandom zero | ||
670 | .br | ||
671 | $ | ||
672 | .TP | ||
673 | \fB\-\-profile=filename | ||
674 | Load a custom profile from filename. For filename use an absolute path or a path relative to the current path. | ||
675 | For more information, see PROFILES section below. | ||
676 | .br | ||
677 | |||
678 | .br | ||
679 | Example: | ||
680 | .br | ||
681 | $ firejail \-\-profile=myprofile | ||
682 | .TP | ||
683 | \fB\-\-read-only=dirname_or_filename | ||
684 | Set directory or file read-only. | ||
685 | .br | ||
686 | |||
687 | .br | ||
688 | Example: | ||
689 | .br | ||
690 | $ firejail \-\-read-only=~/.mozilla firefox | ||
691 | .TP | ||
692 | \fB\-\-rlimit-fsize=number | ||
693 | Set the maximum file size that can be created by a process. | ||
694 | .TP | ||
695 | \fB\-\-rlimit-nofile=number | ||
696 | Set the maximum number of files that can be opened by a process. | ||
697 | .TP | ||
698 | \fB\-\-rlimit-nproc=number | ||
699 | Set the maximum number of processes that can be created for the real user ID of the calling process. | ||
700 | .TP | ||
701 | \fB\-\-rlimit-sigpending=number | ||
702 | Set the maximum number of pending signals for a process. | ||
703 | .TP | ||
704 | \fB\-\-scan | ||
705 | ARP-scan all the networks from inside a network namespace. | ||
706 | This makes it possible to detect macvlan kernel device drivers running on the current host. | ||
707 | .br | ||
708 | |||
709 | .br | ||
710 | Example: | ||
711 | .br | ||
712 | $ firejail \-\-net=eth0 \-\-scan | ||
713 | .TP | ||
714 | \fB\-\-seccomp | ||
715 | Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: | ||
716 | mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, | ||
717 | iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev, | ||
718 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp. | ||
719 | .br | ||
720 | |||
721 | .br | ||
722 | Example: | ||
723 | .br | ||
724 | $ firejail \-\-sccomp | ||
725 | .TP | ||
726 | \fB\-\-seccomp=syscall,syscall,syscall | ||
727 | Enable seccomp filter, blacklist the default list and the syscalls specified by the command. | ||
728 | .br | ||
729 | |||
730 | .br | ||
731 | Example: | ||
732 | .br | ||
733 | $ firejail \-\-seccomp=utime,utimensat,utimes firefox | ||
734 | .TP | ||
735 | \fB\-\-seccomp.drop=syscall,syscall,syscall | ||
736 | Enable seccomp filter, and blacklist the syscalls specified by the command. | ||
737 | .br | ||
738 | |||
739 | .br | ||
740 | Example: | ||
741 | .br | ||
742 | $ firejail \-\-seccomp.drop=utime,utimensat,utimes | ||
743 | .TP | ||
744 | \fB\-\-seccomp.keep=syscall,syscall,syscall | ||
745 | Enable seccomp filter, and whitelist the syscalls specified by the command. | ||
746 | .br | ||
747 | |||
748 | .br | ||
749 | Example: | ||
750 | .br | ||
751 | $ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk | ||
752 | .TP | ||
753 | \fB\-\-seccomp.print=name | ||
754 | Print the seccomp filter for the sandbox started using \-\-name option. | ||
755 | .br | ||
756 | |||
757 | .br | ||
758 | Example: | ||
759 | .br | ||
760 | $ firejail \-\-name=browser firefox & | ||
761 | .br | ||
762 | $ firejail \-\-seccomp.print=browser | ||
763 | .br | ||
764 | SECCOMP Filter: | ||
765 | .br | ||
766 | VALIDATE_ARCHITECTURE | ||
767 | .br | ||
768 | EXAMINE_SYSCAL | ||
769 | .br | ||
770 | BLACKLIST 165 mount | ||
771 | .br | ||
772 | BLACKLIST 166 umount2 | ||
773 | .br | ||
774 | BLACKLIST 101 ptrace | ||
775 | .br | ||
776 | BLACKLIST 246 kexec_load | ||
777 | .br | ||
778 | BLACKLIST 304 open_by_handle_at | ||
779 | .br | ||
780 | BLACKLIST 175 init_module | ||
781 | .br | ||
782 | BLACKLIST 176 delete_module | ||
783 | .br | ||
784 | BLACKLIST 172 iopl | ||
785 | .br | ||
786 | BLACKLIST 173 ioperm | ||
787 | .br | ||
788 | BLACKLIST 167 swapon | ||
789 | .br | ||
790 | BLACKLIST 168 swapoff | ||
791 | .br | ||
792 | BLACKLIST 103 syslog | ||
793 | .br | ||
794 | BLACKLIST 310 process_vm_readv | ||
795 | .br | ||
796 | BLACKLIST 311 process_vm_writev | ||
797 | .br | ||
798 | BLACKLIST 133 mknod | ||
799 | .br | ||
800 | BLACKLIST 139 sysfs | ||
801 | .br | ||
802 | BLACKLIST 156 _sysctl | ||
803 | .br | ||
804 | BLACKLIST 159 adjtimex | ||
805 | .br | ||
806 | BLACKLIST 305 clock_adjtime | ||
807 | .br | ||
808 | BLACKLIST 212 lookup_dcookie | ||
809 | .br | ||
810 | BLACKLIST 298 perf_event_open | ||
811 | .br | ||
812 | BLACKLIST 300 fanotify_init | ||
813 | .br | ||
814 | RETURN_ALLOW | ||
815 | .br | ||
816 | $ | ||
817 | .TP | ||
818 | \fB\-\-seccomp.print=pid | ||
819 | Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes. | ||
820 | .br | ||
821 | |||
822 | .br | ||
823 | Example: | ||
824 | .br | ||
825 | $ firejail \-\-list | ||
826 | .br | ||
827 | 10786:netblue:firejail \-\-name=browser firefox | ||
828 | $ firejail \-\-seccomp.print=10786 | ||
829 | .br | ||
830 | SECCOMP Filter: | ||
831 | .br | ||
832 | VALIDATE_ARCHITECTURE | ||
833 | .br | ||
834 | EXAMINE_SYSCAL | ||
835 | .br | ||
836 | BLACKLIST 165 mount | ||
837 | .br | ||
838 | BLACKLIST 166 umount2 | ||
839 | .br | ||
840 | BLACKLIST 101 ptrace | ||
841 | .br | ||
842 | BLACKLIST 246 kexec_load | ||
843 | .br | ||
844 | BLACKLIST 304 open_by_handle_at | ||
845 | .br | ||
846 | BLACKLIST 175 init_module | ||
847 | .br | ||
848 | BLACKLIST 176 delete_module | ||
849 | .br | ||
850 | BLACKLIST 172 iopl | ||
851 | .br | ||
852 | BLACKLIST 173 ioperm | ||
853 | .br | ||
854 | BLACKLIST 167 swapon | ||
855 | .br | ||
856 | BLACKLIST 168 swapoff | ||
857 | .br | ||
858 | BLACKLIST 103 syslog | ||
859 | .br | ||
860 | BLACKLIST 310 process_vm_readv | ||
861 | .br | ||
862 | BLACKLIST 311 process_vm_writev | ||
863 | .br | ||
864 | BLACKLIST 133 mknod | ||
865 | .br | ||
866 | BLACKLIST 139 sysfs | ||
867 | .br | ||
868 | BLACKLIST 156 _sysctl | ||
869 | .br | ||
870 | BLACKLIST 159 adjtimex | ||
871 | .br | ||
872 | BLACKLIST 305 clock_adjtime | ||
873 | .br | ||
874 | BLACKLIST 212 lookup_dcookie | ||
875 | .br | ||
876 | BLACKLIST 298 perf_event_open | ||
877 | .br | ||
878 | BLACKLIST 300 fanotify_init | ||
879 | .br | ||
880 | RETURN_ALLOW | ||
881 | .br | ||
882 | $ | ||
883 | .TP | ||
884 | \fB\-\-shell=none | ||
885 | Run the program directly, without a user shell. | ||
886 | .br | ||
887 | |||
888 | .br | ||
889 | Example: | ||
890 | .br | ||
891 | $ firejail \-\-shell=none script.sh | ||
892 | .TP | ||
893 | \fB\-\-shell=program | ||
894 | Set default user shell. Use this shell to run the application using \-c shell option. | ||
895 | For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". | ||
896 | By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default | ||
897 | shell. | ||
898 | .br | ||
899 | |||
900 | .br | ||
901 | Example: | ||
902 | $firejail \-\-shell=/bin/dash script.sh | ||
903 | .TP | ||
904 | \fB\-\-shutdown=name | ||
905 | Shutdown the sandbox started using \-\-name option. | ||
906 | .br | ||
907 | |||
908 | .br | ||
909 | Example: | ||
910 | .br | ||
911 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | ||
912 | .br | ||
913 | [...] | ||
914 | .br | ||
915 | $ firejail \-\-shutdown=mygame | ||
916 | .TP | ||
917 | \fB\-\-shutdown=pid | ||
918 | Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes. | ||
919 | .br | ||
920 | |||
921 | .br | ||
922 | Example: | ||
923 | .br | ||
924 | $ firejail \-\-list | ||
925 | .br | ||
926 | 3272:netblue:firejail \-\-private firefox | ||
927 | .br | ||
928 | $ firejail \-\-shutdown=3272 | ||
929 | .TP | ||
930 | \fB\-\-tmpfs=dirname | ||
931 | Mount a tmpfs filesystem on directory dirname. | ||
932 | .br | ||
933 | |||
934 | .br | ||
935 | Example: | ||
936 | .br | ||
937 | $ firejail \-\-tmpfs=/var | ||
938 | .TP | ||
939 | \fB\-\-top | ||
940 | Monitor the most CPU-intensive sandboxes, see MONITORING section for more details. | ||
941 | .br | ||
942 | |||
943 | .br | ||
944 | Example: | ||
945 | .br | ||
946 | $ firejail \-\-top | ||
947 | .TP | ||
948 | \fB\-\-trace | ||
949 | Trace open, access and connect system calls. | ||
950 | .br | ||
951 | |||
952 | .br | ||
953 | Example: | ||
954 | .br | ||
955 | $ firejail \-\-trace wget -q www.debian.org | ||
956 | .br | ||
957 | Parent pid 11793, child pid 11794 | ||
958 | .br | ||
959 | Child process initialized | ||
960 | .br | ||
961 | 1:bash:open /dev/tty | ||
962 | .br | ||
963 | 1:wget:fopen64 /etc/wgetrc | ||
964 | .br | ||
965 | 1:wget:fopen /etc/hosts | ||
966 | .br | ||
967 | 1:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP | ||
968 | .br | ||
969 | 1:wget:connect 8.8.8.8:53 | ||
970 | .br | ||
971 | 1:wget:socket AF_INET SOCK_STREAM IPPROTO_IP | ||
972 | .br | ||
973 | 1:wget:connect 140.211.15.34:80 | ||
974 | .br | ||
975 | 1:wget:fopen64 index.html.1 | ||
976 | .br | ||
977 | |||
978 | .br | ||
979 | parent is shutting down, bye... | ||
980 | .TP | ||
981 | \fB\-\-tree | ||
982 | Print a tree of all sandboxed processes, see MONITORING section for more details. | ||
983 | .br | ||
984 | |||
985 | .br | ||
986 | Example: | ||
987 | .br | ||
988 | $ firejail \-\-tree | ||
989 | .br | ||
990 | 11903:netblue:firejail iceweasel | ||
991 | .br | ||
992 | 11904:netblue:iceweasel | ||
993 | .br | ||
994 | 11957:netblue:/usr/lib/iceweasel/plugin-container | ||
995 | .br | ||
996 | 11969:netblue:firejail \-\-net=eth0 transmission-gtk | ||
997 | .br | ||
998 | 11970:netblue:transmission-gtk | ||
999 | .TP | ||
1000 | \fB\-\-version | ||
1001 | Print program version and exit. | ||
1002 | .br | ||
1003 | |||
1004 | .br | ||
1005 | Example: | ||
1006 | .br | ||
1007 | $ firejail \-\-version | ||
1008 | .br | ||
1009 | firejail version 0.9.27 | ||
1010 | .TP | ||
1011 | \fB\-\-zsh | ||
1012 | Use /usr/bin/zsh as default user shell. | ||
1013 | .br | ||
1014 | |||
1015 | .br | ||
1016 | Example: | ||
1017 | .br | ||
1018 | $ firejakil \-\-zsh | ||
1019 | .SH TRAFFIC SHAPING | ||
1020 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. | ||
1021 | Traffic shaping allows the user to increase network performance by controlling | ||
1022 | the amount of data that flows into and out of the sandboxes. | ||
1023 | |||
1024 | Firejail implements a simple rate-limiting shaper based on Linux command tc. | ||
1025 | The shaper works at sandbox level, and can be used only for sandboxes configured with new network namespaces. | ||
1026 | |||
1027 | Set rate-limits: | ||
1028 | |||
1029 | firejail --bandwidth={name|pid} set network download upload | ||
1030 | |||
1031 | Clear rate-limits: | ||
1032 | |||
1033 | firejail --bandwidth={name|pid} clear network | ||
1034 | |||
1035 | Status: | ||
1036 | |||
1037 | firejail --bandwidth={name|pid} status | ||
1038 | |||
1039 | where: | ||
1040 | .br | ||
1041 | name - sandbox name | ||
1042 | .br | ||
1043 | pid - sandbox pid | ||
1044 | .br | ||
1045 | network - network interface as used by \-\-net option | ||
1046 | .br | ||
1047 | download - download speed in KB/s (kilobyte per second) | ||
1048 | .br | ||
1049 | upload - upload speed in KB/s (kilobyte per second) | ||
1050 | |||
1051 | Example: | ||
1052 | .br | ||
1053 | $ firejail \-\-name=mybrowser \-\-net=eth0 firefox & | ||
1054 | .br | ||
1055 | $ firejail \-\-bandwidth=mybrowser set eth0 80 20 | ||
1056 | .br | ||
1057 | $ firejail \-\-bandwidth=mybrowser status | ||
1058 | .br | ||
1059 | $ firejail \-\-bandwidth=mybrowser clear eth0 | ||
1060 | |||
1061 | .SH MONITORING | ||
1062 | Option \-\-list prints a list of all sandboxes. The format | ||
1063 | for each process entry is as follows: | ||
1064 | |||
1065 | PID:USER:Command | ||
1066 | |||
1067 | Option \-\-tree prints the tree of processes running in the sandbox. The format | ||
1068 | for each process entry is as follows: | ||
1069 | |||
1070 | PID:USER:Command | ||
1071 | |||
1072 | Option \-\-top is similar to the UNIX top command, however it applies only to | ||
1073 | sandboxes. | ||
1074 | |||
1075 | Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces. | ||
1076 | |||
1077 | |||
1078 | Listed below are the available fields (columns) in alphabetical | ||
1079 | order for \-\-top and \-\-netstat options: | ||
1080 | |||
1081 | .TP | ||
1082 | Command | ||
1083 | Command used to start the sandbox. | ||
1084 | .TP | ||
1085 | CPU% | ||
1086 | CPU usage, the sandbox share of the elapsed CPU time since the | ||
1087 | last screen update | ||
1088 | .TP | ||
1089 | PID | ||
1090 | Unique process ID for the task controlling the sandbox. | ||
1091 | .TP | ||
1092 | Prcs | ||
1093 | Number of processes running in sandbox, including the controlling process. | ||
1094 | .TP | ||
1095 | RES | ||
1096 | Resident Memory Size (KiB), sandbox non-swapped physical memory. | ||
1097 | It is a sum of the RES values for all processes running in the sandbox. | ||
1098 | .TP | ||
1099 | RX(KB/s) | ||
1100 | Network receive speed. | ||
1101 | .TP | ||
1102 | SHR | ||
1103 | Shared Memory Size (KiB), it reflects memory shared with other | ||
1104 | processes. It is a sum of the SHR values for all processes running | ||
1105 | in the sandbox, including the controlling process. | ||
1106 | .TP | ||
1107 | TX(KB/s) | ||
1108 | Network transmit speed. | ||
1109 | .TP | ||
1110 | Uptime | ||
1111 | Sandbox running time in hours:minutes:seconds format. | ||
1112 | .TP | ||
1113 | User | ||
1114 | The owner of the sandbox. | ||
1115 | |||
1116 | .SH PROFILES | ||
1117 | Several command line configuration options can be passed to the program using | ||
1118 | profile files. Firejail supports user specified profile files and automatic profile files, | ||
1119 | as follows: | ||
1120 | |||
1121 | 1. Load a specific profile file from a full path, or a path relative to the current directory. | ||
1122 | Example: | ||
1123 | .PP | ||
1124 | .RS | ||
1125 | $ firejail --profile=/home/netblue/icecat.profile icecat | ||
1126 | .RE | ||
1127 | |||
1128 | 2. Load a default profile file automatically from ~/.config/firejail or from /etc/firejail, based | ||
1129 | on the name of the executable started in the sandbox. Example: | ||
1130 | .PP | ||
1131 | .RS | ||
1132 | $ firejail icecat | ||
1133 | .br | ||
1134 | Command name #icecat# | ||
1135 | .br | ||
1136 | .br | ||
1137 | Found icecat profile in /home/netblue/.config/firejail directory | ||
1138 | .br | ||
1139 | Reading profile /home/netblue/.config/firejail/icecat.profile | ||
1140 | .br | ||
1141 | [...] | ||
1142 | .RE | ||
1143 | |||
1144 | See man 5 firejail-profile for profile file syntax information. | ||
1145 | |||
1146 | .SH RESTRICTED SHELL | ||
1147 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | ||
1148 | /etc/password file for each user that needs to be restricted. Alternatively, | ||
1149 | you can specify /usr/bin/firejail in adduser command: | ||
1150 | |||
1151 | adduser \-\-shell /usr/bin/firejail username | ||
1152 | |||
1153 | Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file. | ||
1154 | |||
1155 | .SH EXAMPLES | ||
1156 | .TP | ||
1157 | \f\firejail | ||
1158 | Start a regular /bin/bash session in sandbox. | ||
1159 | .TP | ||
1160 | \f\firejail firefox | ||
1161 | Start Mozilla Firefox. | ||
1162 | .TP | ||
1163 | \f\firejail \-\-seccomp firefox | ||
1164 | Start Mozilla Firefox in a seccomp sandbox. | ||
1165 | .TP | ||
1166 | \f\firejail \-\-caps firefox | ||
1167 | Start Mozilla Firefox in a Linux capabilities sandbox. | ||
1168 | .TP | ||
1169 | \f\firejail \-\-debug firefox | ||
1170 | Debug Firefox sandbox. | ||
1171 | .TP | ||
1172 | \f\firejail \-\-private | ||
1173 | Start a /bin/bash session with a new tmpfs home directory. | ||
1174 | .TP | ||
1175 | \f\firejail \-\-net=br0 ip=10.10.20.10 | ||
1176 | Start a /bin/bash session in a new network namespace. The session is | ||
1177 | connected to the main network using br0 bridge device. An IP address | ||
1178 | of 10.10.20.10 is assigned to the sandbox. | ||
1179 | .TP | ||
1180 | \f\firejail \-\-net=br0 \-\-net=br1 \-\-net=br2 | ||
1181 | Start a /bin/bash session in a new network namespace and connect it | ||
1182 | to br0, br1, and br2 host bridge devices. | ||
1183 | .TP | ||
1184 | \f\firejail \-\-list | ||
1185 | List all sandboxed processes. | ||
1186 | .SH LICENSE | ||
1187 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | ||
1188 | .PP | ||
1189 | Homepage: http://firejail.sourceforge.net | ||
1190 | .SH SEE ALSO | ||
1191 | \&\flfiremon\fR\|(1), | ||
1192 | \&\flfirejail-profile\fR\|(5), | ||
1193 | \&\flfirejail-login\fR\|(5) | ||
1194 | |||
1195 | |||
1196 | |||
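Review bot: the EXAMPLES section (lines 1157-1184 of firejail.txt) uses a malformed font escape, `\f\firejail`, where the OPTIONS section consistently uses `\fB\-\-option`; groff will not render `\f\f` as bold, so these should become `\fBfirejail ...`. In the same section the example `\f\firejail \-\-net=br0 ip=10.10.20.10` passes `ip=` as a bare argument instead of the `\-\-ip=10.10.20.10` option the description promises, and the RESTRICTED SHELL text refers to the `/etc/password` file where the user database is `/etc/passwd`. Smaller fixes worth folding into the same revision: the `\-\-seccomp` example reads `$ firejail \-\-sccomp`, the `\-\-zsh` example reads `$ firejakil \-\-zsh`, the default syscall list spells `mknode` while the printed filter shows `mknod` and runs `sysfs,_sysctl` together, the list names `kcmp` although neither printed filter contains it, the `\-\-shell=program` example `$firejail \-\-shell=/bin/dash script.sh` lacks both the space and the preceding `.br`, the `\-\-seccomp.print=pid` example lacks a `.br` between the `\-\-list` output line and the next prompt, the MONITORING text says `\-\-netstat` where the option is `\-\-netstats`, and the SEE ALSO entries use `\fl` (lowercase L) where italics need `\fI`.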
diff --git a/src/man/firemon.txt b/src/man/firemon.txt new file mode 100644 index 000000000..b6010f46e --- /dev/null +++ b/src/man/firemon.txt | |||
@@ -0,0 +1,107 @@ | |||
1 | .TH man 1 "MONTH YEAR" "VERSION" "firemon man page" | ||
2 | .SH NAME | ||
3 | Firemon \- Monitoring program for processes started in a Firejail sandbox. | ||
4 | .SH SYNOPSIS | ||
5 | firemon [OPTIONS] [PID] | ||
6 | .SH DESCRIPTION | ||
7 | Firemon monitors programs started in a Firejail sandbox. | ||
8 | Without a PID specified, all processes started by Firejail are monitored. Descendants of | ||
9 | these processes are also being monitored. | ||
10 | .SH OPTIONS | ||
11 | .TP | ||
12 | \fB\-\-arp | ||
13 | Print ARP table for each sandbox. | ||
14 | .TP | ||
15 | \fB\-\-caps | ||
16 | Print capabilities configuration for each sandbox. | ||
17 | .TP | ||
18 | \fB\-\-cgroup | ||
19 | Print control group information for each sandbox. | ||
20 | .TP | ||
21 | \fB\-\-cpu | ||
22 | Print CPU affinity for each sandbox. | ||
23 | .TP | ||
24 | \fB\-?\fR, \fB\-\-help\fR | ||
25 | Print options end exit. | ||
26 | .TP | ||
27 | \fB\-\-interface | ||
28 | Print network interface information for each sandbox. | ||
29 | .TP | ||
30 | \fB\-\-list | ||
31 | List all sandboxes. | ||
32 | .TP | ||
33 | \fB\-\-name=name | ||
34 | Print information only about named sandbox. | ||
35 | .TP | ||
36 | \fB\-\-netstats | ||
37 | Monitor network statistics for sandboxes creating a new network namespace. | ||
38 | .TP | ||
39 | \fB\-\-route | ||
40 | Print route table for each sandbox. | ||
41 | .TP | ||
42 | \fB\-\-seccomp | ||
43 | Print seccomp configuration for each sandbox. | ||
44 | .TP | ||
45 | \fB\-\-top | ||
46 | Monitor the most CPU-intensive sandboxes. | ||
47 | .TP | ||
48 | \fB\-\-tree | ||
49 | Print a tree of all sandboxed processes. | ||
50 | .TP | ||
51 | \fB\-\-version | ||
52 | Print program version and exit. | ||
53 | |||
54 | .PP | ||
55 | Option \-\-list prints a list of all sandboxes. The format | ||
56 | for each entry is as follows: | ||
57 | |||
58 | PID:USER:Command | ||
59 | |||
60 | Option \-\-tree prints the tree of processes running in the sandbox. The format | ||
61 | for each process entry is as follows: | ||
62 | |||
63 | PID:USER:Command | ||
64 | |||
65 | Option \-\-top is similar to the UNIX top command, however it applies only to | ||
66 | sandboxes. Listed below are the available fields (columns) in alphabetical | ||
67 | order: | ||
68 | |||
69 | .TP | ||
70 | Command | ||
71 | Command used to start the sandbox. | ||
72 | .TP | ||
73 | CPU% | ||
74 | CPU usage, the sandbox share of the elapsed CPU time since the | ||
75 | last screen update | ||
76 | .TP | ||
77 | PID | ||
78 | Unique process ID for the task controlling the sandbox. | ||
79 | .TP | ||
80 | Prcs | ||
81 | Number of processes running in sandbox, including the controlling process. | ||
82 | .TP | ||
83 | RES | ||
84 | Resident Memory Size (KiB), sandbox non-swapped physical memory. | ||
85 | It is a sum of the RES values for all processes running in the sandbox. | ||
86 | .TP | ||
87 | SHR | ||
88 | Shared Memory Size (KiB), it reflects memory shared with other | ||
89 | processes. It is a sum of the SHR values for all processes running | ||
90 | in the sandbox, including the controlling process. | ||
91 | .TP | ||
92 | Uptime | ||
93 | Sandbox running time in hours:minutes:seconds format. | ||
94 | .TP | ||
95 | User | ||
96 | The owner of the sandbox. | ||
97 | |||
98 | .SH LICENSE | ||
99 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | ||
100 | .PP | ||
101 | Homepage: http://firejail.sourceforge.net | ||
102 | .SH SEE ALSO | ||
103 | \&\flfirejail\fR\|(1), | ||
104 | \&\flfirejail-profile\fR\|(5), | ||
105 | \&\flfirejail-login\fR\|(5) | ||
106 | |||
107 | |||
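Review bot: the field list after "Option \-\-top is similar to the UNIX top command" (lines 65-96 of firemon.txt) omits the RX(KB/s) and TX(KB/s) columns, yet the OPTIONS section above documents `\-\-netstats`, and the equivalent list in firejail.txt covers both `\-\-top` and `\-\-netstats` and includes those two fields; either add them here or state that the list applies to `\-\-top` only. Two small fixes in the same file: the `\-?`, `\-\-help` entry reads "Print options end exit." (should be "and exit"), and the SEE ALSO entries use `\fl` (lowercase L) where the italic font escape is `\fI`.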