Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 21 | ||||
-rw-r--r-- | src/man/firejail.txt | 28 |
2 files changed, 49 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 138aae8af..6e75aceed 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -497,6 +497,27 @@ Blacklist all Linux capabilities. | |||
497 | .TP | 497 | .TP |
498 | \fBcaps.keep capability,capability,capability | 498 | \fBcaps.keep capability,capability,capability |
499 | Whitelist given Linux capabilities. | 499 | Whitelist given Linux capabilities. |
500 | #ifdef HAVE_LANDLOCK | ||
501 | .TP | ||
502 | \fBlandlock-read path | ||
503 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
504 | .br | ||
505 | |||
506 | .TP | ||
507 | \fBlandlock-write path | ||
508 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
509 | .br | ||
510 | |||
511 | .TP | ||
512 | \fBlandlock-restricted-write path | ||
513 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
514 | .br | ||
515 | |||
516 | .TP | ||
517 | \fBlandlock-execute path | ||
518 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
519 | .br | ||
520 | #endif | ||
500 | .TP | 521 | .TP |
501 | \fBmemory-deny-write-execute | 522 | \fBmemory-deny-write-execute |
502 | Install a seccomp filter to block attempts to create memory mappings | 523 | Install a seccomp filter to block attempts to create memory mappings |
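Review bot: the four new entries (landlock-read through landlock-execute, new lines 502-518) describe the rule each one adds but never say what happens to paths that have no rule once the ruleset exists, so a reader cannot tell whether a single landlock-read line also denies write and execute everywhere else. Add one sentence on the default for unlisted paths and on whether landlock-write implies read access. The sentence beginning "Note: if a process doesn't have CAP_SYS_ADMIN" is repeated verbatim four times; stating it once, with a pointer to the existing nonewprivs profile option as the way to satisfy it, would be easier to maintain. firejail.txt gets an example in this patch and the profile page does not; a short profile snippet here would match it.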
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2d8adb0b7..7082fe0ab 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1144,6 +1144,33 @@ Example: | |||
1144 | .br | 1144 | .br |
1145 | $ firejail --keep-var-tmp | 1145 | $ firejail --keep-var-tmp |
1146 | 1146 | ||
1147 | #ifdef HAVE_LANDLOCK | ||
1148 | .TP | ||
1149 | \fB\-\-landlock-read=path | ||
1150 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
1151 | .br | ||
1152 | |||
1153 | .TP | ||
1154 | \fB\-\-landlock-write=path | ||
1155 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
1156 | .br | ||
1157 | |||
1158 | .TP | ||
1159 | \fB\-\-landlock-restricted-write=path | ||
1160 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
1161 | .br | ||
1162 | |||
1163 | .TP | ||
1164 | \fB\-\-landlock-execute=path | ||
1165 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
1166 | .br | ||
1167 | |||
1168 | .br | ||
1169 | Example: | ||
1170 | .br | ||
1171 | $ firejail \-\-landlock-read=/ \-\-landlock-restricted-write=/home \-\-landlock-execute=/usr | ||
1172 | #endif | ||
1173 | |||
1147 | .TP | 1174 | .TP |
1148 | \fB\-\-list | 1175 | \fB\-\-list |
1149 | List all sandboxes, see \fBMONITORING\fR section for more details. | 1176 | List all sandboxes, see \fBMONITORING\fR section for more details. |
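Review bot: the example at new line 1171 passes only the three landlock options, yet the Note on each option above it says the self-restriction fails and Firejail exits with an error unless the process has CAP_SYS_ADMIN or "No New Privileges" is enabled. Either add \-\-nonewprivs to the example or state next to it what precondition makes it work as written. A one-line description of the resulting policy (read under /, restricted write under /home, execute under /usr) would also help, since the option texts do not say how the three rules combine.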
@@ -1261,6 +1288,7 @@ $ firejail --list | |||
1261 | .br | 1288 | .br |
1262 | 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote | 1289 | 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote |
1263 | .br | 1290 | .br |
1291 | |||
1264 | #ifdef HAVE_NETWORK | 1292 | #ifdef HAVE_NETWORK |
1265 | .TP | 1293 | .TP |
1266 | \fB\-\-net=bridge_interface | 1294 | \fB\-\-net=bridge_interface |
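Review bot: the blank line added at new line 1291, just before "#ifdef HAVE_NETWORK", is unrelated to the Landlock documentation this patch introduces. Drop it from this change or send it as a separate whitespace cleanup so the history for the \-\-net section stays clean.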