Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 88 | ||||
-rw-r--r-- | src/man/firejail.txt | 30 |
2 files changed, 77 insertions, 41 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1713b74dd..91c151fe8 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -81,7 +81,7 @@ file in user home directory. | |||
81 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. | 81 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. |
82 | 82 | ||
83 | .TP | 83 | .TP |
84 | \f\noblacklist file_name | 84 | \f\ noblacklist file_name |
85 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. | 85 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. |
86 | 86 | ||
87 | Example: "noblacklist ${HOME}/.mozilla" | 87 | Example: "noblacklist ${HOME}/.mozilla" |
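Review bot: On new line 84 the heading becomes `\f\ noblacklist file_name`, with a space between the font escape and the command name. The other entries in this file (`\f\blacklist`, `\f\read-only`, `\f\private`) have no such space, while `\f\ tmpfs directory` in the next hunk gains the same one. Pick one form for all entries; firejail.txt writes its option headings with an explicit `\fB` escape, which would be the clearer convention here as well.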
@@ -102,37 +102,31 @@ Use \fBprivate\fR to set private mode. | |||
102 | File globbing is supported, and PATH and HOME directories are searched. | 102 | File globbing is supported, and PATH and HOME directories are searched. |
103 | Examples: | 103 | Examples: |
104 | .TP | 104 | .TP |
105 | \f\blacklist /usr/bin | 105 | \f\blacklist file_or_directory |
106 | Remove /usr/bin directory. | 106 | Blacklist directory or file. Examples: |
107 | .TP | 107 | .br |
108 | \f\blacklist /etc/passwd | 108 | |
109 | Remove /etc/passwd file. | 109 | .br |
110 | .TP | 110 | blacklist /usr/bin |
111 | \f\read-only /etc/passwd | 111 | .br |
112 | Read-only /etc/passwd file. | 112 | blacklist /usr/bin/gcc* |
113 | .TP | 113 | .br |
114 | tmpfs /etc | 114 | blacklist ${PATH}/ifconfig |
115 | Mount an empty tmpfs filesystem on top of /etc directory. | 115 | .br |
116 | .TP | 116 | blacklist ${HOME}/.ssh |
117 | bind /root/config/ssh,/etc/ssh | 117 | |
118 | Mount-bind /root/config/ssh on /etc/ssh. | ||
119 | .TP | 118 | .TP |
120 | \f\blacklist /usr/bin/gcc* | 119 | \f\read-only file_or_directory |
121 | Remove all gcc files in /usr/bin (file globbing). | 120 | Make directory or file read-only. |
122 | .TP | 121 | .TP |
123 | \f\blacklist ${PATH}/ifconfig | 122 | \f\ tmpfs directory |
124 | Remove ifconfig command from the regular path directories. | 123 | Mount an empty tmpfs filesystem on top of directory. |
125 | .TP | 124 | .TP |
126 | \f\blacklist ${HOME}/.ssh | 125 | \f\bind directory1,directory2 |
127 | Remove .ssh directory from user home directory. | 126 | Mount-bind directory1 on top of directory2. This option is only available when running as root. |
128 | .TP | 127 | .TP |
129 | \f\noblacklist ${HOME}/config/evince | 128 | \f\bind file1,file2 |
130 | Prevent any new blacklist commands from blacklisting | 129 | Mount-bind file1 on top of file2. This option is only available when running as root. |
131 | config/evince in the user home directory. Useful for defining | ||
132 | exceptions before including a large blacklist from a file. Note | ||
133 | that blacklisting ${HOME}/config can still make | ||
134 | ${HOME}/config/evince effectively unreachable through filesystem | ||
135 | traversal. | ||
136 | .TP | 130 | .TP |
137 | \f\private | 131 | \f\private |
138 | Mount new /root and /home/user directories in temporary | 132 | Mount new /root and /home/user directories in temporary |
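Review bot: Old lines 129-135 held the only warning that blacklisting ${HOME}/config can still make ${HOME}/config/evince unreachable through filesystem traversal even after a noblacklist, and this hunk deletes it without moving it to the `noblacklist file_name` entry at line 84. Profile authors need that parent-directory caveat to write exceptions that actually work, so carry it over to the noblacklist entry. The new `read-only file_or_directory` and `tmpfs directory` entries also lose their concrete examples (`read-only /etc/passwd`, `tmpfs /etc`) while blacklist keeps four; an example line for each would keep the entries uniform.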
@@ -153,7 +147,7 @@ new home. All modifications are discarded when the sandbox is | |||
153 | closed. | 147 | closed. |
154 | .TP | 148 | .TP |
155 | \f\private-dev | 149 | \f\private-dev |
156 | Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available. | 150 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. |
157 | .TP | 151 | .TP |
158 | \f\private-etc file,directory | 152 | \f\private-etc file,directory |
159 | Build a new /etc in a temporary | 153 | Build a new /etc in a temporary |
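Review bot: New line 150 adds dri and log to the devices left in the private /dev, but the text does not say why a sandbox that asked for a minimal /dev gets them. Both widen what the sandboxed program can reach (/dev/dri is direct access to the graphics hardware, /dev/log is the syslog socket), so add a sentence giving the reason. Also confirm the list matches what the code creates, since the diffstat shown here is limited to src/man.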
@@ -240,10 +234,8 @@ The sandbox is placed in g1 control group. | |||
240 | .SH User Environment | 234 | .SH User Environment |
241 | 235 | ||
242 | .TP | 236 | .TP |
243 | env LD_LIBRARY_PATH=/opt/test/lib | 237 | env name=value |
244 | Set environment variable. | 238 | Set environment variable. Examples: |
245 | .br | ||
246 | Examples: | ||
247 | .br | 239 | .br |
248 | 240 | ||
249 | .br | 241 | .br |
@@ -284,6 +276,36 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. | |||
284 | hostname name | 276 | hostname name |
285 | Set a hostname for the sandbox. | 277 | Set a hostname for the sandbox. |
286 | 278 | ||
279 | .SH RELOCATING PROFILES | ||
280 | For various reasons some users might want to keep the profile files in a different directory. | ||
281 | Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles | ||
282 | into this directory. | ||
283 | |||
284 | This is an example of relocating the profile files into a new | ||
285 | directory, /home/netblue/myprofiles. Start by creating the new directory and copy all | ||
286 | the profile files in: | ||
287 | .br | ||
288 | |||
289 | .br | ||
290 | $ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* . | ||
291 | .br | ||
292 | |||
293 | .br | ||
294 | Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands: | ||
295 | .br | ||
296 | |||
297 | .br | ||
298 | $ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile | ||
299 | .br | ||
300 | $ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc | ||
301 | .br | ||
302 | |||
303 | .br | ||
304 | Start Firejail using the new path: | ||
305 | .br | ||
306 | |||
307 | .br | ||
308 | $ firejail --profile-path=~/myprofile | ||
287 | 309 | ||
288 | .SH FILES | 310 | .SH FILES |
289 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile | 311 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile |
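Review bot: The final command on new line 308, `$ firejail --profile-path=~/myprofile`, names a directory the example never creates; the earlier steps create and populate `~/myprofiles`. Fix the path. The sed expressions on lines 298 and 300 hard-code /home/netblue/myprofiles, so say that readers must substitute their own home directory; a different delimiter, as in `s|/etc/firejail|...|g`, would also remove the escaped slashes. Minor: "look for profiles into this directory" should read "in this directory", and `--profile-path` on line 281 is not written as `\-\-profile-path` the way firejail.txt writes it.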
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 62225c407..e2382eb9f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -52,7 +52,7 @@ Only /home and /tmp are writable. | |||
52 | As it starts up, Firejail tries to find a security profile based on the name of the application. | 52 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
53 | If an appropriate profile is not found, Firejail will use a default profile. | 53 | If an appropriate profile is not found, Firejail will use a default profile. |
54 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 54 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
55 | to disable it. For more information, please see SECURITY PROFILES section. | 55 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section. |
56 | .PP | 56 | .PP |
57 | If a program argument is not specified, Firejail starts /bin/bash shell. | 57 | If a program argument is not specified, Firejail starts /bin/bash shell. |
58 | Examples: | 58 | Examples: |
@@ -69,10 +69,10 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
69 | Signal the end of options and disables further option processing. | 69 | Signal the end of options and disables further option processing. |
70 | .TP | 70 | .TP |
71 | \fB\-\-bandwidth=name | 71 | \fB\-\-bandwidth=name |
72 | Set bandwidth limits for the sandbox identified by name, see TRAFFIC SHAPING section for more details. | 72 | Set bandwidth limits for the sandbox identified by name, see \fBTRAFFIC SHAPING\fR section for more details. |
73 | .TP | 73 | .TP |
74 | \fB\-\-bandwidth=pid | 74 | \fB\-\-bandwidth=pid |
75 | Set bandwidth limits for the sandbox identified by PID, see TRAFFIC SHAPING section for more details. | 75 | Set bandwidth limits for the sandbox identified by PID, see \fBTRAFFIC SHAPING\fR section for more details. |
76 | .TP | 76 | .TP |
77 | \fB\-\-bind=dirname1,dirname2 | 77 | \fB\-\-bind=dirname1,dirname2 |
78 | Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root. | 78 | Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root. |
@@ -478,7 +478,7 @@ $ firejail \-\-join=3272 | |||
478 | 478 | ||
479 | .TP | 479 | .TP |
480 | \fB\-\-list | 480 | \fB\-\-list |
481 | List all sandboxes, see MONITORING section for more details. | 481 | List all sandboxes, see \fBMONITORING\fR section for more details. |
482 | .br | 482 | .br |
483 | 483 | ||
484 | .br | 484 | .br |
@@ -645,7 +645,7 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\ | |||
645 | --net=eth0 firefox | 645 | --net=eth0 firefox |
646 | .TP | 646 | .TP |
647 | \fB\-\-netstats | 647 | \fB\-\-netstats |
648 | Monitor network namespace statistics, see MONITORING section for more details. | 648 | Monitor network namespace statistics, see \fBMONITORING\fR section for more details. |
649 | .br | 649 | .br |
650 | 650 | ||
651 | .br | 651 | .br |
@@ -919,7 +919,7 @@ nsswitch.conf,passwd,resolv.conf | |||
919 | .TP | 919 | .TP |
920 | \fB\-\-profile=filename | 920 | \fB\-\-profile=filename |
921 | Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. | 921 | Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. |
922 | For more information, see SECURITY PROFILES section below. | 922 | For more information, see \fBSECURITY PROFILES\fR section below. |
923 | .br | 923 | .br |
924 | 924 | ||
925 | .br | 925 | .br |
@@ -928,6 +928,20 @@ Example: | |||
928 | $ firejail \-\-profile=myprofile | 928 | $ firejail \-\-profile=myprofile |
929 | 929 | ||
930 | .TP | 930 | .TP |
931 | \fB\-\-profile-path=directory | ||
932 | Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/. | ||
933 | For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in | ||
934 | \fBman 5 firejail-profile\fR. | ||
935 | .br | ||
936 | |||
937 | .br | ||
938 | Example: | ||
939 | .br | ||
940 | $ firejail \-\-profile-path=~/myprofiles | ||
941 | .br | ||
942 | $ firejail \-\-profile-path=/home/netblue/myprofiles | ||
943 | |||
944 | .TP | ||
931 | \fB\-\-protocol=protocol,protocol,protocol | 945 | \fB\-\-protocol=protocol,protocol,protocol |
932 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | 946 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. |
933 | Recognized values: unix, inet, inet6, netlink and packet. | 947 | Recognized values: unix, inet, inet6, netlink and packet. |
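Review bot: New line 933 sends readers to \fBRELOCATING PROFILE FILES\fR in man 5 firejail-profile, but the section this commit adds to firejail-profile.txt is titled `.SH RELOCATING PROFILES`. Make the two names match so the cross-reference can be found. The entry should also say what happens to the lookup described at the top of this page (profile chosen by application name, default profile otherwise) when the directory has no matching file, and recommend that the directory be writable only by the user who runs the sandbox, since the files in it define the sandbox's restrictions.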
@@ -1255,7 +1269,7 @@ Example: | |||
1255 | $ firejail \-\-tmpfs=/var | 1269 | $ firejail \-\-tmpfs=/var |
1256 | .TP | 1270 | .TP |
1257 | \fB\-\-top | 1271 | \fB\-\-top |
1258 | Monitor the most CPU-intensive sandboxes, see MONITORING section for more details. | 1272 | Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. |
1259 | .br | 1273 | .br |
1260 | 1274 | ||
1261 | .br | 1275 | .br |
@@ -1321,7 +1335,7 @@ Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe fi | |||
1321 | [...] | 1335 | [...] |
1322 | .TP | 1336 | .TP |
1323 | \fB\-\-tree | 1337 | \fB\-\-tree |
1324 | Print a tree of all sandboxed processes, see MONITORING section for more details. | 1338 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. |
1325 | .br | 1339 | .br |
1326 | 1340 | ||
1327 | .br | 1341 | .br |