Diffstat (limited to 'src/man')
-rw-r--r--  src/man/firecfg.txt          |  1
-rw-r--r--  src/man/firejail-login.txt   |  1
-rw-r--r--  src/man/firejail-profile.txt |  7
-rw-r--r--  src/man/firejail-users.txt   |  1
-rw-r--r--  src/man/firejail.txt         | 37
-rw-r--r--  src/man/firemon.txt          |  1
-rw-r--r--  src/man/jailcheck.txt        |  1
7 files changed, 45 insertions, 4 deletions
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 280a4aff1..42add6a41 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -146,3 +146,4 @@ Homepage: https://firejail.wordpress.com | |||
146 | .BR firejail-login (5), | 146 | .BR firejail-login (5), |
147 | .BR firejail-users (5), | 147 | .BR firejail-users (5), |
148 | .BR jailcheck (1) | 148 | .BR jailcheck (1) |
149 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 05afd55b5..f03fc3c37 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -40,3 +40,4 @@ Homepage: https://firejail.wordpress.com | |||
40 | .BR firejail-profile (5), | 40 | .BR firejail-profile (5), |
41 | .BR firejail-users (5), | 41 | .BR firejail-users (5), |
42 | .BR jailcheck (1) | 42 | .BR jailcheck (1) |
43 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index be1f55f0f..138aae8af 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal | |||
478 | #ifdef HAVE_APPARMOR | 478 | #ifdef HAVE_APPARMOR |
479 | .TP | 479 | .TP |
480 | \fBapparmor | 480 | \fBapparmor |
481 | Enable AppArmor confinement. | 481 | Enable AppArmor confinement with the "firejail-default" AppArmor profile. |
482 | .TP | ||
483 | \fBapparmor profile_name | ||
484 | Enable AppArmor confinement with a custom AppArmor profile. | ||
485 | Note that the profile in question must already be loaded into the kernel. | ||
482 | #endif | 486 | #endif |
483 | .TP | 487 | .TP |
484 | \fBcaps | 488 | \fBcaps |
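Review bot: the new "apparmor profile_name" entry (lines 483-485 on the right) says the profile must already be loaded into the kernel but not what happens when it is not; since a missing profile means the sandbox runs without the confinement the profile author expected, please state whether firejail refuses to start the sandbox or whether the kernel rejects the change and the error surfaces to the user. It would also help to say whether the name is validated by firejail or passed through to the kernel as-is, so readers writing profiles know which component reports a typo in the name.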
@@ -1031,3 +1035,4 @@ Homepage: https://firejail.wordpress.com | |||
1031 | 1035 | ||
1032 | .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles | 1036 | .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles |
1033 | .UE | 1037 | .UE |
1038 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index e3cce7ed5..7aa151680 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt | |||
@@ -60,3 +60,4 @@ Homepage: https://firejail.wordpress.com | |||
60 | .BR firejail-profile (5), | 60 | .BR firejail-profile (5), |
61 | .BR firejail-login (5), | 61 | .BR firejail-login (5), |
62 | .BR jailcheck (1) | 62 | .BR jailcheck (1) |
63 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 087d1c85a..1dd5508b3 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles. | |||
67 | Each profile defines a set of permissions for a specific application or group | 67 | Each profile defines a set of permissions for a specific application or group |
68 | of applications. The software includes security profiles for a number of more common | 68 | of applications. The software includes security profiles for a number of more common |
69 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 69 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
70 | .\" TODO: Explain the security/usability tradeoffs from #4601. | ||
71 | .PP | ||
72 | Firejail is currently implemented as an SUID binary, which means that if a | ||
73 | malicious or compromised user account manages to exploit a bug in Firejail, | ||
74 | that could ultimately lead to a privilege escalation to root. | ||
75 | To mitigate this, it is recommended to only allow trusted users to run firejail | ||
76 | (see firejail-users(5) for details on how to achieve that). | ||
77 | For more details on the security/usability tradeoffs of Firejail, see: | ||
78 | .UR https://github.com/netblue30/firejail/discussions/4601 | ||
79 | #4601 | ||
80 | .UE | ||
70 | .PP | 81 | .PP |
71 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) | 82 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) |
72 | are not supported. Snap and flatpak packages have their own native management tools and will | 83 | are not supported. Snap and flatpak packages have their own native management tools and will |
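Review bot: the ".\" TODO: Explain the security/usability tradeoffs from #4601." comment at line 70 on the right is left in place even though the paragraph added directly below it already explains the SUID risk and links to discussion #4601; either drop the TODO or narrow it to what is still missing, otherwise the next editor has to re-read the thread to decide whether it is done. The wording of the paragraph itself is good: it names the trust boundary (SUID binary, exploitable by any user allowed to run it) and points at the mitigation in firejail-users(5).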
@@ -122,7 +133,13 @@ $ firejail --allusers | |||
122 | #ifdef HAVE_APPARMOR | 133 | #ifdef HAVE_APPARMOR |
123 | .TP | 134 | .TP |
124 | \fB\-\-apparmor | 135 | \fB\-\-apparmor |
125 | Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. | 136 | Enable AppArmor confinement with the "firejail-default" AppArmor profile. |
137 | For more information, please see \fBAPPARMOR\fR section below. | ||
138 | .TP | ||
139 | \fB\-\-apparmor=profile_name | ||
140 | Enable AppArmor confinement with a custom AppArmor profile. | ||
141 | Note that profile in question must already be loaded into the kernel. | ||
142 | For more information, please see \fBAPPARMOR\fR section below. | ||
126 | .TP | 143 | .TP |
127 | \fB\-\-apparmor.print=name|pid | 144 | \fB\-\-apparmor.print=name|pid |
128 | Print the AppArmor confinement status for the sandbox identified by name or by PID. | 145 | Print the AppArmor confinement status for the sandbox identified by name or by PID. |
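Review bot: line 141 on the right reads "Note that profile in question must already be loaded into the kernel." and is missing "the"; the same sentence in firejail-profile.txt in this commit has it, so change this one to "Note that the profile in question must already be loaded into the kernel." to keep the two man pages identical. As with the profile(5) entry, stating what happens when the named profile is not loaded would remove the ambiguity about whether the sandbox starts unconfined or fails.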
@@ -174,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR | |||
174 | .br | 191 | .br |
175 | 192 | ||
176 | .br | 193 | .br |
194 | Symbolic link handling: Blacklisting a path that is a symbolic link will also | ||
195 | blacklist the path that it points to. | ||
196 | For example, if ~/foo is blacklisted and it points to /foo, then /foo will also | ||
197 | be blacklisted. | ||
198 | .br | ||
199 | |||
200 | .br | ||
177 | Example: | 201 | Example: |
178 | .br | 202 | .br |
179 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | 203 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin |
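Review bot: the new blacklist symbolic-link paragraph (lines 194-197 on the right) states the behaviour without any of the restrictions that the matching whitelist paragraph in the same commit lists (same top directory; user ownership inside the home directory). If blacklist follows a link to any target, say so explicitly; if the same restrictions apply, repeat them here, because a reader comparing the two sections will otherwise assume the omission is deliberate. The example (~/foo pointing to /foo) is fine, but it would be worth adding that the blacklist applies to the target path itself, not only to accesses made through the link, since that is the property a profile author relies on.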
@@ -2905,8 +2929,14 @@ all directories in /usr. | |||
2905 | .br | 2929 | .br |
2906 | 2930 | ||
2907 | .br | 2931 | .br |
2908 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | 2932 | Symbolic link handling: Whitelisting a path that is a symbolic link will also |
2909 | the same top directory. For user home, both the link and the real file should be owned by the user. | 2933 | whitelist the path that it points to. |
2934 | For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will | ||
2935 | also be whitelisted. | ||
2936 | Restrictions: With the exception of the user home directory, both the link and | ||
2937 | the real file should be in the same top directory. | ||
2938 | For symbolic links in the user home directory, both the link and the real file | ||
2939 | should be owned by the user. | ||
2910 | .br | 2940 | .br |
2911 | 2941 | ||
2912 | .br | 2942 | .br |
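Review bot: the "Restrictions:" sentences at lines 2936-2939 on the right keep the old "should be" wording, so a reader cannot tell whether these are hard requirements or recommendations; if a whitelist entry whose link and target are in different top directories (or, under the home directory, not owned by the user) is silently ignored or rejected, say "must" and state the outcome, because the difference decides whether the path ends up visible in the sandbox. Otherwise the rewrite is an improvement: splitting the behaviour ("whitelisting a link also whitelists its target") from the restrictions makes the rule much easier to follow than the previous two-line version.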
@@ -3611,3 +3641,4 @@ Homepage: https://firejail.wordpress.com | |||
3611 | .UE , | 3641 | .UE , |
3612 | .UR https://github.com/netblue30/firejail | 3642 | .UR https://github.com/netblue30/firejail |
3613 | .UE | 3643 | .UE |
3644 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index fd58a7168..9d0785a4a 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -118,3 +118,4 @@ Homepage: https://firejail.wordpress.com | |||
118 | .BR firejail-login (5), | 118 | .BR firejail-login (5), |
119 | .BR firejail-users (5), | 119 | .BR firejail-users (5), |
120 | .BR jailcheck (1) | 120 | .BR jailcheck (1) |
121 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt index 483f47fb9..e889ea91b 100644 --- a/src/man/jailcheck.txt +++ b/src/man/jailcheck.txt | |||
@@ -115,3 +115,4 @@ Homepage: https://firejail.wordpress.com | |||
115 | .BR firejail-profile (5), | 115 | .BR firejail-profile (5), |
116 | .BR firejail-login (5), | 116 | .BR firejail-login (5), |
117 | .BR firejail-users (5), | 117 | .BR firejail-users (5), |
118 | .\" vim: set filetype=groff : | ||