diff options
Diffstat (limited to 'src/man')
| -rw-r--r-- | src/man/firejail.txt | 42 |
1 files changed, 26 insertions, 16 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 29f15a74f..1b051ab57 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -2128,22 +2128,32 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 | |||
| 2128 | .br | 2128 | .br |
| 2129 | $ | 2129 | $ |
| 2130 | .TP | 2130 | .TP |
| 2131 | \fB\-\-private-etc=file,directory | 2131 | \fB\-\-private-etc, \-\-private-etc=file,directory,@group |
| 2132 | Build a new /etc in a temporary | 2132 | The files installed by \-\-private-etc are copies of the original system files from /etc directory. |
| 2133 | filesystem, and copy the files and directories in the list. | 2133 | By default, the command brings in a skeleton of files and directories used by most console tools: |
| 2134 | The files and directories in the list must be expressed as relative to | ||
| 2135 | the /etc directory (e.g., /etc/foo must be expressed as foo). | ||
| 2136 | If no listed file is found, /etc directory will be empty. | ||
| 2137 | All modifications are discarded when the sandbox is closed. | ||
| 2138 | Multiple private-etc commands are allowed and they accumulate. | ||
| 2139 | .br | ||
| 2140 | 2134 | ||
| 2141 | .br | 2135 | $ firejail --private-etc dig debian.org |
| 2142 | Example: | 2136 | |
| 2143 | .br | 2137 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameter. Example: |
| 2144 | $ firejail --private-etc=group,hostname,localtime, \\ | 2138 | |
| 2145 | .br | 2139 | $ firejail --private-etc=@x11,gcrypt,python* gimp |
| 2146 | nsswitch.conf,passwd,resolv.conf | 2140 | |
| 2141 | gcrypt and /etc/python* directories are not part of the generic @x11 group. | ||
| 2142 | File globbing is supported. | ||
| 2143 | |||
| 2144 | For games, add @games group: | ||
| 2145 | |||
| 2146 | $ firejail --private-etc=@games,@x11 warzone2100 | ||
| 2147 | |||
| 2148 | Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified. | ||
| 2149 | Files for encrypted TLS/SSL protocol are in @tls-ca group. | ||
| 2150 | |||
| 2151 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org | ||
| 2152 | |||
| 2153 | |||
| 2154 | Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: | ||
| 2155 | |||
| 2156 | $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc | ||
| 2147 | #ifdef HAVE_PRIVATE_HOME | 2157 | #ifdef HAVE_PRIVATE_HOME |
| 2148 | .TP | 2158 | .TP |
| 2149 | \fB\-\-private-home=file,directory | 2159 | \fB\-\-private-home=file,directory |
| @@ -3065,7 +3075,7 @@ Example: | |||
| 3065 | .br | 3075 | .br |
| 3066 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | 3076 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
| 3067 | .br | 3077 | .br |
| 3068 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | 3078 | $ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null |
| 3069 | .br | 3079 | .br |
| 3070 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | 3080 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" |
| 3071 | .br | 3081 | .br |