Diffstat (limited to 'src/man')
-rw-r--r--  src/man/firecfg.txt            2
-rw-r--r--  src/man/firejail-profile.txt   5
-rw-r--r--  src/man/firejail.txt          85
3 files changed, 91 insertions, 1 deletions
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 7e0a57f92..189e9cc8d 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -27,7 +27,7 @@ desktop managers are supported in this moment | |||
27 | To set it up, run "sudo firecfg" after installing Firejail software. | 27 | To set it up, run "sudo firecfg" after installing Firejail software. |
28 | The same command should also be run after | 28 | The same command should also be run after |
29 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin | 29 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin |
30 | will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config". | 30 | will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config". |
31 | 31 | ||
32 | For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. | 32 | For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. |
33 | .SH DEFAULT ACTIONS | 33 | .SH DEFAULT ACTIONS |
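Review bot: the path change at line 30 (/usr/lib/firejail/firecfg.config to /etc/firejail/firecfg.config) is a documentation-only edit, so please confirm in the same commit that the firecfg binary and the install rules actually read and ship the file from /etc/firejail; if the tool still opens the old location, the man page now tells users to `cat` a file that does not exist. The surrounding context (line 29, symlinks created in /usr/local/bin) is unchanged, which is fine, but a doc path that diverges from the code is the kind of drift this hunk is meant to fix, not create.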
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index a1eccaa5e..f6c905d59 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -954,12 +954,17 @@ be created and configured using "ip netns". | |||
954 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, | 954 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, |
955 | instead of the default one. | 955 | instead of the default one. |
956 | #endif | 956 | #endif |
957 | |||
957 | .SH Other | 958 | .SH Other |
958 | .TP | 959 | .TP |
959 | \fBdeterministic-exit-code | 960 | \fBdeterministic-exit-code |
960 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 961 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
961 | 962 | ||
962 | .TP | 963 | .TP |
964 | \fBdeterministic-shutdown | ||
965 | Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes. | ||
966 | |||
967 | .TP | ||
963 | \fBjoin-or-start sandboxname | 968 | \fBjoin-or-start sandboxname |
964 | Join the sandbox identified by name or start a new one. | 969 | Join the sandbox identified by name or start a new one. |
965 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". | 970 | Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". |
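Review bot: the new deterministic-shutdown entry (lines 964-965) does not say what happens to processes still running in the sandbox when the first child terminates: whether they are signalled, which signal is used, and whether there is a grace period before a hard kill. A profile author needs that to predict behaviour for a command that forks a background helper. It also sits directly under deterministic-exit-code without saying how the two combine (exit status from the first child plus shutdown on the first child's exit). Suggest a sentence such as "Remaining processes are terminated" with the actual signal, and "See also deterministic-exit-code." The inserted blank line 957 before .SH Other is an unrelated formatting change and could be split out or mentioned in the commit message.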
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e724e4bb9..b5cb1e7c2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -706,6 +706,12 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | |||
706 | \fB\-\-deterministic-exit-code | 706 | \fB\-\-deterministic-exit-code |
707 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 707 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
708 | .br | 708 | .br |
709 | |||
710 | .TP | ||
711 | \fB\-\-deterministic-shutdown | ||
712 | Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes. | ||
713 | .br | ||
714 | |||
709 | .TP | 715 | .TP |
710 | \fB\-\-disable-mnt | 716 | \fB\-\-disable-mnt |
711 | Blacklist /mnt, /media, /run/mount and /run/media access. | 717 | Blacklist /mnt, /media, /run/mount and /run/media access. |
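Review bot: the \-\-deterministic-shutdown text at lines 711-712 is a verbatim copy of the profile man page entry and inherits the same gap: it does not document how remaining sandbox processes are terminated when the first child exits, nor how the option interacts with \-\-deterministic-exit-code immediately above it. Please keep the two man pages in sync when that wording is added. Formatting-wise, the ".br" followed by a blank line at 713-714 mirrors the neighbouring entry at 708-709, so that part is consistent with the file.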
@@ -815,6 +821,26 @@ Example: | |||
815 | $ firejail \-\-hosts-file=~/myhosts firefox | 821 | $ firejail \-\-hosts-file=~/myhosts firefox |
816 | 822 | ||
817 | .TP | 823 | .TP |
824 | \fB\-\-ids-check | ||
825 | Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details. | ||
826 | .br | ||
827 | |||
828 | .br | ||
829 | Example: | ||
830 | .br | ||
831 | $ firejail \-\-ids-check | ||
832 | |||
833 | .TP | ||
834 | \fB\-\-ids-init | ||
835 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details. | ||
836 | .br | ||
837 | |||
838 | .br | ||
839 | Example: | ||
840 | .br | ||
841 | $ firejail \-\-ids-init | ||
842 | |||
843 | .TP | ||
818 | \fB\-\-ignore=command | 844 | \fB\-\-ignore=command |
819 | Ignore command in profile file. | 845 | Ignore command in profile file. |
820 | .br | 846 | .br |
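Review bot: line 825 has a copy-paste error: \-\-ids-check is described as checking hashes "previously generated by \-\-ids-check", but the option that creates the database is \-\-ids-init (line 834). Suggest "Check file hashes previously generated by \-\-ids-init." Both new entries also refer to "INTRUSION DETECTION SYSTEM section" while the heading added in the same patch is "INTRUSION DETECTION SYSTEM (IDS)"; keep the reference identical to the heading so a search in the man page lands on it.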
@@ -3202,6 +3228,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png | |||
3202 | $ firejail \-\-cat=mybrowser ~/.bashrc | 3228 | $ firejail \-\-cat=mybrowser ~/.bashrc |
3203 | .br | 3229 | .br |
3204 | #endif | 3230 | #endif |
3231 | |||
3232 | .SH INTRUSION DETECTION SYSTEM (IDS) | ||
3233 | The host-based intrusion detection system tracks down and audits user and system file modifications. | ||
3234 | The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, | ||
3235 | where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing. | ||
3236 | |||
3237 | As a regular user, initialize the database: | ||
3238 | .br | ||
3239 | |||
3240 | .br | ||
3241 | $ firejail --ids-init | ||
3242 | .br | ||
3243 | Opening config file /etc/firejail/ids.config | ||
3244 | .br | ||
3245 | Loading config file /etc/firejail/ids.config | ||
3246 | .br | ||
3247 | Opening config file /etc/firejail/ids.config.local | ||
3248 | .br | ||
3249 | 500 1000 1500 2000 | ||
3250 | .br | ||
3251 | 2466 files scanned | ||
3252 | .br | ||
3253 | IDS database initialized | ||
3254 | .br | ||
3255 | |||
3256 | .br | ||
3257 | The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory | ||
3258 | such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed. | ||
3259 | .br | ||
3260 | |||
3261 | .br | ||
3262 | Run --ids-check to audit the system: | ||
3263 | .br | ||
3264 | |||
3265 | .br | ||
3266 | $ firejail --ids-check | ||
3267 | .br | ||
3268 | Opening config file /etc/firejail/ids.config | ||
3269 | .br | ||
3270 | Loading config file /etc/firejail/ids.config | ||
3271 | .br | ||
3272 | Opening config file /etc/firejail/ids.config.local | ||
3273 | .br | ||
3274 | 500 1000 1500 | ||
3275 | .br | ||
3276 | Warning: modified /home/netblue/.bashrc | ||
3277 | .br | ||
3278 | 2000 | ||
3279 | .br | ||
3280 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
3281 | .br | ||
3282 | |||
3283 | .br | ||
3284 | The program will print the files that have been modified since the database was created, or the files with different access permissions. | ||
3285 | New files and deleted files are also flagged. | ||
3286 | |||
3287 | Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | ||
3288 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | ||
3289 | |||
3205 | .SH MONITORING | 3290 | .SH MONITORING |
3206 | Option \-\-list prints a list of all sandboxes. The format | 3291 | Option \-\-list prints a list of all sandboxes. The format |
3207 | for each process entry is as follows: | 3292 | for each process entry is as follows: |
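Review bot: the section never states who owns and can write the checksum database at /var/lib/firejail/USERNAME.ids (line 3234), yet line 3237 has it created by an unprivileged "firejail --ids-init". If the file is writable by the same user, any process running as that user, including whatever modified ~/.bashrc in the example at line 3276, can simply re-run --ids-init and the next --ids-check reports a clean system; the database is the IDS's trust root and its permissions need to be documented, with a recommendation that the system-file baseline be created and owned by root (line 3288 mentions root runs but not why that matters). Three smaller points: line 3235 says "BLAKE2" without the variant and digest length (BLAKE2b or BLAKE2s, how many bits), which other tooling needs to interoperate with the .ids file; line 3287 says unreadable files are "silently dropped", and silent drops should at least be counted in the summary line of 3280 so that a permission change that makes a file unreadable cannot hide a modification; and since symbolic links are not followed (3287), the text should say whether the link target string is hashed, otherwise re-pointing a symlink in /usr/bin to a different binary goes undetected. The config file /etc/firejail/ids.config.local appears in the sample output (3247, 3272) but is not explained; one sentence on it being a local override of ids.config would do.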