diff options
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firecfg.txt | 1 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 7 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 20 |
5 files changed, 28 insertions, 2 deletions
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 280a4aff1..42add6a41 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -146,3 +146,4 @@ Homepage: https://firejail.wordpress.com | |||
146 | .BR firejail-login (5), | 146 | .BR firejail-login (5), |
147 | .BR firejail-users (5), | 147 | .BR firejail-users (5), |
148 | .BR jailcheck (1) | 148 | .BR jailcheck (1) |
149 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 05afd55b5..f03fc3c37 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -40,3 +40,4 @@ Homepage: https://firejail.wordpress.com | |||
40 | .BR firejail-profile (5), | 40 | .BR firejail-profile (5), |
41 | .BR firejail-users (5), | 41 | .BR firejail-users (5), |
42 | .BR jailcheck (1) | 42 | .BR jailcheck (1) |
43 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index be1f55f0f..138aae8af 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal | |||
478 | #ifdef HAVE_APPARMOR | 478 | #ifdef HAVE_APPARMOR |
479 | .TP | 479 | .TP |
480 | \fBapparmor | 480 | \fBapparmor |
481 | Enable AppArmor confinement. | 481 | Enable AppArmor confinement with the "firejail-default" AppArmor profile. |
482 | .TP | ||
483 | \fBapparmor profile_name | ||
484 | Enable AppArmor confinement with a custom AppArmor profile. | ||
485 | Note that the profile in question must already be loaded into the kernel. | ||
482 | #endif | 486 | #endif |
483 | .TP | 487 | .TP |
484 | \fBcaps | 488 | \fBcaps |
@@ -1031,3 +1035,4 @@ Homepage: https://firejail.wordpress.com | |||
1031 | 1035 | ||
1032 | .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles | 1036 | .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles |
1033 | .UE | 1037 | .UE |
1038 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index e3cce7ed5..7aa151680 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt | |||
@@ -60,3 +60,4 @@ Homepage: https://firejail.wordpress.com | |||
60 | .BR firejail-profile (5), | 60 | .BR firejail-profile (5), |
61 | .BR firejail-login (5), | 61 | .BR firejail-login (5), |
62 | .BR jailcheck (1) | 62 | .BR jailcheck (1) |
63 | .\" vim: set filetype=groff : | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 087d1c85a..2d8adb0b7 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles. | |||
67 | Each profile defines a set of permissions for a specific application or group | 67 | Each profile defines a set of permissions for a specific application or group |
68 | of applications. The software includes security profiles for a number of more common | 68 | of applications. The software includes security profiles for a number of more common |
69 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 69 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
70 | .\" TODO: Explain the security/usability tradeoffs from #4601. | ||
71 | .PP | ||
72 | Firejail is currently implemented as an SUID binary, which means that if a | ||
73 | malicious or compromised user account manages to exploit a bug in Firejail, | ||
74 | that could ultimately lead to a privilege escalation to root. | ||
75 | To mitigate this, it is recommended to only allow trusted users to run firejail | ||
76 | (see firejail-users(5) for details on how to achieve that). | ||
77 | For more details on the security/usability tradeoffs of Firejail, see: | ||
78 | .UR https://github.com/netblue30/firejail/discussions/4601 | ||
79 | #4601 | ||
80 | .UE | ||
70 | .PP | 81 | .PP |
71 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) | 82 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) |
72 | are not supported. Snap and flatpak packages have their own native management tools and will | 83 | are not supported. Snap and flatpak packages have their own native management tools and will |
@@ -122,7 +133,13 @@ $ firejail --allusers | |||
122 | #ifdef HAVE_APPARMOR | 133 | #ifdef HAVE_APPARMOR |
123 | .TP | 134 | .TP |
124 | \fB\-\-apparmor | 135 | \fB\-\-apparmor |
125 | Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. | 136 | Enable AppArmor confinement with the "firejail-default" AppArmor profile. |
137 | For more information, please see \fBAPPARMOR\fR section below. | ||
138 | .TP | ||
139 | \fB\-\-apparmor=profile_name | ||
140 | Enable AppArmor confinement with a custom AppArmor profile. | ||
141 | Note that profile in question must already be loaded into the kernel. | ||
142 | For more information, please see \fBAPPARMOR\fR section below. | ||
126 | .TP | 143 | .TP |
127 | \fB\-\-apparmor.print=name|pid | 144 | \fB\-\-apparmor.print=name|pid |
128 | Print the AppArmor confinement status for the sandbox identified by name or by PID. | 145 | Print the AppArmor confinement status for the sandbox identified by name or by PID. |
@@ -3611,3 +3628,4 @@ Homepage: https://firejail.wordpress.com | |||
3611 | .UE , | 3628 | .UE , |
3612 | .UR https://github.com/netblue30/firejail | 3629 | .UR https://github.com/netblue30/firejail |
3613 | .UE | 3630 | .UE |
3631 | .\" vim: set filetype=groff : | ||