Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 60 | ||||
-rw-r--r-- | src/man/jailcheck.txt | 12 |
3 files changed, 50 insertions, 24 deletions
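diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6f3bef7f2..db58e0910 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.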
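diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3212a88e4..0462705c0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 
 .TP
 \fB\-\-rlimit-cpu=number
@@ -2142,6 +2143,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.
@@ -2176,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is @default-nodebuggers unless allow-debuggers is specified,
+which is @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2187,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
-
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
+.br
 
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
+and AMD64 both 32-bit and 64-bit filters are installed.
 .br
 
 .br
@@ -2209,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized
+also globally in /etc/firejail/firejail.config file.
+
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list and the syscalls or syscall groups specified by the
-command.
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
+specified by the command, but don't blacklist "syscall2". On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -2223,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2235,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2243,9 +2255,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
 .br
@@ -2258,7 +2274,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2270,8 +2286,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
-.br
+Operation not permitted
 
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2315,15 +2330,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
-
-
-
-
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
@@ -2566,14 +2581,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.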
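diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index c80e305cc..483f47fb9 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -23,6 +23,8 @@ them from inside the sandbox.
 .TP
 \fB5. Seccomp test
 .TP
+\fB6. Networking test
+.TP
 The program is started as root using sudo.
 
 .SH OPTIONS
@@ -56,6 +58,8 @@ $ sudo jailcheck
 .br
 Warning: I can run programs in /home/netblue
 .br
+Networking: disabled
+.br
 
 .br
 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -64,12 +68,16 @@ $ sudo jailcheck
 .br
 Warning: I can read ~/.ssh
 .br
+Networking: enabled
+.br
 
 .br
 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
 Virtual dirs: /tmp, /var/tmp, /dev,
 .br
+Networking: enabled
+.br
 
 .br
 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -78,6 +86,8 @@ $ sudo jailcheck
 .br
 /run/user/1000,
 .br
+Networking: enabled
+.br
 
 .br
 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -90,6 +100,8 @@ $ sudo jailcheck
 .br
 Warning: I can run programs in /home/netblue
 .br
+Networking: enabled
+.br
 
 
 .SH LICENSE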