3 files changed, 50 insertions, 24 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6f3bef7f2..db58e0910 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3212a88e4..0462705c0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-cpu=number
@@ -2142,6 +2143,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.
@@ -2176,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless allow-debuggers is specified,
+which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 .br
@@ -2187,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
+.br
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
+and AMD64 both 32-bit and 64-bit filters are installed.
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
 .br
 .br
@@ -2209,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized
+also globally in /etc/firejail/firejail.config file.
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
-list and the syscalls or syscall groups specified by the
+specified by the command, but don't blacklist "syscall2". On a 64 bit
-command.
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 .br
@@ -2223,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2235,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2243,9 +2255,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 .br
@@ -2258,7 +2274,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2270,8 +2286,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
+Operation not permitted
-.br
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2315,15 +2330,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
@@ -2566,14 +2581,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index c80e305cc..483f47fb9 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -23,6 +23,8 @@ them from inside the sandbox.
 .TP
 \fB5. Seccomp test
 .TP
+\fB6. Networking test
+.TP
 The program is started as root using sudo.
 .SH OPTIONS
@@ -56,6 +58,8 @@ $ sudo jailcheck
 .br
   Warning: I can run programs in /home/netblue
 .br
+   Networking: disabled
+.br
 .br
 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -64,12 +68,16 @@ $ sudo jailcheck
 .br
   Warning: I can read ~/.ssh
 .br
+   Networking: enabled
+.br
 .br
 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
   Virtual dirs: /tmp, /var/tmp, /dev,
 .br
+   Networking: enabled
+.br
 .br
 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -78,6 +86,8 @@ $ sudo jailcheck
 .br
                 /run/user/1000,
 .br
+   Networking: enabled
+.br
 .br
 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -90,6 +100,8 @@ $ sudo jailcheck
 .br
   Warning: I can run programs in /home/netblue
 .br
+   Networking: enabled
+.br
 .SH LICENSE

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 6f3bef7f2..db58e0910 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
420	Make directory or file read-write.	420	Make directory or file read-write.
421	.TP	421	.TP
422	\fBtmpfs directory	422	\fBtmpfs directory
423	Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.	423	Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
424	.TP	424	.TP
425	\fBtracelog	425	\fBtracelog
426	Blacklist violations logged to syslog.	426	Blacklist violations logged to syslog.


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3212a88e4..0462705c0 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -2129,6 +2129,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
2129	.TP	2129	.TP
2130	\fB\-\-rlimit-as=number	2130	\fB\-\-rlimit-as=number
2131	Set the maximum size of the process's virtual memory (address space) in bytes.	2131	Set the maximum size of the process's virtual memory (address space) in bytes.
		2132	Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
2132		2133
2133	.TP	2134	.TP
2134	\fB\-\-rlimit-cpu=number	2135	\fB\-\-rlimit-cpu=number
@@ -2142,6 +2143,7 @@ track of CPU seconds for each process independently.
2142	.TP	2143	.TP
2143	\fB\-\-rlimit-fsize=number	2144	\fB\-\-rlimit-fsize=number
2144	Set the maximum file size that can be created by a process.	2145	Set the maximum file size that can be created by a process.
		2146	Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
2145	.TP	2147	.TP
2146	\fB\-\-rlimit-nofile=number	2148	\fB\-\-rlimit-nofile=number
2147	Set the maximum number of files that can be opened by a process.	2149	Set the maximum number of files that can be opened by a process.
@@ -2176,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
2176	.TP	2178	.TP
2177	\fB\-\-seccomp	2179	\fB\-\-seccomp
2178	Enable seccomp filter and blacklist the syscalls in the default list,	2180	Enable seccomp filter and blacklist the syscalls in the default list,
2179	which is @default-nodebuggers unless allow-debuggers is specified,	2181	which is @default-nodebuggers unless \-\-allow-debuggers is specified,
2180	then it is @default.	2182	then it is @default.
2181		2183
2182	.br	2184	.br
@@ -2187,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
2187	@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,	2189	@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
2188	@resources, @setuid, @swap, @sync, @system-service and @timer.	2190	@resources, @setuid, @swap, @sync, @system-service and @timer.
2189	More information about groups can be found in /usr/share/doc/firejail/syscalls.txt	2191	More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
2190		2192	.br
2191	In addition, a system call can be specified by its number instead of
2192	name with prefix $, so for example $165 would be equal to mount on i386.
2193	Exceptions can be allowed with prefix !.
2194		2193
2195	.br	2194	.br
2196	System architecture is strictly imposed only if flag	2195	System architecture is strictly imposed only if flag
2197	\-\-seccomp.block-secondary is used. The filter is applied at run time	2196	\-\-seccomp.block-secondary is used. The filter is applied at run time
2198	only if the correct architecture was detected. For the case of I386	2197	only if the correct architecture was detected. For the case of I386
2199	and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit	2198	and AMD64 both 32-bit and 64-bit filters are installed.
2200	architecture, an additional filter for 32 bit system calls can be
2201	installed with \-\-seccomp.32.
2202	.br	2199	.br
2203		2200
2204	.br	2201	.br
@@ -2209,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
2209	Example:	2206	Example:
2210	.br	2207	.br
2211	$ firejail \-\-seccomp	2208	$ firejail \-\-seccomp
		2209	.br
		2210
		2211	.br
		2212	The default list can be customized, see \-\-seccomp= for a description. It can be customized
		2213	also globally in /etc/firejail/firejail.config file.
		2214
2212	.TP	2215	.TP
2213	\fB\-\-seccomp=syscall,@group,!syscall2	2216	\fB\-\-seccomp=syscall,@group,!syscall2
2214	Enable seccomp filter, whitelist "syscall2", but blacklist the default	2217	Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
2215	list and the syscalls or syscall groups specified by the	2218	specified by the command, but don't blacklist "syscall2". On a 64 bit
2216	command.	2219	architecture, an additional filter for 32 bit system calls can be
		2220	installed with \-\-seccomp.32.
2217	.br	2221	.br
2218		2222
2219	.br	2223	.br
@@ -2223,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
2223	.br	2227	.br
2224	$ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk	2228	$ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
2225	.br	2229	.br
		2230	$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
		2231	.br
		2232
		2233	.br
		2234	Syscalls can be specified by their number if prefix $ is added,
		2235	so for example $165 would be equal to mount on i386.
		2236	.br
2226		2237
2227	.br	2238	.br
2228	Instead of dropping the syscall by returning EPERM, another error	2239	Instead of dropping the syscall by returning EPERM, another error
@@ -2235,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
2235		2246
2236	.br	2247	.br
2237	Example:	2248	Example:
		2249	.br
2238	$ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes	2250	$ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
2239	.br	2251	.br
2240	Parent pid 10662, child pid 10663	2252	Parent pid 10662, child pid 10663
@@ -2243,9 +2255,13 @@ Child process initialized
2243	.br	2255	.br
2244	$ touch testfile	2256	$ touch testfile
2245	.br	2257	.br
		2258	$ ls testfile
		2259	.br
		2260	testfile
		2261	.br
2246	$ rm testfile	2262	$ rm testfile
2247	.br	2263	.br
2248	rm: cannot remove `testfile': Operation not permitted	2264	rm: cannot remove `testfile': No such file or directory
2249	.br	2265	.br
2250		2266
2251	.br	2267	.br
@@ -2258,7 +2274,7 @@ filters.
2258	.br	2274	.br
2259	Example:	2275	Example:
2260	.br	2276	.br
2261	$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash	2277	$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
2262	.br	2278	.br
2263	Parent pid 32751, child pid 32752	2279	Parent pid 32751, child pid 32752
2264	.br	2280	.br
@@ -2270,8 +2286,7 @@ Child process initialized in 46.44 ms
2270	.br	2286	.br
2271	$ ls	2287	$ ls
2272	.br	2288	.br
2273	Bad system call	2289	Operation not permitted
2274	.br
2275		2290
2276	.TP	2291	.TP
2277	\fB\-\-seccomp.block-secondary	2292	\fB\-\-seccomp.block-secondary
@@ -2315,15 +2330,15 @@ Child process initialized
2315	.br	2330	.br
2316	$ touch testfile	2331	$ touch testfile
2317	.br	2332	.br
		2333	$ ls testfile
		2334	.br
		2335	testfile
		2336	.br
2318	$ rm testfile	2337	$ rm testfile
2319	.br	2338	.br
2320	rm: cannot remove `testfile': Operation not permitted	2339	rm: cannot remove `testfile': No such file or directory
2321	.br	2340	.br
2322		2341
2323
2324
2325
2326
2327	.TP	2342	.TP
2328	\fB\-\-seccomp.keep=syscall,@group,!syscall2	2343	\fB\-\-seccomp.keep=syscall,@group,!syscall2
2329	Enable seccomp filter, blacklist all syscall not listed and "syscall2".	2344	Enable seccomp filter, blacklist all syscall not listed and "syscall2".
@@ -2566,14 +2581,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
2566	$ firejail \-\-timeout=01:30:00 firefox	2581	$ firejail \-\-timeout=01:30:00 firefox
2567	.TP	2582	.TP
2568	\fB\-\-tmpfs=dirname	2583	\fB\-\-tmpfs=dirname
2569	Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.	2584	Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
2570	File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
2571	.br	2585	.br
2572		2586
2573	.br	2587	.br
2574	Example:	2588	Example:
2575	.br	2589	.br
2576	# firejail \-\-tmpfs=/var	2590	$ firejail \-\-tmpfs=~/.local/share
2577	.TP	2591	.TP
2578	\fB\-\-top	2592	\fB\-\-top
2579	Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.	2593	Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.


diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt index c80e305cc..483f47fb9 100644 --- a/src/man/jailcheck.txt +++ b/src/man/jailcheck.txt
@@ -23,6 +23,8 @@ them from inside the sandbox.
23	.TP	23	.TP
24	\fB5. Seccomp test	24	\fB5. Seccomp test
25	.TP	25	.TP
		26	\fB6. Networking test
		27	.TP
26	The program is started as root using sudo.	28	The program is started as root using sudo.
27		29
28	.SH OPTIONS	30	.SH OPTIONS
@@ -56,6 +58,8 @@ $ sudo jailcheck
56	.br	58	.br
57	Warning: I can run programs in /home/netblue	59	Warning: I can run programs in /home/netblue
58	.br	60	.br
		61	Networking: disabled
		62	.br
59		63
60	.br	64	.br
61	2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net	65	2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -64,12 +68,16 @@ $ sudo jailcheck
64	.br	68	.br
65	Warning: I can read ~/.ssh	69	Warning: I can read ~/.ssh
66	.br	70	.br
		71	Networking: enabled
		72	.br
67		73
68	.br	74	.br
69	2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage	75	2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
70	.br	76	.br
71	Virtual dirs: /tmp, /var/tmp, /dev,	77	Virtual dirs: /tmp, /var/tmp, /dev,
72	.br	78	.br
		79	Networking: enabled
		80	.br
73		81
74	.br	82	.br
75	26090:netblue::/usr/bin/firejail /opt/firefox/firefox	83	26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -78,6 +86,8 @@ $ sudo jailcheck
78	.br	86	.br
79	/run/user/1000,	87	/run/user/1000,
80	.br	88	.br
		89	Networking: enabled
		90	.br
81		91
82	.br	92	.br
83	26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor	93	26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -90,6 +100,8 @@ $ sudo jailcheck
90	.br	100	.br
91	Warning: I can run programs in /home/netblue	101	Warning: I can run programs in /home/netblue
92	.br	102	.br
		103	Networking: enabled
		104	.br
93		105
94		106
95	.SH LICENSE	107	.SH LICENSE