Diffstat (limited to 'src')
-rw-r--r--  src/man/firejail-profile.txt  107
-rw-r--r--  src/man/firejail.txt            2
2 files changed, 54 insertions, 55 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 600b82d3d..e9cb1aa49 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -10,7 +10,7 @@ firejail \-\-profile=filename.profile | |||
10 | Several command line options can be passed to the program using | 10 | Several command line options can be passed to the program using |
11 | profile files. Firejail chooses the profile file as follows: | 11 | profile files. Firejail chooses the profile file as follows: |
12 | 12 | ||
13 | 1. If a profile file is provided by the user with \-\-profile option, the profile file is loaded. | 13 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. |
14 | Example: | 14 | Example: |
15 | .PP | 15 | .PP |
16 | .RS | 16 | .RS |
@@ -21,7 +21,7 @@ Reading profile /home/netblue/icecat.profile | |||
21 | [...] | 21 | [...] |
22 | .RE | 22 | .RE |
23 | 23 | ||
24 | 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or | 24 | \fB2.\fR If a profile file with the same name as the application is present in ~/.config/firejail directory or |
25 | in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example: | 25 | in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example: |
26 | .PP | 26 | .PP |
27 | .RS | 27 | .RS |
@@ -36,7 +36,7 @@ Reading profile /home/netblue/.config/firejail/icecat.profile | |||
36 | [...] | 36 | [...] |
37 | .RE | 37 | .RE |
38 | 38 | ||
39 | 3. Use a default.profile file if the sandbox | 39 | \fB3.\fR Use a default.profile file if the sandbox |
40 | is started by a regular user, or a server.profile file if the sandbox | 40 | is started by a regular user, or a server.profile file if the sandbox |
41 | is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory. | 41 | is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory. |
42 | To disable default profile loading, use --noroot command option. Example: | 42 | To disable default profile loading, use --noroot command option. Example: |
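Review bot: the context line "To disable default profile loading, use --noroot command option." names the wrong option. Later in this same patch `noroot` is documented as the command that enables a user namespace with no uid 0; the option that suppresses loading of default.profile/server.profile is `--noprofile`. Since this hunk already touches the paragraph for the `\fB3.\fR` change, fix the option name here as well.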
@@ -67,10 +67,10 @@ Child process initialized | |||
67 | Scripting commands: | 67 | Scripting commands: |
68 | 68 | ||
69 | .TP | 69 | .TP |
70 | # this is a comment | 70 | \fB# this is a comment |
71 | 71 | ||
72 | .TP | 72 | .TP |
73 | \f\include other.profile | 73 | \fBinclude other.profile |
74 | Include other.profile file. | 74 | Include other.profile file. |
75 | 75 | ||
76 | Example: "include /etc/firejail/disable-common.inc" | 76 | Example: "include /etc/firejail/disable-common.inc" |
@@ -81,13 +81,13 @@ file in user home directory. | |||
81 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. | 81 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. |
82 | 82 | ||
83 | .TP | 83 | .TP |
84 | \f\ noblacklist file_name | 84 | \fBnoblacklist file_name |
85 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. | 85 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. |
86 | 86 | ||
87 | Example: "noblacklist ${HOME}/.mozilla" | 87 | Example: "noblacklist ${HOME}/.mozilla" |
88 | 88 | ||
89 | .TP | 89 | .TP |
90 | \f\ignore command | 90 | \fBignore command |
91 | Ignore command. | 91 | Ignore command. |
92 | 92 | ||
93 | Example: "ignore seccomp" | 93 | Example: "ignore seccomp" |
@@ -102,7 +102,7 @@ Use \fBprivate\fR to set private mode. | |||
102 | File globbing is supported, and PATH and HOME directories are searched. | 102 | File globbing is supported, and PATH and HOME directories are searched. |
103 | Examples: | 103 | Examples: |
104 | .TP | 104 | .TP |
105 | \f\blacklist file_or_directory | 105 | \fBblacklist file_or_directory |
106 | Blacklist directory or file. Examples: | 106 | Blacklist directory or file. Examples: |
107 | .br | 107 | .br |
108 | 108 | ||
@@ -116,118 +116,117 @@ blacklist ${PATH}/ifconfig | |||
116 | blacklist ${HOME}/.ssh | 116 | blacklist ${HOME}/.ssh |
117 | 117 | ||
118 | .TP | 118 | .TP |
119 | \f\read-only file_or_directory | 119 | \fBread-only file_or_directory |
120 | Make directory or file read-only. | 120 | Make directory or file read-only. |
121 | .TP | 121 | .TP |
122 | \f\ tmpfs directory | 122 | \fBtmpfs directory |
123 | Mount an empty tmpfs filesystem on top of directory. | 123 | Mount an empty tmpfs filesystem on top of directory. |
124 | .TP | 124 | .TP |
125 | \f\bind directory1,directory2 | 125 | \fBbind directory1,directory2 |
126 | Mount-bind directory1 on top of directory2. This option is only available when running as root. | 126 | Mount-bind directory1 on top of directory2. This option is only available when running as root. |
127 | .TP | 127 | .TP |
128 | \f\bind file1,file2 | 128 | \fBbind file1,file2 |
129 | Mount-bind file1 on top of file2. This option is only available when running as root. | 129 | Mount-bind file1 on top of file2. This option is only available when running as root. |
130 | .TP | 130 | .TP |
131 | \f\private | 131 | \fBprivate |
132 | Mount new /root and /home/user directories in temporary | 132 | Mount new /root and /home/user directories in temporary |
133 | filesystems. All modifications are discarded when the sandbox is | 133 | filesystems. All modifications are discarded when the sandbox is |
134 | closed. | 134 | closed. |
135 | .TP | 135 | .TP |
136 | \f\private-bin file,file | 136 | \fBprivate-bin file,file |
137 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 137 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
138 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | 138 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. |
139 | .TP | 139 | .TP |
140 | \f\private directory | 140 | \fBprivate directory |
141 | Use directory as user home. | 141 | Use directory as user home. |
142 | .TP | 142 | .TP |
143 | \f\private-home file,directory | 143 | \fBprivate-home file,directory |
144 | Build a new user home in a temporary | 144 | Build a new user home in a temporary |
145 | filesystem, and copy the files and directories in the list in the | 145 | filesystem, and copy the files and directories in the list in the |
146 | new home. All modifications are discarded when the sandbox is | 146 | new home. All modifications are discarded when the sandbox is |
147 | closed. | 147 | closed. |
148 | .TP | 148 | .TP |
149 | \f\private-dev | 149 | \fBprivate-dev |
150 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. | 150 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. |
151 | .TP | 151 | .TP |
152 | \f\private-etc file,directory | 152 | \fBprivate-etc file,directory |
153 | Build a new /etc in a temporary | 153 | Build a new /etc in a temporary |
154 | filesystem, and copy the files and directories in the list. | 154 | filesystem, and copy the files and directories in the list. |
155 | All modifications are discarded when the sandbox is closed. | 155 | All modifications are discarded when the sandbox is closed. |
156 | .TP | 156 | .TP |
157 | \f\whitelist file_or_directory | 157 | \fBwhitelist file_or_directory |
158 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. | 158 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. |
159 | The modifications to file_or_directory are persistent, everything else is discarded | 159 | The modifications to file_or_directory are persistent, everything else is discarded |
160 | when the sandbox is closed. | 160 | when the sandbox is closed. |
161 | .TP | 161 | .TP |
162 | \f\ tracelog | 162 | \fBtracelog |
163 | Blacklist violations logged to syslog. | 163 | Blacklist violations logged to syslog. |
164 | .SH Filters | 164 | .SH Security filters |
165 | \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples: | 165 | The following security filters are currently implemented: |
166 | 166 | ||
167 | .TP | 167 | .TP |
168 | caps | 168 | \fBcaps |
169 | Enable default Linux capabilities filter. | 169 | Enable default Linux capabilities filter. |
170 | .TP | 170 | .TP |
171 | caps.drop all | 171 | \fBcaps.drop all |
172 | Blacklist all Linux capabilities. | 172 | Blacklist all Linux capabilities. |
173 | .TP | 173 | .TP |
174 | caps.drop capability,capability,capability | 174 | \fBcaps.drop capability,capability,capability |
175 | Blacklist given Linux capabilities. | 175 | Blacklist given Linux capabilities. |
176 | .TP | 176 | .TP |
177 | caps.keep capability,capability,capability | 177 | \fBcaps.keep capability,capability,capability |
178 | Whitelist given Linux capabilities. | 178 | Whitelist given Linux capabilities. |
179 | .TP | 179 | .TP |
180 | \f\seccomp | 180 | \fBprotocol protocol1,protocol2,protocol3 |
181 | Enable protocol filter. The filter is based on seccomp and checks the | ||
182 | first argument to socket system call. Recognized values: \fBunix\fR, | ||
183 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. | ||
184 | .TP | ||
185 | \fBseccomp | ||
181 | Enable default seccomp filter. The default list is as follows: | 186 | Enable default seccomp filter. The default list is as follows: |
182 | mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, | 187 | mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, |
183 | iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev, | 188 | iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev, |
184 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp. | 189 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp. |
185 | .TP | 190 | .TP |
186 | \f\seccomp syscall,syscall,syscall | 191 | \fBseccomp syscall,syscall,syscall |
187 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. | 192 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
188 | .TP | 193 | .TP |
189 | \f\seccomp.drop syscall,syscall,syscall | 194 | \fBseccomp.drop syscall,syscall,syscall |
190 | Enable seccomp filter and blacklist the system calls in the list. | 195 | Enable seccomp filter and blacklist the system calls in the list. |
191 | .TP | 196 | .TP |
192 | \f\seccomp.keep syscall,syscall,syscall | 197 | \fBseccomp.keep syscall,syscall,syscall |
193 | Enable seccomp filter and whitelist the system calls in the list. | 198 | Enable seccomp filter and whitelist the system calls in the list. |
194 | |||
195 | |||
196 | .SH User Namespace | ||
197 | Use \fBnoroot\fR to enable an user namespace. The namespace has only one user, the current user. | ||
198 | There is no root account defined in the namespace. | ||
199 | |||
200 | .TP | 199 | .TP |
201 | noroot | 200 | \fBnoroot |
202 | Enable an user namespace without root user defined. | 201 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
203 | 202 | There is no root account (uid 0) defined in the namespace. | |
204 | 203 | ||
205 | .SH Resource limits | 204 | .SH Resource limits |
206 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | 205 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. |
207 | The limits can be modified inside the sandbox using the regular \fBulimit\fR command. Examples: | 206 | The limits can be modified inside the sandbox using the regular \fBulimit\fR command. Example: |
208 | 207 | ||
209 | .TP | 208 | .TP |
210 | \f\rlimit-fsize 1024 | 209 | \fBrlimit-fsize 1024 |
211 | Set the maximum file size that can be created by a process to 1024 bytes. | 210 | Set the maximum file size that can be created by a process to 1024 bytes. |
212 | .TP | 211 | .TP |
213 | \f\rlimit-nproc 1000 | 212 | \fBrlimit-nproc 1000 |
214 | Set the maximum number of processes that can be created for the real user ID of the calling process to 1000. | 213 | Set the maximum number of processes that can be created for the real user ID of the calling process to 1000. |
215 | .TP | 214 | .TP |
216 | \f\rlimit-nofile 500 | 215 | \fBrlimit-nofile 500 |
217 | Set the maximum number of files that can be opened by a process to 500. | 216 | Set the maximum number of files that can be opened by a process to 500. |
218 | .TP | 217 | .TP |
219 | \f\rlimit-sigpending 200 | 218 | \fBrlimit-sigpending 200 |
220 | Set the maximum number of processes that can be created for the real user ID of the calling process to 200. | 219 | Set the maximum number of processes that can be created for the real user ID of the calling process to 200. |
221 | 220 | ||
222 | .SH CPU Affinity | 221 | .SH CPU Affinity |
223 | Set the CPU cores available for this sandbox. Examples: | 222 | Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples: |
224 | 223 | ||
225 | .TP | 224 | .TP |
226 | cpu 1,2,3 | 225 | cpu 1,2,3 |
227 | Use only CPU cores 0, 1 and 2. | 226 | Use only CPU cores 0, 1 and 2. |
228 | 227 | ||
229 | .SH Control Groups | 228 | .SH Control Groups |
230 | Place the sandbox in an existing control group specified by the full path of the task file. Example: | 229 | Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example: |
231 | 230 | ||
232 | .TP | 231 | .TP |
233 | cgroup /sys/fs/cgroup/g1/tasks | 232 | cgroup /sys/fs/cgroup/g1/tasks |
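Review bot: the `rlimit-sigpending 200` description is a copy of the `rlimit-nproc` text ("Set the maximum number of processes that can be created for the real user ID of the calling process to 200."); RLIMIT_SIGPENDING caps the number of pending signals queued for the real user ID, so it should read along the lines of "Set the maximum number of pending signals for the real user ID of the calling process to 200." Three smaller points in the same hunk: the CPU affinity example `cpu 1,2,3` is described as "Use only CPU cores 0, 1 and 2.", so either the list or the description is off by one; `cpu 1,2,3` and `cgroup /sys/fs/cgroup/g1/tasks` are the only .TP tag lines in this hunk that do not get the `\fB` prefix the patch adds to every other command; and the new `noroot` text says "enable an user namespace" where "a user namespace" is correct.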
@@ -236,7 +235,7 @@ The sandbox is placed in g1 control group. | |||
236 | .SH User Environment | 235 | .SH User Environment |
237 | 236 | ||
238 | .TP | 237 | .TP |
239 | env name=value | 238 | \fBenv name=value |
240 | Set environment variable. Examples: | 239 | Set environment variable. Examples: |
241 | .br | 240 | .br |
242 | 241 | ||
@@ -246,36 +245,36 @@ env LD_LIBRARY_PATH=/opt/test/lib | |||
246 | env CFLAGS="-W -Wall -Werror" | 245 | env CFLAGS="-W -Wall -Werror" |
247 | 246 | ||
248 | .TP | 247 | .TP |
249 | nogroups | 248 | \fBnogroups |
250 | Disable supplementary user groups | 249 | Disable supplementary user groups |
251 | .TP | 250 | .TP |
252 | shell none | 251 | \fBshell none |
253 | Run the program directly, without a shell. | 252 | Run the program directly, without a shell. |
254 | 253 | ||
255 | .SH Networking | 254 | .SH Networking |
256 | Networking features available in profile files. | 255 | Networking features available in profile files. |
257 | 256 | ||
258 | .TP | 257 | .TP |
259 | netfilter | 258 | \fBnetfilter |
260 | If a new network namespace is created, enabled default network filter. | 259 | If a new network namespace is created, enabled default network filter. |
261 | 260 | ||
262 | .TP | 261 | .TP |
263 | netfilter filename | 262 | \fBnetfilter filename |
264 | If a new network namespace is created, enabled the network filter in filename. | 263 | If a new network namespace is created, enabled the network filter in filename. |
265 | 264 | ||
266 | .TP | 265 | .TP |
267 | net none | 266 | \fBnet none |
268 | Enable a new, unconnected network namespace. The only interface | 267 | Enable a new, unconnected network namespace. The only interface |
269 | available in the new namespace is a new loopback interface (lo). | 268 | available in the new namespace is a new loopback interface (lo). |
270 | Use this option to deny network access to programs that don't | 269 | Use this option to deny network access to programs that don't |
271 | really need network access. | 270 | really need network access. |
272 | 271 | ||
273 | .TP | 272 | .TP |
274 | dns address | 273 | \fBdns address |
275 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | 274 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. |
276 | 275 | ||
277 | .TP | 276 | .TP |
278 | hostname name | 277 | \fBhostname name |
279 | Set a hostname for the sandbox. | 278 | Set a hostname for the sandbox. |
280 | 279 | ||
281 | .SH RELOCATING PROFILES | 280 | .SH RELOCATING PROFILES |
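Review bot: both netfilter descriptions still read "If a new network namespace is created, enabled default network filter." and "enabled the network filter in filename."; since the hunk rewrites these tag lines anyway, change "enabled" to "enable" in both so the entries read as commands like the rest of the section.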
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 57b169e89..cd36bead6 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -973,7 +973,7 @@ $ firejail \-\-profile-path=/home/netblue/myprofiles | |||
973 | 973 | ||
974 | .TP | 974 | .TP |
975 | \fB\-\-protocol=protocol,protocol,protocol | 975 | \fB\-\-protocol=protocol,protocol,protocol |
976 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | 976 | Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. |
977 | Recognized values: unix, inet, inet6, netlink and packet. | 977 | Recognized values: unix, inet, inet6, netlink and packet. |
978 | .br | 978 | .br |
979 | 979 | ||