Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/rlimit.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 51 |
5 files changed, 58 insertions, 7 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 458bba6f6..584d0c293 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -71,7 +71,7 @@ int arg_rlimit_nofile = 0; // rlimit nofile | |||
71 | int arg_rlimit_nproc = 0; // rlimit nproc | 71 | int arg_rlimit_nproc = 0; // rlimit nproc |
72 | int arg_rlimit_fsize = 0; // rlimit fsize | 72 | int arg_rlimit_fsize = 0; // rlimit fsize |
73 | int arg_rlimit_sigpending = 0; // rlimit fsize | 73 | int arg_rlimit_sigpending = 0; // rlimit fsize |
74 | int arg_rlimit_as = 0; // rlimit as | 74 | int arg_rlimit_as = 0; // rlimit as |
75 | int arg_nogroups = 0; // disable supplementary groups | 75 | int arg_nogroups = 0; // disable supplementary groups |
76 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl | 76 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl |
77 | int arg_noroot = 0; // create a new user namespace and disable root user | 77 | int arg_noroot = 0; // create a new user namespace and disable root user |
@@ -1271,6 +1271,11 @@ int main(int argc, char **argv) { | |||
1271 | sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending); | 1271 | sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending); |
1272 | arg_rlimit_sigpending = 1; | 1272 | arg_rlimit_sigpending = 1; |
1273 | } | 1273 | } |
1274 | else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) { | ||
1275 | check_unsigned(argv[i] + 12, "Error: invalid rlimit"); | ||
1276 | sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as); | ||
1277 | arg_rlimit_as = 1; | ||
1278 | } | ||
1274 | else if (strncmp(argv[i], "--ipc-namespace", 15) == 0) | 1279 | else if (strncmp(argv[i], "--ipc-namespace", 15) == 0) |
1275 | arg_ipc = 1; | 1280 | arg_ipc = 1; |
1276 | else if (strncmp(argv[i], "--cpu=", 6) == 0) | 1281 | else if (strncmp(argv[i], "--cpu=", 6) == 0) |
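Review bot: The new `--rlimit-as=` branch at lines 1274-1277 reads the value with `sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as)`, and for an input outside the range of unsigned long long the C standard leaves the result of a `%llu` conversion undefined, so the value later handed to setrlimit(RLIMIT_AS) is never range-checked. check_unsigned (defined elsewhere) presumably rejects non-digit input but cannot catch overflow; parsing with strtoull is the defensive form: `errno = 0; char *end = NULL;` then `cfg.rlimit_as = strtoull(argv[i] + 12, &end, 10);` and `if (errno == ERANGE || end == argv[i] + 12 || *end != '\0') { /* report "Error: invalid rlimit" and exit, as check_unsigned does */ }`. The same sscanf pattern is used by the surrounding --rlimit-* branches (the sigpending one at line 1271 is visible in the hunk), so converting them together would keep the option parser consistent. main's body begins and ends outside the hunk, and the comment on the context line 73 (`// rlimit fsize` on arg_rlimit_sigpending) looks like a copy-paste leftover worth fixing while here. The accompanying man-page text also has typos: `Set he maximum` in firejail-profile.txt and `gobing` in firejail.txt.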
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index ec5fb3791..e5720a22b 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
@@ -78,7 +78,7 @@ void set_rlimits(void) { | |||
78 | #ifdef HAVE_GCOV | 78 | #ifdef HAVE_GCOV |
79 | __gcov_dump(); | 79 | __gcov_dump(); |
80 | #endif | 80 | #endif |
81 | if (setrlimit(RLIMIT_AS, &rl) == -1) | 81 | if (setrlimit(RLIMIT_AS, &rl) == -1) |
82 | errExit("setrlimit"); | 82 | errExit("setrlimit"); |
83 | if (arg_debug) | 83 | if (arg_debug) |
84 | printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as); | 84 | printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as); |
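--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -169,6 +169,8 @@ void usage(void) {
 printf(" --quiet - turn off Firejail's output.\n");
 printf(" --read-only=filename - set directory or file read-only..\n");
 printf(" --read-write=filename - set directory or file read-write.\n");
+printf(" --rlimit-as=number - set the maximum size of the process's virtual memory\n");
+printf("\t(address space) in bytes.\n");
 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
 printf("\tby a process.\n");
 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");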
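--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -382,6 +382,9 @@ place the sandbox in an existing control group.
 Examples:
 
 .TP
+\fBrlimit-as 123456789012
+Set he maximum size of the process's virtual memory to 123456789012 bytes.
+.TP
 \fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.
 .TP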
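--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -140,7 +140,7 @@ Example:
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
 \fB\-\-blacklist=dirname_or_filename
-Blacklist directory or file.
+Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1009,7 +1009,7 @@ Example:
 $ firejail \-\-nodvd
 .TP
 \fB\-\-noexec=dirname_or_filename
-Remount directory or file noexec, nodev and nosuid.
+Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1275,7 +1275,8 @@ $ firejail \-\-private-home=.mozilla firefox
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 If no listed file is found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
-All modifications are discarded when the sandbox is closed.
+All modifications are discarded when the sandbox is closed. File globbing is supported,
+see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1505,7 +1506,7 @@ Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more detail
 Turn off Firejail's output.
 .TP
 \fB\-\-read-only=dirname_or_filename
-Set directory or file read-only.
+Set directory or file read-only. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1526,7 +1527,8 @@ $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 .TP
 \fB\-\-read-write=dirname_or_filename
 Set directory or file read-write. Only files or directories belonging to the current user are allowed for
-this operation. Example:
+this operation. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Example:
 .br
 
 .br
@@ -1538,6 +1540,10 @@ $ firejail --read-only=~/test --read-write=~/test/a
 
 
 .TP
+\fB\-\-rlimit-as=number
+Set the maximum size of the process's virtual memory (address space) in bytes.
+
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP
@@ -1833,6 +1839,7 @@ $ firejail \-\-shutdown=3272
 .TP
 \fB\-\-tmpfs=dirname
 Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -2234,6 +2241,40 @@ $ firejail --tree
 
 We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details.
 
+.SH FILE GLOBBING
+.TP
+Globbing is the operation that expands a wildcard pattern into the list of pathnames matching the pattern. Matching is defined by:
+.br
+
+.br
+- '?' matches any character
+.br
+- '*' matches any string
+.br
+- '[' denotes a range of characters
+.br
+.TP
+The gobing feature is implemented using glibc glob command. For more information on the wildcard syntax see man 7 glob.
+.br
+
+.br
+.TP
+The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, and \-\-tmpfs.
+.br
+
+.br
+.TP
+Examples:
+.br
+
+.br
+$ firejail --private-bin=sh,bash,python*
+.br
+$ firejail --blacklist=~/dir[1234]
+.br
+$ firejail --read-only=~/dir[1-4]
+.br
+
 .SH APPARMOR
 .TP
 AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it: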