Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/cpu.c | 78 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 26 | ||||
-rw-r--r-- | src/firejail/restricted_shell.c | 15 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 205 |
8 files changed, 171 insertions, 166 deletions
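--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -139,3 +139,81 @@ void set_cpu_affinity(void) {
 printf("CPU affinity not set\n");
 }
 }
+
+static void print_cpu(int pid) {
+char *file;
+if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+errExit("asprintf");
+exit(1);
+}
+
+EUID_ROOT(); // grsecurity
+FILE *fp = fopen(file, "r");
+EUID_USER(); // grsecurity
+if (!fp) {
+printf(" Error: cannot open %s\n", file);
+free(file);
+return;
+}
+
+#define MAXBUF 4096
+char buf[MAXBUF];
+while (fgets(buf, MAXBUF, fp)) {
+if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
+printf(" %s", buf);
+fflush(0);
+free(file);
+fclose(fp);
+return;
+}
+}
+fclose(fp);
+free(file);
+}
+
+void cpu_print_filter_name(const char *name) {
+EUID_ASSERT();
+if (!name || strlen(name) == 0) {
+fprintf(stderr, "Error: invalid sandbox name\n");
+exit(1);
+}
+pid_t pid;
+if (name2pid(name, &pid)) {
+fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+exit(1);
+}
+
+cpu_print_filter(pid);
+}
+
+void cpu_print_filter(pid_t pid) {
+EUID_ASSERT();
+
+// if the pid is that of a firejail process, use the pid of the first child process
+EUID_ROOT(); // grsecurity
+char *comm = pid_proc_comm(pid);
+EUID_USER(); // grsecurity
+if (comm) {
+if (strcmp(comm, "firejail") == 0) {
+pid_t child;
+if (find_child(pid, &child) == 0) {
+pid = child;
+}
+}
+free(comm);
+}
+
+// check privileges for non-root users
+uid_t uid = getuid();
+if (uid != 0) {
+uid_t sandbox_uid = pid_get_uid(pid);
+if (uid != sandbox_uid) {
+fprintf(stderr, "Error: permission denied.\n");
+exit(1);
+}
+}
+
+print_cpu(pid);
+exit(0);
+}
+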
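Review bot: In cpu_print_filter the uid gate (`pid_get_uid(pid)` compared with `getuid()`) and the read in print_cpu look the pid up separately, and the read runs under `EUID_ROOT()`, so a pid that is recycled between the two is read with root privilege without having passed the check. Only the `Cpus_allowed_list:` line is printed, so the exposure is small, but the check is sounder when made on the file that was actually opened, e.g. `fstat(fileno(fp), &s)` right after the `fopen` and a comparison of `s.st_uid` with the caller's uid; whether the owner of `/proc/PID/status` is an acceptable stand-in for pid_get_uid should be confirmed. print_cpu also returns silently when no matching line is found and the caller still ends with `exit(0)`, so a failed lookup looks like success; an `Error:` line and a non-zero status would make it visible. The `exit(1)` after `errExit("asprintf")` is presumably unreachable.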
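--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -438,6 +438,8 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
+void cpu_print_filter_name(const char *name);
+void cpu_print_filter(pid_t pid);
 
 // cgroup.c
 void save_cgroup(void);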
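--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -437,6 +437,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(0);
 }
 #endif
+else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
+// join sandbox by pid or by name
+pid_t pid;
+if (read_pid(argv[i] + 12, &pid) == 0)
+cpu_print_filter(pid);
+else
+cpu_print_filter_name(argv[i] + 12);
+exit(0);
+}
 else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
 // join sandbox by pid or by name
 pid_t pid;
@@ -726,6 +735,7 @@ int main(int argc, char **argv) {
 strncmp(argv[i], "--dns.print=", 12) == 0 ||
 strncmp(argv[i], "--bandwidth=", 12) == 0 ||
 strncmp(argv[i], "--caps.print=", 13) == 0 ||
+strncmp(argv[i], "--cpu.print=", 12) == 0 ||
 //********************************************************************************
 // todo: fix the following problems
 strncmp(argv[i], "--join=", 7) == 0 ||
@@ -787,8 +797,10 @@ int main(int argc, char **argv) {
 char *comm = pid_proc_comm(ppid);
 EUID_USER();
 if (comm) {
-if (strcmp(comm, "sshd") == 0)
+if (strcmp(comm, "sshd") == 0) {
+arg_quiet = 1;
 parent_sshd = 1;
+}
 free(comm);
 }
 }
@@ -817,9 +829,11 @@ int main(int argc, char **argv) {
 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
 
 if (strcmp(argv[i], "--debug") == 0) {
-arg_debug = 1;
-if (option_force)
-printf("Entering sandbox-in-sandbox mode\n");
+if (!arg_quiet) {
+arg_debug = 1;
+if (option_force)
+printf("Entering sandbox-in-sandbox mode\n");
+}
 }
 else if (strcmp(argv[i], "--debug-check-filename") == 0)
 arg_debug_check_filename = 1;
@@ -827,8 +841,10 @@ int main(int argc, char **argv) {
 arg_debug_blacklists = 1;
 else if (strcmp(argv[i], "--debug-whitelists") == 0)
 arg_debug_whitelists = 1;
-else if (strcmp(argv[i], "--quiet") == 0)
+else if (strcmp(argv[i], "--quiet") == 0) {
 arg_quiet = 1;
+arg_debug = 0;
+}
 else if (strcmp(argv[i], "--force") == 0)
 ;
 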
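Review bot: The new quiet handling covers only `arg_debug`: `--debug-check-filename`, `--debug-blacklists` and `--debug-whitelists` in the same chain still set their flags when `arg_quiet` is already 1 (it is now forced for an sshd parent at new line 801), and `--quiet` clears `arg_debug` but none of those three. If the intent is that a session started from sshd never emits debug output, the same guard belongs on those branches, e.g. `if (!arg_quiet) arg_debug_check_filename = 1;`, and the `--quiet` branch should reset all four flags; whether the other three flags produce output on their own is decided outside these hunks. In the `--cpu.print=` branch the copied comment `// join sandbox by pid or by name` should read `// print the cpu list of the sandbox identified by pid or by name`.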
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index da4e9d332..ee6e94957 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -61,7 +61,20 @@ int restricted_shell(const char *user) { | |||
61 | ptr = strchr(args, '\n'); | 61 | ptr = strchr(args, '\n'); |
62 | if (ptr) | 62 | if (ptr) |
63 | *ptr = '\0'; | 63 | *ptr = '\0'; |
64 | 64 | ||
65 | // if nothing follows, continue | ||
66 | char *ptr2 = args; | ||
67 | int found = 0; | ||
68 | while (*ptr2 != '\0') { | ||
69 | if (*ptr2 != ' ' && *ptr2 != '\t') { | ||
70 | found = 1; | ||
71 | break; | ||
72 | } | ||
73 | } | ||
74 | if (!found) | ||
75 | continue; | ||
76 | |||
77 | // process user | ||
65 | if (strcmp(user, usr) == 0) { | 78 | if (strcmp(user, usr) == 0) { |
66 | restricted_user = strdup(user); | 79 | restricted_user = strdup(user); |
67 | // extract program arguments | 80 | // extract program arguments |
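Review bot: The whitespace scan added at new lines 66-73 never advances `ptr2`, so when `args` begins with a space or tab the `while (*ptr2 != '\0')` loop never terminates. The scan runs before the `strcmp(user, usr)` test, so one such line in the users file hangs the login of any user whose lookup reaches it, not only the user named on that line. Add `ptr2++;` after the `if` block, or replace the loop with `if (args[strspn(args, " \t")] == '\0') continue;`. The enclosing read loop of restricted_shell starts and ends outside the hunk.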
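--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -131,9 +131,16 @@ static void chk_chroot(void) {
 }
 
 static int monitor_application(pid_t app_pid) {
+
+
 int status;
 while (app_pid) {
 usleep(20000);
+char *msg;
+if (asprintf(&msg, "monitoring pid %d\n", app_pid) == -1)
+errExit("asprintf");
+logmsg(msg);
+free(msg);
 
 pid_t rv;
 do {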
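Review bot: The `logmsg()` call added inside `while (app_pid)` reads like leftover debugging: it allocates and logs `monitoring pid %d` on every pass of the monitor loop, with a trailing `\n` that a log sink normally does not need, and the two blank lines added at the top of monitor_application are noise. If the message is meant to stay, guard it with `if (arg_debug)` or emit it only when `app_pid` changes, and make the format argument explicit with `(int) app_pid`. The loop body continues outside the hunk, so how often it iterates cannot be judged from here.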
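--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -56,6 +56,8 @@ void usage(void) {
 printf(" --chroot=dirname - chroot into directory.\n\n");
 #endif
 printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
+printf(" --cpu.print=name|pid - print the cup in use by the sandbox identified\n");
+printf("\tby name or PID.\n\n");
 printf(" --csh - use /bin/csh as default shell.\n\n");
 
 printf(" --debug - print sandbox debug messages.\n\n");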
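Review bot: The new help line at new line 59 has a typo, `print the cup in use`; it should read `print the cpu in use by the sandbox identified`. The man page entry added in the same commit says "Print the CPU cores in use", which is the more precise wording and could be used here as well so that the two descriptions agree.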
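--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo
 
 Example:
 
-netblue:--debug --net=none
+netblue:--net=none --protocol=unix
 
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in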
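--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -161,8 +161,8 @@ make the whitelist read-only. Example:
 .br
 $ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
-\fB\-\-caps.print=name
-Print the caps filter for the sandbox identified by name.
+\fB\-\-caps.print=name|pid
+Print the caps filter for the sandbox identified by name or by PID.
 .br
 
 .br
@@ -170,13 +170,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-caps.print=mygame
-
-.TP
-\fB\-\-caps.print=pid
-Print the caps filter for a sandbox identified by PID.
 .br
 
 .br
@@ -221,6 +215,28 @@ Example:
 $ firejail \-\-cpu=0,1 handbrake
 
 .TP
+\fB\-\-cpu.print=name|pid
+Print the CPU cores in use by the sandbox identified by name or by PID.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+$ firejail \-\-cpu.print=mygame
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-cpu.print=3272
+
+.TP
 \fB\-\-csh
 Use /bin/csh as default user shell.
 .br
@@ -327,8 +343,8 @@ Example:
 $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
 
 .TP
-\fB\-\-dns.print=name
-Print DNS configuration for a sandbox identified by name.
+\fB\-\-dns.print=name|pid
+Print DNS configuration for a sandbox identified by name or by PID.
 .br
 
 .br
@@ -336,13 +352,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-dns.print=mygame
-
-.TP
-\fB\-\-dns.print=pid
-Print DNS configuration for a sandbox identified by PID.
 .br
 
 .br
@@ -372,8 +382,8 @@ There could be lots of reasons for it to fail, for example if the existing sandb
 admin capabilities, SUID binaries, or if it runs seccomp.
 
 .TP
-\fB\-\-fs.print=name
-Print the filesystem log for the sandbox identified by name.
+\fB\-\-fs.print=name|print
+Print the filesystem log for the sandbox identified by name or by PID.
 .br
 
 .br
@@ -381,13 +391,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-fs.print=mygame
-
-.TP
-\fB\-\-fs.print=pid
-Print the filesystem log for a sandbox identified by PID.
 .br
 
 .br
@@ -496,13 +500,12 @@ Example:
 .br
 $ firejail \-\-ipc-namespace firefox
 .TP
-\fB\-\-join=name
-Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+\fB\-\-join=name|pid
+Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
 all security filters are configured for the new process the same they are configured in the sandbox.
 If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
 to the process joining the sandbox.
-
 .br
 
 .br
@@ -510,18 +513,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-join=mygame
-
-
-.TP
-\fB\-\-join=pid
-Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
-all security filters are configured for the new process the same they are configured in the sandbox.
-If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
-to the process joining the sandbox.
 .br
 
 .br
@@ -534,19 +526,13 @@ $ firejail \-\-list
 $ firejail \-\-join=3272
 
 .TP
-\fB\-\-join-filesystem=name
-Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+\fB\-\-join-filesystem=name|pid
+Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
 
 .TP
-\fB\-\-join-filesystem=pid
-Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
-.TP
-\fB\-\-join-network=name
+\fB\-\-join-network=name|PID
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
@@ -602,19 +588,9 @@ Switching to pid 1932, the first child process inside the sandbox
 valid_lft forever preferred_lft forever
 
 .TP
-\fB\-\-join-network=pid
-Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
-
-
-.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
 
-\fB
-
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1119,8 +1095,8 @@ Example:
 .br
 $ firejail \-\-protocol=unix,inet,inet6 firefox
 .TP
-\fB\-\-protocol.print=name
-Print the protocol filter for the sandbox identified by name.
+\fB\-\-protocol.print=name|pid
+Print the protocol filter for the sandbox identified by name or PID.
 .br
 
 .br
@@ -1128,15 +1104,9 @@ Example:
 .br
 $ firejail \-\-name=mybrowser firefox &
 .br
-[...]
-.br
 $ firejail \-\-protocol.print=mybrowser
 .br
 unix,inet,inet6,netlink
-
-.TP
-\fB\-\-protocol.print=pid
-Print the protocol filter for a sandbox identified by PID.
 .br
 
 .br
@@ -1256,8 +1226,8 @@ $ rm testfile
 rm: cannot remove `testfile': Operation not permitted
 
 .TP
-\fB\-\-seccomp.print=name
-Print the seccomp filter for the sandbox started using \-\-name option.
+\fB\-\-seccomp.print=name|PID
+Print the seccomp filter for the sandbox identified by name or PID.
 .br
 
 .br
@@ -1321,72 +1291,6 @@ SECCOMP Filter:
 .br
 $
 .TP
-\fB\-\-seccomp.print=pid
-Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-list
-.br
-10786:netblue:firejail \-\-name=browser firefox
-$ firejail \-\-seccomp.print=10786
-.br
-SECCOMP Filter:
-.br
-VALIDATE_ARCHITECTURE
-.br
-EXAMINE_SYSCAL
-.br
-BLACKLIST 165 mount
-.br
-BLACKLIST 166 umount2
-.br
-BLACKLIST 101 ptrace
-.br
-BLACKLIST 246 kexec_load
-.br
-BLACKLIST 304 open_by_handle_at
-.br
-BLACKLIST 175 init_module
-.br
-BLACKLIST 176 delete_module
-.br
-BLACKLIST 172 iopl
-.br
-BLACKLIST 173 ioperm
-.br
-BLACKLIST 167 swapon
-.br
-BLACKLIST 168 swapoff
-.br
-BLACKLIST 103 syslog
-.br
-BLACKLIST 310 process_vm_readv
-.br
-BLACKLIST 311 process_vm_writev
-.br
-BLACKLIST 133 mknod
-.br
-BLACKLIST 139 sysfs
-.br
-BLACKLIST 156 _sysctl
-.br
-BLACKLIST 159 adjtimex
-.br
-BLACKLIST 305 clock_adjtime
-.br
-BLACKLIST 212 lookup_dcookie
-.br
-BLACKLIST 298 perf_event_open
-.br
-BLACKLIST 300 fanotify_init
-.br
-RETURN_ALLOW
-.br
-$
-.TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.
 .br
@@ -1407,8 +1311,8 @@ shell.
 Example:
 $firejail \-\-shell=/bin/dash script.sh
 .TP
-\fB\-\-shutdown=name
-Shutdown the sandbox started using \-\-name option.
+\fB\-\-shutdown=name|PID
+Shutdown the sandbox identified by name or PID.
 .br
 
 .br
@@ -1416,12 +1320,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-shutdown=mygame
-.TP
-\fB\-\-shutdown=pid
-Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
 .br
 
 .br
@@ -1682,25 +1581,13 @@ These features allow the user to inspect the filesystem container of an existing
 and transfer files from the container to the host filesystem.
 
 .TP
-\fB\-\-get=name filename
-Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name (\-\-name option). Full path is needed for filename.
-
-.TP
-\fB\-\-get=pid filename
+\fB\-\-get=name|pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is specified by process ID. Full path is needed for filename.
+The container is specified by name or PID. Full path is needed for filename.
 
 .TP
-\fB\-\-ls=name dir_or_filename
-List container files.
-The container is specified by name (\-\-name option).
-Full path is needed for dir_or_filename.
-
-.TP
-\fB\-\-ls=pid dir_or_filename
-List container files.
-The container is specified by process ID.
+\fB\-\-ls=name|pid dir_or_filename
+List container files. The container is specified by name or PID.
 Full path is needed for dir_or_filename.
 
 .TP
@@ -1739,15 +1626,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 
 Set rate-limits:
 
-firejail --bandwidth={name|pid} set network download upload
+firejail --bandwidth=name|pid set network download upload
 
 Clear rate-limits:
 
-firejail --bandwidth={name|pid} clear network
+firejail --bandwidth=name|pid clear network
 
 Status:
 
-firejail --bandwidth={name|pid} status
+firejail --bandwidth=name|pid status
 
 where:
 .br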