Diffstat (limited to 'src')
-rw-r--r-- | src/firecfg/firecfg.config | 19 | ||||
-rw-r--r-- | src/firecfg/main.c | 20 | ||||
-rw-r--r-- | src/firejail/appimage.c | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 14 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 64 | ||||
-rw-r--r-- | src/firejail/util.c | 6 | ||||
-rw-r--r-- | src/firejail/x11.c | 6 | ||||
-rw-r--r-- | src/lib/common.c | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 18 |
11 files changed, 139 insertions, 23 deletions
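--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -57,6 +57,7 @@ atril-previewer
 atril-thumbnailer
 audacious
 audacity
+audio-recorder
 authenticator
 autokey-gtk
 autokey-qt
@@ -82,6 +83,10 @@ brackets
 brasero
 brave
 brave-browser
+brave-browser-beta
+brave-browser-dev
+brave-browser-nightly
+brave-browser-stable
 bunzip2
 bzcat
 bzflag
@@ -96,6 +101,7 @@ calligraplanwork
 calligrasheets
 calligrastage
 calligrawords
+cameramonitor
 cantata
 catfish
 celluloid
@@ -132,6 +138,7 @@ cvlc
 cyberfox
 darktable
 dconf-editor
+ddgtk
 deadbeef
 deluge
 devhelp
@@ -151,10 +158,12 @@ dooble
 dooble-qt4
 dosbox
 dragon
+drawio
 dropbox
 d-feet
 easystroke
 ebook-viewer
+electron-mail
 electrum
 elinks
 empathy
@@ -167,6 +176,7 @@ enox
 enpass
 eog
 eom
+ephemeral
 #epiphany
 etr
 evince
@@ -222,16 +232,20 @@ geary
 gedit
 geekbench
 geeqie
+gfeeds
 ghb
 ghostwriter
 gimp
 gimp-2.10
 gimp-2.8
+gist
+gist-paste
 gitg
 github-desktop
 gitter
 gjs
 globaltime
+gmpc
 gnome-2048
 gnome-books
 gnome-builder
@@ -445,9 +459,12 @@ odt2txt
 oggsplt
 okular
 onionshare-gui
+ooffice
+ooviewdoc
 open-invaders
 openarena
 opencity
+openoffice.org
 openshot
 openshot-qt
 openttd
@@ -482,6 +499,7 @@ pngquant
 polari
 ppsspp
 pragha
+profanity
 psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
@@ -627,6 +645,7 @@ udiskie
 uefitool
 uget-gtk
 unbound
+unf
 unknown-horizons
 unzstd
 utox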
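--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -443,15 +443,33 @@ int main(int argc, char **argv) {
 // set new symlinks based on /usr/lib/firejail/firecfg.cfg
 set_links_firecfg();
 
-// add user to firejail access database - only for root
 if (getuid() == 0) {
+// add user to firejail access database - only for root
 printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
 // temporarily set the umask, access database must be world-readable
 mode_t orig_umask = umask(022);
 firejail_user_add(user);
 umask(orig_umask);
+
+#ifdef HAVE_APPARMOR
+// enable firejail apparmor profile
+struct stat s;
+if (stat("/sbin/apparmor_parser", &s) == 0) {
+char *cmd;
+
+// SYSCONFDIR points to /etc/firejail, we have to go on level up (..)
+printf("\nLoading AppArmor profile\n");
+if (asprintf(&cmd, "/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default %s/../apparmor.d/firejail-default", SYSCONFDIR) == -1)
+errExit("asprintf");
+int rv = system(cmd);
+(void) rv;
+free(cmd);
+}
+#endif
 }
 
+
+
 // set new symlinks based on ~/.config/firejail directory
 set_links_homedir(home);
 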
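Review bot: The result of `system(cmd)` is stored in `rv` and then thrown away with `(void) rv;`, so when apparmor_parser fails the user still sees "Loading AppArmor profile" and nothing else, in a branch that only runs under `getuid() == 0`. At minimum report the failure, `if (rv != 0) fprintf(stderr, "Warning: cannot load AppArmor profile\n");`. Since the process is root here, a fork plus `execv("/sbin/apparmor_parser", argv)` with an explicit argument vector would also avoid passing a formatted string through /bin/sh with the inherited environment; SYSCONFDIR looks like a build-time constant, so this is hardening rather than an injection fix. main starts and ends outside the hunk.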
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index e886e81da..520960db2 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -113,12 +113,12 @@ void appimage_set(const char *appimage) { | |||
113 | EUID_ROOT(); | 113 | EUID_ROOT(); |
114 | if (size == 0) { | 114 | if (size == 0) { |
115 | fmessage("Mounting appimage type 1\n"); | 115 | fmessage("Mounting appimage type 1\n"); |
116 | if (mount(devloop, mntdir, "iso9660", flags, mode) < 0) | 116 | if (mount(devloop, mntdir, "iso9660", flags, mode) < 0) |
117 | errExit("mounting appimage"); | 117 | errExit("mounting appimage"); |
118 | } | 118 | } |
119 | else { | 119 | else { |
120 | fmessage("Mounting appimage type 2\n"); | 120 | fmessage("Mounting appimage type 2\n"); |
121 | if (mount(devloop, mntdir, "squashfs", flags, mode) < 0) | 121 | if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0) |
122 | errExit("mounting appimage"); | 122 | errExit("mounting appimage"); |
123 | } | 123 | } |
124 | 124 | ||
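--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -535,6 +535,14 @@ void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) {
 
 void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
 assert(dir);
+struct stat s;
+if (stat(dir, &s) != 0)
+return;
+if (!S_ISDIR(s.st_mode)) {
+// no need to search in /proc/self/mountinfo for submounts if not a directory
+fs_remount(dir, op, check_mnt);
+return;
+}
 // get mount point of the directory
 int mountid = get_mount_id(dir);
 if (mountid == -1)
@@ -634,7 +642,8 @@ void fs_proc_sys_dev_boot(void) {
 // various /proc files
 disable_file(BLACKLIST_FILE, "/proc/irq");
 disable_file(BLACKLIST_FILE, "/proc/bus");
-disable_file(BLACKLIST_FILE, "/proc/config.gz");
+// move /proc/config.gz to disable-common.inc
+//disable_file(BLACKLIST_FILE, "/proc/config.gz");
 disable_file(BLACKLIST_FILE, "/proc/sched_debug");
 disable_file(BLACKLIST_FILE, "/proc/timer_list");
 disable_file(BLACKLIST_FILE, "/proc/timer_stats");
@@ -1139,6 +1148,9 @@ void fs_overlayfs(void) {
 
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
+if (arg_debug)
+printf("Generate private-tmp whitelist commands\n");
+
 // check XAUTHORITY file, KDE keeps it under /tmp
 char *xauth = getenv("XAUTHORITY");
 if (xauth) {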
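Review bot: In fs_proc_sys_dev_boot the `/proc/config.gz` blacklist stops being unconditional: the call is commented out with a note that it moves to disable-common.inc, a file that is not part of this diff (the diffstat is limited to src). A sandbox started without a profile that pulls in that include would then presumably leave the kernel configuration readable, where before it was always hidden alongside /proc/irq and /proc/bus. If that trade-off is intended, state it in the comment, for example `// /proc/config.gz is blacklisted by disable-common.inc only; sandboxes that skip that include can read it`, and delete the dead `//disable_file(...)` line instead of keeping it. The function body continues outside the hunk.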
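--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -189,5 +189,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 errExit("mount bind");
 fs_logger2("mount", private_dir);
 
+// mask private_run_dir (who knows if there are writable paths, and it is mounted exec)
+if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
+errExit("mounting tmpfs");
+fs_logger2("tmpfs", private_run_dir);
+
 fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }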
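Review bot: The tmpfs that masks `private_run_dir` is itself mounted without `MS_NOEXEC` or `MS_RDONLY`, although the comment names "writable paths" and "mounted exec" as the reasons for masking the directory. If the goal is an inert mask, the flags can express that directly: `MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RDONLY | MS_STRICTATIME`. Whether anything later still needs to write under that directory is not visible in this hunk, so confirm that before adding `MS_RDONLY`; `MS_NOEXEC` looks safe on its own. fs_private_dir_list starts outside the hunk.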
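--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -315,7 +315,7 @@ void fs_private_homedir(void) {
 errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 }
-if (u == 0 || strncmp(homedir, "/home/", 6) != 0) {
+if (u == 0 && !arg_allusers) {
 // mask /home
 if (arg_debug)
 printf("Mounting a new /home directory\n");
@@ -606,7 +606,7 @@ void fs_private_home_list(void) {
 errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 }
-if (uid == 0 || strncmp(homedir, "/home/", 6) != 0) {
+if (uid == 0 && !arg_allusers) {
 // mask /home
 if (arg_debug)
 printf("Mounting a new /home directory\n");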
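Review bot: The new condition `u == 0 && !arg_allusers` in fs_private_homedir (and the same test on `uid` in fs_private_home_list) drops the old `strncmp(homedir, "/home/", 6) != 0` case, so a non-root user whose home directory lies outside /home no longer gets /home masked here. Unless another code path covers those accounts, which these hunks do not show, other users' directories under /home stay visible inside a private-home sandbox for them. Either keep that branch, `if (!arg_allusers && (u == 0 || strncmp(homedir, "/home/", 6) != 0)) {`, or extend the `// mask /home` comment to say where /home is hidden for such users. Both functions start and end outside the hunks.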
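--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -55,7 +55,9 @@ uid_t firejail_uid = 0;
 gid_t firejail_gid = 0;
 
 #define STACK_SIZE (1024 * 1024)
-static char child_stack[STACK_SIZE] __attribute__((aligned(8))); // space for child's stack
+#define STACK_ALIGNMENT 16
+static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack
+
 Config cfg; // configuration
 int arg_private = 0; // mount private /home and /tmp directoryu
 int arg_private_cache = 0; // mount private home/.cache
@@ -143,6 +145,14 @@ int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
 int login_shell = 0;
 
+//**********************************************************************************
+// work in progress!!!
+//**********************************************************************************
+//#define POSTMORTEM
+#ifdef POSTMORTEM
+#include <grp.h>
+pid_t pm_child = 0;
+#endif
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -176,6 +186,20 @@ static void myexit(int rv) {
 static void my_handler(int s) {
 fmessage("\nParent received signal %d, shutting down the child process...\n", s);
 logsignal(s);
+
+#ifdef POSTMORTEM
+printf("attempt to kill %d\n", pm_child);
+if (pm_child) {
+if (waitpid(pm_child, NULL, WNOHANG) == 0) {
+if (has_handler(pm_child, s)) // signals are not delivered if there is no handler yet
+kill(pm_child, s);
+else
+kill(pm_child, SIGKILL);
+waitpid(pm_child, NULL, 0);
+}
+}
+#endif
+
 if (waitpid(child, NULL, WNOHANG) == 0) {
 if (has_handler(child, s)) // signals are not delivered if there is no handler yet
 kill(child, s);
@@ -2726,6 +2750,44 @@ int main(int argc, char **argv) {
 }
 EUID_USER();
 
+
+#ifdef POSTMORTEM
+pm_child = fork();
+if (pm_child == -1)
+fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
+else if (pm_child == 0) {
+// running --join as root
+EUID_ROOT();
+int rv = setgroups(0, NULL);
+rv |= setuid(0);
+rv |= setgid(0);
+if (rv) {
+fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
+exit(1);
+}
+
+prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+/*problem???*/ sleep(1); // we need to give the sandbox some time to start the namespaces
+char *joincmd;
+if (asprintf(&joincmd, "--join-network=%d", child) == -1)
+errExit("asprintf");
+
+// we join only the network ns, the filesystem is intact so we can find tcpdump
+char *arg[] = {
+"/usr/bin/firejail",
+joincmd,
+"/usr/sbin/tcpdump",
+"-n",
+"-q",
+NULL
+};
+execvp(arg[0], arg);
+assert(0);
+printf("**********************************\n");
+exit(1);
+}
+#endif
+
 int status = 0;
 //*****************************
 // following code is signal-safe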
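Review bot: The POSTMORTEM child in main becomes real uid 0 through `setuid(0)` and then calls `execvp` on /usr/bin/firejail and tcpdump with the environment inherited from the invoking user; unless main has already sanitized the environment before this point (not visible in the hunk), those binaries run as full root on caller-controlled variables. Before `#define POSTMORTEM` is ever enabled, reset the environment first, e.g. `clearenv();` ahead of `execvp(arg[0], arg);`. The `assert(0)` after `execvp` compiles away under NDEBUG, so an exec failure should be handled with `errExit("execvp");`, and the `sleep(1)` marked `/*problem???*/` is a timing guess that wants an explicit synchronisation with the sandbox start. In my_handler the added `printf("attempt to kill %d\n", pm_child);` is not async-signal-safe. Both functions extend beyond the hunks shown.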
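--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1111,10 +1111,10 @@ unsigned extract_timeout(const char *str) {
 }
 
 void disable_file_or_dir(const char *fname) {
-if (arg_debug)
-printf("blacklist %s\n", fname);
 struct stat s;
 if (stat(fname, &s) != -1) {
+if (arg_debug)
+printf("blacklist %s\n", fname);
 if (is_dir(fname)) {
 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("disable directory");
@@ -1123,8 +1123,8 @@ void disable_file_or_dir(const char *fname) {
 if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("disable file");
 }
+fs_logger2("blacklist", fname);
 }
-fs_logger2("blacklist", fname);
 }
 
 void disable_file_path(const char *path, const char *file) {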
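Review bot: With both the debug `printf` and `fs_logger2("blacklist", fname)` moved inside the `stat(fname, &s) != -1` branch, a path that cannot be stat'ed for any reason, not only a missing file, is now skipped without leaving any trace. For a function whose job is to hide a path, a silent skip deserves at least a debug line, e.g. `else if (arg_debug) printf("blacklist: cannot stat %s, skipping\n", fname);`. Separately, `is_dir(fname)` presumably resolves the path a second time after `stat`; testing `S_ISDIR(s.st_mode)` on the result already in hand would make the decision on the same object that was checked.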
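--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1248,10 +1248,10 @@ void x11_xorg(void) {
 disable_file_or_dir(rp);
 free(rp);
 }
-// update environment variable, so our new .Xauthority file is used
-if (setenv("XAUTHORITY", dest, 1) < 0)
-errExit("setenv");
 }
+// set environment variable
+if (setenv("XAUTHORITY", dest, 1) < 0)
+errExit("setenv");
 free(dest);
 #endif
 }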
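--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -53,7 +53,7 @@ int join_namespace(pid_t pid, char *type) {
 
 errout:
 free(path);
-fprintf(stderr, "Error: cannot join namespace %s\\n", type);
+fprintf(stderr, "Error: cannot join namespace %s\n", type);
 return -1;
 
 }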
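--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2768,6 +2768,15 @@ Sandbox running time in hours:minutes:seconds format.
 USER
 The owner of the sandbox.
 
+.SH RESTRICTED SHELL
+To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
+/etc/passwd file for each user that needs to be restricted. Alternatively,
+you can specify /usr/bin/firejail in adduser command:
+
+adduser \-\-shell /usr/bin/firejail username
+
+Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
+
 .SH SECURITY PROFILES
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
@@ -2836,15 +2845,6 @@ Child process initialized
 
 See \fBman 5 firejail-profile\fR for profile file syntax information.
 
-.SH RESTRICTED SHELL
-To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail in adduser command:
-
-adduser \-\-shell /usr/bin/firejail username
-
-Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
-
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling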