Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/protocol.c | 5 | ||||
-rw-r--r-- | src/firejail/usage.c | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 22 |
3 files changed, 34 insertions, 2 deletions
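--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -74,6 +74,11 @@ static struct sock_filter *find_protocol_domain(const char *p) {
 
 // --debug-protocols
 void protocol_list(void) {
+#ifndef SYS_socket
+	fprintf(stderr, "Warning: --protocol not supported on this platform\n");
+	return;
+#endif
+
 	int i = 0;
 	while (protocol[i] != NULL) {
 		printf("%s, ", protocol[i]);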
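Review bot: The `#ifndef SYS_socket` early return at new lines 77-80 turns `--debug-protocols` into a warning-only no-op, but nothing tells the caller that the listing did not happen: `protocol_list` is void and the message goes to stderr, so the caller (outside this hunk) presumably still finishes as if a listing had been printed, and the warning names `--protocol` rather than the flag the user actually passed. Since this is the same condition that would leave the seccomp protocol filter unavailable, whatever code installs the filter should fail closed (refuse to start the sandbox with `--protocol`) rather than warn and continue without it; that code is not visible here, so please confirm. The reason for the guard is not stated; a comment above the `#ifndef` such as `// SYS_socket is absent where socket(2) is reached only via socketcall(2); the seccomp filter on socket()'s domain argument cannot be built there` (hedged: confirm this is the case the build targets) would spare the next maintainer a search. The body of `protocol_list` continues past the end of the hunk.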
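--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -70,6 +70,8 @@ void usage(void) {
 	printf("\t\tFirejail software build and exit.\n\n");
 	printf("\t--debug-errnos - print all recognized error numbres in the current\n");
 	printf("\t\tFirejail software build and exit.\n\n");
+	printf("\t--debug-protocols - print all recognized protocols in the current\n");
+	printf("\t\tFirejail software build and exit.\n\n");
 	printf("\t--debug-syscalls - print all recognized system calls in the current\n");
 	printf("\t\tFirejail software build and exit.\n\n");
 	printf("\t--defaultgw=address - use this address as default gateway in the new\n");
@@ -192,6 +194,10 @@ void usage(void) {
 	printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n");
 
 	printf("\t--profile=filename - use a custom profile.\n\n");
+
+	printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n");
+	printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");
+
 	printf("\t--quiet - turn off Firejail's output.\n\n");
 	printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n");
 	printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n");
@@ -218,7 +224,8 @@ void usage(void) {
 	printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n");
 	printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
 	printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
-	printf("\t\tmigrate_pages, move_pages, vmsplice, and perf_event_open.\n\n");
+	printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
+	printf("\t\tkexec_file_load.\n\n");
 
 	printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
 	printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");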
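Review bot: The new `--protocol` help text at new lines 198-199 says only "enable protocol filter", while the man page added in this same commit explains that the filter is seccomp-based and acts on the first argument of socket(2); `--help` readers should get the same caveat so they understand it restricts which socket domains can be opened, not traffic. Suggest `printf("\t--protocol=protocol,protocol,protocol - enable seccomp-based protocol filter on the\n");` followed by `printf("\t\tdomain argument of socket(); values: unix, inet, inet6, netlink, packet.\n\n");`. Adjacent and pre-existing rather than new: "numbres" on context line 71 is a typo for "numbers". The `usage` function starts and ends outside these hunks.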
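--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -23,7 +23,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree}
 Miscellaneous:
 .PP
 .RS
-firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-help | \-\-version}
+firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
@@ -258,6 +258,15 @@ Example:
 .br
 $ firejail \-\-debug-errnos
 .TP
+\fB\-\-debug-protocols
+Print all recognized protocols in the current Firejail software build and exit.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-protocols
+.TP
 \fB\-\-debug-syscalls
 Print all recognized system calls in the current Firejail software build and exit.
 .br
@@ -842,6 +851,17 @@ For more information, see SECURITY PROFILES section below.
 Example:
 .br
 $ firejail \-\-profile=myprofile
+
+.TP
+\fB\-\-protocol=protocol,protocol,protocol
+Enable protocol filter. The filter is based on seccomp and the first argument to socket system call.
+Recognized values: unix, inet, inet6, netlink and packet.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-protocol=unix,inet,inet6 firefox
 .TP
 \fB\-\-quiet
 Turn off Firejail's output.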