aboutsummaryrefslogtreecommitdiffstats
path: root/src/man/firejail.txt
Commit message (Collapse)AuthorAge
* manpage: remove overlayfs from non-overlayfs buildsLibravatar startx20172020-09-02
|
* manpage: remove apparmor from non-apparor buildsLibravatar startx20172020-09-02
|
* harden cat optionLibravatar smitsohu2020-08-20
|
* Merge branch 'master' into lsLibravatar smitsohu2020-08-19
|\
| * seccomp: loggingLibravatar Topi Miettinen2020-08-05
| | | | | | | | | | | | | | Allow `log` as an alternative seccomp error action instead of killing or returning an errno code. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* | cat optionLibravatar smitsohu2020-08-19
|/
* Man pages: were missing info about .profile .local resolution (#3440)Libravatar OndrejMalek2020-06-04
| | | | | | | | | * Man pages: link to .profile resolution, urls * Man pages: firejail-profile add link to wiki profile creation * Man pages: line break, slash in path * Man pages remove space before dots
* man: minor clarifications to man pages (#3445)Libravatar Jeff Squyres2020-06-04
| | | | | | | | Add verbiage to the man pages clarifying that the files/directories in the lists given to options such as --private-bin must be relative to the directory that is being limited (e.g., --private-opt requires a list of files/directories that are relative to /opt). Signed-off-by: Jeff Squyres <jeff@squyres.com>
* Documentation for new DBus optionsLibravatar Kristóf Marussy2020-05-07
|
* Clarify that file globbing occurs only at startLibravatar Antonio Russo2020-04-11
| | | | | | firejail can blacklist (and now also whitelist) files based on glob pattern. This pattern is evaluated at firejail start, and not updated at run time. This patch documents this behavior.
* Deprecate --nodbus optionLibravatar Kristóf Marussy2020-04-07
|
* Add documentation for DBus filteringLibravatar Kristóf Marussy2020-04-06
|
* Allow changing error action in seccomp filtersLibravatar Topi Miettinen2020-04-06
| | | | | | | | | | | | | | Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call.
* whitelist globing man pageLibravatar netblue302020-04-01
|
* seccomp: allow defining separate filters for 32-bit archLibravatar Topi Miettinen2020-03-28
| | | | | | | | | | | | | | | | | | | | | System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine. Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed. Lists of supported system calls are also updated. Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries. Closes #3267. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* misc thingsLibravatar rusty-snake2020-02-22
| | | | | | - spelling suggestion from @glitsj16 on fda62527 - drop python2 from openshot it never has a python2 version - #3126 note in manpage: cannot combine --private with --private=
* Documentation for DHCP supportLibravatar Kristóf Marussy2020-01-27
|
* Improve --version command exampleLibravatar glitsj162020-01-20
| | | Fixes #3135.
* spelling fixLibravatar Reiner Herrmann2019-12-30
|
* Fix ordering of 'RESTRICTED SHELL'Libravatar glitsj162019-12-15
|
* alphabetize man page entriesLibravatar smitsohu2019-10-04
|
* Merge branch 'master' into fix-profile-builderLibravatar netblue302019-09-15
|\
| * update seccomp in man firejailLibravatar rusty-snake2019-09-13
| |
* | Update man page to note that --trace can now take an optional parameter.Libravatar Glenn Washburn2019-08-29
|/
* Merge pull request #2928 from topimiettinen/seccomp-more-groupsLibravatar netblue302019-08-29
|\ | | | | Add further seccomp groups
| * Add further seccomp groupsLibravatar Topi Miettinen2019-08-28
| | | | | | | | Get further seccomp group definitions from systemd.
* | Allow exceptions to seccomp listsLibravatar Topi Miettinen2019-08-25
|/ | | | | | | Prefix ! can be used to make exceptions to system call blacklists and whitelists used by seccomp, seccomp.drop and seccomp.keep. Closes #1366
* various fixes and improvementsLibravatar rusty-snake2019-08-22
| | | | | | | | | | | | - install contrib/syscalls.sh - add GitLab-CI status to README.md - read-only ${HOME}/.cargo/env - move blacklist ${HOME}/.cargo/registry, ${HOME}/.cargo/config to disable-programs - typo in man firejail firejail-profiles firecfg - better descriptions in man firejail-profiles - fixes in man firejail - template descriptions in firejail-profiles
* man fix (appimage, #2807)Libravatar netblue302019-07-04
|
* Fix typo in man firejail [--x11] (#2785)Libravatar glitsj162019-06-19
|
* Grammar fixLibravatar Reiner Herrmann2019-05-29
| | | | (found by lintian)
* Merge pull request #2712 from apmorton/features/private-cwdLibravatar smitsohu2019-05-24
|\ | | | | Add private-cwd option to control working directory within jail
| * Add private-cwd option to control working directory within jailLibravatar Austin Morton2019-05-23
| |
* | Add deterministic-exit-code option to ensure firejail exits with the first ↵Libravatar Austin Morton2019-05-20
|/ | | | childs exit code regardless of the termination ordering of orphaned children
* man pages: add FIREJAIL_QUIETLibravatar smitsohu2019-05-18
|
* dbus: make --nodbus block also system D-Bus socketLibravatar Topi Miettinen2019-05-15
| | | | Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* update man pages (private-dev, noexec)Libravatar smitsohu2019-05-04
|
* Fixes for man firejail (#2628)Libravatar glitsj162019-03-29
|
* Follow-up on flatpak/snap support (#2601)Libravatar glitsj162019-03-16
| | | | | | | | | | * Remove obsolete snap support from disable-programs.inc * Remove obsolete snap support from pycharm-community.profile * Update RELNOTES to reflect non-existing/dropped flatpak/snap support * Update firejail.txt to reflect flatpak/snap packages are not supported
* Update firejail.txt (#2585)Libravatar glitsj162019-03-13
|
* mdwx: block memfd_createLibravatar Topi Miettinen2019-03-05
| | | | | Some profiles may need adjusting if app uses memfd_create(2) and memory-deny-write-execute was enabled.
* Sort items alphabetically in man firejail (#2479)Libravatar glitsj162019-02-26
|
* documentation updateLibravatar smitsohu2019-02-23
|
* Add machine-id note to man firejail (#2442)Libravatar glitsj162019-02-21
|
* Stress apparmor local overridesLibravatar glitsj162019-02-05
| | | As per discussion on https://github.com/netblue30/firejail/pull/2390, we better use slightly stronger/less optional wording when it comes to where local apparmor overrides need to be done.
* --name reworkLibravatar netblue302019-02-01
|
* removed mincore syscall from default seccomp filterLibravatar netblue302019-01-23
|
* adding mincore syscall to the default seccomp filter and some independent ↵Libravatar netblue302019-01-14
| | | | profiles
* Merge pull request #2297 from smitsohu/patchLibravatar startx20172018-12-17
|\ | | | | enforce nonewprivs instead of seccomp for chroot sandboxes
| * enforce nonewprivs instead of seccomp for chroot sandboxesLibravatar smitsohu2018-12-15
| | | | | | | | | | currently users are able to specify a seccomp filter of their choosing, leaving the real defense to nonewprivs anyway.
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-03 20:45:34 +0000