From 38c8f9151c8874248a06ded439d74678f748df1e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 12 Oct 2015 07:58:56 -0400
Subject: --private-bin
---
 RELNOTES | 1 +
 src/firejail/usage.c | 8 +++++---
 src/man/firejail-profile.txt | 4 ++++
 src/man/firejail.txt | 19 +++++++++++++++++++
 4 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index a61f190d4..a8dd30de3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.31) baseline; urgency=low
 * added --interface option
 * added --mtu option
+ * added --private-bin option
 * added seccomp errno support
 * added FBReader default profile
 * added Spotify default profile
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index dec8c5349..93d79fd94 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -167,13 +167,15 @@ void usage(void) {
 printf("\t\tand it is discarded when the sandbox is closed. (OverlayFS\n");
 printf("\t\tsupport is required in Linux kernel for this option to work).\n\n");
-
-
-
 printf("\t--private - mount new /root and /home/user directories in temporary\n");
 printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n");
 printf("\t\tclosed.\n\n");
 printf("\t--private=directory - use directory as user home.\n\n");
+
+ printf("\t--private-bin=file,file - build a new /bin in a temporary filesystem,\n");
+ printf("\t\tand copy the programs in the list. The same directory is\n");
+ printf("\t\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n");
+
 printf("\t--private-home=file,directory - build a new user home in a temporary\n");
 printf("\t\tfilesystem, and copy the files and directories in the list in\n");
 printf("\t\tthe new home. All modifications are discarded when the sandbox\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e470cab36..1369fdc91 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
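Review bot: The new `--private-bin` help text describes the mechanism (a fresh temporary /bin, the listed programs copied into it, the same directory bind-mounted over /sbin, /usr/bin and /usr/sbin) but never states the effect a user is relying on, namely that nothing else is reachable in those directories. The firejail.txt hunk in this same commit shows exactly that effect (`$ ls /bin` listing only `bash cat ls sed`), so one more line after the bind-mount sentence would make the allow-list nature of the option explicit, e.g. `printf("\t\tOnly the listed programs are available in these directories.\n\n");` with the trailing `\n\n` moved off the preceding line. The same sentence is missing from the two man-page hunks (firejail-profile.txt and firejail.txt), which should stay in sync with the usage text. usage() begins and ends outside this hunk.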
@@ -133,6 +133,10 @@ Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed.
 .TP
+\f\private-bin file,file
+Build a new /bin in a temporary filesystem, and copy the programs in the list.
+The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
+.TP
 \f\private directory
 Use directory as user home.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index af3a18746..00360e65b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -734,6 +734,25 @@ Example:
 .br
 $ firejail \-\-private=/home/netblue/firefox-home firefox
+.TP
+\fB\-\-private-bin=file,file
+Build a new /bin in a temporary filesystem, and copy the programs in the list.
+The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
+.br
+
 .br
+Example:
 .br
+$ firejail \-\-private-bin=bash,sed,ls,cat
 .br
+Parent pid 20841, child pid 20842
 .br
+Child process initialized
 .br
+$ ls /bin
 .br
+bash cat ls sed
 
 .TP
 \fB\-\-private-keep=file,directory
 This option is deprecated, use private-home instead
-- 
cgit v1.2.3-70-g09d2
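Review bot: The added entry header `\f\private-bin file,file` uses `\f\`, which is not the bold font escape; the firejail.txt hunk in this commit writes the equivalent header as `\fB\-\-private-bin=file,file`, so the option name in the profile manual is probably rendered without emphasis or with a formatter warning. The new line copies the neighbouring `\f\private directory` context line, so this is a pre-existing pattern in firejail-profile.txt rather than something the hunk introduces, but the new entry could be written `\fBprivate-bin file,file` now and the existing headers corrected in the same pass. The hunk's leading context is glued to the `@@` line in this rendering, so its exact first line is not recoverable from here.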