From 6b0cd0a8595eb6cb68b2f22f031037b26acd13bd Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 20 Mar 2016 08:19:21 -0400
Subject: fixes
---
src/man/firejail-config.txt | 65 +++++++++++++++++++++++++++++++++++++++++++++
src/man/firejail.txt | 53 ++++++++++++++++++++++++++++++++++++
2 files changed, 118 insertions(+)
create mode 100644 src/man/firejail-config.txt
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
new file mode 100644
index 000000000..55c35181a
--- /dev/null
+++ b/src/man/firejail-config.txt
@@ -0,0 +1,65 @@
+.TH FIREJAIL-CONFIG 5 "MONTH YEAR" "VERSION" "firejail.config man page"
+.SH NAME
+firejail.config \- Firejail run time configuration file
+
+.SH DESCRIPTION
+/etc/firejail/firejail.config is the system-wide configuration file for Firejail.
+It allows the system administrator to enable or disable a number of
+features and Linux kernel security technologies used by Firejail sandbox.
+The file contains keyword-argument pairs, one per line.
+Use 'yes' or 'no' as configuration values.
+
+Note that some of these features can also be enabled or disabled at compile
+time. Most features are enabled by default both at compile time and
+at run time.
+
+.TP
+\fBsecomp
+Enable or disable seccomp support, default enabled.
+
+.TP
+\fBchroot
+Enable or disable chroot support, default enabled.
+
+.TP
+\fBbind
+Enable or disable bind support, default enabled.
+
+.TP
+\fBnetwork
+Enable or disable networking features, default enabled.
+
+.TP
+\fBrestricted-network
+Enable or disable restricted network support, default disabled. If enabled,
+networking features should also be enabled (network yes).
+Restricted networking grants access to --interface and --net=ethXXX
+only to root user. Regular users are only allowed --net=none.
+
+.TP
+\fBuserns
+Enable or disable user namespace support, default enabled.
+
+.TP
+\fBx11
+Enable or disable X11 sandboxing support, default enabled.
+
+.TP
+\fBfile-transfer
+Enable or disable file transfer support, default enabled.
+
+.SH FILES
+/etc/firejail/firejail.config
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.wordpress.com
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirejail-profile\fR\|(5)
+\&\flfirejail-login\fR\|(5)
+
+
+
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f3c023aba..99a9429c7 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1534,6 +1534,59 @@ Example: .br $ firejail \-\-zsh +.SH DESKTOP INTEGRATION +A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. +The symbolic link should be placed in the first $PATH position. On most systems, a good place +is /usr/local/bin directory. Example: +.PP +.RS +.br + +.br +Make a firefox symlink to /usr/bin/firejail: +.br + +.br +$ ln -s /usr/bin/firejail /usr/local/bin/firefox +.br + +.br +Verify $PATH +.br + +.br +$ which -a firefox +.br +/usr/local/bin/firefox +.br +/usr/bin/firefox +.br + +.br +Starting firefox in this moment, automatically invokes “firejail firefox”. +.RE +.br + +.br +This works for clicking on desktop environment icons, menus etc. Use "firejail --tree" +to verify the program is sandboxed. +.PP +.RS +.br + +.br +.br +$ firejail --tree +.br +1189:netblue:firejail firefox +.br + 1190:netblue:firejail firefox +.br + 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox" +.br + 1221:netblue:/usr/lib/firefox/firefox +.RE + .SH FILE TRANSFER These features allow the user to inspect the filesystem container of an existing sandbox and transfer files from the container to the host filesystem. -- cgit v1.2.3-54-g00ecf