From e547b142597568da678c54da8b5b4164fb3fee86 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 21 Apr 2016 10:47:52 -0400
Subject: --read-write option

---
 RELNOTES                     |  1 +
 src/firejail/usage.c         |  1 +
 src/man/firejail-profile.txt | 21 ++++++++++++---------
 src/man/firejail.txt         | 27 ++++++++++++++++++++-------
 4 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index 19bd54dd6..2a7e8ca60 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.40-rc1) baseline; urgency=low
   * added --cpu.print option
   * added filetransfer options --ls and --get
   * added --writable-etc and --writable-var options
+  * added --read-only option
   * added mkdir, ipc-namespace, and nosound profile commands
   * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
   * --version also prints compile options
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 8b61629f4..8c738a0fc 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -209,6 +209,7 @@ void usage(void) {
 	printf("\tcreated for the real user ID of the calling process.\n\n");
 	printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
 	printf("\tfor a process.\n\n");
+	printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
 #ifdef HAVE_NETWORK
 	printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
 	printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 8ad2eefad..19063f5ef 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
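Review bot: The help line added to usage() ends with a doubled period (`read-write..`) and, unlike the firejail.txt entry in the same commit, does not tell the user that the option is root-only and is ignored when --chroot or --overlay is set, which matters because this option weakens the read-only mount of the system directories; suggest `printf(" --read-write=dirname_or_filename - set directory or file read-write (root only).\n\n");`. The new entry is also placed after --rlimit-sigpending while the surrounding entries appear to be in alphabetical order, so it would sit better before the --rlimit-* lines. Separately, the RELNOTES line added by this commit reads `added --read-only option` although the subject and this help text describe --read-write. usage() starts and ends outside the hunk.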
@@ -121,12 +121,6 @@ blacklist ${PATH}/ifconfig .br blacklist ${HOME}/.ssh -.TP -\fBread-only file_or_directory -Make directory or file read-only. -.TP -\fBtmpfs directory -Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. .TP \fBbind directory1,directory2 Mount-bind directory1 on top of directory2. This option is only available when running as root. @@ -182,6 +176,18 @@ All modifications are discarded when the sandbox is closed. \fBprivate-tmp Mount an empty temporary filesystem on top of /tmp directory. .TP +\fBread-only file_or_directory +Make directory or file read-only. +.TP +\fBread-write file_or_directory +Make directory or file read-write. +.TP +\fBtmpfs directory +Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. +.TP +\fBtracelog +Blacklist violations logged to syslog. +.TP \fBwhitelist file_or_directory Build a new user home in a temporary filesystem, and mount-bind file_or_directory. The modifications to file_or_directory are persistent, everything else is discarded @@ -194,9 +200,6 @@ when running the sandbox as root user. \fBwritable-var Mount /var directory read-write. This option is available only when running the sandbox as root user. -.TP -\fBtracelog -Blacklist violations logged to syslog. .SH Security filters The following security filters are currently implemented: diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 51abaef28..19415a332 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. .SH USAGE -Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, -and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. -The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. -Only /home and /tmp are writable. +Without any options, the sandbox consists of a filesystem build in a new mount namespace, +and new PID and UTS namespaces. IPC, network and user namespaces can be added using the +command line options. The default Firejail filesystem is based on the host filesystem with the main +system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, +/libx32 and /lib64. Only /home and /tmp are writable. .PP As it starts up, Firejail tries to find a security profile based on the name of the application. If an appropriate profile is not found, Firejail will use a default profile. The default profile is quite restrictive. In case the application doesn't work, use --noprofile option -to disable it. For more information, please see \fBSECURITY PROFILES\fR section. +to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. .PP If a program argument is not specified, Firejail starts /bin/bash shell. Examples: @@ -194,7 +195,8 @@ Example: .TP \fB\-\-chroot=dirname -Chroot the sandbox into a root filesystem. If the sandbox is started as a +Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, +the system directories are mounted read-write. If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled. This option is not available on Grsecurity systems. .br 
@@ -946,7 +948,8 @@ $ ls -l sandboxlog* .TP \fB\-\-overlay -Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay. +Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, +the system directories are mounted read-write. All filesystem modifications go into the overlay. The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. .br @@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of .TP \fB\-\-rlimit-sigpending=number Set the maximum number of pending signals for a process. + +.TP +\fB\-\-read-write=dirname_or_filename +By default, the sandbox mounts system directories read-only. +These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. +Use this option to mount read-write files or directories inside the system directories. + +This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these +cases the system directories are mounted read-write. + .TP \fB\-\-scan ARP-scan all the networks from inside a network namespace. -- cgit v1.2.3-54-g00ecf