From eafb460d94703e995e03a1c705b2e259bc5cfb65 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 30 Aug 2015 06:25:07 -0400 Subject: fixing manpages --- src/man/firejail-login.txt | 2 +- src/man/firejail-profile.txt | 54 ++++++++++++++++++++++++++++++++++-- src/man/firejail.txt | 65 ++++++++++++++++++++++++++++++++------------ 3 files changed, 100 insertions(+), 21 deletions(-) diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 768896872..1d6a8d80e 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt @@ -4,7 +4,7 @@ login.users \- Login file syntax for Firejail .SH DESCRIPTION /etc/firejail/login.users file describes additional arguments passed to firejail executable -upon user logging into a Firejail restircted shell. Each user entry in the file consists of +upon user logging into a Firejail restricted shell. Each user entry in the file consists of a user name followed by the arguments passed to firejail. The format is as follows: user_name: arguments diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 59fde72a6..246098bb7 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -1,6 +1,6 @@ .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" .SH NAME -profile \- Profile file syntax for Firejail +profile \- Security profile file syntax for Firejail .SH USAGE .TP @@ -8,8 +8,56 @@ firejail \-\-profile=filename.profile .SH DESCRIPTION Several Firejail command line configuration options can be passed to the program using -profile files. Default Firejail profile files are stored in /etc/firejail -directory and ~/.config/firejail directory. +profile files. +Firejail chooses a security profile in the following order: + +1. If a profile is provided by the user with --profile option, the profile is loaded. +Example: +.PP +.RS +$ firejail --profile=/home/netblue/icecat.profile icecat +.RE + +2. If a profile file with the same name as the application is present in ~/.config/firejail directory or +in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example: +.PP +.RS +$ firejail icecat +.br +Command name #icecat# +.br +.br +Found icecat profile in /home/netblue/.config/firejail directory +.br +Reading profile /home/netblue/.config/firejail/icecat.profile +.br +[...] +.RE + +3. Use the default profile in /etc/firejail/generic.profile. This can be disabled with --noprofile. Example: +.PP +.RS +$ firejail \-\-noprofile +.br +Parent pid 8553, child pid 8554 +.br +Child process initialized +.br +$ exit +.br +.br +parent is shutting down, bye... +.br +$ firejail +.br +Reading profile /etc/firejail/generic.profile +.br +Parent pid 8553, child pid 8554 +.br +Child process initialized +.br +$ +.RE .SH Scripting Include and comment support: diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d78ce6723..c07a02c57 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -39,15 +39,24 @@ and it is integrated with Linux Control Groups. Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. -The software includes sandbox profiles for a number of more common +.PP +Firejail allows the user to manage application security using security profiles. +Each profile defines a set of permissions for a specific application or group +of applications. The software includes security profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. + .SH USAGE Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. Only /home, /tmp and /var directories are writable. .PP -If no program is specified as an argument, /bin/bash is started by default. +As it starts up, Firejail tries to find a security profile based on the name of the application. +If an appropriate profile is not found, Firejail will use the default profile stored in /etc/firejail/default.profile. +The default security profile is quite restrictive. In case the application doesn't work, use --noprofile option +to disable it. For more information, please see SECURITY PROFILES section. +.PP +If a program argument is not specified, Firejail starts /bin/bash shell. Examples: .PP $ firejail [OPTIONS] # starting a /bin/bash shell @@ -56,7 +65,7 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox .PP Multiple commands can be run in sandbox using regular bash logic operators: .PP -$ sudo firejail [OPTIONS] "/etc/init.d/nginx start && sleep inf" +# sudo firejail [OPTIONS] "/etc/init.d/nginx start && sleep inf" .PP In the previous example, "sleep inf" command is required in order to keep the session open for the daemon program. @@ -195,7 +204,7 @@ Example: .TP \fB\-\-chroot=dirname Chroot the sandbox into a root filesystem. If the sandbox is started as a -regular user, default seccomp and capabilities filters are eanbled. +regular user, default seccomp and capabilities filters are enabled. .br .br @@ -566,9 +575,7 @@ $ .TP \fB\-\-noprofile -Do not use a profile. Profile priority is use the one -specified on the command line, next try to find one that -matches the command name, and lastly use generic.profile. +Do not use a profile. .br .br @@ -633,7 +640,7 @@ $ firejail \-\-output=sandboxlog /bin/bash .br $ ls -l sandboxlog* .br --rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sadnboxlog +-rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog .br -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1 .br @@ -744,8 +751,8 @@ $ firejail --private-etc=group,hostname,localtime, \\ nsswitch.conf,passwd,resolv.conf .TP \fB\-\-profile=filename -Load a custom profile from filename. For filename use an absolute path or a path relative to the current path. -For more information, see PROFILES section below. +Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. +For more information, see SECURITY PROFILES section below. .br .br @@ -1088,7 +1095,7 @@ Use /usr/bin/zsh as default user shell. .br Example: .br -$ firejakil \-\-zsh +$ firejail \-\-zsh .SH TRAFFIC SHAPING Network bandwidth is an expensive resource shared among all sandboxes running on a system. Traffic shaping allows the user to increase network performance by controlling @@ -1186,20 +1193,19 @@ Sandbox running time in hours:minutes:seconds format. User The owner of the sandbox. -.SH PROFILES +.SH SECURITY PROFILES Several command line configuration options can be passed to the program using -profile files. Firejail supports user specified profile files and automatic profile files, -as follows: +profile files. Firejail chooses a security profile in the following order: -1. Load a specific profile file from a full path, or a path relative to the current directory. +1. If a profile is provided by the user with --profile option, the profile is loaded. Example: .PP .RS $ firejail --profile=/home/netblue/icecat.profile icecat .RE -2. Load a default profile file automatically from ~/.config/firejail or from /etc/firejail, based -on the name of the executable started in the sandbox. Example: +2. If a profile file with the same name as the application is present in ~/.config/firejail directory or +in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example: .PP .RS $ firejail icecat @@ -1214,6 +1220,31 @@ Reading profile /home/netblue/.config/firejail/icecat.profile [...] .RE +3. Use the default profile in /etc/firejail/generic.profile +.PP +.RS +$ firejail \-\-noprofile +.br +Parent pid 8553, child pid 8554 +.br +Child process initialized +.br +$ exit +.br +.br +parent is shutting down, bye... +.br +$ firejail +.br +Reading profile /etc/firejail/generic.profile +.br +Parent pid 8553, child pid 8554 +.br +Child process initialized +.br +$ +.RE + See man 5 firejail-profile for profile file syntax information. .SH RESTRICTED SHELL -- cgit v1.2.3-54-g00ecf