From 2e914f0940a025d971c484a9158c1eaeca9c6015 Mon Sep 17 00:00:00 2001 From: startx2017 Date: Wed, 30 Sep 2020 09:01:36 -0400 Subject: manpages: network configuration --- src/man/firejail.txt | 55 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 23 deletions(-) (limited to 'src/man/firejail.txt') diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e1d55258c..1e355de8a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -20,12 +20,14 @@ File transfer from an existing sandbox firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename .RE .PP +#ifdef HAVE_NETWORK Network traffic shaping for an existing sandbox: .PP .RS firejail \-\-bandwidth={name|pid} bandwidth-command .RE .PP +#endif Monitoring: .PP .RS @@ -647,7 +649,7 @@ Debug whitelisting. Example: .br $ firejail \-\-debug-whitelists firefox - +#ifdef HAVE_NETWORK .TP \fB\-\-defaultgw=address Use this address as default gateway in the new network namespace. @@ -657,7 +659,7 @@ Use this address as default gateway in the new network namespace. Example: .br $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox - +#endif .TP \fB\-\-disable-mnt Blacklist /mnt, /media, /run/mount and /run/media access. @@ -778,8 +780,12 @@ Ignore command in profile file. Example: .br $ firejail \-\-ignore=shell --ignore=seccomp firefox +#ifdef HAVE_NETWORK .br $ firejail \-\-ignore="net eth0" firefox +#endif + +#ifdef HAVE_NETWORK .TP \fB\-\-interface=interface Move interface in a new network namespace. Up to four --interface options can be specified. @@ -901,6 +907,7 @@ for sandboxes started as root. Example: .br $ firejail \-\-ipc-namespace firefox +#endif .TP \fB\-\-join=name|pid Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox. 
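Review bot: The `#endif` added after the `--ipc-namespace` example in hunk @@ -901 closes the `#ifdef HAVE_NETWORK` opened before `--interface` in hunk @@ -778, so everything between them — `--ip`, `--ip6`, `--iprange` and `--ipc-namespace` — is dropped from a build without network support. The IP options belong in that block, but `--ipc-namespace` is an IPC-namespace feature and does not appear to depend on HAVE_NETWORK, so its manpage entry would silently vanish from such a build. If that dependence is not intended, move the `#endif` up so it follows the `--iprange` example and precedes `.TP` / `\fB\-\-ipc-namespace`. The `--ipc-namespace` entry itself starts outside the visible hunk, so the exact insertion point has to be confirmed in the full file.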
@@ -932,7 +939,7 @@ $ firejail \-\-join=3272 Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. This command is available only to root user. Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. - +#ifdef HAVE_NETWORK .TP \fB\-\-join-network=name|pid Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. @@ -988,7 +995,7 @@ Switching to pid 1932, the first child process inside the sandbox inet6 fe80::7458:14ff:fe42:78e4/64 scope link .br valid_lft forever preferred_lft forever - +#endif .TP \fB\-\-join-or-start=name Join the sandbox identified by name or start a new one. @@ -1027,17 +1034,19 @@ Example: $ firejail \-\-list .br 7015:netblue:browser:firejail firefox +#ifdef HAVE_NETWORK .br 7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk -.br +#endif #ifdef HAVE_USERNS +.br 7064:netblue::firejail \-\-noroot xterm .br #endif .TP \fB\-\-ls=name|pid dir_or_filename List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. - +#ifdef HAVE_NETWORK .TP \fB\-\-mac=address Assign MAC addresses to the last network interface defined by a \-\-net option. This option @@ -1048,7 +1057,7 @@ is not supported for wireless interfaces. Example: .br $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox - +#endif .TP \fB\-\-machine-id Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. @@ -1074,7 +1083,7 @@ kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. Note: shmat is not implemented as a system call on some platforms including i386, and it cannot be handled by seccomp-bpf. - +#ifdef HAVE_NETWORK .TP \fB\-\-mtu=number Assign a MTU value to the last network interface defined by a \-\-net option. 
@@ -1084,7 +1093,7 @@ Assign a MTU value to the last network interface defined by a \-\-net option. Example: .br $ firejail \-\-net=eth0 \-\-mtu=1492 - +#endif .TP \fB\-\-name=name Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use @@ -1109,7 +1118,7 @@ $ firejail --list .br 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote .br - +#ifdef HAVE_NETWORK .TP \fB\-\-net=bridge_interface Enable a new network namespace and connect it to this bridge interface. @@ -1150,7 +1159,7 @@ Example: $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox .br $ firejail \-\-net=wlan0 firefox - +#endif .TP \fB\-\-net=none Enable a new, unconnected network namespace. The only interface @@ -1168,7 +1177,7 @@ $ firejail \-\-net=none vlc .br Note: \-\-net=none can crash the application on some platforms. In these cases, it can be replaced with \-\-protocol=unix. - +#ifdef HAVE_NETWORK .TP \fB\-\-net=tap_interface Enable a new network namespace and connect it @@ -1282,9 +1291,6 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\ .br --net=eth0 firefox - - - .TP \fB\-\-netfilter=filename,arg1,arg2,arg3 ... This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script @@ -1298,8 +1304,6 @@ $ firejail --net=eth0 --ip=192.168.1.105 \\ --netfilter=/etc/firejail/tcpserver.net,5001 server-program .br - - .TP \fB\-\-netfilter.print=name|pid Print the firewall installed in the sandbox specified by name or PID. Example: @@ -1363,7 +1367,7 @@ PID User RX(KB/s) TX(KB/s) Command 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox .br 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission - +#endif .TP \fB\-\-nice=value Set nice value for all processes running inside the sandbox. 
@@ -2066,7 +2070,7 @@ Remove environment variable in the new sandbox. Example: .br $ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS - +#ifdef HAVE_NETWORK .TP \fB\-\-scan ARP-scan all the networks from inside a network namespace. @@ -2077,6 +2081,7 @@ This makes it possible to detect macvlan kernel device drivers running on the cu Example: .br $ firejail \-\-net=eth0 \-\-scan +#endif .TP \fB\-\-seccomp Enable seccomp filter and blacklist the syscalls in the default list, @@ -2556,8 +2561,10 @@ $ firejail \-\-tree 11904:netblue:iceweasel .br 11957:netblue:/usr/lib/iceweasel/plugin-container +#ifdef HAVE_NETWORK .br 11969:netblue:firejail \-\-net=eth0 transmission-gtk +#endif .br 11970:netblue:transmission-gtk @@ -2609,6 +2616,7 @@ Compile time support: - user namespace support is enabled - X11 sandboxing support is enabled .br +#ifdef HAVE_NETWORK .TP \fB\-\-veth-name=name Use this name for the interface connected to the bridge for --net=bridge_interface commands, @@ -2619,7 +2627,7 @@ instead of the default one. Example: .br $ firejail \-\-net=br0 --veth-name=if0 - +#endif .TP \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. A temporary file system is mounted on the top directory, and the @@ -2987,6 +2995,7 @@ Start Firefox with a new, empty home directory. .TP \f\firejail --net=none vlc Start VLC in an unconnected network namespace. +#ifdef HAVE_NETWORK .TP \f\firejail \-\-net=eth0 firefox Start Firefox in a new network namespace. An IP address is @@ -2996,6 +3005,7 @@ assigned automatically. Start a /bin/bash session in a new network namespace and connect it to br0, br1, and br2 host bridge devices. IP addresses are assigned automatically for the interfaces connected to br1 and b2 +#endif .TP \f\firejail \-\-list List all sandboxed processes. 
@@ -3115,7 +3125,6 @@ sandboxes. Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces. - Listed below are the available fields (columns) in alphabetical order for \-\-top and \-\-netstats options: @@ -3233,7 +3242,7 @@ Child process initialized .RE See \fBman 5 firejail-profile\fR for profile file syntax information. - +#ifdef HAVE_NETWORK .SH TRAFFIC SHAPING Network bandwidth is an expensive resource shared among all sandboxes running on a system. Traffic shaping allows the user to increase network performance by controlling @@ -3275,7 +3284,7 @@ Example: $ firejail \-\-bandwidth=mybrowser status .br $ firejail \-\-bandwidth=mybrowser clear eth0 - +#endif .SH LICENSE This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP -- cgit v1.2.3-70-g09d2