From 129af459ad895b329afb62f3fe9cbcbd6a578072 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 4 Dec 2015 12:36:44 -0500 Subject: --profile-path option --- src/man/firejail-profile.txt | 88 +++++++++++++++++++++++++++----------------- src/man/firejail.txt | 30 +++++++++++---- 2 files changed, 77 insertions(+), 41 deletions(-) (limited to 'src/man') diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1713b74dd..91c151fe8 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -81,7 +81,7 @@ file in user home directory. Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. .TP -\f\noblacklist file_name +\f\ noblacklist file_name If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. Example: "noblacklist ${HOME}/.mozilla" @@ -102,37 +102,31 @@ Use \fBprivate\fR to set private mode. File globbing is supported, and PATH and HOME directories are searched. Examples: .TP -\f\blacklist /usr/bin -Remove /usr/bin directory. -.TP -\f\blacklist /etc/passwd -Remove /etc/passwd file. -.TP -\f\read-only /etc/passwd -Read-only /etc/passwd file. -.TP -tmpfs /etc -Mount an empty tmpfs filesystem on top of /etc directory. -.TP -bind /root/config/ssh,/etc/ssh -Mount-bind /root/config/ssh on /etc/ssh. +\f\blacklist file_or_directory +Blacklist directory or file. Examples: +.br + +.br +blacklist /usr/bin +.br +blacklist /usr/bin/gcc* +.br +blacklist ${PATH}/ifconfig +.br +blacklist ${HOME}/.ssh + .TP -\f\blacklist /usr/bin/gcc* -Remove all gcc files in /usr/bin (file globbing). +\f\read-only file_or_directory +Make directory or file read-only. .TP -\f\blacklist ${PATH}/ifconfig -Remove ifconfig command from the regular path directories. +\f\ tmpfs directory +Mount an empty tmpfs filesystem on top of directory. .TP -\f\blacklist ${HOME}/.ssh -Remove .ssh directory from user home directory. +\f\bind directory1,directory2 +Mount-bind directory1 on top of directory2. This option is only available when running as root. .TP -\f\noblacklist ${HOME}/config/evince -Prevent any new blacklist commands from blacklisting -config/evince in the user home directory. Useful for defining -exceptions before including a large blacklist from a file. Note -that blacklisting ${HOME}/config can still make -${HOME}/config/evince effectively unreachable through filesystem -traversal. +\f\bind file1,file2 +Mount-bind file1 on top of file2. This option is only available when running as root. .TP \f\private Mount new /root and /home/user directories in temporary @@ -153,7 +147,7 @@ new home. All modifications are discarded when the sandbox is closed. .TP \f\private-dev -Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available. +Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. .TP \f\private-etc file,directory Build a new /etc in a temporary @@ -240,10 +234,8 @@ The sandbox is placed in g1 control group. .SH User Environment .TP -env LD_LIBRARY_PATH=/opt/test/lib -Set environment variable. -.br -Examples: +env name=value +Set environment variable. Examples: .br .br @@ -284,6 +276,36 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. hostname name Set a hostname for the sandbox. +.SH RELOCATING PROFILES +For various reasons some users might want to keep the profile files in a different directory. +Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles +into this directory. + +This is an example of relocating the profile files into a new +directory, /home/netblue/myprofiles. Start by creating the new directory and copy all +the profile files in: +.br + +.br +$ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* . +.br + +.br +Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands: +.br + +.br +$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile +.br +$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc +.br + +.br +Start Firejail using the new path: +.br + +.br +$ firejail --profile-path=~/myprofile .SH FILES /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 62225c407..e2382eb9f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -52,7 +52,7 @@ Only /home and /tmp are writable. As it starts up, Firejail tries to find a security profile based on the name of the application. If an appropriate profile is not found, Firejail will use a default profile. The default profile is quite restrictive. In case the application doesn't work, use --noprofile option -to disable it. For more information, please see SECURITY PROFILES section. +to disable it. For more information, please see \fBSECURITY PROFILES\fR section. .PP If a program argument is not specified, Firejail starts /bin/bash shell. Examples: @@ -69,10 +69,10 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox Signal the end of options and disables further option processing. .TP \fB\-\-bandwidth=name -Set bandwidth limits for the sandbox identified by name, see TRAFFIC SHAPING section for more details. +Set bandwidth limits for the sandbox identified by name, see \fBTRAFFIC SHAPING\fR section for more details. .TP \fB\-\-bandwidth=pid -Set bandwidth limits for the sandbox identified by PID, see TRAFFIC SHAPING section for more details. +Set bandwidth limits for the sandbox identified by PID, see \fBTRAFFIC SHAPING\fR section for more details. .TP \fB\-\-bind=dirname1,dirname2 Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root. @@ -478,7 +478,7 @@ $ firejail \-\-join=3272 .TP \fB\-\-list -List all sandboxes, see MONITORING section for more details. +List all sandboxes, see \fBMONITORING\fR section for more details. .br .br @@ -645,7 +645,7 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\ --net=eth0 firefox .TP \fB\-\-netstats -Monitor network namespace statistics, see MONITORING section for more details. +Monitor network namespace statistics, see \fBMONITORING\fR section for more details. .br .br @@ -919,7 +919,7 @@ nsswitch.conf,passwd,resolv.conf .TP \fB\-\-profile=filename Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. -For more information, see SECURITY PROFILES section below. +For more information, see \fBSECURITY PROFILES\fR section below. .br .br @@ -927,6 +927,20 @@ Example: .br $ firejail \-\-profile=myprofile +.TP +\fB\-\-profile-path=directory +Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/. +For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in +\fBman 5 firejail-profile\fR. +.br + +.br +Example: +.br +$ firejail \-\-profile-path=~/myprofiles +.br +$ firejail \-\-profile-path=/home/netblue/myprofiles + .TP \fB\-\-protocol=protocol,protocol,protocol Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. @@ -1255,7 +1269,7 @@ Example: $ firejail \-\-tmpfs=/var .TP \fB\-\-top -Monitor the most CPU-intensive sandboxes, see MONITORING section for more details. +Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. .br .br @@ -1321,7 +1335,7 @@ Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe fi [...] .TP \fB\-\-tree -Print a tree of all sandboxed processes, see MONITORING section for more details. +Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. .br .br -- cgit v1.2.3-54-g00ecf