From a344c555ff282c23a8274d10ad0f75eb4fae6836 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 10 Jul 2016 10:08:53 -0400 Subject: --noexec --- src/man/firejail-profile.txt | 3 +++ src/man/firejail.txt | 15 +++++++++++++++ 2 files changed, 18 insertions(+) (limited to 'src/man') diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 98fa17908..504842a9e 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -157,6 +157,9 @@ whitelist ~/.cache/mozilla/firefox Similar to mkdir, this command creates a file in user home before the sandbox is started. The file is created if it doesn't already exist. .TP +\fBnoexec file_or_directory +Remount the file or the directory noexec, nodev and nosuid. +.TP \fBprivate Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7c9cd98de..cd9ea6a8a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -850,6 +850,21 @@ $ nc dict.org 2628 .br 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 .br +.TP +\fB\-\-noexec=dirname_or_filename +Remount directory or file noexec, nodev and nosuid. +.br + +.br +Example: +.br +$ firejail \-\-noexec=/tmp +.br + +.br +/etc and /var are noexec by default. If there are more than one mount operation +on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox. + .TP \fB\-\-nogroups Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the -- cgit v1.2.3-70-g09d2
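Review bot: In the src/man/firejail-profile.txt hunk (@@ -157,6 +157,9 @@), the new "noexec file_or_directory" entry names its argument differently from the command-line entry added to firejail.txt in the same patch ("dirname_or_filename"), and it carries none of the caveats given there. Use one argument name in both pages. Either repeat the notes about /etc and /var being noexec by default and about paths with more than one mount operation, or point the reader to \-\-noexec in firejail(1). Without that, a profile author reading only this page will not know the remount may fail to apply on a path that is mounted more than once.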
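Review bot: In the src/man/firejail.txt hunk (@@ -850,6 +850,21 @@), the closing paragraph of the \-\-noexec entry is ambiguous about who has to act. "If there are more than one mount operation on the path of the file or directory, noexec should be applied to the last one" does not say whether firejail does this itself or the user has to order the options so that \-\-noexec targets the final mount. It should also read "there is more than one". "Always check if the change took effect inside the sandbox" tells the reader to verify but not how. Consider naming a concrete check, for example looking at the mount options for the path in /proc/self/mounts from inside the sandbox. Also, the option is named noexec but the text says it applies nodev and nosuid as well; a short sentence on why all three are set together would stop users from assuming only execution is affected.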