From cfbcbf2c95455373aa2570827c52b7b87d80cfef Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Mon, 22 May 2017 01:48:27 -0500 Subject: --novideo option Still a work in progress. Code needs cleanup and improvement, but it does block /dev/video* in all of my tests so far. --- src/man/firejail-profile.txt | 13 ++++---- src/man/firejail.txt | 78 +++++++++++++++++++++++--------------------- 2 files changed, 46 insertions(+), 45 deletions(-) (limited to 'src/man') diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index bb1bd86b9..cbffa9ce4 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -50,7 +50,7 @@ Parent pid 8553, child pid 8554 .br Child process initialized .br -[...] +[...] .br .br @@ -92,7 +92,7 @@ Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profi System configuration files in ${CFG} are overwritten during software installation. Persistent configuration at system level is handled in ".local" files. For every -profile file in ${CFG} directory, the user can create a corresponding .local file +profile file in ${CFG} directory, the user can create a corresponding .local file storing modifications to the persistent configuration. Persistent .local files are included at the start of regular profile files. @@ -255,7 +255,7 @@ Blacklist violations logged to syslog. \fBwhitelist file_or_directory Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, -everything else is discarded when the sandbox is closed. The top directory could be +everything else is discarded when the sandbox is closed. The top directory could be user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. .br @@ -405,6 +405,8 @@ Enable IPC namespace. \fBnosound Disable sound system. .TP +\fBnovideo +Disable video devices. \fBno3d Disable 3D hardware acceleration. 
@@ -533,7 +535,7 @@ really need network access. .TP \fBveth-name name -Use this name for the interface connected to the bridge for --net=bridge_interface commands, +Use this name for the interface connected to the bridge for --net=bridge_interface commands, instead of the default one. .SH Other @@ -585,6 +587,3 @@ Homepage: http://firejail.wordpress.com \&\flfiremon\fR\|(1), \&\flfirecfg\fR\|(1), \&\flfirejail-login\fR\|(5) - - - diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 38bb6a19e..de300d47b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -42,7 +42,7 @@ and it is integrated with Linux Control Groups. .PP Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. -It can sandbox any type of processes: servers, graphical applications, and even user login sessions. +It can sandbox any type of processes: servers, graphical applications, and even user login sessions. .PP Firejail allows the user to manage application security using security profiles. Each profile defines a set of permissions for a specific application or group 
@@ -52,13 +52,13 @@ Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. .SH USAGE Without any options, the sandbox consists of a filesystem build in a new mount namespace, and new PID and UTS namespaces. IPC, network and user namespaces can be added using the -command line options. The default Firejail filesystem is based on the host filesystem with the main -system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, +command line options. The default Firejail filesystem is based on the host filesystem with the main +system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home and /tmp are writable. .PP As it starts up, Firejail tries to find a security profile based on the name of the application. If an appropriate profile is not found, Firejail will use a default profile. -The default profile is quite restrictive. In case the application doesn't work, use --noprofile option +The default profile is quite restrictive. In case the application doesn't work, use --noprofile option to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. .PP If a program argument is not specified, Firejail starts /bin/bash shell. @@ -657,7 +657,7 @@ $ sudo firejail --join-network=browser ip addr .br Switching to pid 1932, the first child process inside the sandbox .br -1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default .br link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 .br 
@@ -665,11 +665,11 @@ Switching to pid 1932, the first child process inside the sandbox .br valid_lft forever preferred_lft forever .br - inet6 ::1/128 scope host + inet6 ::1/128 scope host .br valid_lft forever preferred_lft forever .br -2: eth0-1931: mtu 1500 qdisc noqueue state UNKNOWN group default +2: eth0-1931: mtu 1500 qdisc noqueue state UNKNOWN group default .br link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff .br @@ -677,7 +677,7 @@ Switching to pid 1932, the first child process inside the sandbox .br valid_lft forever preferred_lft forever .br - inet6 fe80::7458:14ff:fe42:78e4/64 scope link + inet6 fe80::7458:14ff:fe42:78e4/64 scope link .br valid_lft forever preferred_lft forever @@ -702,13 +702,13 @@ Example: .br $ firejail \-\-list .br -7015:netblue:firejail firefox +7015:netblue:firejail firefox .br -7056:netblue:firejail \-\-net=eth0 transmission-gtk +7056:netblue:firejail \-\-net=eth0 transmission-gtk .br -7064:netblue:firejail \-\-noroot xterm +7064:netblue:firejail \-\-noroot xterm .br -$ +$ .TP \fB\-\-mac=address Assign MAC addresses to the last network interface defined by a \-\-net option. @@ -998,7 +998,7 @@ $ .TP \fB\-\-noprofile -Do not use a security profile. +Do not use a security profile. .br .br @@ -1012,7 +1012,7 @@ Parent pid 8553, child pid 8554 .br Child process initialized .br -[...] +[...] .br .br @@ -1066,6 +1066,11 @@ Example: .br $ firejail \-\-nosound firefox +.TP +\fB\-\-novideo +Disable video devices. +.br + .TP \fB\-\-nowhitelist=dirname_or_filename Disable whitelist for this directory or file. @@ -1200,7 +1205,7 @@ $ firejail \-\-private-home=.mozilla firefox Build a new /bin in a temporary filesystem, and copy the programs in the list. If no listed file is found, /bin directory will be empty. The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. -All modifications are discarded when the sandbox is closed. +All modifications are discarded when the sandbox is closed. .br .br 
@@ -1240,7 +1245,7 @@ $ Build a new /etc in a temporary filesystem, and copy the files and directories in the list. If no listed file is found, /etc directory will be empty. -All modifications are discarded when the sandbox is closed. +All modifications are discarded when the sandbox is closed. .br .br @@ -1255,7 +1260,7 @@ nsswitch.conf,passwd,resolv.conf Build a new /opt in a temporary filesystem, and copy the files and directories in the list. If no listed file is found, /opt directory will be empty. -All modifications are discarded when the sandbox is closed. +All modifications are discarded when the sandbox is closed. .br .br @@ -1268,7 +1273,7 @@ $ firejail --private-opt=firefox /opt/firefox/firefox Build a new /srv in a temporary filesystem, and copy the files and directories in the list. If no listed file is found, /srv directory will be empty. -All modifications are discarded when the sandbox is closed. +All modifications are discarded when the sandbox is closed. .br .br @@ -1573,7 +1578,7 @@ SECCOMP Filter: .br RETURN_ALLOW .br -$ +$ .TP \fB\-\-shell=none Run the program directly, without a user shell. @@ -1665,7 +1670,7 @@ parent is shutting down, bye... .TP \fB\-\-tracelog This option enables auditing blacklisted files and directories. A message -is sent to syslog in case the file or the directory is accessed. +is sent to syslog in case the file or the directory is accessed. .br .br @@ -1698,13 +1703,13 @@ $ firejail \-\-tree .br 11903:netblue:firejail iceweasel .br - 11904:netblue:iceweasel + 11904:netblue:iceweasel .br 11957:netblue:/usr/lib/iceweasel/plugin-container .br -11969:netblue:firejail \-\-net=eth0 transmission-gtk +11969:netblue:firejail \-\-net=eth0 transmission-gtk .br - 11970:netblue:transmission-gtk + 11970:netblue:transmission-gtk .TP \fB\-\-version 
@@ -1720,7 +1725,7 @@ firejail version 0.9.27 .TP \fB\-\-veth-name=name -Use this name for the interface connected to the bridge for --net=bridge_interface commands, +Use this name for the interface connected to the bridge for --net=bridge_interface commands, instead of the default one. .br @@ -1733,7 +1738,7 @@ $ firejail \-\-net=br0 --veth-name=if0 \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, -everything else is discarded when the sandbox is closed. The top directory could be +everything else is discarded when the sandbox is closed. The top directory could be user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. .br @@ -1789,7 +1794,7 @@ Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing clients running outside the sandbox. Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. -If all fails, Firejail will not attempt to use Xvfb or X11 security extension. +If all fails, Firejail will not attempt to use Xvfb or X11 security extension. .br .br @@ -1828,7 +1833,7 @@ A security profile for OpenBox is provided. .br Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. -This feature is not available when running as root. +This feature is not available when running as root. .br .br 
@@ -1838,9 +1843,9 @@ $ firejail \-\-x11=xephyr --net=eth0 openbox .TP \fB\-\-x11=xorg -Sandbox the application using the untrusted mode implemented by X11 security extension. +Sandbox the application using the untrusted mode implemented by X11 security extension. The extension is available in Xorg package -and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted +and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted connection model. Untrusted clients are restricted in certain ways to prevent them from reading window contents of other clients, stealing input events, etc. @@ -1875,9 +1880,9 @@ $ firejail \-\-x11=xpra --net=eth0 firefox .TP \fB\-\-x11=xvfb -Start Xvfb X11 server and attach the sandbox to this server. -Xvfb, short for X virtual framebuffer, performs all graphical operations in memory -without showing any screen output. Xvfb is mainly used for remote access and software +Start Xvfb X11 server and attach the sandbox to this server. +Xvfb, short for X virtual framebuffer, performs all graphical operations in memory +without showing any screen output. Xvfb is mainly used for remote access and software testing on headless servers. .br @@ -1992,7 +1997,7 @@ $ firejail --tree .br 1190:netblue:firejail firefox .br - 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox" + 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox" .br 1221:netblue:/usr/lib/firefox/firefox .RE @@ -2246,7 +2251,7 @@ Parent pid 8553, child pid 8554 .br Child process initialized .br -[...] +[...] .br .br @@ -2260,7 +2265,7 @@ Child process initialized .RE See man 5 firejail-profile for profile file syntax information. - + .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in /etc/passwd file for each user that needs to be restricted. Alternatively, 
@@ -2307,6 +2312,3 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-
-
-
-- 
cgit v1.2.3-70-g09d2