From 0e88d053e806b2f2b5589f92683e6ad5f934b09d Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 11 Mar 2016 08:07:20 -0500
Subject: nosound support in profile files
---
 src/firejail/profile.c | 5 +++++
 src/man/firejail-profile.txt | 26 ++++++++++++--------------
 2 files changed, 17 insertions(+), 14 deletions(-)
(limited to 'src')
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 28df9f03e..461bcb941 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -163,6 +163,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_nogroups = 1;
 return 0;
 }
+ else if (strcmp(ptr, "nosound") == 0) {
+ arg_nosound = 1;
+ arg_private_dev = 1;
+ return 0;
+ }
 else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
 arg_netfilter = 1;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 8897efc09..c5de79118 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -223,9 +223,13 @@ Enable seccomp filter and whitelist the system calls in the list. Use this command to enable an user namespace. The namespace has only one user, the current user. There is no root account (uid 0) defined in the namespace.
-.SH Resource limits
+.SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
-The limits can be modified inside the sandbox using the regular \fBulimit\fR command. Example:
+The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
+configures the CPU cores available, and \fBcgroup\fR command
+place the sandbox in an existing control group.
+
+Examples:
 .TP
 \fBrlimit-fsize 1024
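Review bot: The new `nosound` branch in the profile.c hunk also sets `arg_private_dev = 1`, and neither the code nor the man page entry added in this same commit ("Disable sound system.") tells a profile author that the keyword turns on private-dev as well. That coupling changes what the sandboxed program sees under /dev beyond sound, presumably so that the sound device nodes are not reachable, so it deserves a comment above the assignment such as `/* nosound implies private-dev */` and a matching sentence in firejail-profile.txt. Whether the command-line handling of the same option sets the same pair of flags is not visible here; the two paths should agree so that a profile and the equivalent command line produce the same sandbox. profile_check_line starts and continues outside the hunk.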
@@ -239,23 +243,14 @@ Set the maximum number of files that can be opened by a process to 500.
 .TP
 \fBrlimit-sigpending 200
 Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
-
-.SH CPU Affinity
-Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples:
-
 .TP
-cpu 1,2,3
+\fBcpu 1,2,3
 Use only CPU cores 0, 1 and 2.
-
 .TP
-nice -5
+\fBnice -5
 Set a nice value of -5 to all processes running inside the sandbox.
-
-.SH Control Groups
-Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example:
-
 .TP
-cgroup /sys/fs/cgroup/g1/tasks
+\fBcgroup /sys/fs/cgroup/g1/tasks
 The sandbox is placed in g1 control group.
 .SH User Environment
@@ -286,6 +281,9 @@ Run the program directly, without a shell.
 .TP
 \fBipc-namespace
 Enable IPC namespace.
+.TP
+\fBnosound
+Disable sound system.
 .SH Networking
 Networking features available in profile files.
-- cgit v1.2.3-54-g00ecf