From 2aa7ec97db26c567a6b2d45cd906c062960584dd Mon Sep 17 00:00:00 2001 From: sarneaud Date: Tue, 1 Sep 2015 15:07:30 +1000 Subject: Add noblacklist command to firejail. * Basic implementation * Updates to standard profiles * Update to firejail-profile manpage --- src/man/firejail-profile.txt | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src') diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5167a4c42..64565ab0b 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -87,6 +87,7 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" These profile entries define a chroot filesystem built on top of the existing host filesystem. Each line describes a file element that is removed from the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), +a filter for finer control of blacklisting (\fBnoblacklist\fR), a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), or mount-bind a directory or file on top of another directory or file (\fBbind\fR). Use \fBprivate\fR to set private mode. @@ -117,6 +118,14 @@ Remove ifconfig command from the regular path directories. \f\blacklist ${HOME}/.ssh Remove .ssh directory from user home directory. .TP +\f\ noblacklist ${HOME}/config/evince +Prevent any new blacklist commands from blacklisting +config/evince in the user home directory. Useful for defining +exceptions before including a large blacklist from a file. Note +that blacklisting ${HOME}/config can still make +${HOME}/config/evince effectively unreachable through filesystem +traversal. +.TP \f\private Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is -- cgit v1.2.3-54-g00ecf
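Review bot: the new list item in the first hunk, "a filter for finer control of blacklisting (\fBnoblacklist\fR)", names the command but not its effect, while every neighbouring item states what the line does to the filesystem ("removed from the filesystem", "a read-only file or directory", "a tmpfs mounted on top of an existing directory"). Suggest wording it the same way and making the ordering rule visible in the overview, e.g. "a path exempted from any blacklist entries that follow it (\fBnoblacklist\fR)", so a reader learns here that the line only protects against later blacklist lines, which is the property the example section below depends on.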
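Review bot: the example entry in the second hunk, `\f\ noblacklist ${HOME}/config/evince`, has a space after `\f\` that the adjacent entries `\f\blacklist ${HOME}/.ssh` and `\f\private` do not, so this entry will render differently from the others; drop the space to match them. The path `${HOME}/config/evince` also looks like it is missing the leading dot of `.config` (Evince keeps its settings under `~/.config/evince`), and the same path appears three times in the hunk, so as written the example exempts a directory that normally does not exist. "Prevent any new blacklist commands" would be clearer as "Prevent any subsequent blacklist commands", which states outright that line order matters and that a noblacklist placed after a blacklist has no effect on it. The closing caveat that blacklisting `${HOME}/config` still makes `${HOME}/config/evince` unreachable is worth keeping: the exemption is only useful while the parent directory stays traversable, and profile authors need that to reason about which of their blacklist lines can silently undo the exception.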