From a344c555ff282c23a8274d10ad0f75eb4fae6836 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 10 Jul 2016 10:08:53 -0400
Subject: --noexec

---
 src/firejail/usage.c | 4 +++-
 src/man/firejail-profile.txt | 3 +++
 src/man/firejail.txt | 15 +++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 6b7a666db..f7a93174f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -147,9 +147,11 @@ void usage(void) {
 printf(" --nice=value - set nice value\n\n");
 printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
 printf("\tfile.\n\n");
+ printf(" --noexec=dirname_of_filenam - remount the file or directory noexec\n");
+ printf("\tnosuid and nodev\n\n");
 printf(" --nogroups - disable supplementary groups. Without this option,\n");
 printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
- printf("\t For root, groups are always disabled.\n\n");
+ printf("\tFor root, groups are always disabled.\n\n");
 printf(" --noprofile - do not use a profile. Profile priority is use the one\n");
 printf("\tspecified on the command line, next try to find one that\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 98fa17908..504842a9e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -157,6 +157,9 @@ whitelist ~/.cache/mozilla/firefox
 Similar to mkdir, this command creates a file in user home before the sandbox is started.
 The file is created if it doesn't already exist.
 .TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary filesystems.
 All modifications are discarded when the sandbox is
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7c9cd98de..cd9ea6a8a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
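Review bot: The argument name in the new `--noexec` help line is misspelled as `dirname_of_filenam`, so anyone copying it from `firejail --help` gets a form that differs from the `\-\-noexec=dirname_or_filename` documented in firejail.txt in this same commit and from the adjacent `--noblacklist=dirname_or_filename` line. Change the two added printf strings to `" --noexec=dirname_or_filename - remount the file or directory noexec,\n"` and `"\tnosuid and nodev.\n\n"` so the option is spelled and punctuated the same way everywhere. Because the man page notes that /etc and /var are already noexec and that the flag has to target the last mount on the path, a one-line pointer in the help text such as `"\t(see firejail(1) for default noexec paths)\n"` would spare a reader a surprise; that part is optional. usage() starts before this hunk and continues after it.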
@@ -850,6 +850,21 @@ $ nc dict.org 2628
 .br
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
+.TP
\fB\-\-noexec=dirname_or_filename
+Remount directory or file noexec, nodev and nosuid.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noexec=/tmp
+.br
+
+.br
+/etc and /var are noexec by default. If there are more than one mount operation
+on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
+
 .TP
 \fB\-\-nogroups
 Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
-- cgit v1.2.3-70-g09d2