netblue30 · Dieterbe · Oct 1, 2022 · Oct 4, 2022 · kmk3 · Jun 18, 2024
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
@@ -254,6 +254,16 @@ blacklist /usr/bin/gcc*
 blacklist ${PATH}/ifconfig
 .br
 blacklist ${HOME}/.ssh
+.br
+
+.br
+Blacklisted files are visible, but will get ownership set to root:root
+(unless the noroot option is active, in which case it'll be nobody:nobody).
+They get a size of 0 bytes, permissions 400, and reset timestamps and extended attributes.
+I/O operations (including deletes) on them will fail.
+.br
+Blacklisted directories are visible, but get permissions 400,
+ownership set to root:root and reset timestamps. I/O operations on them will fail. 
 
-.br
-
-.br
-Blacklisted files are visible, but will get ownership set to root:root
-(unless the noroot option is active, in which case it'll be nobody:nobody).
-They get a size of 0 bytes, permissions 400, and reset timestamps and extended attributes.
-I/O operations (including deletes) on them will fail.
-.br
-Blacklisted directories are visible, but get permissions 400,
-ownership set to root:root and reset timestamps. I/O operations on them will fail. 
+.PP
+When a path that does not exist is blacklisted, nothing is done.
+When a path that exists is blacklisted, an empty file or directory is
+bind-mounted on top of the original one inside of the sandbox.
+.PP
+The empty file and directory are located in the following paths:
+.PP
+/run/firejail/firejail.ro.file
+/run/firejail/firejail.ro.dir
+.PP
+They are created only once and are bind-mounted on top of all blacklisted
+files/directories in all sandboxes, so the timestamps of all blacklisted paths
+are identical.
+Both are owned by root:root (or nobody:nobody if the \fBnoroot\fR option is
+active).
+Their permissions are set to 400 and they likely have no extended attributes.
+Since the bind-mounted file is empty, blacklisted files appear to have a size
+of 0 bytes.
+Given their ownership and permissions, I/O operations (including deletion) on
+blacklisted paths will fail.
-.br
-
-.br
-Blacklisted files are visible, but will get ownership set to root:root
-(unless the noroot option is active, in which case it'll be nobody:nobody).
-They get a size of 0 bytes, permissions 400, and reset timestamps and extended attributes.
-I/O operations (including deletes) on them will fail.
-.br
-Blacklisted directories are visible, but get permissions 400,
-ownership set to root:root and reset timestamps. I/O operations on them will fail. 
+.PP
+When a path that does not exist is blacklisted, nothing is done.
+When a path that exists is blacklisted, an empty file or directory is
+bind-mounted on top of the original one inside of the sandbox.
+.PP
+The empty file and directory are located in the following paths:
+.PP
+/run/firejail/firejail.ro.file
+/run/firejail/firejail.ro.dir
+.PP
+They are created only once and are bind-mounted on top of all blacklisted
+files/directories in all sandboxes, so the timestamps of all blacklisted paths
+are identical.
+Both are owned by root:root (or nobody:nobody if the \fBnoroot\fR option is
+active).
+Their permissions are set to 400 and they likely have no extended attributes.
+Since the bind-mounted file is empty, blacklisted files appear to have a size
+of 0 bytes.
+Given their ownership and permissions, I/O operations (including deletion) on
+blacklisted paths will fail.
 .TP
 \fBblacklist-nolog file_or_directory
@@ -269,9 +279,13 @@ blacklist-nolog /usr/bin/gcc*
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
+Directories will retain the ownership and permissions of the original directory being mounted over (directory2).
+After termination, modificationss affect the overlay directory (directory1).
-After termination, modificationss affect the overlay directory (directory1).
+After termination, modifications affect the overlay directory (directory1).
-After termination, modificationss affect the overlay directory (directory1).
+After termination, modifications affect the overlay directory (directory1).
 .TP
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
+Files will retain the ownership and permissions of the original file being mounted over (file2).
+After termination, deletes do not persist but writes affect the overlayed file (file1).
 .TP
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
@@ -434,7 +448,9 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
+Mount an empty tmpfs filesystem on top of directory. Changes do not persist after termination.
+Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
+This directive has no effect for files (they appear unmodified and changes persist after termination).
-Mount an empty tmpfs filesystem on top of directory. Changes do not persist after termination.
-Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
-This directive has no effect for files (they appear unmodified and changes persist after termination).
+Mount an empty tmpfs filesystem on top of directory.
+Changes do not persist after termination.
+Directories outside of the user home or not owned by the user are not allowed.
+Sandboxes running as root are exempt from these restrictions.
+This directive has no effect for files (they appear unmodified and changes
+persist after termination).
-Mount an empty tmpfs filesystem on top of directory. Changes do not persist after termination.
-Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
-This directive has no effect for files (they appear unmodified and changes persist after termination).
+Mount an empty tmpfs filesystem on top of directory.
+Changes do not persist after termination.
+Directories outside of the user home or not owned by the user are not allowed.
+Sandboxes running as root are exempt from these restrictions.
+This directive has no effect for files (they appear unmodified and changes
+persist after termination).
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.