Firejail: Our documentation

OK, let's make readthedocs the official documentation site for firejail. I have no idea what we need to do to set it up, so let's make @Fred-Barclay the boss. Once is started I'll clean up the wordpress site. Over there we need only release announcements, download links, some simple docs for beginners, videos and blogs.

What are the plans then for the manpages?
At least I find them useful and I think many advanced users are likely to look something up there first.

I like the idea of having also more beginner-friendly documentation online, and also for different versions.
You suggested another repository for that. Could the .rst/.md files also be kept in this repository to make distribution within the source tarballs easier?

@reinerh I think this is more in lieu of the documentation currently on the firejail website. As I understand it, this will not replace the man pages.

Alrighty then, I'll get started. :smile:
@reinerh the man pages stay, no worries. As @chiraag-nataraj said, this is just for online documentation.
Also I've realised that we will in fact need the docs in this repo in a docs/ folder, not in a separate repo.

@Fred-Barclay I'd love to help get this up and running!

@chiraag-nataraj Thanks -- that would be great! I'll make sure I get what I've done so far (which isn't much) up by Friday at the latest. Had some plans change unexpectedly since my last comment here so I've not been able to put in as much time as I expected. :wink:

My man-page gripes:

--blacklist=dirname_or_filename
              Blacklist directory or file.

Obviously we're blacklisting something, but what does it mean to blacklist something? What's the difference between being blacklisted and not being whitelisted? Man page should make this clear. Also, to have dirname_or_filename on the right hand side with underscores is not a good style because underscores imply code or something literal. I would replace the underscores with spaces and put the RHS in angle brackets.

--debug-blacklists
              Debug blacklisting.

              Example:
              $ firejail --debug-blacklists firefox

Okay, but what does it mean to debug when the example gives no sample output? To some this could imply stepping through something. It's already evident from the option that we are debugging blacklists. It'd be more clear to say "enable verbose output to list blacklisted elements".

--env=name=value
              Set environment variable in the new sandbox.

              Example:
              $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib

We could use an example for unsetting a variable. Would also be useful to mention that all variables in the parent scope are inherited by the sandboxed shell if that's indeed the case.

--noblacklist=dirname_or_filename
              Disable blacklist for this directory or file.

Should also mention what the effect of this is. Does it mean we have write permission or just read permission? I'm guessing read permission because profiles often noblacklist something and then follow that with whitelisting. An example showing that case and stating that it's to grant write access would help. (side note: why doesn't --whitelist imply --noblacklist? And why doesn't --whitelist=/var/log imply --whitelist-var?).

--whitelist=dirname_or_filename
              Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-
              binded inside. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed.
              The top directory could be user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.

              Symbolic  link handling: with the exception of user home, both the link and the real file should be in the same top direc‐
              tory. For user home, both the link and the real file should be owned by the user.

              Example:
              $ firejail --noprofile --whitelist=~/.mozilla
              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
              $ firejail "--whitelist=/home/username/My Virtual Machines"

Seems to say gives write permission in a very low-level way of saying it. I would keep the detail but replace the obvious and redundant "Whitelist directory or file" with "grant write permission on a file or dir". Also, it's important to say that --whitelist does not work without --whitelist-var in the case of /var/. An example that combines the two would be good.

--trace
              Trace open, access and connect system calls.

Needs to say something like "not compatible with --tracelog."

--tracelog
              This option enables auditing blacklisted files and directories. A message is sent to syslog in case the file or the direc‐
              tory is accessed.

Needs to say something like "not compatible with --tracel."

@libBletchley you've got a lot of questions

• there is no --whitelist-var only --writable-var
• there are two main types of profiles: blacklist and whitelist
  
  
  
  • blacklist removes access to most other program and sensitive files, but leaves everything else accessible
  
  
  • whitelist prevents all access except for what is whitelisted
  
  
  • all official profiles contain noblacklist in whitelist profiles to allow them to be easily converted from whitelist to a blacklist profile if the user wants a less strict profile. See #1569 and #2070
  
  
• trace is more of a debugging/profile writing feature, whereas tracelog is meant to be always on if possible

@libBletchley man contributions welcome 😄

I was happy to bark out orders because I thought we were all piling the work on @Fred-Barclay. So it seems I've been tricked.

Bwahaha! I haven't touched this in too long -- it's still something I want to get in but I just haven't had the time. :(

Let's move the discussion over to #2729.