Linux namespaces sandbox program
Usage
Without any options, the sandbox consists of a filesystem built
in a new mount namespace, and new PID and UTS namespaces. IPC,
network and user namespaces can be added using the command line
options. The default Firejail filesystem is based on the host
filesystem with the main system directories mounted read-only.
These directories are /etc, /var, /usr, /bin, /sbin, /lib,
/lib32, /libx32 and /lib64. Only /home and /tmp are writable.
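
The read-only layout described above can be checked against the mount table a process sees. The following script is an added example, not part of the Firejail documentation or code; the function names (ro_status, audit_ro, sample_mountinfo) and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Firejail code. Reports whether a path is read-only
# according to a mountinfo file (format of /proc/self/mountinfo).

# Directories the page lists as read-only in the default sandbox filesystem.
RO_DIRS="/etc /var /usr /bin /sbin /lib /lib32 /libx32 /lib64"

# ro_status MOUNTINFO PATH -> prints "ro", "rw" or "unknown"
# Field 5 is the mount point, field 6 the per-mount options. A read-only bind
# mount shows "ro" there even when the superblock options (last field) say "rw".
ro_status() {
    awk -v d="$2" '
        # A mount governs d if it is d itself, the root, or a parent directory.
        $5 == d || $5 == "/" || index(d, $5 "/") == 1 {
            # Longest mount point wins; ">=" lets a later line for the same
            # mount point override an earlier one (assumed to be stacked on top).
            if (length($5) >= best) {
                best = length($5)
                state = (("," $6 ",") ~ /,ro,/) ? "ro" : "rw"
            }
        }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}

# audit_ro MOUNTINFO PATH... -> one line per path, exit status 1 if any is not ro
audit_ro() {
    mi=$1; shift; rc=0
    for p in "$@"; do
        s=$(ro_status "$mi" "$p")
        echo "$p $s"
        [ "$s" = "ro" ] || rc=1
    done
    return $rc
}

# Constructed sample: /var is mounted twice, the second time read-only.
sample_mountinfo() {
    cat <<'EOF'
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
30 21 8:1 /etc /etc ro,nosuid,nodev,relatime - ext4 /dev/sda1 rw
31 21 8:1 /usr /usr ro,relatime - ext4 /dev/sda1 rw
32 21 8:1 /var /var rw,relatime - ext4 /dev/sda1 rw
33 32 8:1 /var /var ro,relatime - ext4 /dev/sda1 rw
34 21 0:40 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
EOF
}
```

Inside a sandbox, call audit_ro with /proc/self/mountinfo and $RO_DIRS. The lookup is by path prefix, so resolve symlinked directories first (for example with readlink -f).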

Upon execution, Firejail first looks in ~/.config/firejail/ for a
profile and, if it doesn't find one, it looks in /etc/firejail/.
For details on profile resolution, see
https://github.com/netblue30/firejail/wiki/Creating-Profiles#locations-and-types.

If an appropriate profile is not found, Firejail will use a
default profile. The default profile is quite restrictive. In
case the application doesn't work, use the --noprofile option to
disable it. For more information, please see the SECURITY PROFILES
section below.

If a program argument is not specified, Firejail starts the
user's preferred shell. Examples:

    $ firejail [OPTIONS]            # starting the program specified in $SHELL, usually /bin/bash
    $ firejail [OPTIONS] firefox    # starting Mozilla Firefox
    # sudo firejail [OPTIONS] /etc/init.d/nginx start