private-etc rework: new man page

README.md

@@ -182,6 +182,44 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 ## Current development version: 0.9.73
 
+### private-etc rework
+`````
+      --private-etc
+
+       --private-etc=file,directory
+              The files installed by --private-etc are copies of the  original
+              system  files  from  /etc  directory.   By  default, the command
+              brings in a skeleton of files and directories used by most  con‐
+              sole tools:
+
+              $ firejail --private-etc dig debian.org
+
+              For X11/GTK/QT/Gnome/KDE  programs add GUI group as a parameter.
+              Example:
+
+              $ firejail --private-etc=GUI,python* gimp
+
+              /etc/python* directories are not part of the generic GUI  group.
+              These directories are reuqired by Gimp plugin system. File glob‐
+              bing is supported.
+
+              For games, add GAMES group:
+
+              $ firejail --private-etc=GUI,GAMES warzone2100
+
+              Sound and networking files are  included  automatically,  unless
+              --nosound  or  --net=none  are  specified.   Files for encrypted
+              TLS/SSL protocol are in TLS-CA group.
+
+              $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+
+              Note: The easiest way to extract the list of /etc files accessed
+              by your program is using strace utility:
+
+              $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc
+
+`````
+We keep the list of groups in [src/include/etc_groups.h](https://github.com/netblue30/firejail/blob/master/src/include/etc_groups.h)
 
 ### Profile Statistics
 

src/man/firejail.txt

@@ -2127,22 +2127,34 @@ cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random  shm  snd  sr0
 .br
 $
 .TP
+\fB\-\-private-etc
+.TP
 \fB\-\-private-etc=file,directory
-Build a new /etc in a temporary
-filesystem, and copy the files and directories in the list.
-The files and directories in the list must be expressed as relative to
-the /etc directory (e.g., /etc/foo must be expressed as foo).
-If no listed file is found, /etc directory will be empty.
-All modifications are discarded when the sandbox is closed.
-Multiple private-etc commands are allowed and they accumulate.
-.br
+The files installed by \-\-private-etc are copies of the original system files from /etc directory.
+By default, the command brings in a skeleton of files and directories used by most console tools:
 
-.br
-Example:
-.br
-$ firejail --private-etc=group,hostname,localtime, \\
-.br
-nsswitch.conf,passwd,resolv.conf
+$ firejail --private-etc dig debian.org
+
+For X11/GTK/QT/Gnome/KDE  programs add GUI group as a parameter. Example:
+
+$ firejail --private-etc=GUI,python* gimp
+
+/etc/python* directories are not part of the generic GUI group.
+These directories are reuqired by Gimp plugin system. File globbing is supported.
+
+For games, add GAMES group:
+
+$ firejail --private-etc=GUI,GAMES warzone2100
+
+Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
+Files for encrypted TLS/SSL protocol are in TLS-CA group.
+
+$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+
+
+Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility:
+
+$ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc
 #ifdef HAVE_PRIVATE_HOME
 .TP
 \fB\-\-private-home=file,directory