author | startx2017 <vradu.startx@yandex.com> | 2017-05-26 11:38:16 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2017-05-26 11:38:16 -0400 |
commit | c1d43f41230cdd0bc929c0050f60024fc98fc37b (patch) | |
tree | f08a4dee4c2733f3d9ddf27a68820a70120142b4 | |
parent | whitelisting ktorrent profile (diff) | |
fix manpage: removed --seccomp.errno, currently supported by the regular --seccomp=command
-rw-r--r-- | src/man/firejail.txt | 55 |
1 files changed, 44 insertions, 11 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index de300d47b..25992fb3e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1474,6 +1474,31 @@ Enable seccomp filter, blacklist the default list and the syscalls specified by | |||
1474 | Example: | 1474 | Example: |
1475 | .br | 1475 | .br |
1476 | $ firejail \-\-seccomp=utime,utimensat,utimes firefox | 1476 | $ firejail \-\-seccomp=utime,utimensat,utimes firefox |
1477 | .br | ||
1478 | |||
1479 | .br | ||
1480 | Instead of dropping the syscall, a specific error number can be returned | ||
1481 | using \fBsyscall:errorno\fR syntax. | ||
1482 | .br | ||
1483 | |||
1484 | .br | ||
1485 | Example: | ||
1486 | .br | ||
1487 | |||
1488 | .br | ||
1489 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes | ||
1490 | .br | ||
1491 | Parent pid 10662, child pid 10663 | ||
1492 | .br | ||
1493 | Child process initialized | ||
1494 | .br | ||
1495 | $ touch testfile | ||
1496 | .br | ||
1497 | $ rm testfile | ||
1498 | .br | ||
1499 | rm: cannot remove `testfile': Operation not permitted | ||
1500 | .br | ||
1501 | |||
1477 | .TP | 1502 | .TP |
1478 | \fB\-\-seccomp.drop=syscall,syscall,syscall | 1503 | \fB\-\-seccomp.drop=syscall,syscall,syscall |
1479 | Enable seccomp filter, and blacklist the syscalls specified by the command. | 1504 | Enable seccomp filter, and blacklist the syscalls specified by the command. |
@@ -1483,26 +1508,19 @@ Enable seccomp filter, and blacklist the syscalls specified by the command. | |||
1483 | Example: | 1508 | Example: |
1484 | .br | 1509 | .br |
1485 | $ firejail \-\-seccomp.drop=utime,utimensat,utimes | 1510 | $ firejail \-\-seccomp.drop=utime,utimensat,utimes |
1486 | .TP | ||
1487 | \fB\-\-seccomp.keep=syscall,syscall,syscall | ||
1488 | Enable seccomp filter, and whitelist the syscalls specified by the command. | ||
1489 | .br | 1511 | .br |
1490 | 1512 | ||
1491 | .br | 1513 | .br |
1492 | Example: | 1514 | Instead of dropping the syscall, a specific error number can be returned |
1493 | .br | 1515 | using \fBsyscall:errorno\fR syntax. |
1494 | $ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk | ||
1495 | .TP | ||
1496 | \fB\-\-seccomp.<errno>=syscall,syscall,syscall | ||
1497 | Enable seccomp filter, and return errno for the syscalls specified by the command. | ||
1498 | .br | 1516 | .br |
1499 | 1517 | ||
1500 | .br | 1518 | .br |
1501 | Example: a Bash shell where deleting files is disabled | 1519 | Example: |
1502 | .br | 1520 | .br |
1503 | 1521 | ||
1504 | .br | 1522 | .br |
1505 | $ firejail --seccomp.eperm=unlinkat | 1523 | $ firejail \-\-seccomp.drop=unlinkat:ENOENT,utimensat,utimes |
1506 | .br | 1524 | .br |
1507 | Parent pid 10662, child pid 10663 | 1525 | Parent pid 10662, child pid 10663 |
1508 | .br | 1526 | .br |
@@ -1513,6 +1531,21 @@ $ touch testfile | |||
1513 | $ rm testfile | 1531 | $ rm testfile |
1514 | .br | 1532 | .br |
1515 | rm: cannot remove `testfile': Operation not permitted | 1533 | rm: cannot remove `testfile': Operation not permitted |
1534 | .br | ||
1535 | |||
1536 | |||
1537 | |||
1538 | |||
1539 | |||
1540 | .TP | ||
1541 | \fB\-\-seccomp.keep=syscall,syscall,syscall | ||
1542 | Enable seccomp filter, and whitelist the syscalls specified by the command. | ||
1543 | .br | ||
1544 | |||
1545 | .br | ||
1546 | Example: | ||
1547 | .br | ||
1548 | $ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk | ||
1516 | 1549 | ||
1517 | .TP | 1550 | .TP |
1518 | \fB\-\-seccomp.print=name|PID | 1551 | \fB\-\-seccomp.print=name|PID |