docs and comment updates

adds sorting to syscall list in firejail man page

5 files changed, 26 insertions, 23 deletions

diff --git a/etc/firejail-default b/etc/firejail-default
index 2e48439f5..5cfb1b5ea 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,10 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 
 ##########
-# Allows to attach to a running program and modify the process memory.
-# May be needed by chromium crash handler. Uncomment if you need it.
+# With ptrace it is possible to inspect and hijack running programs. Usually this
+# is needed only for debugging. To allow ptrace, uncomment the following line
 ##########
-#ptrace (trace tracedby),
+#ptrace,
 
 ##########
 # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
@@ -133,8 +133,8 @@ network raw,
 signal,
 
 ##########
-# We let Firejail deal with capabilities,
-# but mac_admin should be dropped in any case.
+# We let Firejail deal with capabilities, but ensure that
+# some AppArmor related capabilities will not be available.
 ##########
 capability chown,
 capability dac_override,
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 015709247..c2270ce39 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ seccomp
 shell none
 
 disable-mnt
-#private-dev
+# private-dev - needs /dev/disk
 private-tmp
 
 noexec ${HOME}
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 7040dea18..8cf4fccf3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1078,7 +1078,7 @@ void x11_xorg(void) {
         // check xauth utility is present in the system
         struct stat s;
         if (stat("/usr/bin/xauth", &s) == -1) {
-                fprintf(stderr, "Error: xauth utility not found in PATH.  Please install it:\n"
+                fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"
                         "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
                 exit(1);
         }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b529f63e3..0217e1353 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -223,7 +223,8 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
+random, snd, urandom, video, log and shm devices are available.
 .TP
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
@@ -448,6 +449,12 @@ Run the program directly, without a shell.
 \fBipc-namespace
 Enable IPC namespace.
 .TP
+\fBnodbus
+Disable D-Bus access. Only the regular UNIX socket is handled by
+this command. To disable the abstract socket, you would need to
+request a new network namespace using the net command. Another
+option is to remove unix from protocol set.
+.TP
 \fBnosound
 Disable sound system.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2e410061d..d8fed1f31 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1602,20 +1602,16 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, set_mempolicy,
-migrate_pages, move_pages, vmsplice, chroot,
-tuxcall, reboot, mfsservctl, get_kernel_syms,
-bpf, clock_settime, personality, process_vm_writev, query_module,
-settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname,  sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup and vserver.
+_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
+create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
+io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, mfsservctl, migrate_pages, modify_ldt, mount, move_pages, mpx,
+name_to_handle_at, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
+personality, pivot_root, process_vm_readv, process_vm_writev, process_vm_writev, prof, profil, ptrace, putpmsg,
+query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
+security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
+swapoff, swapon, switch_endian, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
+vm86, vm86old, vmsplice and vserver.
 
 .br
 To help creating useful seccomp filters more easily, the following
@@ -1698,7 +1694,7 @@ Bad system call
 .br
 
 .TP
-\fB\-\-seccomp.block_secondary
+\fB\-\-seccomp.block-secondary
 Enable seccomp filter and filter system call architectures so that
 only the native architecture is allowed. For example, on amd64, i386
 and x32 system calls are blocked as well as changing the execution