diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-08-23 14:00:41 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-08-23 14:00:41 -0400 |
| commit | 5865c565bd8f8dfb024e4b399c1031746110dea7 (patch) | |
| tree | 2c614f905c424e050a6c6afb4287aa7570aa7a99 | |
| parent | enforce seccomp (diff) | |
| download | firejail-5865c565bd8f8dfb024e4b399c1031746110dea7.tar.gz firejail-5865c565bd8f8dfb024e4b399c1031746110dea7.tar.zst firejail-5865c565bd8f8dfb024e4b399c1031746110dea7.zip | |
man page
| -rw-r--r-- | src/man/firejail.txt | 19 |
1 files changed, 7 insertions, 12 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index dd21951ec..9ae5d6782 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1587,8 +1587,8 @@ Example: | |||
| 1587 | .br | 1587 | .br |
| 1588 | $ firejail \-\-seccomp | 1588 | $ firejail \-\-seccomp |
| 1589 | .TP | 1589 | .TP |
| 1590 | \fB\-\-seccomp=syscall,syscall,syscall | 1590 | \fB\-\-seccomp=syscall,@group |
| 1591 | Enable seccomp filter, blacklist the default list (@default) and the syscalls specified by the command. | 1591 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. |
| 1592 | .br | 1592 | .br |
| 1593 | 1593 | ||
| 1594 | .br | 1594 | .br |
| @@ -1596,6 +1596,8 @@ Example: | |||
| 1596 | .br | 1596 | .br |
| 1597 | $ firejail \-\-seccomp=utime,utimensat,utimes firefox | 1597 | $ firejail \-\-seccomp=utime,utimensat,utimes firefox |
| 1598 | .br | 1598 | .br |
| 1599 | $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk | ||
| 1600 | .br | ||
| 1599 | 1601 | ||
| 1600 | .br | 1602 | .br |
| 1601 | Instead of dropping the syscall, a specific error number can be returned | 1603 | Instead of dropping the syscall, a specific error number can be returned |
| @@ -1604,9 +1606,6 @@ using \fBsyscall:errorno\fR syntax. | |||
| 1604 | 1606 | ||
| 1605 | .br | 1607 | .br |
| 1606 | Example: | 1608 | Example: |
| 1607 | .br | ||
| 1608 | |||
| 1609 | .br | ||
| 1610 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes | 1609 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes |
| 1611 | .br | 1610 | .br |
| 1612 | Parent pid 10662, child pid 10663 | 1611 | Parent pid 10662, child pid 10663 |
| @@ -1629,8 +1628,6 @@ system calls later. | |||
| 1629 | .br | 1628 | .br |
| 1630 | Example: | 1629 | Example: |
| 1631 | .br | 1630 | .br |
| 1632 | |||
| 1633 | .br | ||
| 1634 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash | 1631 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash |
| 1635 | .br | 1632 | .br |
| 1636 | Parent pid 32751, child pid 32752 | 1633 | Parent pid 32751, child pid 32752 |
| @@ -1655,14 +1652,14 @@ domain with personality(2) system call. | |||
| 1655 | .br | 1652 | .br |
| 1656 | 1653 | ||
| 1657 | .TP | 1654 | .TP |
| 1658 | \fB\-\-seccomp.drop=syscall,syscall,syscall | 1655 | \fB\-\-seccomp.drop=syscall,@group |
| 1659 | Enable seccomp filter, and blacklist the syscalls specified by the command. | 1656 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. |
| 1660 | .br | 1657 | .br |
| 1661 | 1658 | ||
| 1662 | .br | 1659 | .br |
| 1663 | Example: | 1660 | Example: |
| 1664 | .br | 1661 | .br |
| 1665 | $ firejail \-\-seccomp.drop=utime,utimensat,utimes | 1662 | $ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock |
| 1666 | .br | 1663 | .br |
| 1667 | 1664 | ||
| 1668 | .br | 1665 | .br |
| @@ -1673,8 +1670,6 @@ using \fBsyscall:errorno\fR syntax. | |||
| 1673 | .br | 1670 | .br |
| 1674 | Example: | 1671 | Example: |
| 1675 | .br | 1672 | .br |
| 1676 | |||
| 1677 | .br | ||
| 1678 | $ firejail \-\-seccomp.drop=unlinkat:ENOENT,utimensat,utimes | 1673 | $ firejail \-\-seccomp.drop=unlinkat:ENOENT,utimensat,utimes |
| 1679 | .br | 1674 | .br |
| 1680 | Parent pid 10662, child pid 10663 | 1675 | Parent pid 10662, child pid 10663 |