seccomp man page update

* move everything related to modification of the default seccomp filter from --seccomp to --seccomp= entry * update errno descriptions
author: smitsohu <smitsohu@gmail.com> 2021-06-26 12:56:41 +0200
committer: smitsohu <smitsohu@gmail.com> 2021-06-26 12:56:41 +0200
commit: 925c9fe6b075a719f23bffde699652375b6bfe5f (patch)
tree: 3c91601b1a178065b33e2828151db3a22eeab58b
parent: augment seccomp lists in firejail.config (diff)
download: firejail-925c9fe6b075a719f23bffde699652375b6bfe5f.tar.gz
firejail-925c9fe6b075a719f23bffde699652375b6bfe5f.tar.zst
firejail-925c9fe6b075a719f23bffde699652375b6bfe5f.zip
1 files changed, 27 insertions, 20 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7d7a1eb31..d4c2a5bc8 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2176,7 +2176,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless allow-debuggers is specified,
+which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 .br
@@ -2187,18 +2187,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
+.br
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
+and AMD64 both 32-bit and 64-bit filters are installed.
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
 .br
 .br
@@ -2217,9 +2212,10 @@ also globally in /etc/firejail/firejail.config file.
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
-list and the syscalls or syscall groups specified by the
+specified by the command, but don't blacklist "syscall2". On a 64 bit
-command.
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 .br
@@ -2229,6 +2225,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2241,6 +2244,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2249,9 +2253,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 .br
@@ -2264,7 +2272,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2276,8 +2284,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
+Operation not permitted
-.br
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2321,15 +2328,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
author	smitsohu <smitsohu@gmail.com>	2021-06-26 12:56:41 +0200
committer	smitsohu <smitsohu@gmail.com>	2021-06-26 12:56:41 +0200
commit	925c9fe6b075a719f23bffde699652375b6bfe5f (patch)
tree	3c91601b1a178065b33e2828151db3a22eeab58b
parent	augment seccomp lists in firejail.config (diff)
download	firejail-925c9fe6b075a719f23bffde699652375b6bfe5f.tar.gz firejail-925c9fe6b075a719f23bffde699652375b6bfe5f.tar.zst firejail-925c9fe6b075a719f23bffde699652375b6bfe5f.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7d7a1eb31..d4c2a5bc8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -2176,7 +2176,7 @@ $ firejail \-\-net=eth0 \-\-scan
2176	.TP	2176	.TP
2177	\fB\-\-seccomp	2177	\fB\-\-seccomp
2178	Enable seccomp filter and blacklist the syscalls in the default list,	2178	Enable seccomp filter and blacklist the syscalls in the default list,
2179	which is @default-nodebuggers unless allow-debuggers is specified,	2179	which is @default-nodebuggers unless \-\-allow-debuggers is specified,
2180	then it is @default.	2180	then it is @default.
2181		2181
2182	.br	2182	.br
@@ -2187,18 +2187,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
2187	@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,	2187	@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
2188	@resources, @setuid, @swap, @sync, @system-service and @timer.	2188	@resources, @setuid, @swap, @sync, @system-service and @timer.
2189	More information about groups can be found in /usr/share/doc/firejail/syscalls.txt	2189	More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
2190		2190	.br
2191	In addition, a system call can be specified by its number instead of
2192	name with prefix $, so for example $165 would be equal to mount on i386.
2193	Exceptions can be allowed with prefix !.
2194		2191
2195	.br	2192	.br
2196	System architecture is strictly imposed only if flag	2193	System architecture is strictly imposed only if flag
2197	\-\-seccomp.block-secondary is used. The filter is applied at run time	2194	\-\-seccomp.block-secondary is used. The filter is applied at run time
2198	only if the correct architecture was detected. For the case of I386	2195	only if the correct architecture was detected. For the case of I386
2199	and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit	2196	and AMD64 both 32-bit and 64-bit filters are installed.
2200	architecture, an additional filter for 32 bit system calls can be
2201	installed with \-\-seccomp.32.
2202	.br	2197	.br
2203		2198
2204	.br	2199	.br
@@ -2217,9 +2212,10 @@ also globally in /etc/firejail/firejail.config file.
2217		2212
2218	.TP	2213	.TP
2219	\fB\-\-seccomp=syscall,@group,!syscall2	2214	\fB\-\-seccomp=syscall,@group,!syscall2
2220	Enable seccomp filter, whitelist "syscall2", but blacklist the default	2215	Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
2221	list and the syscalls or syscall groups specified by the	2216	specified by the command, but don't blacklist "syscall2". On a 64 bit
2222	command.	2217	architecture, an additional filter for 32 bit system calls can be
		2218	installed with \-\-seccomp.32.
2223	.br	2219	.br
2224		2220
2225	.br	2221	.br
@@ -2229,6 +2225,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
2229	.br	2225	.br
2230	$ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk	2226	$ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
2231	.br	2227	.br
		2228	$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
		2229	.br
		2230
		2231	.br
		2232	Syscalls can be specified by their number if prefix $ is added,
		2233	so for example $165 would be equal to mount on i386.
		2234	.br
2232		2235
2233	.br	2236	.br
2234	Instead of dropping the syscall by returning EPERM, another error	2237	Instead of dropping the syscall by returning EPERM, another error
@@ -2241,6 +2244,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
2241		2244
2242	.br	2245	.br
2243	Example:	2246	Example:
		2247	.br
2244	$ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes	2248	$ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
2245	.br	2249	.br
2246	Parent pid 10662, child pid 10663	2250	Parent pid 10662, child pid 10663
@@ -2249,9 +2253,13 @@ Child process initialized
2249	.br	2253	.br
2250	$ touch testfile	2254	$ touch testfile
2251	.br	2255	.br
		2256	$ ls testfile
		2257	.br
		2258	testfile
		2259	.br
2252	$ rm testfile	2260	$ rm testfile
2253	.br	2261	.br
2254	rm: cannot remove `testfile': Operation not permitted	2262	rm: cannot remove `testfile': No such file or directory
2255	.br	2263	.br
2256		2264
2257	.br	2265	.br
@@ -2264,7 +2272,7 @@ filters.
2264	.br	2272	.br
2265	Example:	2273	Example:
2266	.br	2274	.br
2267	$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash	2275	$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
2268	.br	2276	.br
2269	Parent pid 32751, child pid 32752	2277	Parent pid 32751, child pid 32752
2270	.br	2278	.br
@@ -2276,8 +2284,7 @@ Child process initialized in 46.44 ms
2276	.br	2284	.br
2277	$ ls	2285	$ ls
2278	.br	2286	.br
2279	Bad system call	2287	Operation not permitted
2280	.br
2281		2288
2282	.TP	2289	.TP
2283	\fB\-\-seccomp.block-secondary	2290	\fB\-\-seccomp.block-secondary
@@ -2321,15 +2328,15 @@ Child process initialized
2321	.br	2328	.br
2322	$ touch testfile	2329	$ touch testfile
2323	.br	2330	.br
		2331	$ ls testfile
		2332	.br
		2333	testfile
		2334	.br
2324	$ rm testfile	2335	$ rm testfile
2325	.br	2336	.br
2326	rm: cannot remove `testfile': Operation not permitted	2337	rm: cannot remove `testfile': No such file or directory
2327	.br	2338	.br
2328		2339
2329
2330
2331
2332
2333	.TP	2340	.TP
2334	\fB\-\-seccomp.keep=syscall,@group,!syscall2	2341	\fB\-\-seccomp.keep=syscall,@group,!syscall2
2335	Enable seccomp filter, blacklist all syscall not listed and "syscall2".	2342	Enable seccomp filter, blacklist all syscall not listed and "syscall2".