diff options
author | startx2017 <vradu.startx@yandex.com> | 2020-09-03 16:02:14 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2020-09-03 16:02:14 -0400 |
commit | 0421623058694cb15d1b857f67f21e683e2aab55 (patch) | |
tree | 3c7ee0dd2e841e58bcd6d114cf66d53a6c51db95 /src/man/firejail-profile.txt | |
parent | manpages: configuration for tunnel, chroot, private-home (diff) | |
download | firejail-0421623058694cb15d1b857f67f21e683e2aab55.tar.gz firejail-0421623058694cb15d1b857f67f21e683e2aab55.tar.zst firejail-0421623058694cb15d1b857f67f21e683e2aab55.zip |
manpages: configuration for user namespace, x11
Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 283b4ba15..bc8067f91 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -401,10 +401,12 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes | |||
401 | cannot acquire new privileges using execve(2); in particular, | 401 | cannot acquire new privileges using execve(2); in particular, |
402 | this means that calling a suid binary (or one with file capabilities) | 402 | this means that calling a suid binary (or one with file capabilities) |
403 | does not result in an increase of privilege. | 403 | does not result in an increase of privilege. |
404 | #ifdef HAVE_USERNS | ||
404 | .TP | 405 | .TP |
405 | \fBnoroot | 406 | \fBnoroot |
406 | Use this command to enable an user namespace. The namespace has only one user, the current user. | 407 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
407 | There is no root account (uid 0) defined in the namespace. | 408 | There is no root account (uid 0) defined in the namespace. |
409 | #endif | ||
408 | .TP | 410 | .TP |
409 | \fBprotocol protocol1,protocol2,protocol3 | 411 | \fBprotocol protocol1,protocol2,protocol3 |
410 | Enable protocol filter. The filter is based on seccomp and checks the | 412 | Enable protocol filter. The filter is based on seccomp and checks the |
@@ -443,6 +445,7 @@ Enable seccomp filter and whitelist the system calls in the list for 32 bit syst | |||
443 | Return a different error instead of EPERM to the process, kill it when | 445 | Return a different error instead of EPERM to the process, kill it when |
444 | an attempt is made to call a blocked system call, or allow but log the | 446 | an attempt is made to call a blocked system call, or allow but log the |
445 | attempt. | 447 | attempt. |
448 | #ifdef HAVE_X11 | ||
446 | .TP | 449 | .TP |
447 | \fBx11 | 450 | \fBx11 |
448 | Enable X11 sandboxing. | 451 | Enable X11 sandboxing. |
@@ -476,7 +479,7 @@ Example: | |||
476 | xephyr-screen 640x480 | 479 | xephyr-screen 640x480 |
477 | .br | 480 | .br |
478 | x11 xephyr | 481 | x11 xephyr |
479 | 482 | #endif | |
480 | .SH DBus filtering | 483 | .SH DBus filtering |
481 | 484 | ||
482 | Access to the session and system DBus UNIX sockets can be allowed, filtered or | 485 | Access to the session and system DBus UNIX sockets can be allowed, filtered or |