diff options
| author |  startx2017 <vradu.startx@yandex.com> | 2020-09-03 16:02:14 -0400 |
|---|---|---|
| committer | startx2017 <vradu.startx@yandex.com> | 2020-09-03 16:02:14 -0400 |
| commit | 0421623058694cb15d1b857f67f21e683e2aab55 (patch) | |
| tree | 3c7ee0dd2e841e58bcd6d114cf66d53a6c51db95 /src/man/firejail-profile.txt | |
| parent | manpages: configuration for tunnel, chroot, private-home (diff) | |
| download | firejail-0421623058694cb15d1b857f67f21e683e2aab55.tar.gz firejail-0421623058694cb15d1b857f67f21e683e2aab55.tar.zst firejail-0421623058694cb15d1b857f67f21e683e2aab55.zip | |
manpages: configuration for user namespace, x11
Diffstat (limited to 'src/man/firejail-profile.txt')
| -rw-r--r-- | src/man/firejail-profile.txt | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 283b4ba15..bc8067f91 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -401,10 +401,12 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes | |||
| 401 | cannot acquire new privileges using execve(2); in particular, | 401 | cannot acquire new privileges using execve(2); in particular, |
| 402 | this means that calling a suid binary (or one with file capabilities) | 402 | this means that calling a suid binary (or one with file capabilities) |
| 403 | does not result in an increase of privilege. | 403 | does not result in an increase of privilege. |
| 404 | #ifdef HAVE_USERNS | ||
| 404 | .TP | 405 | .TP |
| 405 | \fBnoroot | 406 | \fBnoroot |
| 406 | Use this command to enable an user namespace. The namespace has only one user, the current user. | 407 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
| 407 | There is no root account (uid 0) defined in the namespace. | 408 | There is no root account (uid 0) defined in the namespace. |
| 409 | #endif | ||
| 408 | .TP | 410 | .TP |
| 409 | \fBprotocol protocol1,protocol2,protocol3 | 411 | \fBprotocol protocol1,protocol2,protocol3 |
| 410 | Enable protocol filter. The filter is based on seccomp and checks the | 412 | Enable protocol filter. The filter is based on seccomp and checks the |
| @@ -443,6 +445,7 @@ Enable seccomp filter and whitelist the system calls in the list for 32 bit syst | |||
| 443 | Return a different error instead of EPERM to the process, kill it when | 445 | Return a different error instead of EPERM to the process, kill it when |
| 444 | an attempt is made to call a blocked system call, or allow but log the | 446 | an attempt is made to call a blocked system call, or allow but log the |
| 445 | attempt. | 447 | attempt. |
| 448 | #ifdef HAVE_X11 | ||
| 446 | .TP | 449 | .TP |
| 447 | \fBx11 | 450 | \fBx11 |
| 448 | Enable X11 sandboxing. | 451 | Enable X11 sandboxing. |
| @@ -476,7 +479,7 @@ Example: | |||
| 476 | xephyr-screen 640x480 | 479 | xephyr-screen 640x480 |
| 477 | .br | 480 | .br |
| 478 | x11 xephyr | 481 | x11 xephyr |
| 479 | 482 | #endif | |
| 480 | .SH DBus filtering | 483 | .SH DBus filtering |
| 481 | 484 | ||
| 482 | Access to the session and system DBus UNIX sockets can be allowed, filtered or | 485 | Access to the session and system DBus UNIX sockets can be allowed, filtered or |