introduce new option restrict-namespaces

author: smitsohu <smitsohu@gmail.com> 2022-07-19 15:19:24 +0200
committer: smitsohu <smitsohu@gmail.com> 2022-07-23 16:21:14 +0200
commit: 87afef810c2dfbf67420dc76a67c707fbb7353db (patch)
tree: d44aed25d9c050967eb6abe31b4081c0956f4a74 /src/man/firejail-profile.txt
parent: protocol filter: add x32 ABI handling (diff)
download: firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.tar.gz
firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.tar.zst
firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5c8b6031d..be1f55f0f 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -520,6 +520,12 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.
 Multiple protocol commands are allowed and they accumulate.
 .TP
+\fBrestrict-namespaces
+Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+.TP
+\fBrestrict-namespaces cgroup,ipc,net,mnt,pid,time,user,uts
+Install a seccomp filter that blocks attempts to create any of the specified namespaces.
+.TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
author	smitsohu <smitsohu@gmail.com>	2022-07-19 15:19:24 +0200
committer	smitsohu <smitsohu@gmail.com>	2022-07-23 16:21:14 +0200
commit	87afef810c2dfbf67420dc76a67c707fbb7353db (patch)
tree	d44aed25d9c050967eb6abe31b4081c0956f4a74 /src/man/firejail-profile.txt
parent	protocol filter: add x32 ABI handling (diff)
download	firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.tar.gz firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.tar.zst firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.zip

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5c8b6031d..be1f55f0f 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -520,6 +520,12 @@ first argument to socket system call. Recognized values: \fBunix\fR,
520	\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.	520	\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.
521	Multiple protocol commands are allowed and they accumulate.	521	Multiple protocol commands are allowed and they accumulate.
522	.TP	522	.TP
		523	\fBrestrict-namespaces
		524	Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
		525	.TP
		526	\fBrestrict-namespaces cgroup,ipc,net,mnt,pid,time,user,uts
		527	Install a seccomp filter that blocks attempts to create any of the specified namespaces.
		528	.TP
523	\fBseccomp	529	\fBseccomp
524	Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.	530	Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
525	.TP	531	.TP