diff options
| author |  smitsohu <smitsohu@gmail.com> | 2021-06-26 16:37:13 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2021-06-26 16:37:13 +0200 |
| commit | 46712f70d9dcc4f5be23d474846c2ff9d88db0d3 (patch) | |
| tree | cb27faaaf17cdd1dc708a9173e10d24331e4abfd /src/man/firejail.txt | |
| parent | Merge pull request #4374 from smitsohu/euid (diff) | |
| parent | RELNOTES (diff) | |
| download | firejail-46712f70d9dcc4f5be23d474846c2ff9d88db0d3.tar.gz firejail-46712f70d9dcc4f5be23d474846c2ff9d88db0d3.tar.zst firejail-46712f70d9dcc4f5be23d474846c2ff9d88db0d3.zip | |
Merge pull request #4340 from smitsohu/kcmp
augment seccomp lists in firejail.config
Diffstat (limited to 'src/man/firejail.txt')
| -rw-r--r-- | src/man/firejail.txt | 53 |
1 files changed, 33 insertions, 20 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d18811316..0462705c0 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan | |||
| 2178 | .TP | 2178 | .TP |
| 2179 | \fB\-\-seccomp | 2179 | \fB\-\-seccomp |
| 2180 | Enable seccomp filter and blacklist the syscalls in the default list, | 2180 | Enable seccomp filter and blacklist the syscalls in the default list, |
| 2181 | which is @default-nodebuggers unless allow-debuggers is specified, | 2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, |
| 2182 | then it is @default. | 2182 | then it is @default. |
| 2183 | 2183 | ||
| 2184 | .br | 2184 | .br |
| @@ -2189,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock, | |||
| 2189 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, | 2189 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, |
| 2190 | @resources, @setuid, @swap, @sync, @system-service and @timer. | 2190 | @resources, @setuid, @swap, @sync, @system-service and @timer. |
| 2191 | More information about groups can be found in /usr/share/doc/firejail/syscalls.txt | 2191 | More information about groups can be found in /usr/share/doc/firejail/syscalls.txt |
| 2192 | 2192 | .br | |
| 2193 | In addition, a system call can be specified by its number instead of | ||
| 2194 | name with prefix $, so for example $165 would be equal to mount on i386. | ||
| 2195 | Exceptions can be allowed with prefix !. | ||
| 2196 | 2193 | ||
| 2197 | .br | 2194 | .br |
| 2198 | System architecture is strictly imposed only if flag | 2195 | System architecture is strictly imposed only if flag |
| 2199 | \-\-seccomp.block-secondary is used. The filter is applied at run time | 2196 | \-\-seccomp.block-secondary is used. The filter is applied at run time |
| 2200 | only if the correct architecture was detected. For the case of I386 | 2197 | only if the correct architecture was detected. For the case of I386 |
| 2201 | and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit | 2198 | and AMD64 both 32-bit and 64-bit filters are installed. |
| 2202 | architecture, an additional filter for 32 bit system calls can be | ||
| 2203 | installed with \-\-seccomp.32. | ||
| 2204 | .br | 2199 | .br |
| 2205 | 2200 | ||
| 2206 | .br | 2201 | .br |
| @@ -2211,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil | |||
| 2211 | Example: | 2206 | Example: |
| 2212 | .br | 2207 | .br |
| 2213 | $ firejail \-\-seccomp | 2208 | $ firejail \-\-seccomp |
| 2209 | .br | ||
| 2210 | |||
| 2211 | .br | ||
| 2212 | The default list can be customized, see \-\-seccomp= for a description. It can be customized | ||
| 2213 | also globally in /etc/firejail/firejail.config file. | ||
| 2214 | |||
| 2214 | .TP | 2215 | .TP |
| 2215 | \fB\-\-seccomp=syscall,@group,!syscall2 | 2216 | \fB\-\-seccomp=syscall,@group,!syscall2 |
| 2216 | Enable seccomp filter, whitelist "syscall2", but blacklist the default | 2217 | Enable seccomp filter, blacklist the default list and the syscalls or syscall groups |
| 2217 | list and the syscalls or syscall groups specified by the | 2218 | specified by the command, but don't blacklist "syscall2". On a 64 bit |
| 2218 | command. | 2219 | architecture, an additional filter for 32 bit system calls can be |
| 2220 | installed with \-\-seccomp.32. | ||
| 2219 | .br | 2221 | .br |
| 2220 | 2222 | ||
| 2221 | .br | 2223 | .br |
| @@ -2225,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox | |||
| 2225 | .br | 2227 | .br |
| 2226 | $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk | 2228 | $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk |
| 2227 | .br | 2229 | .br |
| 2230 | $ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious | ||
| 2231 | .br | ||
| 2232 | |||
| 2233 | .br | ||
| 2234 | Syscalls can be specified by their number if prefix $ is added, | ||
| 2235 | so for example $165 would be equal to mount on i386. | ||
| 2236 | .br | ||
| 2228 | 2237 | ||
| 2229 | .br | 2238 | .br |
| 2230 | Instead of dropping the syscall by returning EPERM, another error | 2239 | Instead of dropping the syscall by returning EPERM, another error |
| @@ -2237,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with | |||
| 2237 | 2246 | ||
| 2238 | .br | 2247 | .br |
| 2239 | Example: | 2248 | Example: |
| 2249 | .br | ||
| 2240 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes | 2250 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes |
| 2241 | .br | 2251 | .br |
| 2242 | Parent pid 10662, child pid 10663 | 2252 | Parent pid 10662, child pid 10663 |
| @@ -2245,9 +2255,13 @@ Child process initialized | |||
| 2245 | .br | 2255 | .br |
| 2246 | $ touch testfile | 2256 | $ touch testfile |
| 2247 | .br | 2257 | .br |
| 2258 | $ ls testfile | ||
| 2259 | .br | ||
| 2260 | testfile | ||
| 2261 | .br | ||
| 2248 | $ rm testfile | 2262 | $ rm testfile |
| 2249 | .br | 2263 | .br |
| 2250 | rm: cannot remove `testfile': Operation not permitted | 2264 | rm: cannot remove `testfile': No such file or directory |
| 2251 | .br | 2265 | .br |
| 2252 | 2266 | ||
| 2253 | .br | 2267 | .br |
| @@ -2260,7 +2274,7 @@ filters. | |||
| 2260 | .br | 2274 | .br |
| 2261 | Example: | 2275 | Example: |
| 2262 | .br | 2276 | .br |
| 2263 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash | 2277 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh |
| 2264 | .br | 2278 | .br |
| 2265 | Parent pid 32751, child pid 32752 | 2279 | Parent pid 32751, child pid 32752 |
| 2266 | .br | 2280 | .br |
| @@ -2272,8 +2286,7 @@ Child process initialized in 46.44 ms | |||
| 2272 | .br | 2286 | .br |
| 2273 | $ ls | 2287 | $ ls |
| 2274 | .br | 2288 | .br |
| 2275 | Bad system call | 2289 | Operation not permitted |
| 2276 | .br | ||
| 2277 | 2290 | ||
| 2278 | .TP | 2291 | .TP |
| 2279 | \fB\-\-seccomp.block-secondary | 2292 | \fB\-\-seccomp.block-secondary |
| @@ -2317,15 +2330,15 @@ Child process initialized | |||
| 2317 | .br | 2330 | .br |
| 2318 | $ touch testfile | 2331 | $ touch testfile |
| 2319 | .br | 2332 | .br |
| 2333 | $ ls testfile | ||
| 2334 | .br | ||
| 2335 | testfile | ||
| 2336 | .br | ||
| 2320 | $ rm testfile | 2337 | $ rm testfile |
| 2321 | .br | 2338 | .br |
| 2322 | rm: cannot remove `testfile': Operation not permitted | 2339 | rm: cannot remove `testfile': No such file or directory |
| 2323 | .br | 2340 | .br |
| 2324 | 2341 | ||
| 2325 | |||
| 2326 | |||
| 2327 | |||
| 2328 | |||
| 2329 | .TP | 2342 | .TP |
| 2330 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 | 2343 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
| 2331 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". | 2344 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". |