Merge branch 'master' into ls

author: smitsohu <smitsohu@gmail.com> 2020-08-19 01:46:35 +0200
committer: GitHub <noreply@github.com> 2020-08-19 01:46:35 +0200
commit: ef9fdc4a1f367ec4a0495ca51e3ed44338df0408 (patch)
tree: 2e3e93b374815c085f9f76ccbc8532bf20fb9b74 /src/man/firejail.txt
parent: cat option (diff)
parent: Merge pull request #3592 from onovy/signal-audio-video (diff)
download: firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.tar.gz
firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.tar.zst
firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.zip
1 files changed, 7 insertions, 5 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f5f092bd9..abb73b5e2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1063,7 +1063,7 @@ that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
 the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
 and shmat system calls and returns error EPERM to the process (or
-kills it, see \-\-seccomp-error-action below) if necessary.
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
 .br
 .br
@@ -2126,8 +2126,8 @@ Instead of dropping the syscall by returning EPERM, another error
 number can be returned using \fBsyscall:errno\fR syntax. This can be
 also changed globally with \-\-seccomp-error-action or
 in /etc/firejail/firejail.config file.  The process can also be killed
-by using \fBsyscall:kill\fR syntax.
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 .br
@@ -2197,7 +2197,8 @@ Instead of dropping the syscall by returning EPERM, another error
 number can be returned using \fBsyscall:errno\fR syntax. This can be
 also changed globally with \-\-seccomp-error-action or
 in /etc/firejail/firejail.config file.  The process can also be killed
-by using \fBsyscall:kill\fR syntax.
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 .br
@@ -2406,7 +2407,8 @@ By default, if a seccomp filter blocks a system call, the process gets
 EPERM as the error. With \-\-seccomp-error-action=error, another error
 number can be returned, for example ENOSYS or EACCES. The process can
 also be killed (like in versions <0.9.63 of Firejail) by using
-\-\-seccomp-error-action=kill syntax. Not killing the process weakens
+\-\-seccomp-error-action=kill syntax, or the attempt may be logged
+with \-\-seccomp-error-action=log. Not killing the process weakens
 Firejail slightly when trying to contain intrusion, but it may also
 allow tighter filters if the only alternative is to allow a system
 call.
author	smitsohu <smitsohu@gmail.com>	2020-08-19 01:46:35 +0200
committer	GitHub <noreply@github.com>	2020-08-19 01:46:35 +0200
commit	ef9fdc4a1f367ec4a0495ca51e3ed44338df0408 (patch)
tree	2e3e93b374815c085f9f76ccbc8532bf20fb9b74 /src/man/firejail.txt
parent	cat option (diff)
parent	Merge pull request #3592 from onovy/signal-audio-video (diff)
download	firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.tar.gz firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.tar.zst firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f5f092bd9..abb73b5e2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1063,7 +1063,7 @@ that are both writable and executable, to change mappings to be
1063	executable, or to create executable shared memory. The filter examines	1063	executable, or to create executable shared memory. The filter examines
1064	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create	1064	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
1065	and shmat system calls and returns error EPERM to the process (or	1065	and shmat system calls and returns error EPERM to the process (or
1066	kills it, see \-\-seccomp-error-action below) if necessary.	1066	kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
1067	.br	1067	.br
1068		1068
1069	.br	1069	.br
@@ -2126,8 +2126,8 @@ Instead of dropping the syscall by returning EPERM, another error
2126	number can be returned using \fBsyscall:errno\fR syntax. This can be	2126	number can be returned using \fBsyscall:errno\fR syntax. This can be
2127	also changed globally with \-\-seccomp-error-action or	2127	also changed globally with \-\-seccomp-error-action or
2128	in /etc/firejail/firejail.config file. The process can also be killed	2128	in /etc/firejail/firejail.config file. The process can also be killed
2129	by using \fBsyscall:kill\fR syntax.	2129	by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
2130		2130	\fBsyscall:log\fR.
2131	.br	2131	.br
2132		2132
2133	.br	2133	.br
@@ -2197,7 +2197,8 @@ Instead of dropping the syscall by returning EPERM, another error
2197	number can be returned using \fBsyscall:errno\fR syntax. This can be	2197	number can be returned using \fBsyscall:errno\fR syntax. This can be
2198	also changed globally with \-\-seccomp-error-action or	2198	also changed globally with \-\-seccomp-error-action or
2199	in /etc/firejail/firejail.config file. The process can also be killed	2199	in /etc/firejail/firejail.config file. The process can also be killed
2200	by using \fBsyscall:kill\fR syntax.	2200	by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
		2201	\fBsyscall:log\fR.
2201	.br	2202	.br
2202		2203
2203	.br	2204	.br
@@ -2406,7 +2407,8 @@ By default, if a seccomp filter blocks a system call, the process gets
2406	EPERM as the error. With \-\-seccomp-error-action=error, another error	2407	EPERM as the error. With \-\-seccomp-error-action=error, another error
2407	number can be returned, for example ENOSYS or EACCES. The process can	2408	number can be returned, for example ENOSYS or EACCES. The process can
2408	also be killed (like in versions <0.9.63 of Firejail) by using	2409	also be killed (like in versions <0.9.63 of Firejail) by using
2409	\-\-seccomp-error-action=kill syntax. Not killing the process weakens	2410	\-\-seccomp-error-action=kill syntax, or the attempt may be logged
		2411	with \-\-seccomp-error-action=log. Not killing the process weakens
2410	Firejail slightly when trying to contain intrusion, but it may also	2412	Firejail slightly when trying to contain intrusion, but it may also
2411	allow tighter filters if the only alternative is to allow a system	2413	allow tighter filters if the only alternative is to allow a system
2412	call.	2414	call.