author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-06 21:58:35 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-06 23:24:20 +0300 |
commit | 34ee8e03f58c4c51c3aa29f553e06570d0654db2 (patch) | |
tree | 05b191c778a7b871e339bdf6c6017606404a917e /src/man/firejail.txt | |
parent | private-lib fixes (diff) | |
Seccomp: system call grouping and call numbers
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index af2724aa9..a03556caf 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -76,9 +76,10 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
76 | Signal the end of options and disables further option processing. | 76 | Signal the end of options and disables further option processing. |
77 | .TP | 77 | .TP |
78 | \fB\-\-allow-debuggers | 78 | \fB\-\-allow-debuggers |
79 | Allow tools such as strace and gdb inside the sandbox. This option is only available | 79 | Allow tools such as strace and gdb inside the sandbox by whitelisting |
80 | when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full | 80 | system calls ptrace and process_vm_readv. This option is only |
81 | bypass of the seccomp filter. | 81 | available when running on Linux kernels 4.8 or newer - a kernel bug in |
82 | ptrace system call allows a full bypass of the seccomp filter. | ||
82 | .br | 83 | .br |
83 | 84 | ||
84 | .br | 85 | .br |
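Review bot: the new sentence at lines 79-80 says the option works "by whitelisting system calls ptrace and process_vm_readv", but the @default list shown at 1487-1488 blacklists process_vm_writev as well; say explicitly whether process_vm_writev stays blocked under --allow-debuggers, and relate this option to the @default-nodebuggers group named at line 1504, which is otherwise never explained. If that group is @default minus these two calls, a wording such as "by removing ptrace and process_vm_readv from the default seccomp blacklist (group @default-nodebuggers)" would document both in one place.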
@@ -1482,7 +1483,7 @@ Example: | |||
1482 | $ firejail \-\-net=eth0 \-\-scan | 1483 | $ firejail \-\-net=eth0 \-\-scan |
1483 | .TP | 1484 | .TP |
1484 | \fB\-\-seccomp | 1485 | \fB\-\-seccomp |
1485 | Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: | 1486 | Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows: |
1486 | mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module, | 1487 | mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module, |
1487 | iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, | 1488 | iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, |
1488 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, | 1489 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, |
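Review bot: the parenthetical "(@default)" at line 1486 introduces a group name before the group syntax is explained at lines 1503-1505; add a short pointer (e.g. "see system call groups below") or move the group paragraph ahead of the list so the reader knows @default is a name that can be used in --seccomp= options rather than just a label for this list.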
@@ -1496,9 +1497,14 @@ settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old, | |||
1496 | afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read, | 1497 | afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read, |
1497 | pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write, | 1498 | pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write, |
1498 | security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, | 1499 | security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, |
1499 | ulimit, vhangup and vserver | 1500 | ulimit, vhangup and vserver. |
1500 | 1501 | ||
1501 | .br | 1502 | .br |
1503 | To help creating useful seccomp filters more easily, the following | ||
1504 | system call groups are defined: @default, @default-nodebuggers and | ||
1505 | @default-keep. In addtion, a system call can be specified by its | ||
1506 | number instead of name with prefix $, so for example $165 would be | ||
1507 | equal to mount on i386. | ||
1502 | 1508 | ||
1503 | .br | 1509 | .br |
1504 | System architecture is not strictly imposed. The filter is applied | 1510 | System architecture is not strictly imposed. The filter is applied |
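Review bot: the example at lines 1506-1507 is wrong for the architecture it names: 165 is mount in the x86_64 syscall table, while on i386 mount is number 21 (165 there is getresuid). Either change "i386" to "x86_64" or use $21 for i386. Since line 1510 states that the filter is applied across architectures, also add a caveat that a numeric $N entry is architecture-specific and cannot be translated between syscall tables the way a name can, so a profile using numbers may block a different call on a secondary architecture. Typo at line 1505: "addtion" should be "addition". Finally, @default-nodebuggers is listed here but never defined, and @default-keep is only explained later at line 1598; a one-line description of each group next to this list would avoid the forward reference.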
@@ -1516,7 +1522,7 @@ Example: | |||
1516 | $ firejail \-\-seccomp | 1522 | $ firejail \-\-seccomp |
1517 | .TP | 1523 | .TP |
1518 | \fB\-\-seccomp=syscall,syscall,syscall | 1524 | \fB\-\-seccomp=syscall,syscall,syscall |
1519 | Enable seccomp filter, blacklist the default list and the syscalls specified by the command. | 1525 | Enable seccomp filter, blacklist the default list (@default) and the syscalls specified by the command. |
1520 | .br | 1526 | .br |
1521 | 1527 | ||
1522 | .br | 1528 | .br |
@@ -1588,7 +1594,9 @@ rm: cannot remove `testfile': Operation not permitted | |||
1588 | 1594 | ||
1589 | .TP | 1595 | .TP |
1590 | \fB\-\-seccomp.keep=syscall,syscall,syscall | 1596 | \fB\-\-seccomp.keep=syscall,syscall,syscall |
1591 | Enable seccomp filter, and whitelist the syscalls specified by the command. | 1597 | Enable seccomp filter, and whitelist the syscalls specified by the |
1598 | command. The system calls needed by Firejail (group @default-keep: | ||
1599 | dup, prctl, setgid, setgroups, setuid) are always whitelisted. | ||
1592 | .br | 1600 | .br |
1593 | 1601 | ||
1594 | .br | 1602 | .br |
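Review bot: lines 1598-1599 are the only place @default-keep (dup, prctl, setgid, setgroups, setuid) is defined, so state whether the user may name @default-keep explicitly in --seccomp.keep= like the other groups described at lines 1503-1505, and whether "always whitelisted" also means these five calls cannot be blacklisted via --seccomp=syscall,...; a reader checking the filter against the @default list at 1486 will otherwise not know which setting wins.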