author | Glenn Washburn <development@efficientek.com> | 2019-08-29 22:02:08 -0500 |
---|---|---|
committer | Glenn Washburn <development@efficientek.com> | 2019-08-29 22:02:08 -0500 |
commit | 96505fd6765a124016cc7e64ea8191f38efb09a5 (patch) | |
tree | 3c02cacc6f942d00d2dfecb2085ab5a2d6dd439a /src/man/firejail.txt | |
parent | Allow firejail --trace option to take an optional parameter which is the trac... (diff) | |
Update man page to note that --trace can now take an optional parameter.
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 40 |
1 files changed, 17 insertions, 23 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 500850413..9f9d8e6ec 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -71,10 +71,10 @@ If an appropriate profile is not found, Firejail will use a default profile. | |||
71 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 71 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
72 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. | 72 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
73 | .PP | 73 | .PP |
74 | If a program argument is not specified, Firejail starts the default shell from the current user. | 74 | If a program argument is not specified, Firejail starts /bin/bash shell. |
75 | Examples: | 75 | Examples: |
76 | .PP | 76 | .PP |
77 | $ firejail [OPTIONS] # starting the user default shell (normally /bin/bash) | 77 | $ firejail [OPTIONS] # starting a /bin/bash shell |
78 | .PP | 78 | .PP |
79 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox | 79 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox |
80 | .PP | 80 | .PP |
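Review bot: The rewording at lines 74 and 77 is not covered by the commit message, which only mentions --trace. It replaces "the default shell from the current user" with a fixed "/bin/bash", so the man page would describe different behaviour for firejail run without a program argument. Unless that behaviour changed elsewhere in this series, drop these two lines from the patch.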
@@ -1776,14 +1776,11 @@ vm86, vm86old, vmsplice and vserver. | |||
1776 | 1776 | ||
1777 | .br | 1777 | .br |
1778 | To help creating useful seccomp filters more easily, the following | 1778 | To help creating useful seccomp filters more easily, the following |
1779 | system call groups are defined: @aio, @basic-io, @chown, @clock, | 1779 | system call groups are defined: @clock, @cpu-emulation, @debug, |
1780 | @cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep, | 1780 | @default, @default-nodebuggers, @default-keep, @module, @obsolete, |
1781 | @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount, | 1781 | @privileged, @raw-io, @reboot, @resources and @swap. In addition, a |
1782 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, | ||
1783 | @resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a | ||
1784 | system call can be specified by its number instead of name with prefix | 1782 | system call can be specified by its number instead of name with prefix |
1785 | $, so for example $165 would be equal to mount on i386. Exceptions | 1783 | $, so for example $165 would be equal to mount on i386. |
1786 | can be allowed with prefix !. | ||
1787 | 1784 | ||
1788 | .br | 1785 | .br |
1789 | System architecture is strictly imposed only if flag | 1786 | System architecture is strictly imposed only if flag |
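Review bot: Old lines 1779-1786 lose most of the documented syscall groups (@aio, @basic-io, @file-system, @network-io, @system-service and others) along with the sentence "Exceptions can be allowed with prefix !", and none of that relates to --trace. This reads like a patch generated against an older copy of firejail.txt; please rebase so this hunk disappears, otherwise anyone writing a seccomp filter from the man page loses the reference for groups and exceptions.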
@@ -1801,10 +1798,8 @@ Example: | |||
1801 | .br | 1798 | .br |
1802 | $ firejail \-\-seccomp | 1799 | $ firejail \-\-seccomp |
1803 | .TP | 1800 | .TP |
1804 | \fB\-\-seccomp=syscall,@group,!syscall2 | 1801 | \fB\-\-seccomp=syscall,@group |
1805 | Enable seccomp filter, whitelist "syscall2", but blacklist the default | 1802 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. |
1806 | list (@default) and the syscalls or syscall groups specified by the | ||
1807 | command. | ||
1808 | .br | 1803 | .br |
1809 | 1804 | ||
1810 | .br | 1805 | .br |
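Review bot: The synopsis at 1804 drops the !syscall2 form, and the description no longer says that an entry can be whitelisted out of the @default blacklist. That is a change to documented seccomp semantics inside a --trace documentation commit; keep old lines 1804-1807 unless the exception syntax was actually removed from the option, and say so in the commit message if it was.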
@@ -1868,9 +1863,8 @@ domain with personality(2) system call. | |||
1868 | .br | 1863 | .br |
1869 | 1864 | ||
1870 | .TP | 1865 | .TP |
1871 | \fB\-\-seccomp.drop=syscall,@group,!syscall2 | 1866 | \fB\-\-seccomp.drop=syscall,@group |
1872 | Enable seccomp filter, whitelist "syscall2" but blacklist the | 1867 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. |
1873 | syscalls or the syscall groups specified by the command. | ||
1874 | .br | 1868 | .br |
1875 | 1869 | ||
1876 | .br | 1870 | .br |
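Review bot: New line 1867 joins the description into one long line where the old text at 1872-1873 was wrapped, and it removes the !syscall2 exception from --seccomp.drop. Keep the original wrapping, and leave the exception form in the synopsis if --seccomp.drop still accepts it.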
@@ -1905,11 +1899,10 @@ rm: cannot remove `testfile': Operation not permitted | |||
1905 | 1899 | ||
1906 | 1900 | ||
1907 | .TP | 1901 | .TP |
1908 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 | 1902 | \fB\-\-seccomp.keep=syscall,syscall,syscall |
1909 | Enable seccomp filter, blacklist "syscall2" but whitelist the | 1903 | Enable seccomp filter, and whitelist the syscalls specified by the |
1910 | syscalls or the syscall groups specified by the command. The system | 1904 | command. The system calls needed by Firejail (group @default-keep: |
1911 | calls needed by Firejail (group @default-keep: prctl, execve) are | 1905 | prctl, execve) are handled with the preload library. |
1912 | handled with the preload library. | ||
1913 | .br | 1906 | .br |
1914 | 1907 | ||
1915 | .br | 1908 | .br |
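Review bot: The new synopsis at 1902, "--seccomp.keep=syscall,syscall,syscall", no longer shows that a @group is accepted, yet the description just below it still refers to "group @default-keep". The keep list is the allow-list side of the filter, so the page needs to be exact about what may appear in it; restore "syscall,@group,!syscall2" or explain in the commit message why groups and exceptions no longer apply here.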
@@ -2149,8 +2142,9 @@ Example: | |||
2149 | .br | 2142 | .br |
2150 | $ firejail \-\-top | 2143 | $ firejail \-\-top |
2151 | .TP | 2144 | .TP |
2152 | \fB\-\-trace | 2145 | \fB\-\-trace[=filename] |
2153 | Trace open, access and connect system calls. | 2146 | Trace open, access and connect system calls. If filename is specified, log |
2147 | trace output to filename, otherwise log to console. | ||
2154 | .br | 2148 | .br |
2155 | 2149 | ||
2156 | .br | 2150 | .br |
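Review bot: The new text at 2146-2147 does not say how filename is handled: whether an existing file is truncated or appended to, and whether the path is resolved on the host or inside the sandbox's view of the filesystem. Both matter to anyone collecting trace output for later review, so add a sentence covering each. An Example entry using the =filename form, in the same style as the "$ firejail --top" example above, would also help.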