diff options
author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-13 14:07:31 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-13 17:31:07 +0300 |
commit | 63e9d849f662d1a494c6396d4a439cd4c91dfa7e (patch) | |
tree | 703cc8c9c0eb5b9e528f025961df7f322f797737 /src/man/firejail.txt | |
parent | merges (diff) | |
download | firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.tar.gz firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.tar.zst firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.zip |
Allow any syscall to be blacklisted (#1447)
Allow any syscall to be blacklisted with aid of LD_PRELOAD library,
libpostexecseccomp.so.
Closes: #1447
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2c8dca09a..be73429bc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1578,6 +1578,32 @@ $ rm testfile | |||
1578 | rm: cannot remove `testfile': Operation not permitted | 1578 | rm: cannot remove `testfile': Operation not permitted |
1579 | .br | 1579 | .br |
1580 | 1580 | ||
1581 | .br | ||
1582 | If the blocked system calls would also block Firejail from operating, | ||
1583 | they are handled by adding a preloaded library which performs seccomp | ||
1584 | system calls later. | ||
1585 | .br | ||
1586 | |||
1587 | .br | ||
1588 | Example: | ||
1589 | .br | ||
1590 | |||
1591 | .br | ||
1592 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash | ||
1593 | .br | ||
1594 | Parent pid 32751, child pid 32752 | ||
1595 | .br | ||
1596 | Post-exec seccomp protector enabled | ||
1597 | .br | ||
1598 | list in: execve, check list: @default-keep prelist: (null), postlist: execve | ||
1599 | .br | ||
1600 | Child process initialized in 46.44 ms | ||
1601 | .br | ||
1602 | $ ls | ||
1603 | .br | ||
1604 | Bad system call | ||
1605 | .br | ||
1606 | |||
1581 | .TP | 1607 | .TP |
1582 | \fB\-\-seccomp.drop=syscall,syscall,syscall | 1608 | \fB\-\-seccomp.drop=syscall,syscall,syscall |
1583 | Enable seccomp filter, and blacklist the syscalls specified by the command. | 1609 | Enable seccomp filter, and blacklist the syscalls specified by the command. |