Seccomp: system call grouping and call numbers

author: Topi Miettinen <toiwoton@gmail.com> 2017-08-06 21:58:35 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-08-06 23:24:20 +0300
commit: 34ee8e03f58c4c51c3aa29f553e06570d0654db2 (patch)
tree: 05b191c778a7b871e339bdf6c6017606404a917e /src/man
parent: private-lib fixes (diff)
download: firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.tar.gz
firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.tar.zst
firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.zip
1 files changed, 15 insertions, 7 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index af2724aa9..a03556caf 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,9 +76,10 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox. This option is only available
+Allow tools such as strace and gdb inside the sandbox by whitelisting
-when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+system calls ptrace and process_vm_readv. This option is only
-bypass of the seccomp filter.
+available when running on Linux kernels 4.8 or newer - a kernel bug in
+ptrace system call allows a full bypass of the seccomp filter.
 .br
 .br
@@ -1482,7 +1483,7 @@ Example:
 $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
-Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
+Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
 mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
 iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
@@ -1496,9 +1497,14 @@ settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
 afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
 pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
 security, setdomainname,  sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup and vserver
+ulimit, vhangup and vserver.
 .br
+To help creating useful seccomp filters more easily, the following
+system call groups are defined: @default, @default-nodebuggers and
+@default-keep. In addtion, a system call can be specified by its
+number instead of name with prefix $, so for example $165 would be
+equal to mount on i386.
 .br
 System architecture is not strictly imposed. The filter is applied
@@ -1516,7 +1522,7 @@ Example:
 $ firejail \-\-seccomp
 .TP
 \fB\-\-seccomp=syscall,syscall,syscall
-Enable seccomp filter, blacklist the default list and the syscalls specified by the command.
+Enable seccomp filter, blacklist the default list (@default) and the syscalls specified by the command.
 .br
 .br
@@ -1588,7 +1594,9 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
 \fB\-\-seccomp.keep=syscall,syscall,syscall
-Enable seccomp filter, and whitelist the syscalls specified by the command.
+Enable seccomp filter, and whitelist the syscalls specified by the
+command. The system calls needed by Firejail (group @default-keep:
+dup, prctl, setgid, setgroups, setuid) are always whitelisted.
 .br
 .br
author	Topi Miettinen <toiwoton@gmail.com>	2017-08-06 21:58:35 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-08-06 23:24:20 +0300
commit	34ee8e03f58c4c51c3aa29f553e06570d0654db2 (patch)
tree	05b191c778a7b871e339bdf6c6017606404a917e /src/man
parent	private-lib fixes (diff)
download	firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.tar.gz firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.tar.zst firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.zip