diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2019-08-25 18:37:05 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2019-08-25 18:37:05 +0300 |
| commit | 39f9b1a2229f8624f92bdcf823ef755c15e28de2 (patch) | |
| tree | c15cdcdd4abbccfdfbed58764de45827ff2e503c /src/man | |
| parent | Merge pull request #2921 from rusty-snake/allow-common-devel.inc (diff) | |
| download | firejail-39f9b1a2229f8624f92bdcf823ef755c15e28de2.tar.gz firejail-39f9b1a2229f8624f92bdcf823ef755c15e28de2.tar.zst firejail-39f9b1a2229f8624f92bdcf823ef755c15e28de2.zip | |
Allow exceptions to seccomp lists
Prefix ! can be used to make exceptions to system call blacklists and
whitelists used by seccomp, seccomp.drop and seccomp.keep.
Closes #1366
Diffstat (limited to 'src/man')
| -rw-r--r-- | src/man/firejail.txt | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 86b76f58f..afff3d5fa 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1780,7 +1780,8 @@ system call groups are defined: @clock, @cpu-emulation, @debug, | |||
| 1780 | @default, @default-nodebuggers, @default-keep, @module, @obsolete, | 1780 | @default, @default-nodebuggers, @default-keep, @module, @obsolete, |
| 1781 | @privileged, @raw-io, @reboot, @resources and @swap. In addition, a | 1781 | @privileged, @raw-io, @reboot, @resources and @swap. In addition, a |
| 1782 | system call can be specified by its number instead of name with prefix | 1782 | system call can be specified by its number instead of name with prefix |
| 1783 | $, so for example $165 would be equal to mount on i386. | 1783 | $, so for example $165 would be equal to mount on i386. Exceptions |
| 1784 | can be allowed with prefix !. | ||
| 1784 | 1785 | ||
| 1785 | .br | 1786 | .br |
| 1786 | System architecture is strictly imposed only if flag | 1787 | System architecture is strictly imposed only if flag |
| @@ -1798,8 +1799,10 @@ Example: | |||
| 1798 | .br | 1799 | .br |
| 1799 | $ firejail \-\-seccomp | 1800 | $ firejail \-\-seccomp |
| 1800 | .TP | 1801 | .TP |
| 1801 | \fB\-\-seccomp=syscall,@group | 1802 | \fB\-\-seccomp=syscall,@group,!syscall2 |
| 1802 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. | 1803 | Enable seccomp filter, whitelist "syscall2", but blacklist the default |
| 1804 | list (@default) and the syscalls or syscall groups specified by the | ||
| 1805 | command. | ||
| 1803 | .br | 1806 | .br |
| 1804 | 1807 | ||
| 1805 | .br | 1808 | .br |
| @@ -1863,8 +1866,9 @@ domain with personality(2) system call. | |||
| 1863 | .br | 1866 | .br |
| 1864 | 1867 | ||
| 1865 | .TP | 1868 | .TP |
| 1866 | \fB\-\-seccomp.drop=syscall,@group | 1869 | \fB\-\-seccomp.drop=syscall,@group,!syscall2 |
| 1867 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. | 1870 | Enable seccomp filter, whitelist "syscall2" but blacklist the |
| 1871 | syscalls or the syscall groups specified by the command. | ||
| 1868 | .br | 1872 | .br |
| 1869 | 1873 | ||
| 1870 | .br | 1874 | .br |
| @@ -1899,10 +1903,11 @@ rm: cannot remove `testfile': Operation not permitted | |||
| 1899 | 1903 | ||
| 1900 | 1904 | ||
| 1901 | .TP | 1905 | .TP |
| 1902 | \fB\-\-seccomp.keep=syscall,syscall,syscall | 1906 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
| 1903 | Enable seccomp filter, and whitelist the syscalls specified by the | 1907 | Enable seccomp filter, blacklist "syscall2" but whitelist the |
| 1904 | command. The system calls needed by Firejail (group @default-keep: | 1908 | syscalls or the syscall groups specified by the command. The system |
| 1905 | prctl, execve) are handled with the preload library. | 1909 | calls needed by Firejail (group @default-keep: prctl, execve) are |
| 1910 | handled with the preload library. | ||
| 1906 | .br | 1911 | .br |
| 1907 | 1912 | ||
| 1908 | .br | 1913 | .br |