| field | value | date |
|---|---|---|
| author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:22:38 +0300 |
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:33:11 +0300 |
| commit | d01216de45884300c87e7d3ccb70e53ebb461449 (patch) | |
| tree | 480519f5849df4c6048a7f62ec97f96e51174c3e /src/man | |
| parent | Merge update after #1483 (diff) | |
| download | firejail-d01216de45884300c87e7d3ccb70e53ebb461449.tar.gz, firejail-d01216de45884300c87e7d3ccb70e53ebb461449.tar.zst, firejail-d01216de45884300c87e7d3ccb70e53ebb461449.zip | |
Feature: switch/config option to block secondary architectures
Add a feature for a new (opt-in) command line switch and config file
option to block secondary architectures entirely. Also block changing
the Linux execution domain with the personality() system call for the
primary architecture.
Closes #1479
Diffstat (limited to 'src/man')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/man/firejail-profile.txt | 4 |
| -rw-r--r-- | src/man/firejail.txt | 15 |
2 files changed, 16 insertions, 3 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 2a7d926b9..050c3d7e5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -310,6 +310,10 @@ Enable seccomp filter and blacklist the syscalls in the default list. See man 1 | |||
310 | \fBseccomp syscall,syscall,syscall | 310 | \fBseccomp syscall,syscall,syscall |
311 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. | 311 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
312 | .TP | 312 | .TP |
313 | \fBseccomp.block-secondary | ||
314 | Enable seccomp filter and filter system call architectures | ||
315 | so that only the native architecture is allowed. | ||
316 | .TP | ||
313 | \fBseccomp.drop syscall,syscall,syscall | 317 | \fBseccomp.drop syscall,syscall,syscall |
314 | Enable seccomp filter and blacklist the system calls in the list. | 318 | Enable seccomp filter and blacklist the system calls in the list. |
315 | .TP | 319 | .TP |
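Review bot: the profile directive added at line 313 is spelled `seccomp.block-secondary` (hyphen), while the command-line switch documented in src/man/firejail.txt in this same commit is `\-\-seccomp.block_secondary` (underscore); unless the profile parser deliberately accepts a different spelling from the CLI, use one spelling in both man pages so a user who copies the option into a profile does not end up with a directive that is silently ignored. The profile entry also omits what the firejail.txt entry states, namely that the filter additionally blocks changing the execution domain with personality(2) on the native architecture; add the same sentence here so profile authors see the full effect of the directive.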
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 89b815e02..d1970c985 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1572,9 +1572,10 @@ system call can be specified by its number instead of name with prefix | |||
1572 | $, so for example $165 would be equal to mount on i386. | 1572 | $, so for example $165 would be equal to mount on i386. |
1573 | 1573 | ||
1574 | .br | 1574 | .br |
1575 | System architecture is not strictly imposed. The filter is applied | 1575 | System architecture is strictly imposed only if flag |
1576 | at run time only if the correct architecture was detected. For the case of I386 and AMD64 | 1576 | \-\-seccomp.block_secondary is used. The filter is applied at run time |
1577 | both 32-bit and 64-bit filters are installed. | 1577 | only if the correct architecture was detected. For the case of I386 |
1578 | and AMD64 both 32-bit and 64-bit filters are installed. | ||
1578 | .br | 1579 | .br |
1579 | 1580 | ||
1580 | .br | 1581 | .br |
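Review bot: the rewritten paragraph at 1575-1578 is hard to follow. After "System architecture is strictly imposed only if flag \-\-seccomp.block_secondary is used", the next sentence "The filter is applied at run time only if the correct architecture was detected" still describes the default (flag not given) behaviour, but the text no longer says so, and it never states what the flag does to calls from a secondary architecture. Suggest spelling out both cases, e.g. "Without \-\-seccomp.block_secondary, the filter is applied at run time only if the correct architecture was detected; for i386 and amd64 both 32-bit and 64-bit filters are installed. With \-\-seccomp.block_secondary, system calls from any architecture other than the native one are blocked."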
@@ -1646,6 +1647,14 @@ Bad system call | |||
1646 | .br | 1647 | .br |
1647 | 1648 | ||
1648 | .TP | 1649 | .TP |
1650 | \fB\-\-seccomp.block_secondary | ||
1651 | Enable seccomp filter and filter system call architectures so that | ||
1652 | only the native architecture is allowed. For example, on amd64, i386 | ||
1653 | and x32 system calls are blocked as well as changing the execution | ||
1654 | domain with personality(2) system call. | ||
1655 | .br | ||
1656 | |||
1657 | .TP | ||
1649 | \fB\-\-seccomp.drop=syscall,syscall,syscall | 1658 | \fB\-\-seccomp.drop=syscall,syscall,syscall |
1650 | Enable seccomp filter, and blacklist the syscalls specified by the command. | 1659 | Enable seccomp filter, and blacklist the syscalls specified by the command. |
1651 | .br | 1660 | .br |
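Review bot: the commit message says the feature can also be enabled from the config file, but this hunk documents only the command-line switch; if the config option is documented in a man page outside src/man that is fine (the diffstat on this page is limited to src/man, so it cannot be checked here), otherwise the config-file spelling and semantics need an entry as well. Minor wording at 1652-1654: "i386 and x32 system calls are blocked as well as changing the execution domain with personality(2) system call" reads better as "i386 and x32 system calls are blocked, and so is changing the execution domain with the personality(2) system call."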