author | smitsohu <smitsohu@gmail.com> | 2022-07-19 15:19:24 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-07-23 16:21:14 +0200 |
commit | 87afef810c2dfbf67420dc76a67c707fbb7353db (patch) | |
tree | d44aed25d9c050967eb6abe31b4081c0956f4a74 /src/man | |
parent | protocol filter: add x32 ABI handling (diff) | |
introduce new option restrict-namespaces
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 6 | ||||
-rw-r--r-- | src/man/firejail.txt | 24 |
2 files changed, 30 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5c8b6031d..be1f55f0f 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -520,6 +520,12 @@ first argument to socket system call. Recognized values: \fBunix\fR, | |||
520 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR. | 520 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR. |
521 | Multiple protocol commands are allowed and they accumulate. | 521 | Multiple protocol commands are allowed and they accumulate. |
522 | .TP | 522 | .TP |
523 | \fBrestrict-namespaces | ||
524 | Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces. | ||
525 | .TP | ||
526 | \fBrestrict-namespaces cgroup,ipc,net,mnt,pid,time,user,uts | ||
527 | Install a seccomp filter that blocks attempts to create any of the specified namespaces. | ||
528 | .TP | ||
523 | \fBseccomp | 529 | \fBseccomp |
524 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. | 530 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
525 | .TP | 531 | .TP |
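Review bot: the first added entry (new line 524) spells the namespace "mount", while the list form two lines later takes "mnt", so a user who copies the word from the description into a profile line ends up with a value that is not among the listed ones. Write "mount (mnt)" or use the option tokens in both descriptions. This profile entry also says nothing about the clone3 limitation that the firejail.txt text in the same commit documents; a closing "See man 1 firejail for more details.", as the neighbouring seccomp entry has, would point readers to it.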
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c2c0bc297..087d1c85a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -693,6 +693,7 @@ Example: | |||
693 | .br | 693 | .br |
694 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 694 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
695 | #endif | 695 | #endif |
696 | |||
696 | .TP | 697 | .TP |
697 | \fB\-\-deterministic-exit-code | 698 | \fB\-\-deterministic-exit-code |
698 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 699 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
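Review bot: the only change in this hunk is a blank line added after "#endif" (new line 696), ahead of the \-\-deterministic-exit-code entry, which is unrelated to restrict-namespaces. Drop it from this commit or submit it as a separate whitespace fix so the change that introduces the new option contains only that option.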
@@ -2257,6 +2258,29 @@ $ firejail --read-only=~/test --read-write=~/test/a | |||
2257 | 2258 | ||
2258 | 2259 | ||
2259 | .TP | 2260 | .TP |
2261 | \fB\-\-restrict-namespaces | ||
2262 | Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces. | ||
2263 | .br | ||
2264 | |||
2265 | .br | ||
2266 | Example: | ||
2267 | .br | ||
2268 | $ firejail \-\-restrict-namespaces | ||
2269 | |||
2270 | .TP | ||
2271 | \fB\-\-restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts | ||
2272 | Install a seccomp filter that blocks attempts to create any of the specified namespaces. The filter examines | ||
2273 | the arguments of clone, unshare and setns system calls and returns error EPERM to the process | ||
2274 | (or kills it or logs the attempt, see \-\-seccomp-error-action below) if necessary. Note that the filter is not | ||
2275 | able to examine the arguments of clone3 system calls, and always responds to these calls with error ENOSYS. | ||
2276 | .br | ||
2277 | |||
2278 | .br | ||
2279 | Example: | ||
2280 | .br | ||
2281 | $ firejail \-\-restrict-namespaces=user,net | ||
2282 | |||
2283 | .TP | ||
2260 | \fB\-\-rlimit-as=number | 2284 | \fB\-\-rlimit-as=number |
2261 | Set the maximum size of the process's virtual memory (address space) in bytes. | 2285 | Set the maximum size of the process's virtual memory (address space) in bytes. |
2262 | Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). | 2286 | Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). |
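Review bot: the filter's behaviour (EPERM, or kill/log via \-\-seccomp-error-action) and the clone3 limitation are described only under the list form (new lines 2272-2275), so a reader of the bare \-\-restrict-namespaces entry at 2261-2262 does not learn whether clone3 is answered with ENOSYS there too. Move that paragraph to the first entry, or state in the first entry that the details given for the list form apply to it as well. Because the text says clone3 is "always" answered with ENOSYS, it is worth saying explicitly that this includes clone3 calls that request no new namespace, since that affects any program calling clone3 and not only those that create namespaces. Minor: the description says "mount" while the accepted token is "mnt", and both examples omit the program to run, unlike the \-\-net example earlier in the file.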