author | netblue30 <netblue30@yahoo.com> | 2019-09-15 06:59:31 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-15 06:59:31 -0500 |
commit | 99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b (patch) | |
tree | aab0f8277a0ae1de922b8a9268b01428e8febd73 /src/man | |
parent | Make sure that we are unprivileged before creating the trace log file. (diff) | |
parent | Fix #2899 (diff) | |
Merge branch 'master' into fix-profile-builder
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail.txt | 43 |
1 files changed, 21 insertions, 22 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 9f9d8e6ec..38bc0edc4 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1762,25 +1762,22 @@ Example: | |||
1762 | $ firejail \-\-net=eth0 \-\-scan | 1762 | $ firejail \-\-net=eth0 \-\-scan |
1763 | .TP | 1763 | .TP |
1764 | \fB\-\-seccomp | 1764 | \fB\-\-seccomp |
1765 | Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows: | 1765 | Enable seccomp filter and blacklist the syscalls in the default list, |
1766 | _sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime, | 1766 | which is @default-nodebuggers unless allow-debuggers is specified, |
1767 | create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module, | 1767 | then it is @default. |
1768 | io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load, | ||
1769 | kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx, | ||
1770 | name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open, | ||
1771 | personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg, | ||
1772 | query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr, | ||
1773 | security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot, | ||
1774 | swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup, | ||
1775 | vm86, vm86old, vmsplice and vserver. | ||
1776 | 1768 | ||
1777 | .br | 1769 | .br |
1778 | To help creating useful seccomp filters more easily, the following | 1770 | To help creating useful seccomp filters more easily, the following |
1779 | system call groups are defined: @clock, @cpu-emulation, @debug, | 1771 | system call groups are defined: @aio, @basic-io, @chown, @clock, |
1780 | @default, @default-nodebuggers, @default-keep, @module, @obsolete, | 1772 | @cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep, |
1781 | @privileged, @raw-io, @reboot, @resources and @swap. In addition, a | 1773 | @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount, |
1782 | system call can be specified by its number instead of name with prefix | 1774 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, |
1783 | $, so for example $165 would be equal to mount on i386. | 1775 | @resources, @setuid, @swap, @sync, @system-service and @timer. |
1776 | More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt | ||
1777 | |||
1778 | In addition, a system call can be specified by its number instead of | ||
1779 | name with prefix $, so for example $165 would be equal to mount on i386. | ||
1780 | Exceptions can be allowed with prefix !. | ||
1784 | 1781 | ||
1785 | .br | 1782 | .br |
1786 | System architecture is strictly imposed only if flag | 1783 | System architecture is strictly imposed only if flag |
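Review bot: the replacement wording on new lines 1765-1767 is ambiguous ("which is @default-nodebuggers unless allow-debuggers is specified, then it is @default" can be read as the list switching mid-sentence); suggest "The default list is @default-nodebuggers, or @default when \-\-allow-debuggers is given." using the \-\- option form the rest of the page uses. "More informations" on new line 1776 should be "More information". Since this hunk drops the explicit syscall enumeration, the manual now depends entirely on the hardcoded path /usr/share/doc/firejail/syscalls.txt being present, which distribution packaging may relocate; worth noting that the file is the authoritative group list. The new sentence "Exceptions can be allowed with prefix !." on new line 1780 would read better with a one-line example in the style of the page, e.g. "\-\-seccomp=!chroot" to re-allow a call that is otherwise in the default blacklist.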
@@ -1798,8 +1795,10 @@ Example: | |||
1798 | .br | 1795 | .br |
1799 | $ firejail \-\-seccomp | 1796 | $ firejail \-\-seccomp |
1800 | .TP | 1797 | .TP |
1801 | \fB\-\-seccomp=syscall,@group | 1798 | \fB\-\-seccomp=syscall,@group,!syscall2 |
1802 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. | 1799 | Enable seccomp filter, whitelist "syscall2", but blacklist the default |
1800 | list and the syscalls or syscall groups specified by the | ||
1801 | command. | ||
1803 | .br | 1802 | .br |
1804 | 1803 | ||
1805 | .br | 1804 | .br |
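Review bot: the new description on lines 1799-1801 does not state what happens when "syscall2" also appears in the default list or inside a listed @group, which is the main case the new "!" syntax exists for; if the exception is meant to win, say so explicitly, e.g. "Enable seccomp filter and blacklist the default list plus the listed syscalls and groups, except syscall2, which stays allowed even if it is part of the default list or a listed group." The current "whitelist ..., but blacklist ..." ordering also buries the primary effect of the option behind the exception.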
@@ -1899,10 +1898,10 @@ rm: cannot remove `testfile': Operation not permitted | |||
1899 | 1898 | ||
1900 | 1899 | ||
1901 | .TP | 1900 | .TP |
1902 | \fB\-\-seccomp.keep=syscall,syscall,syscall | 1901 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
1903 | Enable seccomp filter, and whitelist the syscalls specified by the | 1902 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". |
1904 | command. The system calls needed by Firejail (group @default-keep: | 1903 | The system calls needed by Firejail (group @default-keep: prctl, execve) |
1905 | prctl, execve) are handled with the preload library. | 1904 | are handled with the preload library. |
1906 | .br | 1905 | .br |
1907 | 1906 | ||
1908 | .br | 1907 | .br |
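Review bot: "blacklist all syscall not listed and "syscall2"" on new line 1902 has an agreement error ("all syscalls") and describes a whitelist option in blacklist terms, which is confusing next to the \-\-seccomp entry; suggest "Enable seccomp filter and whitelist only the listed syscalls and groups; !syscall2 removes syscall2 from the whitelist, for example to drop a single call out of a listed @group." The synopsis on new line 1901 also changes from "syscall,syscall,syscall" to "syscall,@group,!syscall2", which is the first place @group is documented as accepted by \-\-seccomp.keep, so the text should mention group support explicitly rather than leaving it implied by the synopsis.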