author | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-09-05 18:10:42 +0200 |
committer | rusty-snake <print_hello_world+GitHub@protonmail.com> | 2019-09-13 11:50:34 +0000 |
commit | b394115c0396b2cb6e11d7865444d73ba1cfdd7e (patch) | |
tree | 343524c31811bf8586e456a1fe7add2e736a420c /src/man | |
parent | Fix #2945 (Signal 1.27 Fails to Start) (diff) | |
update seccomp in man firejail
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail.txt | 33 |
1 files changed, 13 insertions, 20 deletions
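diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 500850413..ed2f776f2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1762,17 +1762,9 @@ Example:
 $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
-Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
-create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
-io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
-name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
-personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
-query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
-security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
-swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
-vm86, vm86old, vmsplice and vserver.
+Enable seccomp filter and blacklist the syscalls in the default list,
+which is @default-nodebuggers unless allow-debuggers is specified,
+then it is @default.
 
 .br
 To help creating useful seccomp filters more easily, the following
@@ -1780,10 +1772,12 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
 @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
-@resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a
-system call can be specified by its number instead of name with prefix
-$, so for example $165 would be equal to mount on i386. Exceptions
-can be allowed with prefix !.
+@resources, @setuid, @swap, @sync, @system-service and @timer.
+More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt
+
+In addition, a system call can be specified by its number instead of
+name with prefix $, so for example $165 would be equal to mount on i386.
+Exceptions can be allowed with prefix !.
 
 .br
 System architecture is strictly imposed only if flag
@@ -1803,7 +1797,7 @@ $ firejail \-\-seccomp
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
 Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list (@default) and the syscalls or syscall groups specified by the
+list and the syscalls or syscall groups specified by the
 command.
 .br
 
@@ -1906,10 +1900,9 @@ rm: cannot remove `testfile': Operation not permitted
 
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
-Enable seccomp filter, blacklist "syscall2" but whitelist the
-syscalls or the syscall groups specified by the command. The system
-calls needed by Firejail (group @default-keep: prctl, execve) are
-handled with the preload library.
+Enable seccomp filter, blacklist all syscall not listed and "syscall2".
+The system calls needed by Firejail (group @default-keep: prctl, execve)
+are handled with the preload library.
 .br
 
 .br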