author | smitsohu <smitsohu@gmail.com> | 2020-08-19 01:46:35 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-19 01:46:35 +0200 |
commit | ef9fdc4a1f367ec4a0495ca51e3ed44338df0408 (patch) | |
tree | 2e3e93b374815c085f9f76ccbc8532bf20fb9b74 /src/man | |
parent | cat option (diff) | |
parent | Merge pull request #3592 from onovy/signal-audio-video (diff) | |
download | firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.tar.gz firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.tar.zst firejail-ef9fdc4a1f367ec4a0495ca51e3ed44338df0408.zip |
Merge branch 'master' into ls
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 6
-rw-r--r-- | src/man/firejail.txt | 12
2 files changed, 11 insertions, 7 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7b5653942..0784e7fd7 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list. | |||
433 | \fBseccomp.32.keep syscall,syscall,syscall | 433 | \fBseccomp.32.keep syscall,syscall,syscall |
434 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 434 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
435 | .TP | 435 | .TP |
436 | \fBseccomp-error-action kill | ERRNO | 436 | \fBseccomp-error-action kill | log | ERRNO |
437 | Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call. | 437 | Return a different error instead of EPERM to the process, kill it when |
438 | an attempt is made to call a blocked system call, or allow but log the | ||
439 | attempt. | ||
438 | .TP | 440 | .TP |
439 | \fBx11 | 441 | \fBx11 |
440 | Enable X11 sandboxing. | 442 | Enable X11 sandboxing. |
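Review bot: the synopsis line lists the modes as "kill | log | ERRNO" but the description at 437-439 explains them in the order ERRNO, kill, log, and it understates what log does: an attempt at a blocked system call is let through, so for that call the filter no longer enforces anything. Suggest reordering the description to match the synopsis and making the loss of enforcement explicit, e.g. "or allow the call and only log the attempt (the call is not blocked)". The entry also does not say where a logged attempt can be read, which is the first thing a user of this mode will look for.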
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f5f092bd9..abb73b5e2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1063,7 +1063,7 @@ that are both writable and executable, to change mappings to be | |||
1063 | executable, or to create executable shared memory. The filter examines | 1063 | executable, or to create executable shared memory. The filter examines |
1064 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | 1064 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create |
1065 | and shmat system calls and returns error EPERM to the process (or | 1065 | and shmat system calls and returns error EPERM to the process (or |
1066 | kills it, see \-\-seccomp-error-action below) if necessary. | 1066 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. |
1067 | .br | 1067 | .br |
1068 | 1068 | ||
1069 | .br | 1069 | .br |
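Review bot: line 1066 has a verb-agreement slip in "(or kills it or log the attempt, see ...)": the parenthetical continues "returns error EPERM to the process", so it should read "or kills it or logs the attempt". The rest of the hunk is fine.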
@@ -2126,8 +2126,8 @@ Instead of dropping the syscall by returning EPERM, another error | |||
2126 | number can be returned using \fBsyscall:errno\fR syntax. This can be | 2126 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
2127 | also changed globally with \-\-seccomp-error-action or | 2127 | also changed globally with \-\-seccomp-error-action or |
2128 | in /etc/firejail/firejail.config file. The process can also be killed | 2128 | in /etc/firejail/firejail.config file. The process can also be killed |
2129 | by using \fBsyscall:kill\fR syntax. | 2129 | by using \fBsyscall:kill\fR syntax, or the attempt may be logged with |
2130 | 2130 | \fBsyscall:log\fR. | |
2131 | .br | 2131 | .br |
2132 | 2132 | ||
2133 | .br | 2133 | .br |
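Review bot: "or the attempt may be logged with \fBsyscall:log\fR" (2129-2130) reads as though the call is still dropped and merely logged, whereas the profile man page in this same change describes the log action as "allow but log". Since this is a per-syscall modifier in the --seccomp list, state the semantics directly, e.g. "or the call can be allowed and only logged by using \fBsyscall:log\fR syntax". The same sentence is repeated verbatim for the second option at 2197-2201, so whatever wording is chosen should be applied to both copies.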
@@ -2197,7 +2197,8 @@ Instead of dropping the syscall by returning EPERM, another error | |||
2197 | number can be returned using \fBsyscall:errno\fR syntax. This can be | 2197 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
2198 | also changed globally with \-\-seccomp-error-action or | 2198 | also changed globally with \-\-seccomp-error-action or |
2199 | in /etc/firejail/firejail.config file. The process can also be killed | 2199 | in /etc/firejail/firejail.config file. The process can also be killed |
2200 | by using \fBsyscall:kill\fR syntax. | 2200 | by using \fBsyscall:kill\fR syntax, or the attempt may be logged with |
2201 | \fBsyscall:log\fR. | ||
2201 | .br | 2202 | .br |
2202 | 2203 | ||
2203 | .br | 2204 | .br |
@@ -2406,7 +2407,8 @@ By default, if a seccomp filter blocks a system call, the process gets | |||
2406 | EPERM as the error. With \-\-seccomp-error-action=error, another error | 2407 | EPERM as the error. With \-\-seccomp-error-action=error, another error |
2407 | number can be returned, for example ENOSYS or EACCES. The process can | 2408 | number can be returned, for example ENOSYS or EACCES. The process can |
2408 | also be killed (like in versions <0.9.63 of Firejail) by using | 2409 | also be killed (like in versions <0.9.63 of Firejail) by using |
2409 | \-\-seccomp-error-action=kill syntax. Not killing the process weakens | 2410 | \-\-seccomp-error-action=kill syntax, or the attempt may be logged |
2411 | with \-\-seccomp-error-action=log. Not killing the process weakens | ||
2410 | Firejail slightly when trying to contain intrusion, but it may also | 2412 | Firejail slightly when trying to contain intrusion, but it may also |
2411 | allow tighter filters if the only alternative is to allow a system | 2413 | allow tighter filters if the only alternative is to allow a system |
2412 | call. | 2414 | call. |
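Review bot: the caveat "Not killing the process weakens Firejail slightly" (2412-2414) was written for the errno case and now directly follows the new log sentence, which is misleading: with --seccomp-error-action=log the blocked call is executed, so the filter provides no containment for it at all, only a record of the attempt. Suggest keeping "slightly" for the error case and adding one sentence saying that log is intended for developing or debugging profiles rather than for a production sandbox. In the same spirit, "or the attempt may be logged" at 2410-2411 should say the call is allowed and logged, matching the "allow but log" wording used in firejail-profile.txt.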