diff options
| author |  Glenn Washburn <development@efficientek.com> | 2019-08-29 22:02:08 -0500 |
|---|---|---|
| committer | Glenn Washburn <development@efficientek.com> | 2019-08-29 22:02:08 -0500 |
| commit | 96505fd6765a124016cc7e64ea8191f38efb09a5 (patch) | |
| tree | 3c02cacc6f942d00d2dfecb2085ab5a2d6dd439a /src | |
| parent | Allow firejail --trace option to take an optional parameter which is the trac... (diff) | |
| download | firejail-96505fd6765a124016cc7e64ea8191f38efb09a5.tar.gz firejail-96505fd6765a124016cc7e64ea8191f38efb09a5.tar.zst firejail-96505fd6765a124016cc7e64ea8191f38efb09a5.zip | |
Update man page to note that --trace can now take an optional parameter.
Diffstat (limited to 'src')
| -rw-r--r-- | src/man/firejail.txt | 40 |
1 files changed, 17 insertions, 23 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 500850413..9f9d8e6ec 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -71,10 +71,10 @@ If an appropriate profile is not found, Firejail will use a default profile. | |||
| 71 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 71 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
| 72 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. | 72 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
| 73 | .PP | 73 | .PP |
| 74 | If a program argument is not specified, Firejail starts the default shell from the current user. | 74 | If a program argument is not specified, Firejail starts /bin/bash shell. |
| 75 | Examples: | 75 | Examples: |
| 76 | .PP | 76 | .PP |
| 77 | $ firejail [OPTIONS] # starting the user default shell (normally /bin/bash) | 77 | $ firejail [OPTIONS] # starting a /bin/bash shell |
| 78 | .PP | 78 | .PP |
| 79 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox | 79 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox |
| 80 | .PP | 80 | .PP |
| @@ -1776,14 +1776,11 @@ vm86, vm86old, vmsplice and vserver. | |||
| 1776 | 1776 | ||
| 1777 | .br | 1777 | .br |
| 1778 | To help creating useful seccomp filters more easily, the following | 1778 | To help creating useful seccomp filters more easily, the following |
| 1779 | system call groups are defined: @aio, @basic-io, @chown, @clock, | 1779 | system call groups are defined: @clock, @cpu-emulation, @debug, |
| 1780 | @cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep, | 1780 | @default, @default-nodebuggers, @default-keep, @module, @obsolete, |
| 1781 | @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount, | 1781 | @privileged, @raw-io, @reboot, @resources and @swap. In addition, a |
| 1782 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, | ||
| 1783 | @resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a | ||
| 1784 | system call can be specified by its number instead of name with prefix | 1782 | system call can be specified by its number instead of name with prefix |
| 1785 | $, so for example $165 would be equal to mount on i386. Exceptions | 1783 | $, so for example $165 would be equal to mount on i386. |
| 1786 | can be allowed with prefix !. | ||
| 1787 | 1784 | ||
| 1788 | .br | 1785 | .br |
| 1789 | System architecture is strictly imposed only if flag | 1786 | System architecture is strictly imposed only if flag |
| @@ -1801,10 +1798,8 @@ Example: | |||
| 1801 | .br | 1798 | .br |
| 1802 | $ firejail \-\-seccomp | 1799 | $ firejail \-\-seccomp |
| 1803 | .TP | 1800 | .TP |
| 1804 | \fB\-\-seccomp=syscall,@group,!syscall2 | 1801 | \fB\-\-seccomp=syscall,@group |
| 1805 | Enable seccomp filter, whitelist "syscall2", but blacklist the default | 1802 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. |
| 1806 | list (@default) and the syscalls or syscall groups specified by the | ||
| 1807 | command. | ||
| 1808 | .br | 1803 | .br |
| 1809 | 1804 | ||
| 1810 | .br | 1805 | .br |
| @@ -1868,9 +1863,8 @@ domain with personality(2) system call. | |||
| 1868 | .br | 1863 | .br |
| 1869 | 1864 | ||
| 1870 | .TP | 1865 | .TP |
| 1871 | \fB\-\-seccomp.drop=syscall,@group,!syscall2 | 1866 | \fB\-\-seccomp.drop=syscall,@group |
| 1872 | Enable seccomp filter, whitelist "syscall2" but blacklist the | 1867 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. |
| 1873 | syscalls or the syscall groups specified by the command. | ||
| 1874 | .br | 1868 | .br |
| 1875 | 1869 | ||
| 1876 | .br | 1870 | .br |
| @@ -1905,11 +1899,10 @@ rm: cannot remove `testfile': Operation not permitted | |||
| 1905 | 1899 | ||
| 1906 | 1900 | ||
| 1907 | .TP | 1901 | .TP |
| 1908 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 | 1902 | \fB\-\-seccomp.keep=syscall,syscall,syscall |
| 1909 | Enable seccomp filter, blacklist "syscall2" but whitelist the | 1903 | Enable seccomp filter, and whitelist the syscalls specified by the |
| 1910 | syscalls or the syscall groups specified by the command. The system | 1904 | command. The system calls needed by Firejail (group @default-keep: |
| 1911 | calls needed by Firejail (group @default-keep: prctl, execve) are | 1905 | prctl, execve) are handled with the preload library. |
| 1912 | handled with the preload library. | ||
| 1913 | .br | 1906 | .br |
| 1914 | 1907 | ||
| 1915 | .br | 1908 | .br |
| @@ -2149,8 +2142,9 @@ Example: | |||
| 2149 | .br | 2142 | .br |
| 2150 | $ firejail \-\-top | 2143 | $ firejail \-\-top |
| 2151 | .TP | 2144 | .TP |
| 2152 | \fB\-\-trace | 2145 | \fB\-\-trace[=filename] |
| 2153 | Trace open, access and connect system calls. | 2146 | Trace open, access and connect system calls. If filename is specified, log |
| 2147 | trace output to filename, otherwise log to console. | ||
| 2154 | .br | 2148 | .br |
| 2155 | 2149 | ||
| 2156 | .br | 2150 | .br |