diff options
| -rw-r--r-- | src/man/firejail.txt | 55 |
1 files changed, 44 insertions, 11 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index de300d47b..25992fb3e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1474,6 +1474,31 @@ Enable seccomp filter, blacklist the default list and the syscalls specified by | |||
| 1474 | Example: | 1474 | Example: |
| 1475 | .br | 1475 | .br |
| 1476 | $ firejail \-\-seccomp=utime,utimensat,utimes firefox | 1476 | $ firejail \-\-seccomp=utime,utimensat,utimes firefox |
| 1477 | .br | ||
| 1478 | |||
| 1479 | .br | ||
| 1480 | Instead of dropping the syscall, a specific error number can be returned | ||
| 1481 | using \fBsyscall:errorno\fR syntax. | ||
| 1482 | .br | ||
| 1483 | |||
| 1484 | .br | ||
| 1485 | Example: | ||
| 1486 | .br | ||
| 1487 | |||
| 1488 | .br | ||
| 1489 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes | ||
| 1490 | .br | ||
| 1491 | Parent pid 10662, child pid 10663 | ||
| 1492 | .br | ||
| 1493 | Child process initialized | ||
| 1494 | .br | ||
| 1495 | $ touch testfile | ||
| 1496 | .br | ||
| 1497 | $ rm testfile | ||
| 1498 | .br | ||
| 1499 | rm: cannot remove `testfile': Operation not permitted | ||
| 1500 | .br | ||
| 1501 | |||
| 1477 | .TP | 1502 | .TP |
| 1478 | \fB\-\-seccomp.drop=syscall,syscall,syscall | 1503 | \fB\-\-seccomp.drop=syscall,syscall,syscall |
| 1479 | Enable seccomp filter, and blacklist the syscalls specified by the command. | 1504 | Enable seccomp filter, and blacklist the syscalls specified by the command. |
| @@ -1483,26 +1508,19 @@ Enable seccomp filter, and blacklist the syscalls specified by the command. | |||
| 1483 | Example: | 1508 | Example: |
| 1484 | .br | 1509 | .br |
| 1485 | $ firejail \-\-seccomp.drop=utime,utimensat,utimes | 1510 | $ firejail \-\-seccomp.drop=utime,utimensat,utimes |
| 1486 | .TP | ||
| 1487 | \fB\-\-seccomp.keep=syscall,syscall,syscall | ||
| 1488 | Enable seccomp filter, and whitelist the syscalls specified by the command. | ||
| 1489 | .br | 1511 | .br |
| 1490 | 1512 | ||
| 1491 | .br | 1513 | .br |
| 1492 | Example: | 1514 | Instead of dropping the syscall, a specific error number can be returned |
| 1493 | .br | 1515 | using \fBsyscall:errorno\fR syntax. |
| 1494 | $ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk | ||
| 1495 | .TP | ||
| 1496 | \fB\-\-seccomp.<errno>=syscall,syscall,syscall | ||
| 1497 | Enable seccomp filter, and return errno for the syscalls specified by the command. | ||
| 1498 | .br | 1516 | .br |
| 1499 | 1517 | ||
| 1500 | .br | 1518 | .br |
| 1501 | Example: a Bash shell where deleting files is disabled | 1519 | Example: |
| 1502 | .br | 1520 | .br |
| 1503 | 1521 | ||
| 1504 | .br | 1522 | .br |
| 1505 | $ firejail --seccomp.eperm=unlinkat | 1523 | $ firejail \-\-seccomp.drop=unlinkat:ENOENT,utimensat,utimes |
| 1506 | .br | 1524 | .br |
| 1507 | Parent pid 10662, child pid 10663 | 1525 | Parent pid 10662, child pid 10663 |
| 1508 | .br | 1526 | .br |
| @@ -1513,6 +1531,21 @@ $ touch testfile | |||
| 1513 | $ rm testfile | 1531 | $ rm testfile |
| 1514 | .br | 1532 | .br |
| 1515 | rm: cannot remove `testfile': Operation not permitted | 1533 | rm: cannot remove `testfile': Operation not permitted |
| 1534 | .br | ||
| 1535 | |||
| 1536 | |||
| 1537 | |||
| 1538 | |||
| 1539 | |||
| 1540 | .TP | ||
| 1541 | \fB\-\-seccomp.keep=syscall,syscall,syscall | ||
| 1542 | Enable seccomp filter, and whitelist the syscalls specified by the command. | ||
| 1543 | .br | ||
| 1544 | |||
| 1545 | .br | ||
| 1546 | Example: | ||
| 1547 | .br | ||
| 1548 | $ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk | ||
| 1516 | 1549 | ||
| 1517 | .TP | 1550 | .TP |
| 1518 | \fB\-\-seccomp.print=name|PID | 1551 | \fB\-\-seccomp.print=name|PID |