2 files changed, 105 insertions, 103 deletions
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index 89784a984..4d725ed99 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -668,20 +668,20 @@ Enable filtered access to the system DBus. Filters can be specified with the dbu
 \fBdbus-system none
 Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
 .TP
+\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
 \fBdbus-system.own org.gnome.ghex.*
 Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
 .TP
-\fBdbus-system.talk org.freedesktop.Notifications
-Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
-.TP
 \fBdbus-system.see org.freedesktop.Notifications
 Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.
 .TP
-\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+\fBdbus-system.talk org.freedesktop.Notifications
-Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
-.TP
-\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -689,20 +689,20 @@ Enable filtered access to the session DBus. Filters can be specified with the db
 \fBdbus-user none
 Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
 .TP
+\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
 \fBdbus-user.own org.gnome.ghex.*
 Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
 .TP
-\fBdbus-user.talk org.freedesktop.Notifications
-Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
-.TP
 \fBdbus-user.see org.freedesktop.Notifications
 Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.
 .TP
-\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+\fBdbus-user.talk org.freedesktop.Notifications
-Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
-.TP
-\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
 .TP
 \fBnodbus \fR(deprecated)
 Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
@@ -867,20 +867,6 @@ net eth0
 ip 10.10.20.56
 .TP
-\fBip none
-No IP address and no default gateway are configured for the last interface
-defined by a net command. Use this option
-in case you intend to start an external DHCP client in the sandbox.
-.br
-.br
-Example:
-.br
-net eth0
-.br
-ip none
-.TP
 \fBip dhcp
 Acquire an IP address and default gateway for the last interface defined by a
 net command, as well as set the DNS servers according to the DHCP response.
@@ -908,6 +894,20 @@ a DHCP client and releasing the lease manually in conjunction with the
 net none command.
 .TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+.TP
 \fBip6 address
 Assign IPv6 addresses to the last network interface defined by a net command.
 .br
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 16ea26288..bf447be93 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -611,8 +611,9 @@ Example:
 $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
 .TP
-\fB\-\-dbus-user.talk=name
+\fB\-\-dbus-user.see=name
-Allows the application to talk to the specified well-known name on the session DBus.
+Allows the application to see, but not talk to the specified well-known name on
+the session DBus.
 The name may have a .* suffix to match all names underneath it, including itself
 (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
 not "foobar").
@@ -621,14 +622,13 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.talk=\\
+$ firejail --dbus-user=filter --dbus-user.see=\\
 .br
 org.freedesktop.Notifications
 .TP
-\fB\-\-dbus-user.see=name
+\fB\-\-dbus-user.talk=name
-Allows the application to see, but not talk to the specified well-known name on
+Allows the application to talk to the specified well-known name on the session DBus.
-the session DBus.
 The name may have a .* suffix to match all names underneath it, including itself
 (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
 not "foobar").
@@ -637,7 +637,7 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.see=\\
+$ firejail --dbus-user=filter --dbus-user.talk=\\
 .br
 org.freedesktop.Notifications
 #endif
@@ -888,6 +888,32 @@ Example:
 .br
 $ firejail \-\-hosts-file=~/myhosts firefox
+.TP
+\fB\-\-icmptrace[=name|pid]
+Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+.br
+Example
+.br
+$ sudo firejail --icmptrace
+.br
+20:53:54  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
+.br
+20:53:54  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
+.br
+20:53:55  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
+.br
+20:53:55  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
+.br
+20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
+.br
 #ifdef HAVE_IDS
 .TP
 \fB\-\-ids-check
@@ -925,32 +951,6 @@ $ firejail \-\-ignore="net eth0" firefox
 #endif
 .TP
-\fB\-\-icmptrace[=name|pid]
-Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
-.br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br
-.br
-Example
-.br
-$ sudo firejail --icmptrace
-.br
-20:53:54  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
-.br
-20:53:54  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
-.br
-20:53:55  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
-.br
-20:53:55  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
-.br
-20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
-.br
-.TP
 \fB\-\-\include=file.profile
 Include a profile file before the regular profiles are used.
 .br
@@ -984,23 +984,6 @@ Example:
 $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox
 .TP
-\fB\-\-ip=none
-No IP address and no default gateway are configured for the last interface
-defined by a \-\-net option. Use this option
-in case you intend to start an external DHCP client in the sandbox.
-.br
-.br
-Example:
-.br
-$ firejail \-\-net=eth0 \-\-\ip=none
-.br
-.br
-If the corresponding interface doesn't have an IP address configured, this
-option is enabled by default.
-.TP
 \fB\-\-ip=dhcp
 Acquire an IP address and default gateway for the last interface defined by a
 \-\-net option, as well as set the DNS servers according to the DHCP response.
@@ -1026,6 +1009,23 @@ a DHCP client and releasing the lease manually in conjunction with the
 \-\-net=none option.
 .TP
+\fB\-\-ip=none
+No IP address and no default gateway are configured for the last interface
+defined by a \-\-net option. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-\ip=none
+.br
+.br
+If the corresponding interface doesn't have an IP address configured, this
+option is enabled by default.
+.TP
 \fB\-\-ip6=address
 Assign IPv6 addresses to the last network interface defined by a \-\-net option.
 .br
@@ -1324,6 +1324,21 @@ Example:
 $ firejail \-\-machine-id
 .TP
+\fB\-\-memory-deny-write-execute
+Install a seccomp filter to block attempts to create memory mappings
+that are both writable and executable, to change mappings to be
+executable, or to create executable shared memory. The filter examines
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
+and shmat system calls and returns error EPERM to the process (or
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
+.br
+.br
+Note: shmat is not implemented
+as a system call on some platforms including i386, and it cannot be
+handled by seccomp-bpf.
+.TP
 \fB\-\-mkdir=dirname
 Create a directory in user home. Parent directories are created as needed.
 .br
@@ -1343,20 +1358,6 @@ Example:
 .br
 $ firejail --mkfile=~/work/project/readme
-.TP
-\fB\-\-memory-deny-write-execute
-Install a seccomp filter to block attempts to create memory mappings
-that are both writable and executable, to change mappings to be
-executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
-and shmat system calls and returns error EPERM to the process (or
-kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
-.br
-.br
-Note: shmat is not implemented
-as a system call on some platforms including i386, and it cannot be
-handled by seccomp-bpf.
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-mtu=number
@@ -1792,15 +1793,6 @@ Example:
 .br
 $ firejail \-\-nodvd
 .TP
-\fB\-\-noinput
-Disable input devices.
-.br
-.br
-Example:
-.br
-$ firejail \-\-noinput
-.TP
 \fB\-\-noexec=dirname_or_filename
 Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
@@ -1845,6 +1837,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
 $
 .TP
+\fB\-\-noinput
+Disable input devices.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noinput
+.TP
 \fB\-\-nonewprivs
 Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,

diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 89784a984..4d725ed99 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in
@@ -668,20 +668,20 @@ Enable filtered access to the system DBus. Filters can be specified with the dbu
668	\fBdbus-system none	668	\fBdbus-system none
669	Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.	669	Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
670	.TP	670	.TP
		671	\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
		672	Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
		673	.TP
		674	\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
		675	Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
		676	.TP
671	\fBdbus-system.own org.gnome.ghex.*	677	\fBdbus-system.own org.gnome.ghex.*
672	Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.	678	Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
673	.TP	679	.TP
674	\fBdbus-system.talk org.freedesktop.Notifications
675	Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
676	.TP
677	\fBdbus-system.see org.freedesktop.Notifications	680	\fBdbus-system.see org.freedesktop.Notifications
678	Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.	681	Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.
679	.TP	682	.TP
680	\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications	683	\fBdbus-system.talk org.freedesktop.Notifications
681	Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.	684	Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
682	.TP
683	\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
684	Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
685	.TP	685	.TP
686	\fBdbus-user filter	686	\fBdbus-user filter
687	Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.	687	Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -689,20 +689,20 @@ Enable filtered access to the session DBus. Filters can be specified with the db
689	\fBdbus-user none	689	\fBdbus-user none
690	Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.	690	Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
691	.TP	691	.TP
		692	\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
		693	Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
		694	.TP
		695	\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
		696	Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
		697	.TP
692	\fBdbus-user.own org.gnome.ghex.*	698	\fBdbus-user.own org.gnome.ghex.*
693	Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.	699	Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
694	.TP	700	.TP
695	\fBdbus-user.talk org.freedesktop.Notifications
696	Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
697	.TP
698	\fBdbus-user.see org.freedesktop.Notifications	701	\fBdbus-user.see org.freedesktop.Notifications
699	Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.	702	Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.
700	.TP	703	.TP
701	\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications	704	\fBdbus-user.talk org.freedesktop.Notifications
702	Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.	705	Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
703	.TP
704	\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
705	Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
706	.TP	706	.TP
707	\fBnodbus \fR(deprecated)	707	\fBnodbus \fR(deprecated)
708	Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.	708	Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
@@ -867,20 +867,6 @@ net eth0
867	ip 10.10.20.56	867	ip 10.10.20.56
868		868
869	.TP	869	.TP
870	\fBip none
871	No IP address and no default gateway are configured for the last interface
872	defined by a net command. Use this option
873	in case you intend to start an external DHCP client in the sandbox.
874	.br
875
876	.br
877	Example:
878	.br
879	net eth0
880	.br
881	ip none
882
883	.TP
884	\fBip dhcp	870	\fBip dhcp
885	Acquire an IP address and default gateway for the last interface defined by a	871	Acquire an IP address and default gateway for the last interface defined by a
886	net command, as well as set the DNS servers according to the DHCP response.	872	net command, as well as set the DNS servers according to the DHCP response.
@@ -908,6 +894,20 @@ a DHCP client and releasing the lease manually in conjunction with the
908	net none command.	894	net none command.
909		895
910	.TP	896	.TP
		897	\fBip none
		898	No IP address and no default gateway are configured for the last interface
		899	defined by a net command. Use this option
		900	in case you intend to start an external DHCP client in the sandbox.
		901	.br
		902
		903	.br
		904	Example:
		905	.br
		906	net eth0
		907	.br
		908	ip none
		909
		910	.TP
911	\fBip6 address	911	\fBip6 address
912	Assign IPv6 addresses to the last network interface defined by a net command.	912	Assign IPv6 addresses to the last network interface defined by a net command.
913	.br	913	.br


diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 16ea26288..bf447be93 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in
@@ -611,8 +611,9 @@ Example:
611	$ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*	611	$ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
612		612
613	.TP	613	.TP
614	\fB\-\-dbus-user.talk=name	614	\fB\-\-dbus-user.see=name
615	Allows the application to talk to the specified well-known name on the session DBus.	615	Allows the application to see, but not talk to the specified well-known name on
		616	the session DBus.
616	The name may have a .* suffix to match all names underneath it, including itself	617	The name may have a .* suffix to match all names underneath it, including itself
617	(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but	618	(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
618	not "foobar").	619	not "foobar").
@@ -621,14 +622,13 @@ not "foobar").
621	.br	622	.br
622	Example:	623	Example:
623	.br	624	.br
624	$ firejail --dbus-user=filter --dbus-user.talk=\\	625	$ firejail --dbus-user=filter --dbus-user.see=\\
625	.br	626	.br
626	org.freedesktop.Notifications	627	org.freedesktop.Notifications
627		628
628	.TP	629	.TP
629	\fB\-\-dbus-user.see=name	630	\fB\-\-dbus-user.talk=name
630	Allows the application to see, but not talk to the specified well-known name on	631	Allows the application to talk to the specified well-known name on the session DBus.
631	the session DBus.
632	The name may have a .* suffix to match all names underneath it, including itself	632	The name may have a .* suffix to match all names underneath it, including itself
633	(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but	633	(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
634	not "foobar").	634	not "foobar").
@@ -637,7 +637,7 @@ not "foobar").
637	.br	637	.br
638	Example:	638	Example:
639	.br	639	.br
640	$ firejail --dbus-user=filter --dbus-user.see=\\	640	$ firejail --dbus-user=filter --dbus-user.talk=\\
641	.br	641	.br
642	org.freedesktop.Notifications	642	org.freedesktop.Notifications
643	#endif	643	#endif
@@ -888,6 +888,32 @@ Example:
888	.br	888	.br
889	$ firejail \-\-hosts-file=~/myhosts firefox	889	$ firejail \-\-hosts-file=~/myhosts firefox
890		890
		891	.TP
		892	\fB\-\-icmptrace[=name\|pid]
		893	Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
		894	created with \-\-net are supported. This option is only available when running the sandbox as root.
		895	.br
		896
		897	.br
		898	Without a name/pid, Firejail will monitor the main system network namespace.
		899	.br
		900
		901	.br
		902	Example
		903	.br
		904	$ sudo firejail --icmptrace
		905	.br
		906	20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
		907	.br
		908	20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
		909	.br
		910	20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
		911	.br
		912	20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
		913	.br
		914	20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
		915	.br
		916
891	#ifdef HAVE_IDS	917	#ifdef HAVE_IDS
892	.TP	918	.TP
893	\fB\-\-ids-check	919	\fB\-\-ids-check
@@ -925,32 +951,6 @@ $ firejail \-\-ignore="net eth0" firefox
925	#endif	951	#endif
926		952
927	.TP	953	.TP
928	\fB\-\-icmptrace[=name\|pid]
929	Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
930	created with \-\-net are supported. This option is only available when running the sandbox as root.
931	.br
932
933	.br
934	Without a name/pid, Firejail will monitor the main system network namespace.
935	.br
936
937	.br
938	Example
939	.br
940	$ sudo firejail --icmptrace
941	.br
942	20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
943	.br
944	20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
945	.br
946	20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
947	.br
948	20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
949	.br
950	20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
951	.br
952
953	.TP
954	\fB\-\-\include=file.profile	954	\fB\-\-\include=file.profile
955	Include a profile file before the regular profiles are used.	955	Include a profile file before the regular profiles are used.
956	.br	956	.br
@@ -984,23 +984,6 @@ Example:
984	$ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox	984	$ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox
985		985
986	.TP	986	.TP
987	\fB\-\-ip=none
988	No IP address and no default gateway are configured for the last interface
989	defined by a \-\-net option. Use this option
990	in case you intend to start an external DHCP client in the sandbox.
991	.br
992
993	.br
994	Example:
995	.br
996	$ firejail \-\-net=eth0 \-\-\ip=none
997	.br
998
999	.br
1000	If the corresponding interface doesn't have an IP address configured, this
1001	option is enabled by default.
1002
1003	.TP
1004	\fB\-\-ip=dhcp	987	\fB\-\-ip=dhcp
1005	Acquire an IP address and default gateway for the last interface defined by a	988	Acquire an IP address and default gateway for the last interface defined by a
1006	\-\-net option, as well as set the DNS servers according to the DHCP response.	989	\-\-net option, as well as set the DNS servers according to the DHCP response.
@@ -1026,6 +1009,23 @@ a DHCP client and releasing the lease manually in conjunction with the
1026	\-\-net=none option.	1009	\-\-net=none option.
1027		1010
1028	.TP	1011	.TP
		1012	\fB\-\-ip=none
		1013	No IP address and no default gateway are configured for the last interface
		1014	defined by a \-\-net option. Use this option
		1015	in case you intend to start an external DHCP client in the sandbox.
		1016	.br
		1017
		1018	.br
		1019	Example:
		1020	.br
		1021	$ firejail \-\-net=eth0 \-\-\ip=none
		1022	.br
		1023
		1024	.br
		1025	If the corresponding interface doesn't have an IP address configured, this
		1026	option is enabled by default.
		1027
		1028	.TP
1029	\fB\-\-ip6=address	1029	\fB\-\-ip6=address
1030	Assign IPv6 addresses to the last network interface defined by a \-\-net option.	1030	Assign IPv6 addresses to the last network interface defined by a \-\-net option.
1031	.br	1031	.br
@@ -1324,6 +1324,21 @@ Example:
1324	$ firejail \-\-machine-id	1324	$ firejail \-\-machine-id
1325		1325
1326	.TP	1326	.TP
		1327	\fB\-\-memory-deny-write-execute
		1328	Install a seccomp filter to block attempts to create memory mappings
		1329	that are both writable and executable, to change mappings to be
		1330	executable, or to create executable shared memory. The filter examines
		1331	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
		1332	and shmat system calls and returns error EPERM to the process (or
		1333	kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
		1334	.br
		1335
		1336	.br
		1337	Note: shmat is not implemented
		1338	as a system call on some platforms including i386, and it cannot be
		1339	handled by seccomp-bpf.
		1340
		1341	.TP
1327	\fB\-\-mkdir=dirname	1342	\fB\-\-mkdir=dirname
1328	Create a directory in user home. Parent directories are created as needed.	1343	Create a directory in user home. Parent directories are created as needed.
1329	.br	1344	.br
@@ -1343,20 +1358,6 @@ Example:
1343	.br	1358	.br
1344	$ firejail --mkfile=~/work/project/readme	1359	$ firejail --mkfile=~/work/project/readme
1345		1360
1346	.TP
1347	\fB\-\-memory-deny-write-execute
1348	Install a seccomp filter to block attempts to create memory mappings
1349	that are both writable and executable, to change mappings to be
1350	executable, or to create executable shared memory. The filter examines
1351	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
1352	and shmat system calls and returns error EPERM to the process (or
1353	kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
1354	.br
1355
1356	.br
1357	Note: shmat is not implemented
1358	as a system call on some platforms including i386, and it cannot be
1359	handled by seccomp-bpf.
1360	#ifdef HAVE_NETWORK	1361	#ifdef HAVE_NETWORK
1361	.TP	1362	.TP
1362	\fB\-\-mtu=number	1363	\fB\-\-mtu=number
@@ -1792,15 +1793,6 @@ Example:
1792	.br	1793	.br
1793	$ firejail \-\-nodvd	1794	$ firejail \-\-nodvd
1794	.TP	1795	.TP
1795	\fB\-\-noinput
1796	Disable input devices.
1797	.br
1798
1799	.br
1800	Example:
1801	.br
1802	$ firejail \-\-noinput
1803	.TP
1804	\fB\-\-noexec=dirname_or_filename	1796	\fB\-\-noexec=dirname_or_filename
1805	Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.	1797	Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
1806	.br	1798	.br
@@ -1845,6 +1837,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
1845	$	1837	$
1846		1838
1847	.TP	1839	.TP
		1840	\fB\-\-noinput
		1841	Disable input devices.
		1842	.br
		1843
		1844	.br
		1845	Example:
		1846	.br
		1847	$ firejail \-\-noinput
		1848
		1849	.TP
1848	\fB\-\-nonewprivs	1850	\fB\-\-nonewprivs
1849	Sets the NO_NEW_PRIVS prctl. This ensures that child processes	1851	Sets the NO_NEW_PRIVS prctl. This ensures that child processes
1850	cannot acquire new privileges using execve(2); in particular,	1852	cannot acquire new privileges using execve(2); in particular,