-rw-r--r-- | src/man/firejail.txt | 47 |
1 files changed, 27 insertions, 20 deletions
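--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2176,7 +2176,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is @default-nodebuggers unless allow-debuggers is specified,
+which is @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2187,18 +2187,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
-
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
+.br
 
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
+and AMD64 both 32-bit and 64-bit filters are installed.
 .br
 
 .br
@@ -2217,9 +2212,10 @@ also globally in /etc/firejail/firejail.config file.
 
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list and the syscalls or syscall groups specified by the
-command.
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
+specified by the command, but don't blacklist "syscall2". On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -2229,6 +2225,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2241,6 +2244,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2249,9 +2253,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
 .br
@@ -2264,7 +2272,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2276,8 +2284,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
-.br
+Operation not permitted
 
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2321,15 +2328,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
-
-
-
-
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".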