diff options
-rw-r--r-- | etc/firejail.config | 2 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/inc/whitelist-usr-share-common.inc | 2 | ||||
-rw-r--r-- | etc/profile-a-l/gtk-youtube-viewer | 18 | ||||
-rw-r--r-- | etc/profile-a-l/gtk2-youtube-viewer | 18 | ||||
-rw-r--r-- | etc/profile-a-l/gtk3-youtube-viewer | 18 | ||||
-rw-r--r-- | etc/profile-m-z/youtube-viewer.profile | 57 | ||||
-rwxr-xr-x | mkdeb.sh.in | 6 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/firejail/shutdown.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/fseccomp/main.c | 4 | ||||
-rw-r--r-- | src/include/seccomp.h | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 6 | ||||
-rw-r--r-- | src/man/firejail.txt | 12 |
19 files changed, 148 insertions, 15 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index b2a96612f..731e744dd 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -107,7 +107,7 @@ | |||
107 | # Enable or disable seccomp support, default enabled. | 107 | # Enable or disable seccomp support, default enabled. |
108 | # seccomp yes | 108 | # seccomp yes |
109 | 109 | ||
110 | # Seccomp error action, kill or errno (EPERM, ENOSYS etc) | 110 | # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) |
111 | # seccomp-error-action EPERM | 111 | # seccomp-error-action EPERM |
112 | 112 | ||
113 | # Enable or disable user namespace support, default enabled. | 113 | # Enable or disable user namespace support, default enabled. |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e911be93a..e5dd9cb59 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -396,6 +396,7 @@ blacklist ${HOME}/.config/yandex-browser | |||
396 | blacklist ${HOME}/.config/yandex-browser-beta | 396 | blacklist ${HOME}/.config/yandex-browser-beta |
397 | blacklist ${HOME}/.config/yelp | 397 | blacklist ${HOME}/.config/yelp |
398 | blacklist ${HOME}/.config/youtube-dl | 398 | blacklist ${HOME}/.config/youtube-dl |
399 | blacklist ${HOME}/.config/youtube-viewer | ||
399 | blacklist ${HOME}/.config/zathura | 400 | blacklist ${HOME}/.config/zathura |
400 | blacklist ${HOME}/.config/zoomus.conf | 401 | blacklist ${HOME}/.config/zoomus.conf |
401 | blacklist ${HOME}/.config/Zulip | 402 | blacklist ${HOME}/.config/Zulip |
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index c9c8bdedf..ceeb14dcc 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc | |||
@@ -41,6 +41,8 @@ whitelist /usr/share/misc | |||
41 | whitelist /usr/share/Modules | 41 | whitelist /usr/share/Modules |
42 | whitelist /usr/share/myspell | 42 | whitelist /usr/share/myspell |
43 | whitelist /usr/share/p11-kit | 43 | whitelist /usr/share/p11-kit |
44 | whitelist /usr/share/perl | ||
45 | whitelist /usr/share/perl5 | ||
44 | whitelist /usr/share/pixmaps | 46 | whitelist /usr/share/pixmaps |
45 | whitelist /usr/share/pki | 47 | whitelist /usr/share/pki |
46 | whitelist /usr/share/plasma | 48 | whitelist /usr/share/plasma |
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer new file mode 100644 index 000000000..023f10d3d --- /dev/null +++ b/etc/profile-a-l/gtk-youtube-viewer | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for gtk-youtube-viewer | ||
2 | # Description: Gtk front-end to youtube-viewer | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gtk-youtube-viewer.local | ||
6 | # Persistent global definitions | ||
7 | # include globals.local | ||
8 | |||
9 | ignore quiet | ||
10 | |||
11 | noblacklist /tmp/.X11-unix | ||
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | ||
14 | |||
15 | include whitelist-runuser-common.inc | ||
16 | |||
17 | # Redirect | ||
18 | include youtube-viewer.profile \ No newline at end of file | ||
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer new file mode 100644 index 000000000..331e73218 --- /dev/null +++ b/etc/profile-a-l/gtk2-youtube-viewer | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for gtk2-youtube-viewer | ||
2 | # Description: Gtk front-end to youtube-viewer | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gtk2-youtube-viewer.local | ||
6 | # Persistent global definitions | ||
7 | # include globals.local | ||
8 | |||
9 | ignore quiet | ||
10 | |||
11 | noblacklist /tmp/.X11-unix | ||
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | ||
14 | |||
15 | include whitelist-runuser-common.inc | ||
16 | |||
17 | # Redirect | ||
18 | include youtube-viewer.profile \ No newline at end of file | ||
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer new file mode 100644 index 000000000..4c5bde55f --- /dev/null +++ b/etc/profile-a-l/gtk3-youtube-viewer | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for gtk3-youtube-viewer | ||
2 | # Description: Gtk front-end to youtube-viewer | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gtk3-youtube-viewer.local | ||
6 | # Persistent global definitions | ||
7 | # include globals.local | ||
8 | |||
9 | ignore quiet | ||
10 | |||
11 | noblacklist /tmp/.X11-unix | ||
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | ||
14 | |||
15 | include whitelist-runuser-common.inc | ||
16 | |||
17 | # Redirect | ||
18 | include youtube-viewer.profile \ No newline at end of file | ||
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile new file mode 100644 index 000000000..513cb0f6e --- /dev/null +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for youtube-viewer | ||
2 | # Description: Trizen's CLI Youtube viewer with login support | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include youtube-viewer.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist /tmp/.X11-unix | ||
11 | blacklist ${RUNUSER}/wayland-* | ||
12 | blacklist ${RUNUSER} | ||
13 | |||
14 | noblacklist ${HOME}/.config/youtube-viewer | ||
15 | |||
16 | include allow-perl.inc | ||
17 | include allow-python2.inc | ||
18 | include allow-python3.inc | ||
19 | |||
20 | include disable-common.inc | ||
21 | include disable-devel.inc | ||
22 | include disable-exec.inc | ||
23 | include disable-interpreters.inc | ||
24 | include disable-passwdmgr.inc | ||
25 | include disable-programs.inc | ||
26 | include disable-xdg.inc | ||
27 | |||
28 | mkdir ${HOME}/.config/youtube-viewer | ||
29 | whitelist ${HOME}/.config/youtube-viewer | ||
30 | include whitelist-common.inc | ||
31 | include whitelist-usr-share-common.inc | ||
32 | include whitelist-var-common.inc | ||
33 | |||
34 | apparmor | ||
35 | caps.drop all | ||
36 | netfilter | ||
37 | nodvd | ||
38 | nogroups | ||
39 | nonewprivs | ||
40 | noroot | ||
41 | notv | ||
42 | nou2f | ||
43 | novideo | ||
44 | protocol unix,inet,inet6 | ||
45 | seccomp | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | disable-mnt | ||
50 | # private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer | ||
51 | private-cache | ||
52 | private-dev | ||
53 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user none | ||
57 | dbus-system none \ No newline at end of file | ||
diff --git a/mkdeb.sh.in b/mkdeb.sh.in index efb477920..a19dee620 100755 --- a/mkdeb.sh.in +++ b/mkdeb.sh.in | |||
@@ -52,12 +52,12 @@ echo "*****************************************" | |||
52 | mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian | 52 | mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian |
53 | gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian | 53 | gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian |
54 | rm $INSTALL_DIR/usr/share/doc/firejail/COPYING | 54 | rm $INSTALL_DIR/usr/share/doc/firejail/COPYING |
55 | install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/. | 55 | install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/. |
56 | mkdir -p $DEBIAN_CTRL_DIR | 56 | mkdir -p $DEBIAN_CTRL_DIR |
57 | sed "s/FIREJAILVER/$VERSION/g" platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control | 57 | sed "s/FIREJAILVER/$VERSION/g" $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control |
58 | 58 | ||
59 | mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/ | 59 | mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/ |
60 | install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail | 60 | install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail |
61 | 61 | ||
62 | find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles | 62 | find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles |
63 | chmod 644 $DEBIAN_CTRL_DIR/conffiles | 63 | chmod 644 $DEBIAN_CTRL_DIR/conffiles |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 05c5681d5..0574daae6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -327,6 +327,9 @@ gradio | |||
327 | gramps | 327 | gramps |
328 | gravity-beams-and-evaporating-stars | 328 | gravity-beams-and-evaporating-stars |
329 | gthumb | 329 | gthumb |
330 | gtk-youtube-viewer | ||
331 | gtk2-youtube-viewer | ||
332 | gtk3-youtube-viewer | ||
330 | guayadeque | 333 | guayadeque |
331 | gucharmap | 334 | gucharmap |
332 | gummi | 335 | gummi |
@@ -816,6 +819,7 @@ xviewer | |||
816 | yandex-browser | 819 | yandex-browser |
817 | yelp | 820 | yelp |
818 | youtube-dl | 821 | youtube-dl |
822 | youtube-viewer | ||
819 | zaproxy | 823 | zaproxy |
820 | zart | 824 | zart |
821 | zathura | 825 | zathura |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 5d6b4af66..f6b3b3252 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -229,6 +229,8 @@ int checkcfg(int val) { | |||
229 | #ifdef HAVE_SECCOMP | 229 | #ifdef HAVE_SECCOMP |
230 | if (strcmp(ptr + 21, "kill") == 0) | 230 | if (strcmp(ptr + 21, "kill") == 0) |
231 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL; | 231 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL; |
232 | else if (strcmp(ptr + 21, "log") == 0) | ||
233 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG; | ||
232 | else { | 234 | else { |
233 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21); | 235 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21); |
234 | if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1) | 236 | if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9c5a050b4..c98f80d13 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -186,7 +186,7 @@ typedef struct config_t { | |||
186 | char *seccomp_list_drop, *seccomp_list_drop32; // seccomp drop list | 186 | char *seccomp_list_drop, *seccomp_list_drop32; // seccomp drop list |
187 | char *seccomp_list_keep, *seccomp_list_keep32; // seccomp keep list | 187 | char *seccomp_list_keep, *seccomp_list_keep32; // seccomp keep list |
188 | char *protocol; // protocol list | 188 | char *protocol; // protocol list |
189 | char *seccomp_error_action; // error action: kill or errno | 189 | char *seccomp_error_action; // error action: kill, log or errno |
190 | 190 | ||
191 | // rlimits | 191 | // rlimits |
192 | long long unsigned rlimit_cpu; | 192 | long long unsigned rlimit_cpu; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index f37d1ca52..b9cb43444 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1441,6 +1441,8 @@ int main(int argc, char **argv, char **envp) { | |||
1441 | if (config_seccomp_error_action == -1) { | 1441 | if (config_seccomp_error_action == -1) { |
1442 | if (strcmp(argv[i] + 23, "kill") == 0) | 1442 | if (strcmp(argv[i] + 23, "kill") == 0) |
1443 | arg_seccomp_error_action = SECCOMP_RET_KILL; | 1443 | arg_seccomp_error_action = SECCOMP_RET_KILL; |
1444 | else if (strcmp(argv[i] + 23, "log") == 0) | ||
1445 | arg_seccomp_error_action = SECCOMP_RET_LOG; | ||
1444 | else { | 1446 | else { |
1445 | arg_seccomp_error_action = errno_find_name(argv[i] + 23); | 1447 | arg_seccomp_error_action = errno_find_name(argv[i] + 23); |
1446 | if (arg_seccomp_error_action == -1) | 1448 | if (arg_seccomp_error_action == -1) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 70acd8a2a..970033899 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -991,6 +991,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
991 | if (config_seccomp_error_action == -1) { | 991 | if (config_seccomp_error_action == -1) { |
992 | if (strcmp(ptr + 21, "kill") == 0) | 992 | if (strcmp(ptr + 21, "kill") == 0) |
993 | arg_seccomp_error_action = SECCOMP_RET_KILL; | 993 | arg_seccomp_error_action = SECCOMP_RET_KILL; |
994 | else if (strcmp(ptr + 21, "log") == 0) | ||
995 | arg_seccomp_error_action = SECCOMP_RET_LOG; | ||
994 | else { | 996 | else { |
995 | arg_seccomp_error_action = errno_find_name(ptr + 21); | 997 | arg_seccomp_error_action = errno_find_name(ptr + 21); |
996 | if (arg_seccomp_error_action == -1) | 998 | if (arg_seccomp_error_action == -1) |
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index a7d0b2fbe..7e9628007 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -63,7 +63,9 @@ void shut(pid_t pid) { | |||
63 | sleep(1); | 63 | sleep(1); |
64 | monsec--; | 64 | monsec--; |
65 | 65 | ||
66 | EUID_ROOT(); | ||
66 | FILE *fp = fopen(monfile, "r"); | 67 | FILE *fp = fopen(monfile, "r"); |
68 | EUID_USER(); | ||
67 | if (!fp) { | 69 | if (!fp) { |
68 | killdone = 1; | 70 | killdone = 1; |
69 | break; | 71 | break; |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 4ab464289..73c9a6a8b 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -224,7 +224,8 @@ static char *usage_str = | |||
224 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 224 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
225 | "\tidentified by name or PID.\n" | 225 | "\tidentified by name or PID.\n" |
226 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" | 226 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" |
227 | " --seccomp-error-action=errno|kill - change error code or kill process.\n" | 227 | " --seccomp-error-action=errno|kill|log - change error code, kill process\n" |
228 | "\tor log the attempt.\n" | ||
228 | #endif | 229 | #endif |
229 | " --shell=none - run the program directly without a user shell.\n" | 230 | " --shell=none - run the program directly without a user shell.\n" |
230 | " --shell=program - set default user shell.\n" | 231 | " --shell=program - set default user shell.\n" |
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 892a88e25..3b3c92b46 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -20,7 +20,7 @@ | |||
20 | #include "fseccomp.h" | 20 | #include "fseccomp.h" |
21 | #include "../include/seccomp.h" | 21 | #include "../include/seccomp.h" |
22 | int arg_quiet = 0; | 22 | int arg_quiet = 0; |
23 | int arg_seccomp_error_action = EPERM; // error action: errno or kill | 23 | int arg_seccomp_error_action = EPERM; // error action: errno, log or kill |
24 | 24 | ||
25 | static void usage(void) { | 25 | static void usage(void) { |
26 | printf("Usage:\n"); | 26 | printf("Usage:\n"); |
@@ -73,6 +73,8 @@ printf("\n"); | |||
73 | if (error_action) { | 73 | if (error_action) { |
74 | if (strcmp(error_action, "kill") == 0) | 74 | if (strcmp(error_action, "kill") == 0) |
75 | arg_seccomp_error_action = SECCOMP_RET_KILL; | 75 | arg_seccomp_error_action = SECCOMP_RET_KILL; |
76 | else if (strcmp(error_action, "log") == 0) | ||
77 | arg_seccomp_error_action = SECCOMP_RET_LOG; | ||
76 | else { | 78 | else { |
77 | arg_seccomp_error_action = errno_find_name(error_action); | 79 | arg_seccomp_error_action = errno_find_name(error_action); |
78 | if (arg_seccomp_error_action == -1) | 80 | if (arg_seccomp_error_action == -1) |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 50920ce3a..29b858c70 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -274,7 +274,7 @@ struct seccomp_data { | |||
274 | #define RETURN_ERRNO(nr) \ | 274 | #define RETURN_ERRNO(nr) \ |
275 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) | 275 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) |
276 | 276 | ||
277 | extern int arg_seccomp_error_action; // error action: errno or kill | 277 | extern int arg_seccomp_error_action; // error action: errno, log or kill |
278 | #define KILL_OR_RETURN_ERRNO \ | 278 | #define KILL_OR_RETURN_ERRNO \ |
279 | BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action) | 279 | BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action) |
280 | 280 | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7b5653942..0784e7fd7 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list. | |||
433 | \fBseccomp.32.keep syscall,syscall,syscall | 433 | \fBseccomp.32.keep syscall,syscall,syscall |
434 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 434 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
435 | .TP | 435 | .TP |
436 | \fBseccomp-error-action kill | ERRNO | 436 | \fBseccomp-error-action kill | log | ERRNO |
437 | Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call. | 437 | Return a different error instead of EPERM to the process, kill it when |
438 | an attempt is made to call a blocked system call, or allow but log the | ||
439 | attempt. | ||
438 | .TP | 440 | .TP |
439 | \fBx11 | 441 | \fBx11 |
440 | Enable X11 sandboxing. | 442 | Enable X11 sandboxing. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 69cd4a7bc..e216531ae 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1059,7 +1059,7 @@ that are both writable and executable, to change mappings to be | |||
1059 | executable, or to create executable shared memory. The filter examines | 1059 | executable, or to create executable shared memory. The filter examines |
1060 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | 1060 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create |
1061 | and shmat system calls and returns error EPERM to the process (or | 1061 | and shmat system calls and returns error EPERM to the process (or |
1062 | kills it, see \-\-seccomp-error-action below) if necessary. | 1062 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. |
1063 | .br | 1063 | .br |
1064 | 1064 | ||
1065 | .br | 1065 | .br |
@@ -2122,8 +2122,8 @@ Instead of dropping the syscall by returning EPERM, another error | |||
2122 | number can be returned using \fBsyscall:errno\fR syntax. This can be | 2122 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
2123 | also changed globally with \-\-seccomp-error-action or | 2123 | also changed globally with \-\-seccomp-error-action or |
2124 | in /etc/firejail/firejail.config file. The process can also be killed | 2124 | in /etc/firejail/firejail.config file. The process can also be killed |
2125 | by using \fBsyscall:kill\fR syntax. | 2125 | by using \fBsyscall:kill\fR syntax, or the attempt may be logged with |
2126 | 2126 | \fBsyscall:log\fR. | |
2127 | .br | 2127 | .br |
2128 | 2128 | ||
2129 | .br | 2129 | .br |
@@ -2193,7 +2193,8 @@ Instead of dropping the syscall by returning EPERM, another error | |||
2193 | number can be returned using \fBsyscall:errno\fR syntax. This can be | 2193 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
2194 | also changed globally with \-\-seccomp-error-action or | 2194 | also changed globally with \-\-seccomp-error-action or |
2195 | in /etc/firejail/firejail.config file. The process can also be killed | 2195 | in /etc/firejail/firejail.config file. The process can also be killed |
2196 | by using \fBsyscall:kill\fR syntax. | 2196 | by using \fBsyscall:kill\fR syntax, or the attempt may be logged with |
2197 | \fBsyscall:log\fR. | ||
2197 | .br | 2198 | .br |
2198 | 2199 | ||
2199 | .br | 2200 | .br |
@@ -2402,7 +2403,8 @@ By default, if a seccomp filter blocks a system call, the process gets | |||
2402 | EPERM as the error. With \-\-seccomp-error-action=error, another error | 2403 | EPERM as the error. With \-\-seccomp-error-action=error, another error |
2403 | number can be returned, for example ENOSYS or EACCES. The process can | 2404 | number can be returned, for example ENOSYS or EACCES. The process can |
2404 | also be killed (like in versions <0.9.63 of Firejail) by using | 2405 | also be killed (like in versions <0.9.63 of Firejail) by using |
2405 | \-\-seccomp-error-action=kill syntax. Not killing the process weakens | 2406 | \-\-seccomp-error-action=kill syntax, or the attempt may be logged |
2407 | with \-\-seccomp-error-action=log. Not killing the process weakens | ||
2406 | Firejail slightly when trying to contain intrusion, but it may also | 2408 | Firejail slightly when trying to contain intrusion, but it may also |
2407 | allow tighter filters if the only alternative is to allow a system | 2409 | allow tighter filters if the only alternative is to allow a system |
2408 | call. | 2410 | call. |