1 files changed, 19 insertions, 5 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 46da19ecd..f85e10171 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -1,4 +1,4 @@
-.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
+.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
 .SH NAME
 profile \- Profile file syntax for Firejail
@@ -15,8 +15,19 @@ directory and ~/.config/firejail directory.
 Include and comment support:
 .TP
-\f\include other.profile
+\f\include other.profile exclude-token
-Include other.profile file.
+Include other.profile file. exclued-token disables blacklist commands in other.profile
+if exclude-token word is found in the name section of blacklist command.
+exclude-tyoken is optional.
+Example: "include /etc/firejail/disable-common.inc .filezilla"
+loads disable-common.inc file disables "blacklist ${HOME}/.filezilla" command in this file.
+other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the
+file in user home directory.
+Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 .TP
 # this is a comment
@@ -81,14 +92,17 @@ Enable default Linux capabilities filter.
 caps.drop all
 Blacklist all Linux capabilities.
 .TP
-caps.drop capability,capability,capability
+caps.keep capability,capability,capability
 Blacklist Linux capabilities filter.
 .TP
 caps.drop capability,capability,capability
 Whitelist Linux capabilities filter.
 .TP
 \f\seccomp
-Enable default seccomp filter.
+Enable default seccomp filter.  The default list is as follows:
+mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
+iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \f\seccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 46da19ecd..f85e10171 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -1,4 +1,4 @@
1	.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page"	1	.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
2	.SH NAME	2	.SH NAME
3	profile \- Profile file syntax for Firejail	3	profile \- Profile file syntax for Firejail
4		4
@@ -15,8 +15,19 @@ directory and ~/.config/firejail directory.
15	Include and comment support:	15	Include and comment support:
16		16
17	.TP	17	.TP
18	\f\include other.profile	18	\f\include other.profile exclude-token
19	Include other.profile file.	19	Include other.profile file. exclued-token disables blacklist commands in other.profile
		20	if exclude-token word is found in the name section of blacklist command.
		21	exclude-tyoken is optional.
		22
		23	Example: "include /etc/firejail/disable-common.inc .filezilla"
		24	loads disable-common.inc file disables "blacklist ${HOME}/.filezilla" command in this file.
		25
		26	other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the
		27	file in user home directory.
		28
		29	Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
		30
20	.TP	31	.TP
21	# this is a comment	32	# this is a comment
22		33
@@ -81,14 +92,17 @@ Enable default Linux capabilities filter.
81	caps.drop all	92	caps.drop all
82	Blacklist all Linux capabilities.	93	Blacklist all Linux capabilities.
83	.TP	94	.TP
84	caps.drop capability,capability,capability	95	caps.keep capability,capability,capability
85	Blacklist Linux capabilities filter.	96	Blacklist Linux capabilities filter.
86	.TP	97	.TP
87	caps.drop capability,capability,capability	98	caps.drop capability,capability,capability
88	Whitelist Linux capabilities filter.	99	Whitelist Linux capabilities filter.
89	.TP	100	.TP
90	\f\seccomp	101	\f\seccomp
91	Enable default seccomp filter.	102	Enable default seccomp filter. The default list is as follows:
		103	mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
		104	iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
		105	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
92	.TP	106	.TP
93	\f\seccomp syscall,syscall,syscall	107	\f\seccomp syscall,syscall,syscall
94	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.	108	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.