diff options
Diffstat (limited to 'src/man/firejail.txt')
| -rw-r--r-- | src/man/firejail.txt | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2c8dca09a..be73429bc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1578,6 +1578,32 @@ $ rm testfile | |||
| 1578 | rm: cannot remove `testfile': Operation not permitted | 1578 | rm: cannot remove `testfile': Operation not permitted |
| 1579 | .br | 1579 | .br |
| 1580 | 1580 | ||
| 1581 | .br | ||
| 1582 | If the blocked system calls would also block Firejail from operating, | ||
| 1583 | they are handled by adding a preloaded library which performs seccomp | ||
| 1584 | system calls later. | ||
| 1585 | .br | ||
| 1586 | |||
| 1587 | .br | ||
| 1588 | Example: | ||
| 1589 | .br | ||
| 1590 | |||
| 1591 | .br | ||
| 1592 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash | ||
| 1593 | .br | ||
| 1594 | Parent pid 32751, child pid 32752 | ||
| 1595 | .br | ||
| 1596 | Post-exec seccomp protector enabled | ||
| 1597 | .br | ||
| 1598 | list in: execve, check list: @default-keep prelist: (null), postlist: execve | ||
| 1599 | .br | ||
| 1600 | Child process initialized in 46.44 ms | ||
| 1601 | .br | ||
| 1602 | $ ls | ||
| 1603 | .br | ||
| 1604 | Bad system call | ||
| 1605 | .br | ||
| 1606 | |||
| 1581 | .TP | 1607 | .TP |
| 1582 | \fB\-\-seccomp.drop=syscall,syscall,syscall | 1608 | \fB\-\-seccomp.drop=syscall,syscall,syscall |
| 1583 | Enable seccomp filter, and blacklist the syscalls specified by the command. | 1609 | Enable seccomp filter, and blacklist the syscalls specified by the command. |