1 files changed, 27 insertions, 6 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1bed40015..02c1d27b2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -814,8 +814,9 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
-shmat system calls and kills the process if necessary.
+and shmat system calls and returns error EPERM to the process (or
+kills it, see \-\-seccomp-error-action below) if necessary.
 .br
 .br
@@ -1865,8 +1866,12 @@ $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
 .br
-Instead of dropping the syscall, a specific error number can be returned
+Instead of dropping the syscall by returning EPERM, another error
-using \fBsyscall:errorno\fR syntax.
+number can be returned using \fBsyscall:errno\fR syntax. This can be
+also changed globally with \-\-seccomp-error-action or
+in /etc/firejail/firejail.config file.  The process can also be killed
+by using \fBsyscall:kill\fR syntax.
 .br
 .br
@@ -1932,8 +1937,11 @@ $ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock
 .br
 .br
-Instead of dropping the syscall, a specific error number can be returned
+Instead of dropping the syscall by returning EPERM, another error
-using \fBsyscall:errorno\fR syntax.
+number can be returned using \fBsyscall:errno\fR syntax. This can be
+also changed globally with \-\-seccomp-error-action or
+in /etc/firejail/firejail.config file.  The process can also be killed
+by using \fBsyscall:kill\fR syntax.
 .br
 .br
@@ -2135,6 +2143,19 @@ $ firejail --seccomp.print=browser
 0049: 06 00 01 00000000   ret KILL
 .br
 $
+.TP
+\fB\-\-seccomp-error-action= kill | ERRNO
+By default, if a seccomp filter blocks a system call, the process gets
+EPERM as the error. With \-\-seccomp-error-action=error, another error
+number can be returned, for example ENOSYS or EACCES. The process can
+also be killed (like in versions <0.9.63 of Firejail) by using
+\-\-seccomp-error-action=kill syntax. Not killing the process weakens
+Firejail slightly when trying to contain intrusion, but it may also
+allow tighter filters if the only alternative is to allow a system
+call.
+.br
 .TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 1bed40015..02c1d27b2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -814,8 +814,9 @@ $ firejail \-\-machine-id
814	Install a seccomp filter to block attempts to create memory mappings	814	Install a seccomp filter to block attempts to create memory mappings
815	that are both writable and executable, to change mappings to be	815	that are both writable and executable, to change mappings to be
816	executable, or to create executable shared memory. The filter examines	816	executable, or to create executable shared memory. The filter examines
817	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and	817	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
818	shmat system calls and kills the process if necessary.	818	and shmat system calls and returns error EPERM to the process (or
		819	kills it, see \-\-seccomp-error-action below) if necessary.
819	.br	820	.br
820		821
821	.br	822	.br
@@ -1865,8 +1866,12 @@ $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
1865	.br	1866	.br
1866		1867
1867	.br	1868	.br
1868	Instead of dropping the syscall, a specific error number can be returned	1869	Instead of dropping the syscall by returning EPERM, another error
1869	using \fBsyscall:errorno\fR syntax.	1870	number can be returned using \fBsyscall:errno\fR syntax. This can be
		1871	also changed globally with \-\-seccomp-error-action or
		1872	in /etc/firejail/firejail.config file. The process can also be killed
		1873	by using \fBsyscall:kill\fR syntax.
		1874
1870	.br	1875	.br
1871		1876
1872	.br	1877	.br
@@ -1932,8 +1937,11 @@ $ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock
1932	.br	1937	.br
1933		1938
1934	.br	1939	.br
1935	Instead of dropping the syscall, a specific error number can be returned	1940	Instead of dropping the syscall by returning EPERM, another error
1936	using \fBsyscall:errorno\fR syntax.	1941	number can be returned using \fBsyscall:errno\fR syntax. This can be
		1942	also changed globally with \-\-seccomp-error-action or
		1943	in /etc/firejail/firejail.config file. The process can also be killed
		1944	by using \fBsyscall:kill\fR syntax.
1937	.br	1945	.br
1938		1946
1939	.br	1947	.br
@@ -2135,6 +2143,19 @@ $ firejail --seccomp.print=browser
2135	0049: 06 00 01 00000000 ret KILL	2143	0049: 06 00 01 00000000 ret KILL
2136	.br	2144	.br
2137	$	2145	$
		2146
		2147	.TP
		2148	\fB\-\-seccomp-error-action= kill \| ERRNO
		2149	By default, if a seccomp filter blocks a system call, the process gets
		2150	EPERM as the error. With \-\-seccomp-error-action=error, another error
		2151	number can be returned, for example ENOSYS or EACCES. The process can
		2152	also be killed (like in versions <0.9.63 of Firejail) by using
		2153	\-\-seccomp-error-action=kill syntax. Not killing the process weakens
		2154	Firejail slightly when trying to contain intrusion, but it may also
		2155	allow tighter filters if the only alternative is to allow a system
		2156	call.
		2157	.br
		2158
2138	.TP	2159	.TP
2139	\fB\-\-shell=none	2160	\fB\-\-shell=none
2140	Run the program directly, without a user shell.	2161	Run the program directly, without a user shell.