diff options
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b0c12ee11..500850413 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1782,7 +1782,8 @@ system call groups are defined: @aio, @basic-io, @chown, @clock, | |||
1782 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, | 1782 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, |
1783 | @resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a | 1783 | @resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a |
1784 | system call can be specified by its number instead of name with prefix | 1784 | system call can be specified by its number instead of name with prefix |
1785 | $, so for example $165 would be equal to mount on i386. | 1785 | $, so for example $165 would be equal to mount on i386. Exceptions |
1786 | can be allowed with prefix !. | ||
1786 | 1787 | ||
1787 | .br | 1788 | .br |
1788 | System architecture is strictly imposed only if flag | 1789 | System architecture is strictly imposed only if flag |
@@ -1800,8 +1801,10 @@ Example: | |||
1800 | .br | 1801 | .br |
1801 | $ firejail \-\-seccomp | 1802 | $ firejail \-\-seccomp |
1802 | .TP | 1803 | .TP |
1803 | \fB\-\-seccomp=syscall,@group | 1804 | \fB\-\-seccomp=syscall,@group,!syscall2 |
1804 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. | 1805 | Enable seccomp filter, whitelist "syscall2", but blacklist the default |
1806 | list (@default) and the syscalls or syscall groups specified by the | ||
1807 | command. | ||
1805 | .br | 1808 | .br |
1806 | 1809 | ||
1807 | .br | 1810 | .br |
@@ -1865,8 +1868,9 @@ domain with personality(2) system call. | |||
1865 | .br | 1868 | .br |
1866 | 1869 | ||
1867 | .TP | 1870 | .TP |
1868 | \fB\-\-seccomp.drop=syscall,@group | 1871 | \fB\-\-seccomp.drop=syscall,@group,!syscall2 |
1869 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. | 1872 | Enable seccomp filter, whitelist "syscall2" but blacklist the |
1873 | syscalls or the syscall groups specified by the command. | ||
1870 | .br | 1874 | .br |
1871 | 1875 | ||
1872 | .br | 1876 | .br |
@@ -1901,10 +1905,11 @@ rm: cannot remove `testfile': Operation not permitted | |||
1901 | 1905 | ||
1902 | 1906 | ||
1903 | .TP | 1907 | .TP |
1904 | \fB\-\-seccomp.keep=syscall,syscall,syscall | 1908 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
1905 | Enable seccomp filter, and whitelist the syscalls specified by the | 1909 | Enable seccomp filter, blacklist "syscall2" but whitelist the |
1906 | command. The system calls needed by Firejail (group @default-keep: | 1910 | syscalls or the syscall groups specified by the command. The system |
1907 | prctl, execve) are handled with the preload library. | 1911 | calls needed by Firejail (group @default-keep: prctl, execve) are |
1912 | handled with the preload library. | ||
1908 | .br | 1913 | .br |
1909 | 1914 | ||
1910 | .br | 1915 | .br |