diff options
Diffstat (limited to 'src/man/firejail.txt')
| -rw-r--r-- | src/man/firejail.txt | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b0c12ee11..500850413 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1782,7 +1782,8 @@ system call groups are defined: @aio, @basic-io, @chown, @clock, | |||
| 1782 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, | 1782 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, |
| 1783 | @resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a | 1783 | @resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a |
| 1784 | system call can be specified by its number instead of name with prefix | 1784 | system call can be specified by its number instead of name with prefix |
| 1785 | $, so for example $165 would be equal to mount on i386. | 1785 | $, so for example $165 would be equal to mount on i386. Exceptions |
| 1786 | can be allowed with prefix !. | ||
| 1786 | 1787 | ||
| 1787 | .br | 1788 | .br |
| 1788 | System architecture is strictly imposed only if flag | 1789 | System architecture is strictly imposed only if flag |
| @@ -1800,8 +1801,10 @@ Example: | |||
| 1800 | .br | 1801 | .br |
| 1801 | $ firejail \-\-seccomp | 1802 | $ firejail \-\-seccomp |
| 1802 | .TP | 1803 | .TP |
| 1803 | \fB\-\-seccomp=syscall,@group | 1804 | \fB\-\-seccomp=syscall,@group,!syscall2 |
| 1804 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. | 1805 | Enable seccomp filter, whitelist "syscall2", but blacklist the default |
| 1806 | list (@default) and the syscalls or syscall groups specified by the | ||
| 1807 | command. | ||
| 1805 | .br | 1808 | .br |
| 1806 | 1809 | ||
| 1807 | .br | 1810 | .br |
| @@ -1865,8 +1868,9 @@ domain with personality(2) system call. | |||
| 1865 | .br | 1868 | .br |
| 1866 | 1869 | ||
| 1867 | .TP | 1870 | .TP |
| 1868 | \fB\-\-seccomp.drop=syscall,@group | 1871 | \fB\-\-seccomp.drop=syscall,@group,!syscall2 |
| 1869 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. | 1872 | Enable seccomp filter, whitelist "syscall2" but blacklist the |
| 1873 | syscalls or the syscall groups specified by the command. | ||
| 1870 | .br | 1874 | .br |
| 1871 | 1875 | ||
| 1872 | .br | 1876 | .br |
| @@ -1901,10 +1905,11 @@ rm: cannot remove `testfile': Operation not permitted | |||
| 1901 | 1905 | ||
| 1902 | 1906 | ||
| 1903 | .TP | 1907 | .TP |
| 1904 | \fB\-\-seccomp.keep=syscall,syscall,syscall | 1908 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
| 1905 | Enable seccomp filter, and whitelist the syscalls specified by the | 1909 | Enable seccomp filter, blacklist "syscall2" but whitelist the |
| 1906 | command. The system calls needed by Firejail (group @default-keep: | 1910 | syscalls or the syscall groups specified by the command. The system |
| 1907 | prctl, execve) are handled with the preload library. | 1911 | calls needed by Firejail (group @default-keep: prctl, execve) are |
| 1912 | handled with the preload library. | ||
| 1908 | .br | 1913 | .br |
| 1909 | 1914 | ||
| 1910 | .br | 1915 | .br |