Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 69cd4a7bc..e216531ae 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1059,7 +1059,7 @@ that are both writable and executable, to change mappings to be | |||
1059 | executable, or to create executable shared memory. The filter examines | 1059 | executable, or to create executable shared memory. The filter examines |
1060 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | 1060 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create |
1061 | and shmat system calls and returns error EPERM to the process (or | 1061 | and shmat system calls and returns error EPERM to the process (or |
1062 | kills it, see \-\-seccomp-error-action below) if necessary. | 1062 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. |
1063 | .br | 1063 | .br |
1064 | 1064 | ||
1065 | .br | 1065 | .br |
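Review bot: Grammar in new line 1062: "kills it or log the attempt" mixes verb forms inside the parenthesis whose subject is "the filter". Suggest "(or kills it, or logs the attempt, see \-\-seccomp-error-action below)" so that both alternatives agree with "returns".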
@@ -2122,8 +2122,8 @@ Instead of dropping the syscall by returning EPERM, another error | |||
2122 | number can be returned using \fBsyscall:errno\fR syntax. This can be | 2122 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
2123 | also changed globally with \-\-seccomp-error-action or | 2123 | also changed globally with \-\-seccomp-error-action or |
2124 | in /etc/firejail/firejail.config file. The process can also be killed | 2124 | in /etc/firejail/firejail.config file. The process can also be killed |
2125 | by using \fBsyscall:kill\fR syntax. | 2125 | by using \fBsyscall:kill\fR syntax, or the attempt may be logged with |
2126 | 2126 | \fBsyscall:log\fR. | |
2127 | .br | 2127 | .br |
2128 | 2128 | ||
2129 | .br | 2129 | .br |
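Review bot: Missing documentation in new lines 2125-2126: the sentence says the attempt "may be logged with \fBsyscall:log\fR" but not whether the logged system call is then carried out or still refused. The paragraph opens with "Instead of dropping the syscall by returning EPERM", so a reader will assume every alternative listed still stops the call. State the outcome explicitly next to \fBsyscall:log\fR, since it decides whether this is an enforcement setting or an audit-only one.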
@@ -2193,7 +2193,8 @@ Instead of dropping the syscall by returning EPERM, another error | |||
2193 | number can be returned using \fBsyscall:errno\fR syntax. This can be | 2193 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
2194 | also changed globally with \-\-seccomp-error-action or | 2194 | also changed globally with \-\-seccomp-error-action or |
2195 | in /etc/firejail/firejail.config file. The process can also be killed | 2195 | in /etc/firejail/firejail.config file. The process can also be killed |
2196 | by using \fBsyscall:kill\fR syntax. | 2196 | by using \fBsyscall:kill\fR syntax, or the attempt may be logged with |
2197 | \fBsyscall:log\fR. | ||
2197 | .br | 2198 | .br |
2198 | 2199 | ||
2199 | .br | 2200 | .br |
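Review bot: Missing documentation in new lines 2196-2197: nothing says where the logged attempt is recorded, so a user who sets \fBsyscall:log\fR has no pointer to where the entries can be read. Name the destination here. The wording is identical to the paragraph changed at 2125-2126, so any addition should be applied to both copies.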
@@ -2402,7 +2403,8 @@ By default, if a seccomp filter blocks a system call, the process gets | |||
2402 | EPERM as the error. With \-\-seccomp-error-action=error, another error | 2403 | EPERM as the error. With \-\-seccomp-error-action=error, another error |
2403 | number can be returned, for example ENOSYS or EACCES. The process can | 2404 | number can be returned, for example ENOSYS or EACCES. The process can |
2404 | also be killed (like in versions <0.9.63 of Firejail) by using | 2405 | also be killed (like in versions <0.9.63 of Firejail) by using |
2405 | \-\-seccomp-error-action=kill syntax. Not killing the process weakens | 2406 | \-\-seccomp-error-action=kill syntax, or the attempt may be logged |
2407 | with \-\-seccomp-error-action=log. Not killing the process weakens | ||
2406 | Firejail slightly when trying to contain intrusion, but it may also | 2408 | Firejail slightly when trying to contain intrusion, but it may also |
2407 | allow tighter filters if the only alternative is to allow a system | 2409 | allow tighter filters if the only alternative is to allow a system |
2408 | call. | 2410 | call. |
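Review bot: The trade-off sentence at new line 2407, "Not killing the process weakens Firejail slightly when trying to contain intrusion", now directly follows the new \-\-seccomp-error-action=log option but still only contrasts killing with not killing. It reads as if log carries the same "slight" weakening as returning an error number. Add a clause saying how log compares to the error and kill actions for containment, or move the log sentence after the trade-off sentence and give it its own caveat.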