Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2c8dca09a..be73429bc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1578,6 +1578,32 @@ $ rm testfile | |||
1578 | rm: cannot remove `testfile': Operation not permitted | 1578 | rm: cannot remove `testfile': Operation not permitted |
1579 | .br | 1579 | .br |
1580 | 1580 | ||
1581 | .br | ||
1582 | If the blocked system calls would also block Firejail from operating, | ||
1583 | they are handled by adding a preloaded library which performs seccomp | ||
1584 | system calls later. | ||
1585 | .br | ||
1586 | |||
1587 | .br | ||
1588 | Example: | ||
1589 | .br | ||
1590 | |||
1591 | .br | ||
1592 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash | ||
1593 | .br | ||
1594 | Parent pid 32751, child pid 32752 | ||
1595 | .br | ||
1596 | Post-exec seccomp protector enabled | ||
1597 | .br | ||
1598 | list in: execve, check list: @default-keep prelist: (null), postlist: execve | ||
1599 | .br | ||
1600 | Child process initialized in 46.44 ms | ||
1601 | .br | ||
1602 | $ ls | ||
1603 | .br | ||
1604 | Bad system call | ||
1605 | .br | ||
1606 | |||
1581 | .TP | 1607 | .TP |
1582 | \fB\-\-seccomp.drop=syscall,syscall,syscall | 1608 | \fB\-\-seccomp.drop=syscall,syscall,syscall |
1583 | Enable seccomp filter, and blacklist the syscalls specified by the command. | 1609 | Enable seccomp filter, and blacklist the syscalls specified by the command. |
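Review bot: The added paragraph (new lines 1582-1584) says the preloaded library "performs seccomp system calls later" but never says when "later" is, so a reader cannot tell how much of the sandboxed program runs before the listed syscalls are blocked. Suggest stating the point at which the filter is installed, and what happens for a program that does not load the preloaded library, since the text gives no hint whether such a program runs unfiltered or is refused. In the example, the line "list in: execve, check list: @default-keep prelist: (null), postlist: execve" reads like internal diagnostic output; if it stays in the man page, a sentence explaining "prelist" and "postlist" would help, otherwise trim it so the example does not go stale when the message format changes. It would also help to add one sentence after "Bad system call" explaining that `ls` fails because bash has to call execve to start it, and to say why \-\-shell=none is needed here.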