Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 926e9b2cc..13dcf09ee 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -35,7 +35,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree} | |||
35 | Miscellaneous: | 35 | Miscellaneous: |
36 | .PP | 36 | .PP |
37 | .RS | 37 | .RS |
38 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version} | 38 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version} |
39 | .RE | 39 | .RE |
40 | .SH DESCRIPTION | 40 | .SH DESCRIPTION |
41 | Firejail is a SUID sandbox program that reduces the risk of security breaches by | 41 | Firejail is a SUID sandbox program that reduces the risk of security breaches by |
@@ -386,6 +386,10 @@ Example: | |||
386 | .br | 386 | .br |
387 | $ firejail \-\-debug-syscalls | 387 | $ firejail \-\-debug-syscalls |
388 | .TP | 388 | .TP |
389 | \fB\-\-debug-syscalls32 | ||
390 | Print all recognized 32 bit system calls in the current Firejail software build and exit. | ||
391 | .br | ||
392 | .TP | ||
389 | \fB\-\-debug-whitelists\fR | 393 | \fB\-\-debug-whitelists\fR |
390 | Debug whitelisting. | 394 | Debug whitelisting. |
391 | .br | 395 | .br |
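Review bot: The new `\fB\-\-debug-syscalls32` line at 389 never closes the bold run with `\fR`, unlike the neighbouring `\fB\-\-debug-whitelists\fR`, and the entry ends on a bare `.br` followed directly by `.TP`. The \-\-debug-syscalls entry just above ends with an Example and `$ firejail \-\-debug-syscalls`; suggest adding `\fR` and a matching Example line `$ firejail \-\-debug-syscalls32` so the two entries read the same way.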
@@ -1832,7 +1836,9 @@ Exceptions can be allowed with prefix !. | |||
1832 | System architecture is strictly imposed only if flag | 1836 | System architecture is strictly imposed only if flag |
1833 | \-\-seccomp.block-secondary is used. The filter is applied at run time | 1837 | \-\-seccomp.block-secondary is used. The filter is applied at run time |
1834 | only if the correct architecture was detected. For the case of I386 | 1838 | only if the correct architecture was detected. For the case of I386 |
1835 | and AMD64 both 32-bit and 64-bit filters are installed. | 1839 | and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit |
1840 | architecture, an additional filter for 32 bit system calls can be | ||
1841 | installed with \-\-seccomp.32. | ||
1836 | .br | 1842 | .br |
1837 | 1843 | ||
1838 | .br | 1844 | .br |
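Review bot: The sentence added at 1839-1841 comes right after "both 32-bit and 64-bit filters are installed" and then offers an "additional filter for 32 bit system calls", so a reader cannot tell how the \-\-seccomp.32 filter differs from the 32-bit filter already described as installed by default. Please state what the default 32-bit filter covers and what \-\-seccomp.32 adds on top of it. This file's diff also adds no `.TP` entry for \-\-seccomp.32, so the option is only ever mentioned in passing; a dedicated entry would make it discoverable. Minor: "64 bit" and "32 bit" should follow the hyphenated "32-bit and 64-bit" used in the unchanged text of the same sentence.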
@@ -1881,7 +1887,8 @@ rm: cannot remove `testfile': Operation not permitted | |||
1881 | .br | 1887 | .br |
1882 | If the blocked system calls would also block Firejail from operating, | 1888 | If the blocked system calls would also block Firejail from operating, |
1883 | they are handled by adding a preloaded library which performs seccomp | 1889 | they are handled by adding a preloaded library which performs seccomp |
1884 | system calls later. | 1890 | system calls later. However, this is incompatible with 32 bit seccomp |
1891 | filters. | ||
1885 | .br | 1892 | .br |
1886 | 1893 | ||
1887 | .br | 1894 | .br |
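Review bot: "However, this is incompatible with 32 bit seccomp filters" at 1890-1891 names the limitation but not its outcome, and "this" could refer to either the preloaded library or the deferred blocking. For a sandbox option the user needs to know what happens when a 32 bit filter lists system calls that Firejail itself needs: say explicitly whether the command is rejected or how those calls are treated, so nobody assumes a call is blocked when the man page leaves it open.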
@@ -1912,7 +1919,10 @@ domain with personality(2) system call. | |||
1912 | 1919 | ||
1913 | .TP | 1920 | .TP |
1914 | \fB\-\-seccomp.drop=syscall,@group | 1921 | \fB\-\-seccomp.drop=syscall,@group |
1915 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. | 1922 | Enable seccomp filter, and blacklist the syscalls or the syscall |
1923 | groups specified by the command. On a 64 bit architecture, an | ||
1924 | additional filter for 32 bit system calls can be installed with | ||
1925 | \-\-seccomp.32.drop. | ||
1916 | .br | 1926 | .br |
1917 | 1927 | ||
1918 | .br | 1928 | .br |
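Review bot: The text added at 1922-1925 points to \-\-seccomp.32.drop without giving its argument form or saying where valid names come from. Suggest showing it as `\-\-seccomp.32.drop=syscall,@group` if it takes the same syntax as \-\-seccomp.drop, and cross-referencing \-\-debug-syscalls32, which this same commit documents as the list of recognized 32 bit system calls. It would also help to say whether the list given to \-\-seccomp.drop has any effect on 32 bit calls when \-\-seccomp.32.drop is not used.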
@@ -1950,7 +1960,9 @@ rm: cannot remove `testfile': Operation not permitted | |||
1950 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 | 1960 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
1951 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". | 1961 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". |
1952 | The system calls needed by Firejail (group @default-keep: prctl, execve) | 1962 | The system calls needed by Firejail (group @default-keep: prctl, execve) |
1953 | are handled with the preload library. | 1963 | are handled with the preload library. On a 64 bit architecture, an |
1964 | additional filter for 32 bit system calls can be installed with | ||
1965 | \-\-seccomp.32.keep. | ||
1954 | .br | 1966 | .br |
1955 | 1967 | ||
1956 | .br | 1968 | .br |
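Review bot: The sentence added at 1963-1965 sits directly after "The system calls needed by Firejail (group @default-keep: prctl, execve) are handled with the preload library", while the hunk at 1890 says the preload library is incompatible with 32 bit seccomp filters. As written, the reader cannot tell whether @default-keep applies to \-\-seccomp.32.keep or whether prctl and execve must be listed by hand in the 32 bit keep list. Please spell that out here, since a keep list blocks everything not named.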