1 files changed, 64 insertions, 3 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 60c21cbc1..f978661dc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox.
+Allow tools such as strace and gdb inside the sandbox. This option is only available
+when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+bypass of the seccomp filter.
 .br
 .br
@@ -190,7 +192,7 @@ Define a custom blacklist Linux capabilities filter.
 .br
 Example:
 .br
-$ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw
+$ firejail \-\-caps.drop=net_broadcast,net_admin,net_raw
 .TP
 \fB\-\-caps.keep=capability,capability,capability
@@ -451,6 +453,39 @@ $ firejail \-\-fs.print=3272
 \fB\-\-get=name|pid filename
 Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
+.TP
+\fB\-\-git-install
+Download, compile and install mainline git version of Firejail from the official repository on GitHub.
+The software is installed in /usr/local/bin, and takes precedence over the (old) version
+installed in /usr/bin. If for any reason the new version doesn't work, the user can uninstall it
+using \-\-git-uninstall command and revert to the old version.
+.br
+.br
+Prerequisites: git and compile support are required for this command to work. On Debian/Ubuntu
+systems this support is installed using "sudo apt-get install build-essential git".
+.br
+.br
+Example:
+.br
+.br
+$ firejail \-\-git-install
+.TP
+\fB\-\-git-uninstall
+Remove the Firejail version previously installed in /usr/local/bin using \-\-git-install command.
+.br
+.br
+Example:
+.br
+.br
+$ firejail \-\-git-uninstall
 .TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
@@ -467,6 +502,16 @@ Example:
 $ firejail \-\-hostname=officepc firefox
 .TP
+\fB\-\-hosts-file=file
+Use file as /etc/hosts.
+.br
+.br
+Example:
+.br
+$ firejail \-\-hosts-file=~/myhosts firefox
+.TP
 \fB\-\-ignore=command
 Ignore command in profile file.
 .br
@@ -676,7 +721,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 .TP
 \fB\-\-machine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 .br
 .br
@@ -759,6 +804,11 @@ Example:
 $ firejail \-\-net=none vlc
 .TP
+\fB\-\-netns=name
+Run the program in a named, persistent network namespace.  These can
+be created and configured using "ip netns".
+.TP
 \fB\-\-netfilter
 Enable a default client network filter in the new network namespace.
 New network namespaces are created using \-\-net option. If a new network namespaces is not created,
@@ -1708,6 +1758,17 @@ Example:
 .br
 $ sudo firejail --writable-var
+.TP
+\fB\-\-writable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+.br
+.br
+Example:
+.br
+$ sudo firejail --writable-var-log
 .TP
 \fB\-\-x11

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 60c21cbc1..f978661dc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
76	Signal the end of options and disables further option processing.	76	Signal the end of options and disables further option processing.
77	.TP	77	.TP
78	\fB\-\-allow-debuggers	78	\fB\-\-allow-debuggers
79	Allow tools such as strace and gdb inside the sandbox.	79	Allow tools such as strace and gdb inside the sandbox. This option is only available
		80	when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
		81	bypass of the seccomp filter.
80	.br	82	.br
81		83
82	.br	84	.br
@@ -190,7 +192,7 @@ Define a custom blacklist Linux capabilities filter.
190	.br	192	.br
191	Example:	193	Example:
192	.br	194	.br
193	$ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw	195	$ firejail \-\-caps.drop=net_broadcast,net_admin,net_raw
194		196
195	.TP	197	.TP
196	\fB\-\-caps.keep=capability,capability,capability	198	\fB\-\-caps.keep=capability,capability,capability
@@ -451,6 +453,39 @@ $ firejail \-\-fs.print=3272
451	\fB\-\-get=name\|pid filename	453	\fB\-\-get=name\|pid filename
452	Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.	454	Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
453		455
		456
		457	.TP
		458	\fB\-\-git-install
		459	Download, compile and install mainline git version of Firejail from the official repository on GitHub.
		460	The software is installed in /usr/local/bin, and takes precedence over the (old) version
		461	installed in /usr/bin. If for any reason the new version doesn't work, the user can uninstall it
		462	using \-\-git-uninstall command and revert to the old version.
		463	.br
		464
		465	.br
		466	Prerequisites: git and compile support are required for this command to work. On Debian/Ubuntu
		467	systems this support is installed using "sudo apt-get install build-essential git".
		468	.br
		469
		470	.br
		471	Example:
		472	.br
		473
		474	.br
		475	$ firejail \-\-git-install
		476
		477	.TP
		478	\fB\-\-git-uninstall
		479	Remove the Firejail version previously installed in /usr/local/bin using \-\-git-install command.
		480	.br
		481
		482	.br
		483	Example:
		484	.br
		485
		486	.br
		487	$ firejail \-\-git-uninstall
		488
454	.TP	489	.TP
455	\fB\-?\fR, \fB\-\-help\fR	490	\fB\-?\fR, \fB\-\-help\fR
456	Print options end exit.	491	Print options end exit.
@@ -467,6 +502,16 @@ Example:
467	$ firejail \-\-hostname=officepc firefox	502	$ firejail \-\-hostname=officepc firefox
468		503
469	.TP	504	.TP
		505	\fB\-\-hosts-file=file
		506	Use file as /etc/hosts.
		507	.br
		508
		509	.br
		510	Example:
		511	.br
		512	$ firejail \-\-hosts-file=~/myhosts firefox
		513
		514	.TP
470	\fB\-\-ignore=command	515	\fB\-\-ignore=command
471	Ignore command in profile file.	516	Ignore command in profile file.
472	.br	517	.br
@@ -676,7 +721,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
676		721
677	.TP	722	.TP
678	\fB\-\-machine-id	723	\fB\-\-machine-id
679	Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.	724	Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
680	.br	725	.br
681		726
682	.br	727	.br
@@ -759,6 +804,11 @@ Example:
759	$ firejail \-\-net=none vlc	804	$ firejail \-\-net=none vlc
760		805
761	.TP	806	.TP
		807	\fB\-\-netns=name
		808	Run the program in a named, persistent network namespace. These can
		809	be created and configured using "ip netns".
		810
		811	.TP
762	\fB\-\-netfilter	812	\fB\-\-netfilter
763	Enable a default client network filter in the new network namespace.	813	Enable a default client network filter in the new network namespace.
764	New network namespaces are created using \-\-net option. If a new network namespaces is not created,	814	New network namespaces are created using \-\-net option. If a new network namespaces is not created,
@@ -1708,6 +1758,17 @@ Example:
1708	.br	1758	.br
1709	$ sudo firejail --writable-var	1759	$ sudo firejail --writable-var
1710		1760
		1761	.TP
		1762	\fB\-\-writable-var-log
		1763	Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
		1764	directory, and a skeleton filesystem is created based on the original /var/log.
		1765	.br
		1766
		1767	.br
		1768	Example:
		1769	.br
		1770	$ sudo firejail --writable-var-log
		1771
1711		1772
1712	.TP	1773	.TP
1713	\fB\-\-x11	1774	\fB\-\-x11