1 files changed, 12 insertions, 3 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 89b815e02..d1970c985 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1572,9 +1572,10 @@ system call can be specified by its number instead of name with prefix
 $, so for example $165 would be equal to mount on i386.
 .br
-System architecture is not strictly imposed. The filter is applied
+System architecture is strictly imposed only if flag
-at run time only if the correct architecture was detected. For the case of I386 and AMD64
+\-\-seccomp.block_secondary is used. The filter is applied at run time
-both 32-bit and 64-bit filters are installed.
+only if the correct architecture was detected. For the case of I386
+and AMD64 both 32-bit and 64-bit filters are installed.
 .br
 .br
@@ -1646,6 +1647,14 @@ Bad system call
 .br
 .TP
+\fB\-\-seccomp.block_secondary
+Enable seccomp filter and filter system call architectures so that
+only the native architecture is allowed. For example, on amd64, i386
+and x32 system calls are blocked as well as changing the execution
+domain with personality(2) system call.
+.br
+.TP
 \fB\-\-seccomp.drop=syscall,syscall,syscall
 Enable seccomp filter, and blacklist the syscalls specified by the command.
 .br

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 89b815e02..d1970c985 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1572,9 +1572,10 @@ system call can be specified by its number instead of name with prefix
1572	$, so for example $165 would be equal to mount on i386.	1572	$, so for example $165 would be equal to mount on i386.
1573		1573
1574	.br	1574	.br
1575	System architecture is not strictly imposed. The filter is applied	1575	System architecture is strictly imposed only if flag
1576	at run time only if the correct architecture was detected. For the case of I386 and AMD64	1576	\-\-seccomp.block_secondary is used. The filter is applied at run time
1577	both 32-bit and 64-bit filters are installed.	1577	only if the correct architecture was detected. For the case of I386
		1578	and AMD64 both 32-bit and 64-bit filters are installed.
1578	.br	1579	.br
1579		1580
1580	.br	1581	.br
@@ -1646,6 +1647,14 @@ Bad system call
1646	.br	1647	.br
1647		1648
1648	.TP	1649	.TP
		1650	\fB\-\-seccomp.block_secondary
		1651	Enable seccomp filter and filter system call architectures so that
		1652	only the native architecture is allowed. For example, on amd64, i386
		1653	and x32 system calls are blocked as well as changing the execution
		1654	domain with personality(2) system call.
		1655	.br
		1656
		1657	.TP
1649	\fB\-\-seccomp.drop=syscall,syscall,syscall	1658	\fB\-\-seccomp.drop=syscall,syscall,syscall
1650	Enable seccomp filter, and blacklist the syscalls specified by the command.	1659	Enable seccomp filter, and blacklist the syscalls specified by the command.
1651	.br	1660	.br