1 files changed, 24 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c2c0bc297..087d1c85a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -693,6 +693,7 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 #endif
 .TP
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
@@ -2257,6 +2258,29 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
+\fB\-\-restrict-namespaces
+Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+.br
+.br
+Example:
+.br
+$ firejail \-\-restrict-namespaces
+.TP
+\fB\-\-restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
+Install a seccomp filter that blocks attempts to create any of the specified namespaces. The filter examines
+the arguments of clone, unshare and setns system calls and returns error EPERM to the process
+(or kills it or logs the attempt, see \-\-seccomp-error-action below) if necessary. Note that the filter is not
+able to examine the arguments of clone3 system calls, and always responds to these calls with error ENOSYS.
+.br
+.br
+Example:
+.br
+$ firejail \-\-restrict-namespaces=user,net
+.TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
 Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c2c0bc297..087d1c85a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -693,6 +693,7 @@ Example:
693	.br	693	.br
694	$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox	694	$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
695	#endif	695	#endif
		696
696	.TP	697	.TP
697	\fB\-\-deterministic-exit-code	698	\fB\-\-deterministic-exit-code
698	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.	699	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
@@ -2257,6 +2258,29 @@ $ firejail --read-only=~/test --read-write=~/test/a
2257		2258
2258		2259
2259	.TP	2260	.TP
		2261	\fB\-\-restrict-namespaces
		2262	Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
		2263	.br
		2264
		2265	.br
		2266	Example:
		2267	.br
		2268	$ firejail \-\-restrict-namespaces
		2269
		2270	.TP
		2271	\fB\-\-restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
		2272	Install a seccomp filter that blocks attempts to create any of the specified namespaces. The filter examines
		2273	the arguments of clone, unshare and setns system calls and returns error EPERM to the process
		2274	(or kills it or logs the attempt, see \-\-seccomp-error-action below) if necessary. Note that the filter is not
		2275	able to examine the arguments of clone3 system calls, and always responds to these calls with error ENOSYS.
		2276	.br
		2277
		2278	.br
		2279	Example:
		2280	.br
		2281	$ firejail \-\-restrict-namespaces=user,net
		2282
		2283	.TP
2260	\fB\-\-rlimit-as=number	2284	\fB\-\-rlimit-as=number
2261	Set the maximum size of the process's virtual memory (address space) in bytes.	2285	Set the maximum size of the process's virtual memory (address space) in bytes.
2262	Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).	2286	Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).