Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 53 |
1 files changed, 33 insertions, 20 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d18811316..0462705c0 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan | |||
2178 | .TP | 2178 | .TP |
2179 | \fB\-\-seccomp | 2179 | \fB\-\-seccomp |
2180 | Enable seccomp filter and blacklist the syscalls in the default list, | 2180 | Enable seccomp filter and blacklist the syscalls in the default list, |
2181 | which is @default-nodebuggers unless allow-debuggers is specified, | 2181 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, |
2182 | then it is @default. | 2182 | then it is @default. |
2183 | 2183 | ||
2184 | .br | 2184 | .br |
@@ -2189,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock, | |||
2189 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, | 2189 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, |
2190 | @resources, @setuid, @swap, @sync, @system-service and @timer. | 2190 | @resources, @setuid, @swap, @sync, @system-service and @timer. |
2191 | More information about groups can be found in /usr/share/doc/firejail/syscalls.txt | 2191 | More information about groups can be found in /usr/share/doc/firejail/syscalls.txt |
2192 | 2192 | .br | |
2193 | In addition, a system call can be specified by its number instead of | ||
2194 | name with prefix $, so for example $165 would be equal to mount on i386. | ||
2195 | Exceptions can be allowed with prefix !. | ||
2196 | 2193 | ||
2197 | .br | 2194 | .br |
2198 | System architecture is strictly imposed only if flag | 2195 | System architecture is strictly imposed only if flag |
2199 | \-\-seccomp.block-secondary is used. The filter is applied at run time | 2196 | \-\-seccomp.block-secondary is used. The filter is applied at run time |
2200 | only if the correct architecture was detected. For the case of I386 | 2197 | only if the correct architecture was detected. For the case of I386 |
2201 | and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit | 2198 | and AMD64 both 32-bit and 64-bit filters are installed. |
2202 | architecture, an additional filter for 32 bit system calls can be | ||
2203 | installed with \-\-seccomp.32. | ||
2204 | .br | 2199 | .br |
2205 | 2200 | ||
2206 | .br | 2201 | .br |
@@ -2211,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil | |||
2211 | Example: | 2206 | Example: |
2212 | .br | 2207 | .br |
2213 | $ firejail \-\-seccomp | 2208 | $ firejail \-\-seccomp |
2209 | .br | ||
2210 | |||
2211 | .br | ||
2212 | The default list can be customized, see \-\-seccomp= for a description. It can be customized | ||
2213 | also globally in /etc/firejail/firejail.config file. | ||
2214 | |||
2214 | .TP | 2215 | .TP |
2215 | \fB\-\-seccomp=syscall,@group,!syscall2 | 2216 | \fB\-\-seccomp=syscall,@group,!syscall2 |
2216 | Enable seccomp filter, whitelist "syscall2", but blacklist the default | 2217 | Enable seccomp filter, blacklist the default list and the syscalls or syscall groups |
2217 | list and the syscalls or syscall groups specified by the | 2218 | specified by the command, but don't blacklist "syscall2". On a 64 bit |
2218 | command. | 2219 | architecture, an additional filter for 32 bit system calls can be |
2220 | installed with \-\-seccomp.32. | ||
2219 | .br | 2221 | .br |
2220 | 2222 | ||
2221 | .br | 2223 | .br |
@@ -2225,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox | |||
2225 | .br | 2227 | .br |
2226 | $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk | 2228 | $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk |
2227 | .br | 2229 | .br |
2230 | $ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious | ||
2231 | .br | ||
2232 | |||
2233 | .br | ||
2234 | Syscalls can be specified by their number if prefix $ is added, | ||
2235 | so for example $165 would be equal to mount on i386. | ||
2236 | .br | ||
2228 | 2237 | ||
2229 | .br | 2238 | .br |
2230 | Instead of dropping the syscall by returning EPERM, another error | 2239 | Instead of dropping the syscall by returning EPERM, another error |
@@ -2237,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with | |||
2237 | 2246 | ||
2238 | .br | 2247 | .br |
2239 | Example: | 2248 | Example: |
2249 | .br | ||
2240 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes | 2250 | $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes |
2241 | .br | 2251 | .br |
2242 | Parent pid 10662, child pid 10663 | 2252 | Parent pid 10662, child pid 10663 |
@@ -2245,9 +2255,13 @@ Child process initialized | |||
2245 | .br | 2255 | .br |
2246 | $ touch testfile | 2256 | $ touch testfile |
2247 | .br | 2257 | .br |
2258 | $ ls testfile | ||
2259 | .br | ||
2260 | testfile | ||
2261 | .br | ||
2248 | $ rm testfile | 2262 | $ rm testfile |
2249 | .br | 2263 | .br |
2250 | rm: cannot remove `testfile': Operation not permitted | 2264 | rm: cannot remove `testfile': No such file or directory |
2251 | .br | 2265 | .br |
2252 | 2266 | ||
2253 | .br | 2267 | .br |
@@ -2260,7 +2274,7 @@ filters. | |||
2260 | .br | 2274 | .br |
2261 | Example: | 2275 | Example: |
2262 | .br | 2276 | .br |
2263 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash | 2277 | $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh |
2264 | .br | 2278 | .br |
2265 | Parent pid 32751, child pid 32752 | 2279 | Parent pid 32751, child pid 32752 |
2266 | .br | 2280 | .br |
@@ -2272,8 +2286,7 @@ Child process initialized in 46.44 ms | |||
2272 | .br | 2286 | .br |
2273 | $ ls | 2287 | $ ls |
2274 | .br | 2288 | .br |
2275 | Bad system call | 2289 | Operation not permitted |
2276 | .br | ||
2277 | 2290 | ||
2278 | .TP | 2291 | .TP |
2279 | \fB\-\-seccomp.block-secondary | 2292 | \fB\-\-seccomp.block-secondary |
@@ -2317,15 +2330,15 @@ Child process initialized | |||
2317 | .br | 2330 | .br |
2318 | $ touch testfile | 2331 | $ touch testfile |
2319 | .br | 2332 | .br |
2333 | $ ls testfile | ||
2334 | .br | ||
2335 | testfile | ||
2336 | .br | ||
2320 | $ rm testfile | 2337 | $ rm testfile |
2321 | .br | 2338 | .br |
2322 | rm: cannot remove `testfile': Operation not permitted | 2339 | rm: cannot remove `testfile': No such file or directory |
2323 | .br | 2340 | .br |
2324 | 2341 | ||
2325 | |||
2326 | |||
2327 | |||
2328 | |||
2329 | .TP | 2342 | .TP |
2330 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 | 2343 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
2331 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". | 2344 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". |