Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 26 |
2 files changed, 19 insertions, 16 deletions
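--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -223,7 +223,8 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
+random, snd, urandom, video, log and shm devices are available.
 .TP
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
@@ -448,6 +449,12 @@ Run the program directly, without a shell.
 \fBipc-namespace
 Enable IPC namespace.
 .TP
+\fBnodbus
+Disable D-Bus access. Only the regular UNIX socket is handled by
+this command. To disable the abstract socket, you would need to
+request a new network namespace using the net command. Another
+option is to remove unix from protocol set.
+.TP
 \fBnosound
 Disable sound system.
 .TP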
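--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1602,20 +1602,16 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, set_mempolicy,
-migrate_pages, move_pages, vmsplice, chroot,
-tuxcall, reboot, mfsservctl, get_kernel_syms,
-bpf, clock_settime, personality, process_vm_writev, query_module,
-settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup and vserver.
+_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
+create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
+io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, mfsservctl, migrate_pages, modify_ldt, mount, move_pages, mpx,
+name_to_handle_at, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
+personality, pivot_root, process_vm_readv, process_vm_writev, process_vm_writev, prof, profil, ptrace, putpmsg,
+query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
+security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
+swapoff, swapon, switch_endian, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
+vm86, vm86old, vmsplice and vserver.
 
 .br
 To help creating useful seccomp filters more easily, the following
@@ -1698,7 +1694,7 @@ Bad system call
 .br
 
 .TP
-\fB\-\-seccomp.block_secondary
+\fB\-\-seccomp.block-secondary
 Enable seccomp filter and filter system call architectures so that
 only the native architecture is allowed. For example, on amd64, i386
 and x32 system calls are blocked as well as changing the execution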