Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail.txt | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 86b76f58f..afff3d5fa 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1780,7 +1780,8 @@ system call groups are defined: @clock, @cpu-emulation, @debug, | |||
1780 | @default, @default-nodebuggers, @default-keep, @module, @obsolete, | 1780 | @default, @default-nodebuggers, @default-keep, @module, @obsolete, |
1781 | @privileged, @raw-io, @reboot, @resources and @swap. In addition, a | 1781 | @privileged, @raw-io, @reboot, @resources and @swap. In addition, a |
1782 | system call can be specified by its number instead of name with prefix | 1782 | system call can be specified by its number instead of name with prefix |
1783 | $, so for example $165 would be equal to mount on i386. | 1783 | $, so for example $165 would be equal to mount on i386. Exceptions |
1784 | can be allowed with prefix !. | ||
1784 | 1785 | ||
1785 | .br | 1786 | .br |
1786 | System architecture is strictly imposed only if flag | 1787 | System architecture is strictly imposed only if flag |
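Review bot: The added sentence "Exceptions can be allowed with prefix !." is ambiguous about what the exception does, and "allowed" is only correct for the blacklist forms: in this same change, --seccomp.keep (a whitelist) treats !syscall2 as removed from the allowed set, i.e. it ends up blocked, not allowed. Since this paragraph introduces the syntax for all three options, state the semantics generically, e.g. "A system call prefixed with ! is excluded from the list being built (left allowed by a blacklist, left blocked by a whitelist), even if it is also a member of a listed group." The example "$165 would be equal to mount on i386" already shows the $ prefix; a parallel example for ! (such as "@default,!chroot") would make the precedence over group membership visible to the reader.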
@@ -1798,8 +1799,10 @@ Example: | |||
1798 | .br | 1799 | .br |
1799 | $ firejail \-\-seccomp | 1800 | $ firejail \-\-seccomp |
1800 | .TP | 1801 | .TP |
1801 | \fB\-\-seccomp=syscall,@group | 1802 | \fB\-\-seccomp=syscall,@group,!syscall2 |
1802 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. | 1803 | Enable seccomp filter, whitelist "syscall2", but blacklist the default |
1804 | list (@default) and the syscalls or syscall groups specified by the | ||
1805 | command. | ||
1803 | .br | 1806 | .br |
1804 | 1807 | ||
1805 | .br | 1808 | .br |
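Review bot: The new description "whitelist "syscall2", but blacklist the default list (@default) and the syscalls or syscall groups specified by the command" leaves the precedence question open that the option header "syscall,@group,!syscall2" raises: is !syscall2 honoured when syscall2 is a member of @default or of a listed @group, or only when it is named explicitly? Since exempting a call from @default is the main reason a user would reach for this syntax, say it plainly, e.g. "syscalls prefixed with ! are removed from the blacklist even if they belong to @default or to a listed group." Also, "syscall2" is quoted here but "syscall" and "@group" are not; pick one convention for the three affected entries.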
@@ -1863,8 +1866,9 @@ domain with personality(2) system call. | |||
1863 | .br | 1866 | .br |
1864 | 1867 | ||
1865 | .TP | 1868 | .TP |
1866 | \fB\-\-seccomp.drop=syscall,@group | 1869 | \fB\-\-seccomp.drop=syscall,@group,!syscall2 |
1867 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. | 1870 | Enable seccomp filter, whitelist "syscall2" but blacklist the |
1871 | syscalls or the syscall groups specified by the command. | ||
1868 | .br | 1872 | .br |
1869 | 1873 | ||
1870 | .br | 1874 | .br |
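Review bot: Same precedence clarification as for --seccomp= applies to "whitelist "syscall2" but blacklist the syscalls or the syscall groups specified by the command": say whether ! overrides group membership. Minor style point: this sentence drops the comma before "but" that the --seccomp= text uses ("whitelist "syscall2", but blacklist"); keep the two entries parallel.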
@@ -1899,10 +1903,11 @@ rm: cannot remove `testfile': Operation not permitted | |||
1899 | 1903 | ||
1900 | 1904 | ||
1901 | .TP | 1905 | .TP |
1902 | \fB\-\-seccomp.keep=syscall,syscall,syscall | 1906 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
1903 | Enable seccomp filter, and whitelist the syscalls specified by the | 1907 | Enable seccomp filter, blacklist "syscall2" but whitelist the |
1904 | command. The system calls needed by Firejail (group @default-keep: | 1908 | syscalls or the syscall groups specified by the command. The system |
1905 | prctl, execve) are handled with the preload library. | 1909 | calls needed by Firejail (group @default-keep: prctl, execve) are |
1910 | handled with the preload library. | ||
1906 | .br | 1911 | .br |
1907 | 1912 | ||
1908 | .br | 1913 | .br |
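Review bot: Two points on the --seccomp.keep entry. First, "blacklist "syscall2"" describes the effect of ! in a whitelist inaccurately: the call is simply not added to the allowed set, so it is treated like every other unlisted call rather than getting a separate deny rule; "exclude" reads more precisely and avoids implying different behaviour. Second, the entry now accepts @group and ! but still says the @default-keep calls (prctl, execve) "are handled with the preload library"; the text should state what happens for a list such as "@default-keep,!execve" or "!prctl", since Firejail itself needs those calls. If such an exclusion is rejected or silently ignored, document that; if it is honoured, note that the sandbox will fail to start. The header change from "syscall,syscall,syscall" to "syscall,@group,!syscall2" also introduces group support for keep, which the sentence "whitelist the syscalls or the syscall groups specified" covers, but the Example block that follows this entry should gain a group-based invocation to match.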