Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 13 |
2 files changed, 12 insertions, 6 deletions
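--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -401,10 +401,12 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes
 cannot acquire new privileges using execve(2); in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+#ifdef HAVE_USERNS
 .TP
 \fBnoroot
 Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+#endif
 .TP
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and checks the
@@ -443,6 +445,7 @@ Enable seccomp filter and whitelist the system calls in the list for 32 bit syst
 Return a different error instead of EPERM to the process, kill it when
 an attempt is made to call a blocked system call, or allow but log the
 attempt.
+#ifdef HAVE_X11
 .TP
 \fBx11
 Enable X11 sandboxing.
@@ -476,7 +479,7 @@ Example:
 xephyr-screen 640x480
 .br
 x11 xephyr
-
+#endif
 .SH DBus filtering
 
 Access to the session and system DBus UNIX sockets can be allowed, filtered or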
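--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -137,8 +137,9 @@ $ firejail --appimage krita-3.0-x86_64.appimage
 .br
 $ firejail --appimage --private krita-3.0-x86_64.appimage
 .br
+#ifdef HAVE_X11
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
-
+#endif
 .TP
 \fB\-\-audit
 Audit the sandbox, see \fBAUDIT\fR section for more details.
@@ -1029,8 +1030,10 @@ $ firejail \-\-list
 .br
 7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk
 .br
+#ifdef HAVE_USERNS
 7064:netblue::firejail \-\-noroot xterm
 .br
+#endif
 .TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
@@ -1514,7 +1517,7 @@ Parent pid 8553, child pid 8554
 Child process initialized
 .br
 [...]
-
+#if HAVE_USERNS
 .TP
 \fB\-\-noroot
 Install a user namespace with a single user - the current user.
@@ -1538,7 +1541,7 @@ $ ping google.com
 ping: icmp open socket: Operation not permitted
 .br
 $
-
+#endif
 .TP
 \fB\-\-nosound
 Disable sound system.
@@ -2684,7 +2687,7 @@ Example:
 .br
 $ sudo firejail --writable-var-log
 
-
+#ifdef HAVE_X11
 .TP
 \fB\-\-x11
 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
@@ -2845,7 +2848,7 @@ Example:
 .br
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
-
+#endif
 #ifdef HAVE_APPARMOR
 .SH APPARMOR
 .TP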
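Review bot: The guard added before the `\-\-noroot` entry in firejail.txt (new line 1520) is spelled `#if HAVE_USERNS`, while every other guard in this commit, including the two other HAVE_USERNS ones, uses `#ifdef`. How the man-page preprocessing step treats the two forms is not visible on this page. If it only recognises `#ifdef`, or if the macro is defined without a value, the `--noroot` section could be emitted or dropped regardless of the build option, so the installed page would no longer match whether user-namespace support was compiled in. Writing it as `#ifdef HAVE_USERNS` keeps it consistent with the rest of the change.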