Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 10 | ||||
-rw-r--r-- | src/man/firejail.txt | 26 |
2 files changed, 19 insertions, 17 deletions
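diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9c416b0f3..98fa17908 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -224,15 +224,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
-tuxcall, reboot, mfsservctl and get_kernel_syms.
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.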
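diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e915ab6cb..8d20cf36b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1172,6 +1172,15 @@ make the whitelist read-only. Example:
 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 
 .TP
+\fB\-\-read-write=dirname_or_filename
+By default, the sandbox mounts system directories read-only.
+These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
+Use this option to mount read-write files or directories inside the system directories.
+
+This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+cases the system directories are mounted read-write.
+
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP
@@ -1185,13 +1194,14 @@ Set the maximum number of processes that can be created for the real user ID of
 Set the maximum number of pending signals for a process.
 
 .TP
-\fB\-\-read-write=dirname_or_filename
-By default, the sandbox mounts system directories read-only.
-These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
-Use this option to mount read-write files or directories inside the system directories.
+\fB\-\-rmenv=name
+Remove environment variable in the new sandbox.
+.br
 
-This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
-cases the system directories are mounted read-write.
+.br
+Example:
+.br
+$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
 
 .TP
 \fB\-\-scan
@@ -1206,8 +1216,8 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,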