Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail.txt | 19 |
1 files changed, 7 insertions, 12 deletions
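--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1587,8 +1587,8 @@ Example:
 .br
 $ firejail \-\-seccomp
 .TP
-\fB\-\-seccomp=syscall,syscall,syscall
-Enable seccomp filter, blacklist the default list (@default) and the syscalls specified by the command.
+\fB\-\-seccomp=syscall,@group
+Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
 .br
 
 .br
@@ -1596,6 +1596,8 @@ Example:
 .br
 $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
+$ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
+.br
 
 .br
 Instead of dropping the syscall, a specific error number can be returned
@@ -1604,9 +1606,6 @@ using \fBsyscall:errorno\fR syntax.
 
 .br
 Example:
-.br
-
-.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -1629,8 +1628,6 @@ system calls later.
 .br
 Example:
 .br
-
-.br
 $ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
 .br
 Parent pid 32751, child pid 32752
@@ -1655,14 +1652,14 @@ domain with personality(2) system call.
 .br
 
 .TP
-\fB\-\-seccomp.drop=syscall,syscall,syscall
-Enable seccomp filter, and blacklist the syscalls specified by the command.
+\fB\-\-seccomp.drop=syscall,@group
+Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-seccomp.drop=utime,utimensat,utimes
+$ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock
 .br
 
 .br
@@ -1673,8 +1670,6 @@ using \fBsyscall:errorno\fR syntax.
 .br
 Example:
 .br
-
-.br
 $ firejail \-\-seccomp.drop=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663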