Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-config.txt | 8 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 6 | ||||
-rw-r--r-- | src/man/firejail.txt | 7 |
3 files changed, 21 insertions, 0 deletions
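--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -49,6 +49,14 @@ Enable or disable user namespace support, default enabled.
 Enable or disable X11 sandboxing support, default enabled.
 
 .TP
+\fBforce-nonewprivs
+Force use of nonewprivs. This mitigates the possibility of
+a user abusing firejail's features to trick a privileged (suid
+or file capabilities) process into loading code or configuration
+that is partially under their control. Default disabled.
+
+
+.TP
 \fBxephyr-screen
 Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
 a full list of resolutions available on your specific setup. Examples: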
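--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -239,6 +239,12 @@ Enable seccomp filter and blacklist the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl. This ensures that child processes
+cannot acquire new privileges using execve(2); in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not results in an increase of privilege.
+.TP
 \fBnoroot
 Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.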
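--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -904,6 +904,13 @@ ping: icmp open socket: Operation not permitted
 $
 
 .TP
+\fB\-\-nonewprivs
+Sets the NO_NEW_PRIVS prctl. This ensures that child processes
+cannot acquire new privileges using execve(2); in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not results in an increase of privilege.
+
+.TP
 \fB\-\-nosound
 Disable sound system.
 .br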