2 files changed, 47 insertions, 160 deletions
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 2825ca4cf..6cd9ce3cb 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo
 Example:
-        netblue:--debug --net=none
+        netblue:--net=none --protocol=unix
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 509461f0d..60c53378a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -161,8 +161,8 @@ make the whitelist read-only. Example:
 .br
 $ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
-\fB\-\-caps.print=name
+\fB\-\-caps.print=name|pid
-Print the caps filter for the sandbox identified by name.
+Print the caps filter for the sandbox identified by name or by PID.
 .br
 .br
@@ -170,13 +170,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-caps.print=mygame
-.TP
-\fB\-\-caps.print=pid
-Print the caps filter for a sandbox identified by PID.
 .br
 .br
@@ -221,6 +215,28 @@ Example:
 $ firejail \-\-cpu=0,1 handbrake
 .TP
+\fB\-\-cpu.print=name|pid
+Print the CPU cores in use by the sandbox identified by name or by PID.
+.br
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+$ firejail \-\-cpu.print=mygame
+.br
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-cpu.print=3272
+.TP
 \fB\-\-csh
 Use /bin/csh as default user shell.
 .br
@@ -327,8 +343,8 @@ Example:
 $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
 .TP
-\fB\-\-dns.print=name
+\fB\-\-dns.print=name|pid
-Print DNS configuration for a sandbox identified by name.
+Print DNS configuration for a sandbox identified by name or by PID.
 .br
 .br
@@ -336,13 +352,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-dns.print=mygame
-.TP
-\fB\-\-dns.print=pid
-Print DNS configuration for a sandbox identified by PID.
 .br
 .br
@@ -372,8 +382,8 @@ There could be lots of reasons for it to fail, for example if the existing sandb
 admin capabilities, SUID binaries, or if it runs seccomp.
 .TP
-\fB\-\-fs.print=name
+\fB\-\-fs.print=name|print
-Print the filesystem log for the sandbox identified by name.
+Print the filesystem log for the sandbox identified by name or by PID.
 .br
 .br
@@ -381,13 +391,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-fs.print=mygame
-.TP
-\fB\-\-fs.print=pid
-Print the filesystem log for a sandbox identified by PID.
 .br
 .br
@@ -496,13 +500,12 @@ Example:
 .br
 $ firejail \-\-ipc-namespace firefox
 .TP
-\fB\-\-join=name
+\fB\-\-join=name|pid
-Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
 all security filters are configured for the new process the same they are configured in the sandbox.
 If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
 to the process joining the sandbox.
 .br
 .br
@@ -510,18 +513,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-join=mygame
-.TP
-\fB\-\-join=pid
-Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
-all security filters are configured for the new process the same they are configured in the sandbox.
-If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
-to the process joining the sandbox.
 .br
 .br
@@ -534,19 +526,13 @@ $ firejail \-\-list
 $ firejail \-\-join=3272
 .TP
-\fB\-\-join-filesystem=name
+\fB\-\-join-filesystem=name|pid
-Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
 .TP
-\fB\-\-join-filesystem=pid
+\fB\-\-join-network=name|PID
-Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-.TP
-\fB\-\-join-network=name
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
@@ -602,19 +588,9 @@ Switching to pid 1932, the first child process inside the sandbox
       valid_lft forever preferred_lft forever
 .TP
-\fB\-\-join-network=pid
-Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
-\fB
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1119,8 +1095,8 @@ Example:
 .br
 $ firejail \-\-protocol=unix,inet,inet6 firefox
 .TP
-\fB\-\-protocol.print=name
+\fB\-\-protocol.print=name|pid
-Print the protocol filter for the sandbox identified by name.
+Print the protocol filter for the sandbox identified by name or PID.
 .br
 .br
@@ -1128,15 +1104,9 @@ Example:
 .br
 $ firejail \-\-name=mybrowser firefox &
 .br
-[...]
-.br
 $ firejail \-\-protocol.print=mybrowser
 .br
 unix,inet,inet6,netlink
-.TP
-\fB\-\-protocol.print=pid
-Print the protocol filter for a sandbox identified by PID.
 .br
 .br
@@ -1256,8 +1226,8 @@ $ rm testfile
 rm: cannot remove `testfile': Operation not permitted
 .TP
-\fB\-\-seccomp.print=name
+\fB\-\-seccomp.print=name|PID
-Print the seccomp filter for the sandbox started using \-\-name option.
+Print the seccomp filter for the sandbox identified by name or PID.
 .br
 .br
@@ -1321,72 +1291,6 @@ SECCOMP Filter:
 .br
 $ 
 .TP
-\fB\-\-seccomp.print=pid
-Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
-.br
-.br
-Example:
-.br
-$ firejail \-\-list
-.br
-10786:netblue:firejail \-\-name=browser firefox 
-$ firejail \-\-seccomp.print=10786
-.br
-SECCOMP Filter:
-.br
-  VALIDATE_ARCHITECTURE
-.br
-  EXAMINE_SYSCAL
-.br
-  BLACKLIST 165 mount
-.br
-  BLACKLIST 166 umount2
-.br
-  BLACKLIST 101 ptrace
-.br
-  BLACKLIST 246 kexec_load
-.br
-  BLACKLIST 304 open_by_handle_at
-.br
-  BLACKLIST 175 init_module
-.br
-  BLACKLIST 176 delete_module
-.br
-  BLACKLIST 172 iopl
-.br
-  BLACKLIST 173 ioperm
-.br
-  BLACKLIST 167 swapon
-.br
-  BLACKLIST 168 swapoff
-.br
-  BLACKLIST 103 syslog
-.br
-  BLACKLIST 310 process_vm_readv
-.br
-  BLACKLIST 311 process_vm_writev
-.br
-  BLACKLIST 133 mknod
-.br
-  BLACKLIST 139 sysfs
-.br
-  BLACKLIST 156 _sysctl
-.br
-  BLACKLIST 159 adjtimex
-.br
-  BLACKLIST 305 clock_adjtime
-.br
-  BLACKLIST 212 lookup_dcookie
-.br
-  BLACKLIST 298 perf_event_open
-.br
-  BLACKLIST 300 fanotify_init
-.br
-  RETURN_ALLOW
-.br
-$ 
-.TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.
 .br
@@ -1407,8 +1311,8 @@ shell.
 Example:
 $firejail \-\-shell=/bin/dash script.sh
 .TP
-\fB\-\-shutdown=name
+\fB\-\-shutdown=name|PID
-Shutdown the sandbox started using \-\-name option.
+Shutdown the sandbox identified by name or PID.
 .br
 .br
@@ -1416,12 +1320,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-shutdown=mygame
-.TP
-\fB\-\-shutdown=pid
-Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
 .br
 .br
@@ -1682,25 +1581,13 @@ These features allow the user to inspect the filesystem container of an existing
 and transfer files from the container to the host filesystem.
 .TP
-\fB\-\-get=name filename
+\fB\-\-get=name|pid filename
-Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name (\-\-name option). Full path is needed for filename.
-.TP
-\fB\-\-get=pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is specified by process ID. Full path is needed for filename.
+The container is specified by name or PID. Full path is needed for filename.
 .TP
-\fB\-\-ls=name dir_or_filename
+\fB\-\-ls=name|pid dir_or_filename
-List container files.
+List container files. The container is specified by name or PID.
-The container is specified by name (\-\-name option).
-Full path is needed for dir_or_filename.
-.TP
-\fB\-\-ls=pid dir_or_filename
-List container files.
-The container is specified by process ID.
 Full path is needed for dir_or_filename.
 .TP
@@ -1739,15 +1626,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 Set rate-limits:
-        firejail --bandwidth={name|pid} set network download upload
+        firejail --bandwidth=name|pid set network download upload
 Clear rate-limits:
-        firejail --bandwidth={name|pid} clear network
+        firejail --bandwidth=name|pid clear network
 Status:
-        firejail --bandwidth={name|pid} status
+        firejail --bandwidth=name|pid status
 where:
 .br

diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 2825ca4cf..6cd9ce3cb 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt
@@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo
11		11
12	Example:	12	Example:
13		13
14	netblue:--debug --net=none	14	netblue:--net=none --protocol=unix
15		15
16	.SH RESTRICTED SHELL	16	.SH RESTRICTED SHELL
17	To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in	17	To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 509461f0d..60c53378a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -161,8 +161,8 @@ make the whitelist read-only. Example:
161	.br	161	.br
162	$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work	162	$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
163	.TP	163	.TP
164	\fB\-\-caps.print=name	164	\fB\-\-caps.print=name\|pid
165	Print the caps filter for the sandbox identified by name.	165	Print the caps filter for the sandbox identified by name or by PID.
166	.br	166	.br
167		167
168	.br	168	.br
@@ -170,13 +170,7 @@ Example:
170	.br	170	.br
171	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &	171	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
172	.br	172	.br
173	[...]
174	.br
175	$ firejail \-\-caps.print=mygame	173	$ firejail \-\-caps.print=mygame
176
177	.TP
178	\fB\-\-caps.print=pid
179	Print the caps filter for a sandbox identified by PID.
180	.br	174	.br
181		175
182	.br	176	.br
@@ -221,6 +215,28 @@ Example:
221	$ firejail \-\-cpu=0,1 handbrake	215	$ firejail \-\-cpu=0,1 handbrake
222		216
223	.TP	217	.TP
		218	\fB\-\-cpu.print=name\|pid
		219	Print the CPU cores in use by the sandbox identified by name or by PID.
		220	.br
		221
		222	.br
		223	Example:
		224	.br
		225	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
		226	.br
		227	$ firejail \-\-cpu.print=mygame
		228	.br
		229
		230	.br
		231	Example:
		232	.br
		233	$ firejail \-\-list
		234	.br
		235	3272:netblue:firejail \-\-private firefox
		236	.br
		237	$ firejail \-\-cpu.print=3272
		238
		239	.TP
224	\fB\-\-csh	240	\fB\-\-csh
225	Use /bin/csh as default user shell.	241	Use /bin/csh as default user shell.
226	.br	242	.br
@@ -327,8 +343,8 @@ Example:
327	$ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox	343	$ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
328		344
329	.TP	345	.TP
330	\fB\-\-dns.print=name	346	\fB\-\-dns.print=name\|pid
331	Print DNS configuration for a sandbox identified by name.	347	Print DNS configuration for a sandbox identified by name or by PID.
332	.br	348	.br
333		349
334	.br	350	.br
@@ -336,13 +352,7 @@ Example:
336	.br	352	.br
337	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &	353	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
338	.br	354	.br
339	[...]
340	.br
341	$ firejail \-\-dns.print=mygame	355	$ firejail \-\-dns.print=mygame
342
343	.TP
344	\fB\-\-dns.print=pid
345	Print DNS configuration for a sandbox identified by PID.
346	.br	356	.br
347		357
348	.br	358	.br
@@ -372,8 +382,8 @@ There could be lots of reasons for it to fail, for example if the existing sandb
372	admin capabilities, SUID binaries, or if it runs seccomp.	382	admin capabilities, SUID binaries, or if it runs seccomp.
373		383
374	.TP	384	.TP
375	\fB\-\-fs.print=name	385	\fB\-\-fs.print=name\|print
376	Print the filesystem log for the sandbox identified by name.	386	Print the filesystem log for the sandbox identified by name or by PID.
377	.br	387	.br
378		388
379	.br	389	.br
@@ -381,13 +391,7 @@ Example:
381	.br	391	.br
382	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &	392	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
383	.br	393	.br
384	[...]
385	.br
386	$ firejail \-\-fs.print=mygame	394	$ firejail \-\-fs.print=mygame
387
388	.TP
389	\fB\-\-fs.print=pid
390	Print the filesystem log for a sandbox identified by PID.
391	.br	395	.br
392		396
393	.br	397	.br
@@ -496,13 +500,12 @@ Example:
496	.br	500	.br
497	$ firejail \-\-ipc-namespace firefox	501	$ firejail \-\-ipc-namespace firefox
498	.TP	502	.TP
499	\fB\-\-join=name	503	\fB\-\-join=name\|pid
500	Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.	504	Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
501	If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,	505	If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
502	all security filters are configured for the new process the same they are configured in the sandbox.	506	all security filters are configured for the new process the same they are configured in the sandbox.
503	If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied	507	If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
504	to the process joining the sandbox.	508	to the process joining the sandbox.
505
506	.br	509	.br
507		510
508	.br	511	.br
@@ -510,18 +513,7 @@ Example:
510	.br	513	.br
511	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &	514	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
512	.br	515	.br
513	[...]
514	.br
515	$ firejail \-\-join=mygame	516	$ firejail \-\-join=mygame
516
517
518	.TP
519	\fB\-\-join=pid
520	Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
521	If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
522	all security filters are configured for the new process the same they are configured in the sandbox.
523	If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
524	to the process joining the sandbox.
525	.br	517	.br
526		518
527	.br	519	.br
@@ -534,19 +526,13 @@ $ firejail \-\-list
534	$ firejail \-\-join=3272	526	$ firejail \-\-join=3272
535		527
536	.TP	528	.TP
537	\fB\-\-join-filesystem=name	529	\fB\-\-join-filesystem=name\|pid
538	Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.	530	Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
539	If a program is specified, the program is run in the sandbox. This command is available only to root user.	531	If a program is specified, the program is run in the sandbox. This command is available only to root user.
540	Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.	532	Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
541		533
542	.TP	534	.TP
543	\fB\-\-join-filesystem=pid	535	\fB\-\-join-network=name\|PID
544	Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
545	If a program is specified, the program is run in the sandbox. This command is available only to root user.
546	Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
547
548	.TP
549	\fB\-\-join-network=name
550	Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.	536	Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
551	If a program is specified, the program is run in the sandbox. This command is available only to root user.	537	If a program is specified, the program is run in the sandbox. This command is available only to root user.
552	Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:	538	Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
@@ -602,19 +588,9 @@ Switching to pid 1932, the first child process inside the sandbox
602	valid_lft forever preferred_lft forever	588	valid_lft forever preferred_lft forever
603		589
604	.TP	590	.TP
605	\fB\-\-join-network=pid
606	Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
607	If a program is specified, the program is run in the sandbox. This command is available only to root user.
608	Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
609
610
611
612	.TP
613	\fB\-\-ls=name\|pid dir_or_filename	591	\fB\-\-ls=name\|pid dir_or_filename
614	List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.	592	List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
615		593
616	\fB
617
618	.TP	594	.TP
619	\fB\-\-list	595	\fB\-\-list
620	List all sandboxes, see \fBMONITORING\fR section for more details.	596	List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1119,8 +1095,8 @@ Example:
1119	.br	1095	.br
1120	$ firejail \-\-protocol=unix,inet,inet6 firefox	1096	$ firejail \-\-protocol=unix,inet,inet6 firefox
1121	.TP	1097	.TP
1122	\fB\-\-protocol.print=name	1098	\fB\-\-protocol.print=name\|pid
1123	Print the protocol filter for the sandbox identified by name.	1099	Print the protocol filter for the sandbox identified by name or PID.
1124	.br	1100	.br
1125		1101
1126	.br	1102	.br
@@ -1128,15 +1104,9 @@ Example:
1128	.br	1104	.br
1129	$ firejail \-\-name=mybrowser firefox &	1105	$ firejail \-\-name=mybrowser firefox &
1130	.br	1106	.br
1131	[...]
1132	.br
1133	$ firejail \-\-protocol.print=mybrowser	1107	$ firejail \-\-protocol.print=mybrowser
1134	.br	1108	.br
1135	unix,inet,inet6,netlink	1109	unix,inet,inet6,netlink
1136
1137	.TP
1138	\fB\-\-protocol.print=pid
1139	Print the protocol filter for a sandbox identified by PID.
1140	.br	1110	.br
1141		1111
1142	.br	1112	.br
@@ -1256,8 +1226,8 @@ $ rm testfile
1256	rm: cannot remove `testfile': Operation not permitted	1226	rm: cannot remove `testfile': Operation not permitted
1257		1227
1258	.TP	1228	.TP
1259	\fB\-\-seccomp.print=name	1229	\fB\-\-seccomp.print=name\|PID
1260	Print the seccomp filter for the sandbox started using \-\-name option.	1230	Print the seccomp filter for the sandbox identified by name or PID.
1261	.br	1231	.br
1262		1232
1263	.br	1233	.br
@@ -1321,72 +1291,6 @@ SECCOMP Filter:
1321	.br	1291	.br
1322	$	1292	$
1323	.TP	1293	.TP
1324	\fB\-\-seccomp.print=pid
1325	Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
1326	.br
1327
1328	.br
1329	Example:
1330	.br
1331	$ firejail \-\-list
1332	.br
1333	10786:netblue:firejail \-\-name=browser firefox
1334	$ firejail \-\-seccomp.print=10786
1335	.br
1336	SECCOMP Filter:
1337	.br
1338	VALIDATE_ARCHITECTURE
1339	.br
1340	EXAMINE_SYSCAL
1341	.br
1342	BLACKLIST 165 mount
1343	.br
1344	BLACKLIST 166 umount2
1345	.br
1346	BLACKLIST 101 ptrace
1347	.br
1348	BLACKLIST 246 kexec_load
1349	.br
1350	BLACKLIST 304 open_by_handle_at
1351	.br
1352	BLACKLIST 175 init_module
1353	.br
1354	BLACKLIST 176 delete_module
1355	.br
1356	BLACKLIST 172 iopl
1357	.br
1358	BLACKLIST 173 ioperm
1359	.br
1360	BLACKLIST 167 swapon
1361	.br
1362	BLACKLIST 168 swapoff
1363	.br
1364	BLACKLIST 103 syslog
1365	.br
1366	BLACKLIST 310 process_vm_readv
1367	.br
1368	BLACKLIST 311 process_vm_writev
1369	.br
1370	BLACKLIST 133 mknod
1371	.br
1372	BLACKLIST 139 sysfs
1373	.br
1374	BLACKLIST 156 _sysctl
1375	.br
1376	BLACKLIST 159 adjtimex
1377	.br
1378	BLACKLIST 305 clock_adjtime
1379	.br
1380	BLACKLIST 212 lookup_dcookie
1381	.br
1382	BLACKLIST 298 perf_event_open
1383	.br
1384	BLACKLIST 300 fanotify_init
1385	.br
1386	RETURN_ALLOW
1387	.br
1388	$
1389	.TP
1390	\fB\-\-shell=none	1294	\fB\-\-shell=none
1391	Run the program directly, without a user shell.	1295	Run the program directly, without a user shell.
1392	.br	1296	.br
@@ -1407,8 +1311,8 @@ shell.
1407	Example:	1311	Example:
1408	$firejail \-\-shell=/bin/dash script.sh	1312	$firejail \-\-shell=/bin/dash script.sh
1409	.TP	1313	.TP
1410	\fB\-\-shutdown=name	1314	\fB\-\-shutdown=name\|PID
1411	Shutdown the sandbox started using \-\-name option.	1315	Shutdown the sandbox identified by name or PID.
1412	.br	1316	.br
1413		1317
1414	.br	1318	.br
@@ -1416,12 +1320,7 @@ Example:
1416	.br	1320	.br
1417	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &	1321	$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
1418	.br	1322	.br
1419	[...]
1420	.br
1421	$ firejail \-\-shutdown=mygame	1323	$ firejail \-\-shutdown=mygame
1422	.TP
1423	\fB\-\-shutdown=pid
1424	Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
1425	.br	1324	.br
1426		1325
1427	.br	1326	.br
@@ -1682,25 +1581,13 @@ These features allow the user to inspect the filesystem container of an existing
1682	and transfer files from the container to the host filesystem.	1581	and transfer files from the container to the host filesystem.
1683		1582
1684	.TP	1583	.TP
1685	\fB\-\-get=name filename	1584	\fB\-\-get=name\|pid filename
1686	Retrieve the container file and store it on the host in the current working directory.
1687	The container is specified by name (\-\-name option). Full path is needed for filename.
1688
1689	.TP
1690	\fB\-\-get=pid filename
1691	Retrieve the container file and store it on the host in the current working directory.	1585	Retrieve the container file and store it on the host in the current working directory.
1692	The container is specified by process ID. Full path is needed for filename.	1586	The container is specified by name or PID. Full path is needed for filename.
1693		1587
1694	.TP	1588	.TP
1695	\fB\-\-ls=name dir_or_filename	1589	\fB\-\-ls=name\|pid dir_or_filename
1696	List container files.	1590	List container files. The container is specified by name or PID.
1697	The container is specified by name (\-\-name option).
1698	Full path is needed for dir_or_filename.
1699
1700	.TP
1701	\fB\-\-ls=pid dir_or_filename
1702	List container files.
1703	The container is specified by process ID.
1704	Full path is needed for dir_or_filename.	1591	Full path is needed for dir_or_filename.
1705		1592
1706	.TP	1593	.TP
@@ -1739,15 +1626,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
1739		1626
1740	Set rate-limits:	1627	Set rate-limits:
1741		1628
1742	firejail --bandwidth={name\|pid} set network download upload	1629	firejail --bandwidth=name\|pid set network download upload
1743		1630
1744	Clear rate-limits:	1631	Clear rate-limits:
1745		1632
1746	firejail --bandwidth={name\|pid} clear network	1633	firejail --bandwidth=name\|pid clear network
1747		1634
1748	Status:	1635	Status:
1749		1636
1750	firejail --bandwidth={name\|pid} status	1637	firejail --bandwidth=name\|pid status
1751		1638
1752	where:	1639	where:
1753	.br	1640	.br