Diffstat (limited to 'src')
-rw-r--r--src/firejail/x11.c2
-rw-r--r--src/man/firejail-profile.txt9
-rw-r--r--src/man/firejail.txt26
3 files changed, 20 insertions, 17 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 7040dea18..8cf4fccf3 100644
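--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1078,7 +1078,7 @@ void x11_xorg(void) {
  // check xauth utility is present in the system
  struct stat s;
  if (stat("/usr/bin/xauth", &s) == -1) {
- fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n"
+ fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"
  " Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
  exit(1);
  }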
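Review bot: The path is still written out twice, once as the `stat()` argument and once inside the error text, which is how the message came to say PATH while the check looked only in /usr/bin; a single `#define XAUTH_PATH "/usr/bin/xauth"` used for the `stat()` call and printed with `%s` would keep the two from drifting again. The comment above the check could also record the intent, for example `// look for xauth at a fixed absolute path; PATH is caller-controlled and is deliberately not searched` — this assumes the later invocation uses the same absolute path, which is outside the hunk. Note too that `stat()` succeeding only shows that something exists there; if the function goes on to execute the file, adding `|| !S_ISREG(s.st_mode)` to the condition would reject a directory or device node at that path. The body of x11_xorg starts and ends outside the hunk.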
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b529f63e3..0217e1353 100644
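--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -223,7 +223,8 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
+random, snd, urandom, video, log and shm devices are available.
 .TP
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
@@ -448,6 +449,12 @@ Run the program directly, without a shell.
 \fBipc-namespace
 Enable IPC namespace.
 .TP
+\fBnodbus
+Disable D-Bus access. Only the regular UNIX socket is handled by
+this command. To disable the abstract socket, you would need to
+request a new network namespace using the net command. Another
+option is to remove unix from protocol set.
+.TP
 \fBnosound
 Disable sound system.
 .TP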
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2e410061d..d8fed1f31 100644
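--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1602,20 +1602,16 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, set_mempolicy,
-migrate_pages, move_pages, vmsplice, chroot,
-tuxcall, reboot, mfsservctl, get_kernel_syms,
-bpf, clock_settime, personality, process_vm_writev, query_module,
-settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup and vserver.
+_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
+create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
+io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, mfsservctl, migrate_pages, modify_ldt, mount, move_pages, mpx,
+name_to_handle_at, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
+personality, pivot_root, process_vm_readv, process_vm_writev, process_vm_writev, prof, profil, ptrace, putpmsg,
+query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
+security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
+swapoff, swapon, switch_endian, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
+vm86, vm86old, vmsplice and vserver.
 
 .br
 To help creating useful seccomp filters more easily, the following
@@ -1698,7 +1694,7 @@ Bad system call
 .br
 
 .TP
-\fB\-\-seccomp.block_secondary
+\fB\-\-seccomp.block-secondary
 Enable seccomp filter and filter system call architectures so that
 only the native architecture is allowed. For example, on amd64, i386
 and x32 system calls are blocked as well as changing the execution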