From b394115c0396b2cb6e11d7865444d73ba1cfdd7e Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Thu, 5 Sep 2019 18:10:42 +0200
Subject: update seccomp in man firejail

---
 src/man/firejail.txt | 33 +++++++++++++--------------------
 1 file changed, 13 insertions(+), 20 deletions(-)

(limited to 'src/man/firejail.txt')

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 500850413..ed2f776f2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1762,17 +1762,9 @@ Example:
 $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
-Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
-create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
-io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
-name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
-personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
-query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
-security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
-swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
-vm86, vm86old, vmsplice and vserver.
+Enable seccomp filter and blacklist the syscalls in the default list,
+which is @default-nodebuggers unless allow-debuggers is specified,
+then it is @default.
 .br
 To help creating useful seccomp filters more easily, the following
@@ -1780,10 +1772,12 @@ system call groups are defined:
 @aio, @basic-io, @chown, @clock, @cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep, @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount, @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
-@resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a
-system call can be specified by its number instead of name with prefix
-$, so for example $165 would be equal to mount on i386. Exceptions
-can be allowed with prefix !.
+@resources, @setuid, @swap, @sync, @system-service and @timer.
+More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt
+
+In addition, a system call can be specified by its number instead of
+name with prefix $, so for example $165 would be equal to mount on i386.
+Exceptions can be allowed with prefix !.
 .br
 System architecture is strictly imposed only if flag
@@ -1803,7 +1797,7 @@ $ firejail \-\-seccomp
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
 Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list (@default) and the syscalls or syscall groups specified by the
+list and the syscalls or syscall groups specified by the
 command.
 .br
@@ -1906,10 +1900,9 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
-Enable seccomp filter, blacklist "syscall2" but whitelist the
-syscalls or the syscall groups specified by the command. The system
-calls needed by Firejail (group @default-keep: prctl, execve) are
-handled with the preload library.
+Enable seccomp filter, blacklist all syscall not listed and "syscall2".
+The system calls needed by Firejail (group @default-keep: prctl, execve)
+are handled with the preload library.
 .br
 .br
-- 
cgit v1.2.3-54-g00ecf