From 63e9d849f662d1a494c6396d4a439cd4c91dfa7e Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sun, 13 Aug 2017 14:07:31 +0300 Subject: Allow any syscall to be blacklisted (#1447) Allow any syscall to be blacklisted with aid of LD_PRELOAD library, libpostexecseccomp.so. Closes: #1447 --- src/man/firejail.txt | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'src/man') diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2c8dca09a..be73429bc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1578,6 +1578,32 @@ $ rm testfile rm: cannot remove `testfile': Operation not permitted .br +.br +If the blocked system calls would also block Firejail from operating, +they are handled by adding a preloaded library which performs seccomp +system calls later. +.br + +.br +Example: +.br + +.br +$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash +.br +Parent pid 32751, child pid 32752 +.br +Post-exec seccomp protector enabled +.br +list in: execve, check list: @default-keep prelist: (null), postlist: execve +.br +Child process initialized in 46.44 ms +.br +$ ls +.br +Bad system call +.br + .TP \fB\-\-seccomp.drop=syscall,syscall,syscall Enable seccomp filter, and blacklist the syscalls specified by the command. -- cgit v1.2.3-70-g09d2
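Review bot: The new paragraph at the top of the hunk ("they are handled by adding a preloaded library which performs seccomp system calls later") never names the mechanism, although the commit message does (LD_PRELOAD, libpostexecseccomp.so). Suggest stating in the man page that the deferred filter is installed by an LD_PRELOAD library running inside the sandboxed program, and documenting the consequence: if the program Firejail starts is statically linked, or preloading otherwise does not take effect for it, the library never runs and the post-exec list is not installed. The example would also benefit from one sentence explaining its output: bash starts because the execve filter is applied only after the exec, and `ls` dies with "Bad system call" because bash's own execve is then blocked. The line "list in: execve, check list: @default-keep prelist: (null), postlist: execve" reads like debug output and will go stale if the message format changes, so consider trimming it from the example. Minor style point: the hunk opens with a second ".br" directly after the existing context ".br", which looks redundant.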