From 5395e525f68f2fcf78e933f731b1da0009f64149 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Fri, 20 Apr 2018 20:32:43 +0200 Subject: docs and comment updates adds sorting to syscall list in firejail man page --- src/firejail/x11.c | 2 +- src/man/firejail-profile.txt | 9 ++++++++- src/man/firejail.txt | 26 +++++++++++--------------- 3 files changed, 20 insertions(+), 17 deletions(-) (limited to 'src') diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 7040dea18..8cf4fccf3 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -1078,7 +1078,7 @@ void x11_xorg(void) { // check xauth utility is present in the system struct stat s; if (stat("/usr/bin/xauth", &s) == -1) { - fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n" + fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n" " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); exit(1); } diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b529f63e3..0217e1353 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -223,7 +223,8 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. .TP \fBprivate-dev -Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. +Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, +random, snd, urandom, video, log and shm devices are available. .TP \fBprivate-etc file,directory Build a new /etc in a temporary @@ -448,6 +449,12 @@ Run the program directly, without a shell. \fBipc-namespace Enable IPC namespace. .TP +\fBnodbus +Disable D-Bus access. Only the regular UNIX socket is handled by +this command. To disable the abstract socket, you would need to +request a new network namespace using the net command. Another +option is to remove unix from protocol set. +.TP \fBnosound Disable sound system. .TP diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2e410061d..d8fed1f31 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1602,20 +1602,16 @@ $ firejail \-\-net=eth0 \-\-scan .TP \fB\-\-seccomp Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows: -mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module, -iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, -sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, -add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, -io_destroy, io_getevents, io_submit, io_cancel, -remap_file_pages, mbind, set_mempolicy, -migrate_pages, move_pages, vmsplice, chroot, -tuxcall, reboot, mfsservctl, get_kernel_syms, -bpf, clock_settime, personality, process_vm_writev, query_module, -settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old, -afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read, -pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write, -security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, -ulimit, vhangup and vserver. +_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime, +create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module, +io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load, +kexec_load, keyctl, lock, lookup_dcookie, mbind, mfsservctl, migrate_pages, modify_ldt, mount, move_pages, mpx, +name_to_handle_at, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open, +personality, pivot_root, process_vm_readv, process_vm_writev, process_vm_writev, prof, profil, ptrace, putpmsg, +query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr, +security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot, +swapoff, swapon, switch_endian, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup, +vm86, vm86old, vmsplice and vserver. .br To help creating useful seccomp filters more easily, the following @@ -1698,7 +1694,7 @@ Bad system call .br .TP -\fB\-\-seccomp.block_secondary +\fB\-\-seccomp.block-secondary Enable seccomp filter and filter system call architectures so that only the native architecture is allowed. For example, on amd64, i386 and x32 system calls are blocked as well as changing the execution -- cgit v1.2.3-54-g00ecf