From 96505fd6765a124016cc7e64ea8191f38efb09a5 Mon Sep 17 00:00:00 2001
From: Glenn Washburn
Date: Thu, 29 Aug 2019 22:02:08 -0500
Subject: Update man page to note that --trace can now take an optional parameter.
---
 src/man/firejail.txt | 40 +++++++++++++++++-----------------------
 1 file changed, 17 insertions(+), 23 deletions(-)
(limited to 'src')
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 500850413..9f9d8e6ec 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -71,10 +71,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option to disable it.
 For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts the default shell from the current user.
+If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
 .PP
-$ firejail [OPTIONS] # starting the user default shell (normally /bin/bash)
+$ firejail [OPTIONS] # starting a /bin/bash shell
 .PP
 $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 .PP
@@ -1776,14 +1776,11 @@ vm86, vm86old, vmsplice and vserver.
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @aio, @basic-io, @chown, @clock,
-@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
-@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
-@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
-@resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a
+system call groups are defined: @clock, @cpu-emulation, @debug,
+@default, @default-nodebuggers, @default-keep, @module, @obsolete,
+@privileged, @raw-io, @reboot, @resources and @swap. In addition, a
 system call can be specified by its number instead of name with prefix
-$, so for example $165 would be equal to mount on i386. Exceptions
-can be allowed with prefix !.
+$, so for example $165 would be equal to mount on i386.
 .br
 System architecture is strictly imposed only if flag
@@ -1801,10 +1798,8 @@ Example:
 .br
 $ firejail \-\-seccomp
 .TP
-\fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list (@default) and the syscalls or syscall groups specified by the
-command.
+\fB\-\-seccomp=syscall,@group
+Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
 .br
 .br
@@ -1868,9 +1863,8 @@ domain with personality(2) system call.
 .br
 .TP
-\fB\-\-seccomp.drop=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2" but blacklist the
-syscalls or the syscall groups specified by the command.
+\fB\-\-seccomp.drop=syscall,@group
+Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.
 .br
 .br
@@ -1905,11 +1899,10 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
-\fB\-\-seccomp.keep=syscall,@group,!syscall2
-Enable seccomp filter, blacklist "syscall2" but whitelist the
-syscalls or the syscall groups specified by the command. The system
-calls needed by Firejail (group @default-keep: prctl, execve) are
-handled with the preload library.
+\fB\-\-seccomp.keep=syscall,syscall,syscall
+Enable seccomp filter, and whitelist the syscalls specified by the
+command. The system calls needed by Firejail (group @default-keep:
+prctl, execve) are handled with the preload library.
 .br
 .br
@@ -2149,8 +2142,9 @@ Example:
 .br
 $ firejail \-\-top
 .TP
-\fB\-\-trace
-Trace open, access and connect system calls.
+\fB\-\-trace[=filename]
+Trace open, access and connect system calls. If filename is specified, log
+trace output to filename, otherwise log to console.
 .br
 .br
-- 
cgit v1.2.3-54-g00ecf