From c1d43f41230cdd0bc929c0050f60024fc98fc37b Mon Sep 17 00:00:00 2001
From: startx2017
Date: Fri, 26 May 2017 11:38:16 -0400
Subject: fix manpage: removed --seccomp.errno, currently supported by the regular --seccomp=command
---
 src/man/firejail.txt | 55 +++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 44 insertions(+), 11 deletions(-)
(limited to 'src')
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index de300d47b..25992fb3e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1474,6 +1474,31 @@ Enable seccomp filter, blacklist the default list and the syscalls specified by
 Example:
 .br
 $ firejail \-\-seccomp=utime,utimensat,utimes firefox
+.br
+
+.br
+Instead of dropping the syscall, a specific error number can be returned
+using \fBsyscall:errorno\fR syntax.
+.br
+
+.br
+Example:
+.br
+
+.br
+$ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
+.br
+Parent pid 10662, child pid 10663
+.br
+Child process initialized
+.br
+$ touch testfile
+.br
+$ rm testfile
+.br
+rm: cannot remove `testfile': Operation not permitted
+.br
+
 .TP
 \fB\-\-seccomp.drop=syscall,syscall,syscall
 Enable seccomp filter, and blacklist the syscalls specified by the command.
@@ -1483,26 +1508,19 @@ Enable seccomp filter, and blacklist the syscalls specified by the command.
 Example:
 .br
 $ firejail \-\-seccomp.drop=utime,utimensat,utimes
-.TP
-\fB\-\-seccomp.keep=syscall,syscall,syscall
-Enable seccomp filter, and whitelist the syscalls specified by the command.
 .br
 .br
-Example:
-.br
-$ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk
-.TP
-\fB\-\-seccomp.=syscall,syscall,syscall
-Enable seccomp filter, and return errno for the syscalls specified by the command.
+Instead of dropping the syscall, a specific error number can be returned
+using \fBsyscall:errorno\fR syntax.
 .br
 .br
-Example: a Bash shell where deleting files is disabled
+Example:
 .br
 .br
-$ firejail --seccomp.eperm=unlinkat
+$ firejail \-\-seccomp.drop=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
 .br
@@ -1513,6 +1531,21 @@ $ touch testfile
 $ rm testfile
 .br
 rm: cannot remove `testfile': Operation not permitted
+.br
+
+
+
+
+
+.TP
+\fB\-\-seccomp.keep=syscall,syscall,syscall
+Enable seccomp filter, and whitelist the syscalls specified by the command.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk
 .TP
 \fB\-\-seccomp.print=name|PID
-- cgit v1.2.3-70-g09d2