author | Brian Norris <briannorris@google.com> | 2016-03-16 16:43:49 -0700 |
---|---|---|
committer | Brian Norris <briannorris@google.com> | 2016-03-16 17:00:31 -0700 |
commit | 3b5841b91f89059bd8f9453581e1d58f225e49f0 (patch) | |
tree | 051b0e7b45240a92ce5ec8fc13758419d6386fb8 | |
parent | 69841b31dee412d75b76653dc7bc03126af69df0 (diff) | |
download | minijail-3b5841b91f89059bd8f9453581e1d58f225e49f0.tar.gz |
Add missing options to minijail(1) manpage
We're missing -I, -L, -n, and -U. Borrowed text mostly from the '-h'
usage output, as well as some code comments, and other man pages.
Also fix up one inconsistency in the -h usage output formatting.
Bug: None
TEST=`man ./minijail0.1`; `minijail0 -h`
Change-Id: Ie5a8313486490243d3382726aed82971aad9a466
Signed-off-by: Brian Norris <briannorris@google.com>
-rw-r--r-- | minijail0.1 | 15 | ||||
-rw-r--r-- | minijail0.c | 2 |
2 files changed, 16 insertions, 1 deletions
diff --git a/minijail0.1 b/minijail0.1 index 8d7e188..685b6a6 100644 --- a/minijail0.1 +++ b/minijail0.1 @@ -51,6 +51,9 @@ Print a help message detailing supported system call names for seccomp_filter. (Other direct numbers may be specified if minijail0 is not in sync with the host kernel or something like 32/64-bit compatibility issues exist.) .TP +\fB-I\fR +Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR). +.TP \fB-k <src>,<dest>,<type>[,<flags>]\fR Mount \fIsrc\fR, a \fItype\fR filesystem, into the chroot directory at \fIdest\fR, with optional \fIflags\fR. .TP @@ -63,6 +66,11 @@ You very likely don't need this. Run inside a new IPC namespace. This option makes the program's System V IPC namespace independent. .TP +\fB-L\fR +Report blocked syscalls to syslog when using seccomp filter. This option will +force certain syscalls to be allowed in order to achieve this, depending on the +system. +.TP \fB-m "<uid> <loweruid> <count>[,<uid> <loweruid> <count>]"\fR Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as \fBnewuidmap(1)\fR. Multiple mappings should be separated by ','. @@ -71,6 +79,10 @@ Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as \fBnewgidmap(1)\fR. Multiple mappings should be separated by ','. .TP +\fB-n\fR +Set the process's \fIno_new_privs\fR bit. See \fBprctl(2)\fR and the kernel +source file \fIDocumentation/prctl/no_new_privs.txt\fR for more info. +.TP \fB-p\fR Run inside a new PID namespace. This option will make it impossible for the program to see or affect processes that are not its descendants. This implies 
@@ -108,6 +120,9 @@ which should be either 'static' or 'dynamic'. Change users to \fIuser\fR, which may be either a user name or a numeric user ID. .TP +\fB-U\fR +Enter a new user namespace (implies \fB-p\fR). +.TP \fB-v\fR Run inside a new VFS namespace. This option makes the program's mountpoints independent of the rest of the system's. diff --git a/minijail0.c b/minijail0.c index f3caeac..300e921 100644 --- a/minijail0.c +++ b/minijail0.c @@ -145,7 +145,7 @@ static void usage(const char *progn) " -T <type>: Don't access <program> before execve(2), assume <type> ELF binary.\n" " <type> must be 'static' or 'dynamic'.\n" " -u <user>: Change uid to <user>.\n" - " -U Enter new user namespace (implies -p).\n" + " -U: Enter new user namespace (implies -p).\n" " -v: Enter new mount namespace.\n" " -V <file>: Enter specified mount namespace.\n"); } |
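Review bot: in the first minijail0.1 hunk the new \fB-I\fR entry says "inside a new pid namespace" while the existing \fB-p\fR entry later in the same file says "a new PID namespace"; use the same spelling ("Run \fIprogram\fR as init (pid 1) inside a new PID namespace (implies \fB-p\fR).") so the two entries read as describing the same thing.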
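Review bot: the \fB-L\fR entry's "This option will force certain syscalls to be allowed in order to achieve this, depending on the system" leaves a seccomp policy author unable to tell which syscalls -L silently adds to the allow list; name them (or point at the place in the code where they are added, and the conditions under which they vary) so that anyone reading the man page knows exactly how much -L widens the filter.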
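Review bot: the \fB-n\fR entry's pointer to the kernel source file Documentation/prctl/no_new_privs.txt only helps readers with a kernel checkout; name the prctl operation itself, PR_SET_NO_NEW_PRIVS, next to the \fBprctl(2)\fR reference so the description is self-contained and searchable without the kernel tree.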
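Review bot: the \fB-U\fR entry ("Enter a new user namespace (implies \fB-p\fR).") should cross-reference \fB-m\fR and \fB-M\fR, whose entries earlier in this file describe setting the uid and gid mapping of that user namespace and note that they imply -pU; without the pointer a reader of -U has no hint that the mapping options exist.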