Merge pull request #82 from jvvv/master
nsjail.1: update manpage to match README
commit 1ac94e7f61
nsjail.1 (46 lines changed)
@ -19,17 +19,17 @@ Execution mode (default: o [MODE_STANDALONE_ONCE]):
|
|||||||
\fBl\fR: Wait for connections on a TCP port (specified with \fB\-\-port\fR) [MODE_LISTEN_TCP]
|
\fBl\fR: Wait for connections on a TCP port (specified with \fB\-\-port\fR) [MODE_LISTEN_TCP]
|
||||||
.PP
|
.PP
|
||||||
.IP
|
.IP
|
||||||
\fBo\fR: Immediately launch a single process on the console using clone/execve [MODE_STANDALONE_ONCE]
|
\fBo\fR: Launch a single process on the console using clone/execve [MODE_STANDALONE_ONCE]
|
||||||
.PP
|
.PP
|
||||||
.IP
|
.IP
|
||||||
\fBe\fR: Immediately launch a single process on the console using execve [MODE_STANDALONE_EXECVE]
|
\fBe\fR: Launch a single process on the console using execve [MODE_STANDALONE_EXECVE]
|
||||||
.PP
|
.PP
|
||||||
.IP
|
.IP
|
||||||
\fBr\fR: Immediately launch a single process on the console, keep doing it forever [MODE_STANDALONE_RERUN]
|
\fBr\fR: Launch a single process on the console with clone/execve, keep doing it forever [MODE_STANDALONE_RERUN]
|
||||||
.PP
|
.PP
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-config\fR|\fB\-C\fR VALUE
|
\fB\-\-config\fR|\fB\-C\fR VALUE
|
||||||
Configuration file in the config.proto ProtoBuf format
|
Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-exec_file\fR|\fB\-x\fR VALUE
|
\fB\-\-exec_file\fR|\fB\-x\fR VALUE
|
||||||
File to exec (default: argv[0])
|
File to exec (default: argv[0])
|
||||||
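Review bot: the new \fB\-\-config\fR text says '(see configs/ directory for examples)', but a manpage is read on an installed system where no configs/ directory exists; say it is the configs/ directory of the nsjail source tree. The mode descriptions are otherwise consistent now that \fBr\fR also names clone/execve, matching \fBo\fR.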
@ -89,25 +89,25 @@ Log warning and more important messages only
|
|||||||
Log fatal messages only
|
Log fatal messages only
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-keep_env\fR|\fB\-e\fR
|
\fB\-\-keep_env\fR|\fB\-e\fR
|
||||||
Should all environment variables be passed to the child?
|
Pass all environment variables be passed process (default: all envvars are cleared)
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-env\fR|\fB\-E\fR VALUE
|
\fB\-\-env\fR|\fB\-E\fR VALUE
|
||||||
Environment variable (can be used multiple times)
|
Additional environment variable (can be used multiple times)
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-keep_caps\fR
|
\fB\-\-keep_caps\fR
|
||||||
Don't drop capabilities in the local namespace
|
Don't drop any capabilities
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-cap\fR VALUE
|
\fB\-\-cap\fR VALUE
|
||||||
Retain this capability in local namespace (e.g. CAP_PTRACE). Can be specified multiple times
|
Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-silent\fR
|
\fB\-\-silent\fR
|
||||||
Redirect child's fd:0/1/2 to /dev/null
|
Redirect child process' fd:0/1/2 to /dev/null
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-skip_setsid\fR
|
\fB\-\-skip_setsid\fR
|
||||||
Don't call setsid(), allows for terminal signal handling in the sandboxed process
|
Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-pass_fd\fR VALUE
|
\fB\-\-pass_fd\fR VALUE
|
||||||
Don't close this FD before executing child (can be specified multiple times), by default: 0/1/2 are kept open
|
Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-disable_no_new_privs\fR
|
\fB\-\-disable_no_new_privs\fR
|
||||||
Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)
|
Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)
|
||||||
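Review bot: the replacement text for \fB\-\-keep_env\fR, 'Pass all environment variables be passed process (default: all envvars are cleared)', is ungrammatical; it should read 'Pass all environment variables to the child process (default: all envvars are cleared)'. While here, \fB\-\-skip_setsid\fR gets a bare 'Dangerous' whereas \fB\-\-disable_no_new_privs\fR two entries down uses '(DANGEROUS)'; use one form so a reader scanning for hazardous flags finds both.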
@ -149,7 +149,7 @@ personality(ADDR_LIMIT_3GB)
|
|||||||
personality(ADDR_NO_RANDOMIZE)
|
personality(ADDR_NO_RANDOMIZE)
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-disable_clone_newnet\fR|\-N
|
\fB\-\-disable_clone_newnet\fR|\-N
|
||||||
Don't use CLONE_NEWNET. Enable networking inside the jail
|
Don't use CLONE_NEWNET. Enable global networking inside the jail
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-disable_clone_newuser\fR
|
\fB\-\-disable_clone_newuser\fR
|
||||||
Don't use CLONE_NEWUSER. Requires euid==0
|
Don't use CLONE_NEWUSER. Requires euid==0
|
||||||
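Review bot: 'Enable global networking inside the jail' for \fB\-\-disable_clone_newnet\fR is vaguer than the behaviour: without CLONE_NEWNET the jailed process stays in the parent's network namespace, so it sees every interface and address the host does. Consider 'Keep the host's network namespace (the jail gets unrestricted network access)' and the same DANGEROUS-style marker this file uses for the other isolation-disabling options.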
@ -170,10 +170,10 @@ Don't use CLONE_NEWUTS
|
|||||||
Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6
|
Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-uid_mapping\fR|\fB\-U\fR VALUE
|
\fB\-\-uid_mapping\fR|\fB\-U\fR VALUE
|
||||||
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap to be present
|
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-gid_mapping\fR|\fB\-G\fR VALUE
|
\fB\-\-gid_mapping\fR|\fB\-G\fR VALUE
|
||||||
Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap to be present
|
Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-bindmount_ro\fR|\fB\-R\fR VALUE
|
\fB\-\-bindmount_ro\fR|\fB\-R\fR VALUE
|
||||||
List of mountpoints to be mounted \fB\-\-bind\fR (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
List of mountpoints to be mounted \fB\-\-bind\fR (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
||||||
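Review bot: 'requires newuidmap (set-uid) to be present' reads oddly; the parenthetical means the helper must be installed set-uid root, so 'requires a set-uid newuidmap binary to be present' is clearer, and the same wording applies to newgidmap in the \fB\-\-gid_mapping\fR entry.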
@ -182,22 +182,22 @@ List of mountpoints to be mounted \fB\-\-bind\fR (ro) inside the container. Can
|
|||||||
List of mountpoints to be mounted \fB\-\-bind\fR (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
List of mountpoints to be mounted \fB\-\-bind\fR (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-tmpfsmount\fR|\fB\-T\fR VALUE
|
\fB\-\-tmpfsmount\fR|\fB\-T\fR VALUE
|
||||||
List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax
|
List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'
|
||||||
.TP
|
|
||||||
\fB\-\-tmpfs_size\fR VALUE
|
|
||||||
Number of bytes to allocate for tmpfsmounts (default: 4194304)
|
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-mount\fR|\fB\-m\fR VALUE
|
\fB\-\-mount\fR|\fB\-m\fR VALUE
|
||||||
Arbitrary mount, format src:dst:fs_type:options
|
Arbitrary mount, format src:dst:fs_type:options
|
||||||
.TP
|
.TP
|
||||||
|
\fB\-\-symlink\fR|\f\B\-s\fR VALUE
|
||||||
|
Symlink, format src:dst
|
||||||
|
.TP
|
||||||
\fB\-\-disable_proc\fR
|
\fB\-\-disable_proc\fR
|
||||||
Disable mounting \fI/proc\fP in the jail
|
Disable mounting procfs in the jail
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-proc_path\fR VALUE
|
\fB\-\-proc_path\fR VALUE
|
||||||
Path used to mount procfs (default: '/proc')
|
Path used to mount procfs (default: '/proc')
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-proc_rw\fR
|
\fB\-\-proc_rw\fR
|
||||||
Is procfs mount as R/W (default: R/O)
|
Is procfs mounted as R/W (default: R/O)
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-seccomp_policy\fR|\fB\-P\fR VALUE
|
\fB\-\-seccomp_policy\fR|\fB\-P\fR VALUE
|
||||||
Path to file containing seccomp\-bpf policy (see kafel/)
|
Path to file containing seccomp\-bpf policy (see kafel/)
|
||||||
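Review bot: the new \fB\-\-symlink\fR line has a broken troff escape, '\f\B\-s\fR'; it must be '\fB\-s\fR' like every other short option in the file, otherwise '-s' renders without bold and with a stray character. Two smaller points: the hunk deletes \fB\-\-tmpfs_size\fR entirely, and the commit message only says the manpage was updated to match the README, so confirm the option was removed from nsjail itself before dropping its documentation; and the '-m none:dest:tmpfs:size=8388608' example should say that size= is in bytes, as the removed \fB\-\-tmpfs_size\fR text did.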
@ -238,14 +238,14 @@ Which pre\-existing net_cls cgroup to use as a parent (default: 'NSJAIL')
|
|||||||
\fB\-\-cgroup_cpu_ms_per_sec\fR VALUE
|
\fB\-\-cgroup_cpu_ms_per_sec\fR VALUE
|
||||||
Number of us that the process group can use per second (default: '0' - disabled)
|
Number of us that the process group can use per second (default: '0' - disabled)
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-cpu_mount\fR VALUE
|
\fB\-\-cgroup_cpu_mount\fR VALUE
|
||||||
Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')
|
Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-cpu_parent\fR VALUE
|
\fB\-\-cgroup_cpu_parent\fR VALUE
|
||||||
Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')
|
Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-iface_no_lo\fR
|
\fB\-\-iface_no_lo\fR
|
||||||
Don't bring up the 'lo' interface
|
Don't bring the 'lo' interface up
|
||||||
.TP
|
.TP
|
||||||
\fB\-\-iface_own\fR VALUE
|
\fB\-\-iface_own\fR VALUE
|
||||||
Move this existing network interface into the new NET namespace. Can be specified multiple times
|
Move this existing network interface into the new NET namespace. Can be specified multiple times
|
||||||
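Review bot: the renamed \fB\-\-cgroup_cpu_mount\fR entry keeps the description 'Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')'; a net_cls path as the default for the cpu cgroup looks like a copy-paste from the net_cls entry above, so check the real default in the source and README and correct it here. In the same hunk, \fB\-\-cgroup_cpu_ms_per_sec\fR is described as 'Number of us', which contradicts the ms in the option name; one of the two is wrong.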