Merge "Add missing options to minijail(1) manpage"
diff --git a/minijail0.1 b/minijail0.1
index 8d7e188..685b6a6 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -51,6 +51,9 @@
(Other direct numbers may be specified if minijail0 is not in sync with the
host kernel or something like 32/64-bit compatibility issues exist.)
.TP
+\fB-I\fR
+Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR).
+.TP
\fB-k <src>,<dest>,<type>[,<flags>]\fR
Mount \fIsrc\fR, a \fItype\fR filesystem, into the chroot directory at \fIdest\fR, with optional \fIflags\fR.
.TP
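Review bot: The new -I entry writes "pid namespace" in lower case, while the existing -p entry in this file writes "PID namespace"; use the same capitalisation in both. The entry also does not say how -I differs from plain -p, which it implies, so a sentence on what changes for the program when it runs as pid 1 would help the reader choose between the two.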
@@ -63,6 +66,11 @@
Run inside a new IPC namespace. This option makes the program's System V IPC
namespace independent.
.TP
+\fB-L\fR
+Report blocked syscalls to syslog when using seccomp filter. This option will
+force certain syscalls to be allowed in order to achieve this, depending on the
+system.
+.TP
\fB-m "<uid> <loweruid> <count>[,<uid> <loweruid> <count>]"\fR
Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewuidmap(1)\fR. Multiple mappings should be separated by ','.
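Review bot: In the -L entry, "force certain syscalls to be allowed" and "depending on the system" do not tell the reader how far the seccomp filter is widened when reporting is on. Since this loosens the policy the user supplied, name the syscalls that get allowed, or say where the list can be found, and state plainly that the resulting filter is more permissive than the one given.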
@@ -71,6 +79,10 @@
Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewgidmap(1)\fR. Multiple mappings should be separated by ','.
.TP
+\fB-n\fR
+Set the process's \fIno_new_privs\fR bit. See \fBprctl(2)\fR and the kernel
+source file \fIDocumentation/prctl/no_new_privs.txt\fR for more info.
+.TP
\fB-p\fR
Run inside a new PID namespace. This option will make it impossible for the
program to see or affect processes that are not its descendants. This implies
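Review bot: The -n entry names the no_new_privs bit but never says what setting it does, so the reader has to leave the man page to learn the effect. Add a one-sentence summary of what the bit restricts, and consider leading with the prctl(2) reference, since a file path inside the kernel source tree can change between kernel versions.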
@@ -108,6 +120,9 @@
Change users to \fIuser\fR, which may be either a user name or a numeric user
ID.
.TP
+\fB-U\fR
+Enter a new user namespace (implies \fB-p\fR).
+.TP
\fB-v\fR
Run inside a new VFS namespace. This option makes the program's mountpoints
independent of the rest of the system's.
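Review bot: The -U entry does not mention the uid and gid mapping options, although their entries in this file both say they imply -pU. A cross-reference from -U to those options would tell the reader how the mappings for the new user namespace are set.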
diff --git a/minijail0.c b/minijail0.c
index f3caeac..300e921 100644
--- a/minijail0.c
+++ b/minijail0.c
@@ -145,7 +145,7 @@
" -T <type>: Don't access <program> before execve(2), assume <type> ELF binary.\n"
" <type> must be 'static' or 'dynamic'.\n"
" -u <user>: Change uid to <user>.\n"
- " -U Enter new user namespace (implies -p).\n"
+ " -U: Enter new user namespace (implies -p).\n"
" -v: Enter new mount namespace.\n"
" -V <file>: Enter specified mount namespace.\n");
}
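Review bot: The commit subject describes only the man page, but this hunk changes the usage string in minijail0.c by adding the colon after -U. Mention the usage fix in the commit message, or split it into its own change, so the history of minijail0.c explains it.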