Commit 507a8d4

Improve documentation a bit
Mainly fix formatting, typos and inconsistencies.
1 parent 676c4c3 commit 507a8d4

1 file changed

+23
-28
lines changed

doc/sio2jail.1.scd

Lines changed: 23 additions & 28 deletions
@@ -33,21 +33,21 @@ of the hardware sio2jail runs on.
3333

3434
*-s, --stderr*
3535
Pass stderr from the sandboxed program,
36-
instead of redirecting it to stderr.
36+
instead of redirecting it to /dev/null.
3737

3838
*-o* _format_, *--output* _format_
3939
Use the specified _format_ for outputting the execution report.
4040

41-
* --stimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
42-
* --utimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
41+
*--stimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
42+
*--utimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
4343
*--ustimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
44-
* --rtimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
44+
*--rtimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*]
4545
Set system (*stimelimit*), user (*utimelimit*),
4646
user+system (*ustimelimit*) or real (*rtimelimit*)
4747
time limit to _limit_.
4848

4949
Use *u*/*ms*/*s*/*m*/*h*/*d* (case-insensitive) unit suffices
50-
to specify time in microseconds, miliseconds, seconds, minutes,
50+
to specify time in microseconds, milliseconds, seconds, minutes,
5151
hours and days respectively.
5252
Defaults to microseconds if unit is not specified.
5353

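Review bot: the context line at 49 still reads "unit suffices", and the same word is carried onto the new lines 59 and 132; the plural of suffix is "suffixes", which the --instruction-count-limit hunk uses after its own fix. Since the commit message says it fixes typos and inconsistencies, suggest changing all three occurrences here.
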
@@ -56,8 +56,8 @@ of the hardware sio2jail runs on.
5656
*--output-limit* _limit_[*b*|*k*|*m*|*g*]
5757
Set the output file size limit to _limit_.
5858

59-
Use with *k*/*m*/*g* (case-insensitive) unit suffices
60-
for 1, 1024, 1024**2, 1024**3 bytes respectively. Default is kibibytes.
59+
Use with *b*/*k*/*m*/*g* (case-insensitive) unit suffices
60+
for 1024\*\*{0,1,2,3} bytes respectively. Default is kibibytes.
6161

6262
This is currently implemented as an rlimit of maximum created file
6363
size (See: *RLIMIT\_FSIZE* in *getrlimit*(2)), which means:
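
Review bot: on new line 60, "1024\*\*{0,1,2,3}" makes the reader pair four suffixes with four exponents through shell-style brace notation, which is harder to scan in a man page than the list it replaces. Suggest spelling it out, e.g. "for 1, 1024, 1024\*\*2, 1024\*\*3 bytes respectively", keeping the escaped asterisks. "Default is kibibytes." could also say that it applies when no suffix is given, as the time-limit text does with "if unit is not specified".
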
@@ -82,7 +82,7 @@ of the hardware sio2jail runs on.
8282
*--instruction-count-limit* _limit_[*k*|*m*|*g*]
8383
Set instruction count limit. Requires *--perf*.
8484

85-
Use with *k*/*m*/*g* sufixes for 10**{3,6,9} respectively.
85+
Use with *k*/*m*/*g* suffixes for 10\*\*{3,6,9} respectively.
8686

8787
Use 0 for no limit (the default).
8888

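Review bot: line 85 gives *k*/*m*/*g* decimal meanings (10\*\*3, 10\*\*6, 10\*\*9) while the same letters stand for powers of 1024 under --output-limit and --memory-limit, and unlike those options this line does not say whether the suffix is case-insensitive. Suggest adding "(case-insensitive)" if that holds here, plus a short remark that these multipliers are decimal, so a reader does not carry the 1024-based reading over.
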
@@ -107,7 +107,7 @@ of the hardware sio2jail runs on.
107107
To select syscall policy use *--policy*.
108108

109109
*-p* _policy_, *--policy* _policy_
110-
Select *seccomp*(2) syscall policy. Requires seccomp.
110+
Select *seccomp*(2) syscall policy. Requires *--seccomp*.
111111

112112
_policy_ must be one of available syscall policies:
113113

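Review bot: line 110 now names the option (*--seccomp*) rather than the feature, but the text still does not say what happens when *--policy* is given while seccomp is off. For a sandbox man page it matters whether that combination is rejected as an error or the policy is ignored; suggest one sentence stating which.
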
@@ -120,17 +120,17 @@ of the hardware sio2jail runs on.
120120

121121
Ptrace is used for two purposes:
122122

123-
- restoring normal singal behaviour when pid-namespaces are in use
123+
- restoring normal signal behaviour when PID namespaces are in use
124124

125125
- providing seccomp policy more flexibility by using the *TRACE*
126126
seccomp action and making the decision whether to allow
127127
the syscall in userspace
128128

129129
*-m* _limit_, *--memory-limit* _limit_
130-
Set memory limit to _limit_. Requires seccomp.
130+
Set memory limit to _limit_. Requires *--seccomp*.
131131

132-
Use with *k*/*m*/*g* (case-insensitive) unit suffices
133-
for 1, 1024, 1024**2, 1024**3 bytes respectively. Default is kibibytes.
132+
Use with *b*/*k*/*m*/*g* (case-insensitive) unit suffices
133+
for 1024\*\*{0,1,2,3} bytes respectively. Default is kibibytes.
134134

135135
Use 0 for no limit.
136136

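Review bot: line 135 says "Use 0 for no limit." without naming the default, whereas --instruction-count-limit says "Use 0 for no limit (the default)." on line 87. Suggest stating the default for --memory-limit in the same form. Line 130 would also benefit from a few words on why a memory limit depends on *--seccomp*, since the dependency is not obvious from the option name.
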
@@ -156,9 +156,9 @@ of the hardware sio2jail runs on.
156156
a separate view of the filesystem (kinda like chroot).
157157

158158
This prevents the sandboxed program from seeing or manipulating
159-
files which were not explicitely made accessible to it,
159+
files which were not explicitly made accessible to it,
160160
and allows for use of runtime environments different than
161-
those installed systemwite (eg. different compiler version).
161+
those installed systemwide (eg. a different compiler version).
162162

163163
*-b* _path-outside_:_path-inside_[:_flags_]
164164
*--bind* _path-outside_:_path-inside_[:_flags_]
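
Review bot: line 161 is touched by this change but keeps "eg." and "different than"; suggest "e.g." and "different from". Line 156, "kinda like chroot", stays in a register that does not match the rest of the page; "similar to *chroot*(2)" would fit the style used for *seccomp*(2) and *getrlimit*(2).
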
@@ -168,19 +168,14 @@ of the hardware sio2jail runs on.
168168
This option can be passed multiple times to define multiple
169169
bind-mounts.
170170

171-
_path-inside_ must be a valid mountpoint.
172-
173-
This means that it must be either an empty directory,
174-
if _path-outside_ is a directory
171+
_path-inside_ must be a valid mountpoint. This means that it must be
172+
either an empty directory, if _path-outside_ is a directory
175173
or a regular file, if _path-outside_ is a regular file.
176174

177-
_flags_, if specified, must be of form (*ro*|*rw*)[*,dev*]
178-
179-
*ro* - mount read-only (the default)
180-
181-
*rw* - mount read-write
182-
183-
*dev* - allow the mounted file to behave as a device node
175+
_flags_, if specified, must be of form (*ro*|*rw*)[*,dev*], where:
176+
- *ro* - mount read-only (the default)
177+
- *rw* - mount read-write
178+
- *dev* - allow the mounted file to behave as a device node
184179

185180
By default, unless *-B* is specified, the file to be executed
186181
is mounted read-only at /exe, as if the following was passed:
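
Review bot: in the list added at lines 176-178, "(the default)" on *ro* is ambiguous against the form "(*ro*|*rw*)[*,dev*]" on line 175, which makes ro or rw mandatory once _flags_ is present. Suggest wording it as "read-only is used when _flags_ is omitted", and saying what a bind-mount without *dev* does with device nodes, since that is the restriction readers will rely on. The merged sentence on lines 171-173 would also read better with a comma before "or a regular file".
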
@@ -223,7 +218,7 @@ of the hardware sio2jail runs on.
223218
*--uts-namespace* *on*|*off*
224219
Enable or disable use of UTS namespaces to eliminate the impact of
225220
hostname and other UTS metadata on the sandboxed program.
226-
Requiers *--user-namespace*. Enabled by default.
221+
Requires *--user-namespace*. Enabled by default.
227222

228223
When enabled, this option sets the hostname and domainname
229224
inside the sandbox to "sio2jail".
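
Review bot: line 221 reads "Requires *--user-namespace*. Enabled by default.", and the same pair appears for --ipc-namespace on line 240. The page should say what happens when --user-namespace is turned off while these options stay at their default: whether sio2jail refuses to start or runs without the namespace. One sentence per option, or a shared one under --user-namespace, would settle it.
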
@@ -241,7 +236,7 @@ of the hardware sio2jail runs on.
241236
network isolated from anything outside the sandbox.
242237

243238
*--ipc-namespace* *on*|*off*
244-
Enable or disable the ose of IPC namespaces.
239+
Enable or disable the use of IPC namespaces.
245240
Requires *--user-namespace*. Enabled by default.
246241

247242
This confines the sandboxed program to a view of IPC
