@@ -33,21 +33,21 @@ of the hardware sio2jail runs on.
33
33
34
34
* -s, --stderr*
35
35
Pass stderr from the sandboxed program,
36
- instead of redirecting it to stderr .
36
+ instead of redirecting it to /dev/null .
37
37
38
38
* -o* _ format_ , * --output* _ format_
39
39
Use the specified _ format_ for outputting the execution report.
40
40
41
- * --stimelimit* _ limit_ [ * u* |* ms* |* s* |* m* |* h* |* d* ] ++
42
- * --utimelimit* _ limit_ [ * u* |* ms* |* s* |* m* |* h* |* d* ] ++
41
+ * --stimelimit* _ limit_ [ * u* |* ms* |* s* |* m* |* h* |* d* ] ++
42
+ * --utimelimit* _ limit_ [ * u* |* ms* |* s* |* m* |* h* |* d* ] ++
43
43
* --ustimelimit* _ limit_ [ * u* |* ms* |* s* |* m* |* h* |* d* ] ++
44
- * --rtimelimit* _ limit_ [ * u* |* ms* |* s* |* m* |* h* |* d* ] ++
44
+ * --rtimelimit* _ limit_ [ * u* |* ms* |* s* |* m* |* h* |* d* ]
45
45
Set system (* stimelimit* ), user (* utimelimit* ),
46
46
user+system (* ustimelimit* ) or real (* rtimelimit* )
47
47
time limit to _ limit_ .
48
48
49
49
Use *u*/*ms*/*s*/*m*/*h*/*d* (case-insensitive) unit suffices
50
- to specify time in microseconds, miliseconds , seconds, minutes,
50
+ to specify time in microseconds, milliseconds , seconds, minutes,
51
51
hours and days respectively.
52
52
Defaults to microseconds if unit is not specified.
53
53
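Review bot: the --stimelimit and --utimelimit lines (41 and 42) are removed and re-added with no visible difference, so the change is presumably whitespace-only. If that is intentional (for example trailing whitespace before the "++"), say so in the commit message; otherwise drop those two lines from the patch so the hunk carries only the stderr, --rtimelimit and "milliseconds" fixes.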
@@ -56,8 +56,8 @@ of the hardware sio2jail runs on.
56
56
* --output-limit* _ limit_ [ * b* |* k* |* m* |* g* ]
57
57
Set the output file size limit to _ limit_ .
58
58
59
- Use with *k*/*m*/*g* (case-insensitive) unit suffices
60
- for 1, 1024, 1024**2, 1024**3 bytes respectively. Default is kibibytes.
59
+ Use with *b*/* k*/*m*/*g* (case-insensitive) unit suffices
60
+ for 1024\*\*{0,1,2,3} bytes respectively. Default is kibibytes.
61
61
62
62
This is currently implemented as an rlimit of maximum created file
63
63
size (See: *RLIMIT\_FSIZE* in *getrlimit*(2)), which means:
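Review bot: the rewritten line 59 still reads "unit suffices", which should be "unit suffixes". The same word is left on the unchanged line 49 and on the new line 132, while line 85 of this patch is corrected to "suffixes". Since this commit is a spelling pass, fix all of them together so the option descriptions stay consistent.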
@@ -82,7 +82,7 @@ of the hardware sio2jail runs on.
82
82
* --instruction-count-limit* _ limit_ [ * k* |* m* |* g* ]
83
83
Set instruction count limit. Requires * --perf* .
84
84
85
- Use with *k*/*m*/*g* sufixes for 10* *{3,6,9} respectively.
85
+ Use with *k*/*m*/*g* suffixes for 10\*\ *{3,6,9} respectively.
86
86
87
87
Use 0 for no limit (the default).
88
88
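Review bot: the new line 85 lists the k/m/g suffixes for --instruction-count-limit but, unlike the --output-limit and --memory-limit text, does not say whether they are case-insensitive or which unit applies when no suffix is given. Add that here so all three limit options are documented the same way. Also check the escaping: this line appears as "10\*\ *{3,6,9}" while the other limits use "1024\*\*{0,1,2,3}", so confirm the rendered man page shows the exponent as intended.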
@@ -107,7 +107,7 @@ of the hardware sio2jail runs on.
107
107
To select syscall policy use *--policy*.
108
108
109
109
* -p* _ policy_ , * --policy* _ policy_
110
- Select * seccomp* (2) syscall policy. Requires seccomp.
110
+ Select * seccomp* (2) syscall policy. Requires * -- seccomp* .
111
111
112
112
_policy_ must be one of available syscall policies:
113
113
@@ -120,17 +120,17 @@ of the hardware sio2jail runs on.
120
120
121
121
Ptrace is used for two purposes:
122
122
123
- - restoring normal singal behaviour when pid- namespaces are in use
123
+ - restoring normal signal behaviour when PID namespaces are in use
124
124
125
125
- providing seccomp policy more flexibility by using the *TRACE*
126
126
seccomp action and making the decision whether to allow
127
127
the syscall in userspace
128
128
129
129
* -m* _ limit_ , * --memory-limit* _ limit_
130
- Set memory limit to _ limit_ . Requires seccomp.
130
+ Set memory limit to _ limit_ . Requires * -- seccomp* .
131
131
132
- Use with *k*/*m*/*g* (case-insensitive) unit suffices
133
- for 1, 1024, 1024**2, 1024**3 bytes respectively. Default is kibibytes.
132
+ Use with *b*/* k*/*m*/*g* (case-insensitive) unit suffices
133
+ for 1024\*\*{0,1,2,3} bytes respectively. Default is kibibytes.
134
134
135
135
Use 0 for no limit.
136
136
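Review bot: the synopsis on line 129 shows "--memory-limit limit" with no suffix list, while the body on lines 132 and 133 now documents b/k/m/g. The --output-limit entry carries the suffixes in its synopsis as "limit[b|k|m|g]"; do the same for -m/--memory-limit so a reader scanning the option list sees that a unit can be given and that the default is kibibytes rather than bytes.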
@@ -156,9 +156,9 @@ of the hardware sio2jail runs on.
156
156
a separate view of the filesystem (kinda like chroot).
157
157
158
158
This prevents the sandboxed program from seeing or manipulating
159
- files which were not explicitely made accessible to it,
159
+ files which were not explicitly made accessible to it,
160
160
and allows for use of runtime environments different than
161
- those installed systemwite (eg. different compiler version).
161
+ those installed systemwide (eg. a different compiler version).
162
162
163
163
* -b* _ path-outside_ :_ path-inside_ [ :_ flags_ ]
164
164
* --bind* _ path-outside_ :_ path-inside_ [ :_ flags_ ]
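Review bot: on the new line 161, "eg." should be "e.g.", and "systemwide" is usually written "system-wide". The unchanged line 160 also has "different than", which reads better as "different from". These are small, but they sit in the same sentence this hunk already rewrites.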
@@ -168,19 +168,14 @@ of the hardware sio2jail runs on.
168
168
This option can be passed multiple times to define multiple
169
169
bind-mounts.
170
170
171
- _path-inside_ must be a valid mountpoint.
172
-
173
- This means that it must be either an empty directory,
174
- if _path-outside_ is a directory
171
+ _path-inside_ must be a valid mountpoint. This means that it must be
172
+ either an empty directory, if _path-outside_ is a directory
175
173
or a regular file, if _path-outside_ is a regular file.
176
174
177
- _flags_, if specified, must be of form (*ro*|*rw*)[*,dev*]
178
-
179
- *ro* - mount read-only (the default)
180
-
181
- *rw* - mount read-write
182
-
183
- *dev* - allow the mounted file to behave as a device node
175
+ _flags_, if specified, must be of form (*ro*|*rw*)[*,dev*], where:
176
+ - *ro* - mount read-only (the default)
177
+ - *rw* - mount read-write
178
+ - *dev* - allow the mounted file to behave as a device node
184
179
185
180
By default, unless *-B* is specified, the file to be executed
186
181
is mounted read-only at /exe, as if the following was passed:
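Review bot: the new flag list on lines 176 to 178 follows the "where:" line directly, with no blank line before the first "-" item. Depending on the AsciiDoc processor, list items that are not separated from the preceding paragraph can be folded into that paragraph instead of rendering as a list. Build the man page and confirm that ro, rw and dev each appear on their own line; if not, add a blank line or a list continuation before the list.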
@@ -223,7 +218,7 @@ of the hardware sio2jail runs on.
223
218
* --uts-namespace* * on* |* off*
224
219
Enable or disable use of UTS namespaces to eliminate the impact of
225
220
hostname and other UTS metadata on the sandboxed program.
226
- Requiers * --user-namespace* . Enabled by default.
221
+ Requires * --user-namespace* . Enabled by default.
227
222
228
223
When enabled, this option sets the hostname and domainname
229
224
inside the sandbox to "sio2jail".
@@ -241,7 +236,7 @@ of the hardware sio2jail runs on.
241
236
network isolated from anything outside the sandbox.
242
237
243
238
* --ipc-namespace* * on* |* off*
244
- Enable or disable the ose of IPC namespaces.
239
+ Enable or disable the use of IPC namespaces.
245
240
Requires * --user-namespace* . Enabled by default.
246
241
247
242
This confines the sandboxed program to a view of IPC