Update the manpage

A few entries were missing. Not anymore!

Bug: None
Test: Visual inspection
Change-Id: I232177d528e6fc5347c09740583d13971343b7db
diff --git a/minijail0.1 b/minijail0.1
index ce8e67c..0329997 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -19,13 +19,25 @@
 If the destination does not exist, it will be created as a file or directory
 based on the \fIsrc\fR type (including missing parent directories).
 .TP
+\fB-B <mask>\fR
+Skip setting securebits in \fImask\fR when restricting capabilities (\fB-c\fR).
+\fImask\fR is a hex constant that represents the mask of securebits that will
+be preserved.  See \fBcapabilities\fR(7) for the complete list.  By default,
+\fBSECURE_NOROOT\fR, \fBSECURE_NO_SETUID_FIXUP\fR, and \fBSECURE_KEEP_CAPS\fR
+(together with their respective locks) are set.
+\fBSECBIT_NO_CAP_AMBIENT_RAISE\fR (and its respective lock) is never set
+because the permitted and inheritable capability sets have already been set
+through \fB-c\fR.
+.TP
 \fB-c <caps>\fR
-Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
-\fB-g\fR, this allows a program to have access to only certain parts of root's
-default privileges while running as another user and group ID altogether. Note
-that these capabilities are not inherited by subprocesses of the process given
-capabilities unless those subprocesses have POSIX file capabilities. See
-\fBcapabilities\fR(7).
+Restrict capabilities to \fIcaps\fR, which is a hex constant that represents
+the capability mask that will be used as the permitted, effective, and
+inheritable sets.  When used in conjunction with \fB-u\fR and \fB-g\fR, this
+allows a program to have access to only certain parts of root's default
+privileges while running as another user and group ID altogether.  Note that
+these capabilities are not inherited by subprocesses of the process given
+capabilities unless those subprocesses have POSIX file capabilities or the
+\fB--ambient\fR flag is also passed.  See \fBcapabilities\fR(7).
 .TP
 \fB-C <dir>\fR
 Change root (using \fBchroot\fR(2)) to \fIdir\fR.
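Review bot: The -B entry mixes two naming schemes for securebits: the defaults are written as SECURE_NOROOT, SECURE_NO_SETUID_FIXUP and SECURE_KEEP_CAPS, while the last one is SECBIT_NO_CAP_AMBIENT_RAISE. capabilities(7), which the entry refers readers to, lists these flags with the SECBIT_ prefix, so use SECBIT_ for all four; otherwise a reader searching that page for the names will not find them. In the same entry, "Skip setting securebits in mask" and "the mask of securebits that will be preserved" describe the mask in two different ways; one phrasing, for example that the bits in mask are left untouched, would remove the doubt about whether a bit in the mask ends up set or not.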
@@ -61,6 +73,10 @@
 (Other direct numbers may be specified if minijail0 is not in sync with the
 host kernel or something like 32/64-bit compatibility issues exist.)
 .TP
+\fB-i\fR
+Exit immediately after \fBfork\fR(2).  The jailed process will keep running in
+the background.
+.TP
 \fB-I\fR
 Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR).
 .TP
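Review bot: The new -i entry starts with "Exit immediately after fork(2)" without saying which process exits. The -z entry added later in this patch names "the minijail0 process" and "the jailed process" explicitly; doing the same here ("minijail0 exits immediately after fork(2)") would make it clear that the launcher goes away and only the jailed process remains.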
@@ -205,6 +221,17 @@
 \fB-Y\fR
 Synchronize seccomp filters across thread group.
 .TP
+\fB-z\fR
+Don't forward any signals to the jailed process.  For example, when not using
+\fB-i\fR, sending \fBSIGINT\fR (e.g., CTRL-C on the terminal), will kill the
+minijail0 process, not the jailed process.
+.TP
+\fB--ambient\fR
+Raise ambient capabilities to match the mask specified by \fB-c\fR.  Since
+ambient capabilities are preserved across \fBexecve\fR(2), this allows for
+process trees to have a restricted set of capabilities, even if they are
+capability-dumb binaries.  See \fBcapabilities\fR(7).
+.TP
 \fB--uts[=hostname]\fR
 Create a new UTS/hostname namespace, and optionally set the hostname in the new
 namespace to \fIhostname\fR.
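Review bot: The --ambient entry says the ambient set is raised "to match the mask specified by -c" but does not say what happens when --ambient is given without -c. Please state whether -c is required, since this flag is what lets capabilities survive execve(2) for the whole process tree and readers need to know exactly which mask applies. Minor, in the -z entry: the comma after the parenthesis in "(e.g., CTRL-C on the terminal), will kill" separates the subject from its verb and should be dropped.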
diff --git a/minijail0_cli.c b/minijail0_cli.c
index b6aa593..e366533 100644
--- a/minijail0_cli.c
+++ b/minijail0_cli.c
@@ -390,7 +390,8 @@
 	       "                Not compatible with -G.\n"
 	       "  -h:           Help (this message).\n"
 	       "  -H:           Seccomp filter help message.\n"
-	       "  -i:           Exit immediately after fork (do not act as init).\n"
+	       "  -i:           Exit immediately after fork(2). The jailed process will run\n"
+	       "                in the background.\n"
 	       "  -I:           Run <program> as init (pid 1) inside a new pid namespace (implies -p).\n"
 	       "  -K:           Do not change share mode of any existing mounts.\n"
 	       "  -K<mode>:     Mark all existing mounts as <mode> instead of MS_PRIVATE.\n"
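Review bot: The rewritten -i help line drops "(do not act as init)" and the new manpage entry does not mention it either. If that behaviour still holds it is worth keeping in one of the two places, because -I ("Run <program> as init") is the very next option and the relationship between the two is no longer stated anywhere. Also, the commit subject only mentions the manpage; a word in the message about the usage-string change would help anyone reading the log later.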