Update the manpage
A few entries were missing. Not anymore!
Test: Visual inspection
diff --git a/minijail0.1 b/minijail0.1
index ce8e67c..0329997 100644
@@ -19,13 +19,25 @@
If the destination does not exist, it will be created as a file or directory
based on the \fIsrc\fR type (including missing parent directories).
+Skip setting securebits in \fImask\fR when restricting capabilities (\fB-c\fR).
+\fImask\fR is a hex constant that represents the mask of securebits that will
+be preserved. See \fBcapabilities\fR(7) for the complete list. By default,
+\fBSECURE_NOROOT\fR, \fBSECURE_NO_SETUID_FIXUP\fR, and \fBSECURE_KEEP_CAPS\fR
+(together with their respective locks) are set.
+\fBSECBIT_NO_CAP_AMBIENT_RAISE\fR (and its respective lock) is never set
+because the permitted and inheritable capability sets have already been set
-Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
-\fB-g\fR, this allows a program to have access to only certain parts of root's
-default privileges while running as another user and group ID altogether. Note
-that these capabilities are not inherited by subprocesses of the process given
-capabilities unless those subprocesses have POSIX file capabilities. See
+Restrict capabilities to \fIcaps\fR, which is a hex constant that represents
+the capability mask that will be used as the permitted, effective, and
+inheritable sets. When used in conjunction with \fB-u\fR and \fB-g\fR, this
+allows a program to have access to only certain parts of root's default
+privileges while running as another user and group ID altogether. Note that
+these capabilities are not inherited by subprocesses of the process given
+capabilities unless those subprocesses have POSIX file capabilities or the
+\fB--ambient\fR flag is also passed. See \fBcapabilities\fR(7).
Change root (using \fBchroot\fR(2)) to \fIdir\fR.
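Review bot: The securebits paragraph mixes two naming schemes: the defaults are written as SECURE_NOROOT, SECURE_NO_SETUID_FIXUP and SECURE_KEEP_CAPS, while the following sentence uses SECBIT_NO_CAP_AMBIENT_RAISE. The text sends readers to capabilities(7), which documents the flags under their SECBIT_* names, so use SECBIT_* throughout to keep the names searchable there. The opening is also ambiguous: "Skip setting securebits in mask" and "the mask of securebits that will be preserved" can be read in opposite directions, so state explicitly which bits minijail0 leaves alone when a bit is set in mask. A short example value for both hex arguments (mask and caps) would help, since neither entry says whether the constant is built from bit numbers or from flag values.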
@@ -61,6 +73,10 @@
(Other direct numbers may be specified if minijail0 is not in sync with the
host kernel or something like 32/64-bit compatibility issues exist.)
+Exit immediately after \fBfork\fR(2). The jailed process will keep running in
Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR).
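Review bot: The new entry that begins "Exit immediately after fork(2)" says the jailed process keeps running but does not say what minijail0's own exit status means in that mode. Callers that script around minijail0 usually treat its exit status as the jailed program's, so add a sentence saying what is returned here and that it is not the status of the jailed program, if that is the case.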
@@ -205,6 +221,17 @@
Synchronize seccomp filters across thread group.
+Don't forward any signals to the jailed process. For example, when not using
+\fB-i\fR, sending \fBSIGINT\fR (e.g., CTRL-C on the terminal), will kill the
+minijail0 process, not the jailed process.
+Raise ambient capabilities to match the mask specified by \fB-c\fR. Since
+ambient capabilities are preserved across \fBexecve\fR(2), this allows for
+process trees to have a restricted set of capabilities, even if they are
+capability-dumb binaries. See \fBcapabilities\fR(7).
Create a new UTS/hostname namespace, and optionally set the hostname in the new
namespace to \fIhostname\fR.
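Review bot: The ambient-capabilities entry says the ambient set is raised "to match the mask specified by -c" but does not say what happens when the flag is passed without -c. State whether -c is required and whether minijail0 exits with an error or ignores the flag otherwise, and spell out that every descendant of the jailed process then carries the -c mask across execve(2), since that is the security-relevant consequence of turning it on. Minor, in the signal-forwarding entry: drop the comma before "will kill", and consider saying that the jailed process is left running when minijail0 is killed this way.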
diff --git a/minijail0_cli.c b/minijail0_cli.c
index b6aa593..e366533 100644
@@ -390,7 +390,8 @@
" Not compatible with -G.\n"
" -h: Help (this message).\n"
" -H: Seccomp filter help message.\n"
- " -i: Exit immediately after fork (do not act as init).\n"
+ " -i: Exit immediately after fork(2). The jailed process will run\n"
+ " in the background.\n"
" -I: Run <program> as init (pid 1) inside a new pid namespace (implies -p).\n"
" -K: Do not change share mode of any existing mounts.\n"
" -K<mode>: Mark all existing mounts as <mode> instead of MS_PRIVATE.\n"