Merge pull request #37 from A-dead-pixel/Documentation-PR

Improve documentation a bit
sio2project · Feb 10, 2024 · b5903c6 · b5903c6
2 parents f74a90f + 507a8d4
commit b5903c6
Showing 1 changed file with 23 additions and 28 deletions.
diff --git a/doc/sio2jail.1.scd b/doc/sio2jail.1.scd
@@ -36,21 +36,21 @@ of the hardware sio2jail runs on.
 
 *-s, --stderr*
 	Pass stderr from the sandboxed program,
-	instead of redirecting it to stderr.
+	instead of redirecting it to /dev/null.
 
 *-o* _format_, *--output* _format_
 	Use the specified _format_ for outputting the execution report.
 
-* --stimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
-* --utimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
+*--stimelimit*  _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
+*--utimelimit*  _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
 *--ustimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
-* --rtimelimit* _limit_[*u*|*ms*|*s*|*m*|*h*|*d*] ++
+*--rtimelimit*  _limit_[*u*|*ms*|*s*|*m*|*h*|*d*]
 	Set system (*stimelimit*), user (*utimelimit*),
 	user+system (*ustimelimit*) or real (*rtimelimit*)
 	time limit to _limit_.
 
 	Use *u*/*ms*/*s*/*m*/*h*/*d* (case-insensitive) unit suffices
-	to specify time in microseconds, miliseconds, seconds, minutes,
+	to specify time in microseconds, milliseconds, seconds, minutes,
 	hours and days respectively.
 	Defaults to microseconds if unit is not specified.
 
@@ -59,8 +59,8 @@ of the hardware sio2jail runs on.
 *--output-limit* _limit_[*b*|*k*|*m*|*g*]
 	Set the output file size limit to _limit_.
 
-	Use with *k*/*m*/*g* (case-insensitive) unit suffices
-	for 1, 1024, 1024**2, 1024**3 bytes respectively. Default is kibibytes.
+	Use with *b*/*k*/*m*/*g* (case-insensitive) unit suffices
+	for 1024\*\*{0,1,2,3} bytes respectively. Default is kibibytes.
 
 	This is currently implemented as an rlimit of maximum created file
 	size (See: *RLIMIT\_FSIZE* in *getrlimit*(2)), which means:
@@ -85,7 +85,7 @@ of the hardware sio2jail runs on.
 *--instruction-count-limit* _limit_[*k*|*m*|*g*]
 	Set instruction count limit. Requires *--perf*.
 
-	Use with *k*/*m*/*g* sufixes for 10**{3,6,9} respectively.
+	Use with *k*/*m*/*g* suffixes for 10\*\*{3,6,9} respectively.
 
 	Use 0 for no limit (the default).
 
@@ -110,7 +110,7 @@ of the hardware sio2jail runs on.
 	To select syscall policy use *--policy*.
 
 *-p* _policy_, *--policy* _policy_
-	Select *seccomp*(2) syscall policy. Requires seccomp.
+	Select *seccomp*(2) syscall policy. Requires *--seccomp*.
 
 	_policy_ must be one of available syscall policies:
 
@@ -123,17 +123,17 @@ of the hardware sio2jail runs on.
 
 	Ptrace is used for two purposes:
 
-	- restoring normal singal behaviour when pid-namespaces are in use
+	- restoring normal signal behaviour when PID namespaces are in use
 
 	- providing seccomp policy more flexibility by using the *TRACE*
 	  seccomp action and making the decision whether to allow
 	  the syscall in userspace
 
 *-m* _limit_, *--memory-limit* _limit_
-	Set memory limit to _limit_. Requires seccomp.
+	Set memory limit to _limit_. Requires *--seccomp*.
 
-	Use with *k*/*m*/*g* (case-insensitive) unit suffices
-	for 1, 1024, 1024**2, 1024**3 bytes respectively. Default is kibibytes.
+	Use with *b*/*k*/*m*/*g* (case-insensitive) unit suffices
+	for 1024\*\*{0,1,2,3} bytes respectively. Default is kibibytes.
 
 	Use 0 for no limit.
 
@@ -159,9 +159,9 @@ of the hardware sio2jail runs on.
 	a separate view of the filesystem (kinda like chroot).
 
 	This prevents the sandboxed program from seeing or manipulating
-	files which were not explicitely made accessible to it,
+	files which were not explicitly made accessible to it,
 	and allows for use of runtime environments different than
-	those installed systemwite (eg. different compiler version).
+	those installed systemwide (eg. a different compiler version).
 
 *-b* _path-outside_:_path-inside_[:_flags_]
 *--bind* _path-outside_:_path-inside_[:_flags_]
@@ -171,19 +171,14 @@ of the hardware sio2jail runs on.
 	This option can be passed multiple times to define multiple
 	bind-mounts.
 
-	_path-inside_ must be a valid mountpoint.
-
-	This means that it must be either an empty directory,
-	if _path-outside_ is a directory
+	_path-inside_ must be a valid mountpoint. This means that it must be
+	either an empty directory, if _path-outside_ is a directory
 	or a regular file, if _path-outside_ is a regular file.
 
-	_flags_, if specified, must be of form (*ro*|*rw*)[*,dev*]
-
-	*ro* - mount read-only (the default)
-
-	*rw* - mount read-write
-
-	*dev* - allow the mounted file to behave as a device node
+	_flags_, if specified, must be of form (*ro*|*rw*)[*,dev*], where:
+	- *ro* - mount read-only (the default)
+	- *rw* - mount read-write
+	- *dev* - allow the mounted file to behave as a device node
 
 	By default, unless *-B* is specified, the file to be executed
 	is mounted read-only at /exe, as if the following was passed:
@@ -226,7 +221,7 @@ of the hardware sio2jail runs on.
 *--uts-namespace* *on*|*off*
 	Enable or disable use of UTS namespaces to eliminate the impact of
 	hostname and other UTS metadata on the sandboxed program.
-	Requiers *--user-namespace*. Enabled by default.
+	Requires *--user-namespace*. Enabled by default.
 
 	When enabled, this option sets the hostname and domainname
 	inside the sandbox to "sio2jail".
@@ -244,7 +239,7 @@ of the hardware sio2jail runs on.
 	network isolated from anything outside the sandbox.
 
 *--ipc-namespace* *on*|*off*
-	Enable or disable the ose of IPC namespaces.
+	Enable or disable the use of IPC namespaces.
 	Requires *--user-namespace*. Enabled by default.
 
 	This confines the sandboxed program to a view of IPC