Use new seccomp syntax from #2926

author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-08-25 19:12:00 +0200
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-08-30 21:01:10 +0200
commit: 511cad9ed24a544f607193d74bfef8a449fe3a0b (patch)
tree: 0a50f9868ebaabb043009cce790f21fddf17593e
parent: Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download: firejail-511cad9ed24a544f607193d74bfef8a449fe3a0b.tar.gz
firejail-511cad9ed24a544f607193d74bfef8a449fe3a0b.tar.zst
firejail-511cad9ed24a544f607193d74bfef8a449fe3a0b.zip
10 files changed, 10 insertions, 10 deletions
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 466eff22d..34933f283 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 4f1b05c88..0de3bc480 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/falkon.profile b/etc/falkon.profile
index ddcda6228..0024b6660 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
 private-dev
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 6ad4a9bc2..02d6199a0 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
index db8f7880c..8b7b12882 100644
--- a/etc/kiwix-desktop.profile
+++ b/etc/kiwix-desktop.profile
@@ -39,7 +39,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index a7ba18292..95c189458 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -36,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 8a45f2465..fe9ededa4 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index 1c2a2cd10..a8b5d109e 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index b34d15731..c1c666f58 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 8485c0c4c..1183cd2f7 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-08-25 19:12:00 +0200
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2019-08-30 21:01:10 +0200
commit	511cad9ed24a544f607193d74bfef8a449fe3a0b (patch)
tree	0a50f9868ebaabb043009cce790f21fddf17593e
parent	Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download	firejail-511cad9ed24a544f607193d74bfef8a449fe3a0b.tar.gz firejail-511cad9ed24a544f607193d74bfef8a449fe3a0b.tar.zst firejail-511cad9ed24a544f607193d74bfef8a449fe3a0b.zip

diff --git a/etc/akregator.profile b/etc/akregator.profile index 466eff22d..34933f283 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
36	novideo	36	novideo
37	protocol unix,inet,inet6,netlink	37	protocol unix,inet,inet6,netlink
38	# chroot syscalls are needed for setting up the built-in sandbox	38	# chroot syscalls are needed for setting up the built-in sandbox
39	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	39	seccomp !chroot
40	shell none	40	shell none
41		41
42	disable-mnt	42	disable-mnt


diff --git a/etc/bibletime.profile b/etc/bibletime.profile index 4f1b05c88..0de3bc480 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
42	nou2f	42	nou2f
43	novideo	43	novideo
44	protocol unix,inet,inet6,netlink	44	protocol unix,inet,inet6,netlink
45	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	45	seccomp !chroot
46	shell none	46	shell none
47		47
48	disable-mnt	48	disable-mnt


diff --git a/etc/falkon.profile b/etc/falkon.profile index ddcda6228..0024b6660 100644 --- a/etc/falkon.profile +++ b/etc/falkon.profile
@@ -34,7 +34,7 @@ notv
34	nou2f	34	nou2f
35	protocol unix,inet,inet6,netlink	35	protocol unix,inet,inet6,netlink
36	# blacklisting of chroot system calls breaks falkon	36	# blacklisting of chroot system calls breaks falkon
37	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	37	seccomp !chroot
38	# tracelog	38	# tracelog
39		39
40	private-dev	40	private-dev


diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 6ad4a9bc2..02d6199a0 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
46	?BROWSER_DISABLE_U2F: nou2f	46	?BROWSER_DISABLE_U2F: nou2f
47	protocol unix,inet,inet6,netlink	47	protocol unix,inet,inet6,netlink
48	# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.	48	# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
49	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	49	seccomp !chroot
50	shell none	50	shell none
51	# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.	51	# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
52	#tracelog	52	#tracelog


diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile index db8f7880c..8b7b12882 100644 --- a/etc/kiwix-desktop.profile +++ b/etc/kiwix-desktop.profile
@@ -39,7 +39,7 @@ notv
39	nou2f	39	nou2f
40	novideo	40	novideo
41	protocol unix,inet,inet6,netlink	41	protocol unix,inet,inet6,netlink
42	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	42	seccomp !chroot
43	shell none	43	shell none
44		44
45	disable-mnt	45	disable-mnt


diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index a7ba18292..95c189458 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile
@@ -36,5 +36,5 @@ noroot
36	notv	36	notv
37	protocol unix,inet,inet6,netlink	37	protocol unix,inet,inet6,netlink
38	# blacklisting of chroot system calls breaks qt webengine	38	# blacklisting of chroot system calls breaks qt webengine
39	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	39	seccomp !chroot
40	# tracelog	40	# tracelog


diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index 8a45f2465..fe9ededa4 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ nonewprivs
25	noroot	25	noroot
26	notv	26	notv
27	protocol unix,inet,inet6,netlink	27	protocol unix,inet,inet6,netlink
28	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	28	seccomp !chroot
29	shell none	29	shell none
30		30
31	disable-mnt	31	disable-mnt


diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index 1c2a2cd10..a8b5d109e 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
28	nou2f	28	nou2f
29	novideo	29	novideo
30	protocol unix,inet,inet6	30	protocol unix,inet,inet6
31	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	31	seccomp !chroot
32	shell none	32	shell none
33	# tracelog may cause issues, see github issue #1930	33	# tracelog may cause issues, see github issue #1930
34	#tracelog	34	#tracelog


diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile index b34d15731..c1c666f58 100644 --- a/etc/teamspeak3.profile +++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
33	nou2f	33	nou2f
34	novideo	34	novideo
35	protocol unix,inet,inet6,netlink	35	protocol unix,inet,inet6,netlink
36	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	36	seccomp !chroot
37	shell none	37	shell none
38		38
39	disable-mnt	39	disable-mnt


diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index 8485c0c4c..1183cd2f7 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile
@@ -42,7 +42,7 @@ notv
42	nou2f	42	nou2f
43	novideo	43	novideo
44	protocol unix,inet,inet6	44	protocol unix,inet,inet6
45	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	45	seccomp !chroot
46	shell none	46	shell none
47	# tracelog may cause issues, see github issue #1930	47	# tracelog may cause issues, see github issue #1930
48	#tracelog	48	#tracelog