author | netblue30 <netblue30@yahoo.com> | 2016-02-08 10:33:18 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-08 10:33:18 -0500 |
commit | 3dbeb2f2559934eff1fd62d63430a5c7548b0934 (patch) | |
tree | c567faeeb212868ce515ef02f3e41f856e17cc87 | |
parent | 0.9.38 released (diff) | |
default seccomp filter update
-rw-r--r-- | README.md | 4 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 21 | ||||
-rw-r--r-- | src/firejail/usage.c | 13 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
6 files changed, 39 insertions, 23 deletions
@@ -34,3 +34,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
34 | 34 | ||
35 | # Current development version: 0.9.39 | 35 | # Current development version: 0.9.39 |
36 | 36 | ||
37 | ## Default seccomp blacklist filter update | ||
38 | |||
39 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). | ||
40 | |||
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.38. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.39. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.38' | 583 | PACKAGE_VERSION='0.9.39' |
584 | PACKAGE_STRING='firejail 0.9.38' | 584 | PACKAGE_STRING='firejail 0.9.39' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1242,7 +1242,7 @@ if test "$ac_init_help" = "long"; then | |||
1242 | # Omit some internal or obsolete options to make the list less imposing. | 1242 | # Omit some internal or obsolete options to make the list less imposing. |
1243 | # This message is too long to be a string in the A/UX 3.1 sh. | 1243 | # This message is too long to be a string in the A/UX 3.1 sh. |
1244 | cat <<_ACEOF | 1244 | cat <<_ACEOF |
1245 | \`configure' configures firejail 0.9.38 to adapt to many kinds of systems. | 1245 | \`configure' configures firejail 0.9.39 to adapt to many kinds of systems. |
1246 | 1246 | ||
1247 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1247 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1248 | 1248 | ||
@@ -1303,7 +1303,7 @@ fi | |||
1303 | 1303 | ||
1304 | if test -n "$ac_init_help"; then | 1304 | if test -n "$ac_init_help"; then |
1305 | case $ac_init_help in | 1305 | case $ac_init_help in |
1306 | short | recursive ) echo "Configuration of firejail 0.9.38:";; | 1306 | short | recursive ) echo "Configuration of firejail 0.9.39:";; |
1307 | esac | 1307 | esac |
1308 | cat <<\_ACEOF | 1308 | cat <<\_ACEOF |
1309 | 1309 | ||
@@ -1395,7 +1395,7 @@ fi | |||
1395 | test -n "$ac_init_help" && exit $ac_status | 1395 | test -n "$ac_init_help" && exit $ac_status |
1396 | if $ac_init_version; then | 1396 | if $ac_init_version; then |
1397 | cat <<\_ACEOF | 1397 | cat <<\_ACEOF |
1398 | firejail configure 0.9.38 | 1398 | firejail configure 0.9.39 |
1399 | generated by GNU Autoconf 2.69 | 1399 | generated by GNU Autoconf 2.69 |
1400 | 1400 | ||
1401 | Copyright (C) 2012 Free Software Foundation, Inc. | 1401 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1697,7 +1697,7 @@ cat >config.log <<_ACEOF | |||
1697 | This file contains any messages produced by compilers while | 1697 | This file contains any messages produced by compilers while |
1698 | running configure, to aid debugging if configure makes a mistake. | 1698 | running configure, to aid debugging if configure makes a mistake. |
1699 | 1699 | ||
1700 | It was created by firejail $as_me 0.9.38, which was | 1700 | It was created by firejail $as_me 0.9.39, which was |
1701 | generated by GNU Autoconf 2.69. Invocation command line was | 1701 | generated by GNU Autoconf 2.69. Invocation command line was |
1702 | 1702 | ||
1703 | $ $0 $@ | 1703 | $ $0 $@ |
@@ -4140,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4140 | # report actual input values of CONFIG_FILES etc. instead of their | 4140 | # report actual input values of CONFIG_FILES etc. instead of their |
4141 | # values after options handling. | 4141 | # values after options handling. |
4142 | ac_log=" | 4142 | ac_log=" |
4143 | This file was extended by firejail $as_me 0.9.38, which was | 4143 | This file was extended by firejail $as_me 0.9.39, which was |
4144 | generated by GNU Autoconf 2.69. Invocation command line was | 4144 | generated by GNU Autoconf 2.69. Invocation command line was |
4145 | 4145 | ||
4146 | CONFIG_FILES = $CONFIG_FILES | 4146 | CONFIG_FILES = $CONFIG_FILES |
@@ -4194,7 +4194,7 @@ _ACEOF | |||
4194 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4194 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4195 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4195 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4196 | ac_cs_version="\\ | 4196 | ac_cs_version="\\ |
4197 | firejail config.status 0.9.38 | 4197 | firejail config.status 0.9.39 |
4198 | configured by $0, generated by GNU Autoconf 2.69, | 4198 | configured by $0, generated by GNU Autoconf 2.69, |
4199 | with options \\"\$ac_cs_config\\" | 4199 | with options \\"\$ac_cs_config\\" |
4200 | 4200 | ||
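--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.38, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.39, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 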
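--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -373,6 +373,10 @@ void seccomp_filter_32(void) {
 BLACKLIST(317), // move_pages
 BLACKLIST(316), // vmsplice
 BLACKLIST(61), // chroot
+BLACKLIST(243), // set_thread_area
+BLACKLIST(88), // reboot
+BLACKLIST(169), // nfsservctl
+BLACKLIST(130), // get_kernel_syms
 RETURN_ALLOW
 };
 
@@ -562,6 +566,23 @@ int seccomp_filter_drop(int enforce_seccomp) {
 // 32bit
 // filter_add_blacklist(SYS_personality, 0); // test wine
 // filter_add_blacklist(SYS_set_thread_area, 0); // test wine
+
+// 0.9.39
+#ifdef SYS_set_thread_area
+filter_add_blacklist(SYS_set_thread_area, 0);
+#endif
+#ifdef SYS_tuxcall
+filter_add_blacklist(SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+filter_add_blacklist(SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+filter_add_blacklist(SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+filter_add_blacklist(SYS_get_kernel_syms, 0);
+#endif
 }
 
 // default seccomp filter with additional drop list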
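Review bot: Blacklisting `set_thread_area` in both hunks (`BLACKLIST(243)` in `seccomp_filter_32` and the `#ifdef SYS_set_thread_area` entry in `seccomp_filter_drop`) conflicts with the context line directly above the new block, `// filter_add_blacklist(SYS_set_thread_area, 0); // test wine`, which records that this call was held back pending a Wine test. 32-bit x86 glibc processes normally call set_thread_area to set up thread-local storage, so the 32-bit filter entry is likely to stop ordinary i386 binaries at startup, not only Wine. Either drop the two set_thread_area entries until that has been verified, or delete the stale commented-out line and replace it with a comment stating the test result, e.g. `// set_thread_area: verified with 32-bit binaries and wine on <date>`. Both functions begin outside the hunks, so what the filter does on a match is not visible here.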
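--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -257,18 +257,7 @@ void usage(void) {
 printf("\t\trunning on the current host.\n\n");
 #endif
 #ifdef HAVE_SECCOMP
-printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
+printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n");
-printf("\t\tlist. The default list is as follows: mount, umount2,\n");
-printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
-printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
-printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
-printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
-printf("\t\tperf_event_open, fanotify_init, kcmp, add_key, request_key,\n");
-printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n");
-printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
-printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
-printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-printf("\t\tkexec_file_load, chroot.\n\n");
 
 printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
 printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");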
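Review bot: The new one-line `--seccomp` help refers to "the default blacklist" without saying where that list can be read, now that the lines enumerating it are removed. Someone checking from the command line what the sandbox blocks has no pointer left; ending the first line with a single `\n` and adding `printf("\t\tSee man 1 firejail for the list of blacklisted syscalls.\n\n");` keeps the help short and still auditable. The man page hunk in this same commit spells `nfsservctl` as `mfsservctl`, so the list it would point to needs that corrected. usage() begins before and continues after this hunk.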
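--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1112,7 +1112,9 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
+migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+set_thread_area, tuxcall, reboot, mfsservctl and get_kernel_syms. When running on AMD64 architecture,
+an equivalent 32-bit seccomp filter is also installed.
 .br
 
 .br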