diff options
author | Topi Miettinen <toiwoton@gmail.com> | 2019-09-03 12:02:38 +0300 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2019-09-04 21:59:14 +0300 |
commit | 3adae2e04bfc86c689db1c07055c7c2767674dfa (patch) | |
tree | 6e5292a0fd713a4b90a6c32fed18a0b02175fc12 | |
parent | fixup! Use new seccomp syntax from #2926 in more profiles (diff) | |
download | firejail-3adae2e04bfc86c689db1c07055c7c2767674dfa.tar.gz firejail-3adae2e04bfc86c689db1c07055c7c2767674dfa.tar.zst firejail-3adae2e04bfc86c689db1c07055c7c2767674dfa.zip |
Revert changes in #2928 to seccomp group @default
Reconstruct @default by not relying on the changed system call groups
@privileged and @resources.
-rw-r--r-- | src/fseccomp/syscall.c | 49 |
1 files changed, 47 insertions, 2 deletions
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 5d83786bb..1683d3140 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -201,11 +201,14 @@ static const SyscallGroupList sysgroups[] = { | |||
201 | #endif | 201 | #endif |
202 | }, | 202 | }, |
203 | { .name = "@default", .list = | 203 | { .name = "@default", .list = |
204 | "@clock," | ||
204 | "@cpu-emulation," | 205 | "@cpu-emulation," |
205 | "@debug," | 206 | "@debug," |
207 | "@module," | ||
206 | "@obsolete," | 208 | "@obsolete," |
207 | "@privileged," | 209 | "@raw-io," |
208 | "@resources," | 210 | "@reboot," |
211 | "@swap," | ||
209 | #ifdef SYS_open_by_handle_at | 212 | #ifdef SYS_open_by_handle_at |
210 | "open_by_handle_at," | 213 | "open_by_handle_at," |
211 | #endif | 214 | #endif |
@@ -233,6 +236,15 @@ static const SyscallGroupList sysgroups[] = { | |||
233 | #ifdef SYS_request_key | 236 | #ifdef SYS_request_key |
234 | "request_key," | 237 | "request_key," |
235 | #endif | 238 | #endif |
239 | #ifdef SYS_mbind | ||
240 | "mbind," | ||
241 | #endif | ||
242 | #ifdef SYS_migrate_pages | ||
243 | "migrate_pages," | ||
244 | #endif | ||
245 | #ifdef SYS_move_pages | ||
246 | "move_pages," | ||
247 | #endif | ||
236 | #ifdef SYS_keyctl | 248 | #ifdef SYS_keyctl |
237 | "keyctl," | 249 | "keyctl," |
238 | #endif | 250 | #endif |
@@ -254,6 +266,9 @@ static const SyscallGroupList sysgroups[] = { | |||
254 | #ifdef SYS_remap_file_pages | 266 | #ifdef SYS_remap_file_pages |
255 | "remap_file_pages," | 267 | "remap_file_pages," |
256 | #endif | 268 | #endif |
269 | #ifdef SYS_set_mempolicy | ||
270 | "set_mempolicy" | ||
271 | #endif | ||
257 | #ifdef SYS_vmsplice | 272 | #ifdef SYS_vmsplice |
258 | "vmsplice," | 273 | "vmsplice," |
259 | #endif | 274 | #endif |
@@ -263,6 +278,36 @@ static const SyscallGroupList sysgroups[] = { | |||
263 | #ifdef SYS_userfaultfd | 278 | #ifdef SYS_userfaultfd |
264 | "userfaultfd," | 279 | "userfaultfd," |
265 | #endif | 280 | #endif |
281 | #ifdef SYS_acct | ||
282 | "acct," | ||
283 | #endif | ||
284 | #ifdef SYS_bpf | ||
285 | "bpf," | ||
286 | #endif | ||
287 | #ifdef SYS_chroot | ||
288 | "chroot," | ||
289 | #endif | ||
290 | #ifdef SYS_mount | ||
291 | "mount," | ||
292 | #endif | ||
293 | #ifdef SYS_nfsservctl | ||
294 | "nfsservctl," | ||
295 | #endif | ||
296 | #ifdef SYS_pivot_root | ||
297 | "pivot_root," | ||
298 | #endif | ||
299 | #ifdef SYS_setdomainname | ||
300 | "setdomainname," | ||
301 | #endif | ||
302 | #ifdef SYS_sethostname | ||
303 | "sethostname," | ||
304 | #endif | ||
305 | #ifdef SYS_umount2 | ||
306 | "umount2," | ||
307 | #endif | ||
308 | #ifdef SYS_vhangup | ||
309 | "vhangup" | ||
310 | #endif | ||
266 | //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem | 311 | //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem |
267 | // "mincore" | 312 | // "mincore" |
268 | //#endif | 313 | //#endif |