author | smitsohu <smitsohu@gmail.com> | 2020-02-26 23:01:18 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-26 23:01:18 +0100 |
commit | 475cb76e5a3a5091cfe9587875c71e757e1aced7 (patch) | |
tree | 07128332979308d3d0e3881b848919ee04e39625 | |
parent | Update allow-lua.inc (diff) | |
minor sbox hardening
blacklist process_vm_readv and process_vm_writev
while we're at it also remove duplicate iopl blacklisting
-rw-r--r-- | src/firejail/sbox.c | 13 |
1 files changed, 8 insertions, 5 deletions
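--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -53,11 +53,17 @@ static struct sock_filter filter[] = {
 #ifdef SYS_ptrace
 BLACKLIST(SYS_ptrace), // trace processes
 #endif
+#ifdef SYS_process_vm_readv
+BLACKLIST(SYS_process_vm_readv),
+#endif
+#ifdef SYS_process_vm_writev
+BLACKLIST(SYS_process_vm_writev),
+#endif
 #ifdef SYS_kexec_file_load
-BLACKLIST(SYS_kexec_file_load),
+BLACKLIST(SYS_kexec_file_load), // loading a different kernel
 #endif
 #ifdef SYS_kexec_load
-BLACKLIST(SYS_kexec_load), // loading a different kernel
+BLACKLIST(SYS_kexec_load),
 #endif
 #ifdef SYS_name_to_handle_at
 BLACKLIST(SYS_name_to_handle_at),
@@ -83,9 +89,6 @@ static struct sock_filter filter[] = {
 #ifdef SYS_ioperm
 BLACKLIST(SYS_ioperm),
 #endif
-#ifdef SYS_iopl
-BLACKLIST(SYS_iopl), // io permissions
-#endif
 #ifdef SYS_ioprio_set
 BLACKLIST(SYS_ioprio_set),
 #endif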
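Review bot: The second hunk removes the `SYS_iopl` entry as a duplicate, but the surviving `BLACKLIST(SYS_iopl)` is not visible in either hunk, so it is worth confirming that it is still present in `filter[]` under its own `#ifdef SYS_iopl` guard. The macro name suggests a denylist, in which case a missing entry would presumably leave the call allowed rather than fail closed. In the first hunk the two new entries carry no comment, unlike `SYS_ptrace` directly above them. Something like `BLACKLIST(SYS_process_vm_readv), // read another process's memory` and `BLACKLIST(SYS_process_vm_writev), // write another process's memory` would record why they sit next to ptrace. The `filter[]` initializer starts and ends outside both hunks, so the architecture check and default action could not be reviewed here.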