author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-09-01 17:33:20 +0200 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-09-01 17:33:20 +0200 |
commit | 6d952144bd5049a95ea1799648ed4a3ee5ad1e76 (patch) | |
tree | 0bb561b021e8ae5bc0c9943257fb54208853f67f | |
parent | shell none: avoid syscalls after seccomp_install_filters (diff) | |
#3106-1, include @mount in @default instead of all the syscalls
-rw-r--r-- | etc/templates/syscalls.txt | 7 | ||||
-rw-r--r-- | src/lib/syscall.c | 16 |
2 files changed, 4 insertions, 19 deletions
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index ea3b5a6b0..c454887dd 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -33,7 +33,7 @@ Definition of groups | |||
33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | 33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime |
34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | 34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old |
35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | 35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext |
36 | @default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | 36 | @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup |
37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv | 37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv |
38 | @default-keep=execve,prctl | 38 | @default-keep=execve,prctl |
39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes | 39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes |
@@ -62,15 +62,14 @@ Inheritance of groups | |||
62 | 62 | ||
63 | +---------------+ | 63 | +---------------+ |
64 | | @default-keep | | 64 | | @default-keep | |
65 | | @mount | | ||
66 | +---------------+ | 65 | +---------------+ |
67 | 66 | ||
68 | +----------------+ +---------+ +--------+ +--------------+ | 67 | +----------------+ +---------+ +--------+ +--------------+ |
69 | | @cpu-emulation | | @clock | | @chown | | @aio | | 68 | | @cpu-emulation | | @clock | | @chown | | @aio | |
70 | | @debug | | @module | +--------+ | @basic-io | | 69 | | @debug | | @module | +--------+ | @basic-io | |
71 | | @obsolete | | @raw-io | : : | @file-system | | 70 | | @obsolete | | @raw-io | : : | @file-system | |
72 | +----------------+ | @reboot | : : | @io-event | | 71 | | @mount | | @reboot | : : | @io-event | |
73 | : | @swap | : : | @ipc | | 72 | +----------------+ | @swap | : : | @ipc | |
74 | : +---------+ : : | @keyring | | 73 | : +---------+ : : | @keyring | |
75 | : : : : : | @memlock | | 74 | : : : : : | @memlock | |
76 | : ..............: : : : | @network-io | | 75 | : ..............: : : : | @network-io | |
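--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -230,6 +230,7 @@ static const SyscallGroupList sysgroups[] = {
 "@cpu-emulation,"
 "@debug,"
 "@module,"
+"@mount,"
 "@obsolete,"
 "@raw-io,"
 "@reboot,"
@@ -297,9 +298,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vmsplice
 "vmsplice,"
 #endif
-#ifdef SYS_umount
-"umount,"
-#endif
 #ifdef SYS_userfaultfd
 "userfaultfd,"
 #endif
@@ -309,27 +307,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_bpf
 "bpf,"
 #endif
-#ifdef SYS_chroot
-"chroot,"
-#endif
-#ifdef SYS_mount
-"mount,"
-#endif
 #ifdef SYS_nfsservctl
 "nfsservctl,"
 #endif
-#ifdef SYS_pivot_root
-"pivot_root,"
-#endif
 #ifdef SYS_setdomainname
 "setdomainname,"
 #endif
 #ifdef SYS_sethostname
 "sethostname,"
 #endif
-#ifdef SYS_umount2
-"umount2,"
-#endif
 #ifdef SYS_vhangup
 "vhangup"
 #endif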
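Review bot: The `"@mount,"` entry added in the first hunk only preserves @default's previous coverage if the @mount entry of sysgroups[] — defined elsewhere in this array, outside all three hunks — still lists `mount`, `umount`, `umount2`, `chroot` and `pivot_root`, the five syscalls the second and third hunks drop from the explicit @default list; nothing visible here confirms that. Since @mount now feeds @default through group expansion, any later edit to @mount silently changes the default filter, and the C table is maintained in parallel with etc/templates/syscalls.txt with no check that the two agree. A comment on the new line, e.g. `"@mount," /* provides mount, umount, umount2, chroot, pivot_root */`, would record the intent for whoever next edits either group. If @mount carries more than those five, @default becomes stricter than before, which is worth stating in the commit message for users of the default seccomp filter. The sysgroups[] initializer starts before the first hunk.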