author | netblue30 <netblue30@yahoo.com> | 2019-01-14 09:44:53 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2019-01-14 09:44:53 -0500 |
commit | ae3db84128503c16fd638b5c7bf9408d64ce14ba (patch) | |
tree | c9767454fa6a0555f3bd9784e6d5d7b7433b932e | |
parent | fix error message (diff) | |
adding mincore syscall to the default seccomp filter and some independent profiles
-rw-r--r-- | README.md | 7 | ||||
-rw-r--r-- | RELNOTES | 6 | ||||
-rw-r--r-- | etc/clementine.profile | 2 | ||||
-rw-r--r-- | etc/firefox-common.profile | 2 | ||||
-rw-r--r-- | etc/kmail.profile | 2 | ||||
-rw-r--r-- | etc/mpd.profile | 2 | ||||
-rw-r--r-- | etc/qutebrowser.profile | 2 | ||||
-rw-r--r-- | etc/torbrowser-launcher.profile | 2 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
10 files changed, 24 insertions, 8 deletions
@@ -144,6 +144,13 @@ The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase | |||
144 | 144 | ||
145 | ## New profiles: | 145 | ## New profiles: |
146 | 146 | ||
147 | ````` | ||
148 | $ ls etc/*.profile | wc -l | ||
149 | 608 | ||
150 | ````` | ||
151 | We have more than 600 application profiles on mainline! | ||
152 | |||
153 | |||
147 | QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min, | 154 | QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min, |
148 | bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep, | 155 | bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep, |
149 | lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat, xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore, | 156 | lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat, xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore, |
@@ -2,6 +2,12 @@ firejail (0.9.56.1) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * --disable-mnt rework | 3 | * --disable-mnt rework |
4 | * --net.print command | 4 | * --net.print command |
5 | * GitLab CI/CD integration: disto specific builds | ||
6 | * profile parser enhancements and conditional handling support | ||
7 | for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F | ||
8 | * profile name support | ||
9 | * added explicit nonewprivs support to join option | ||
10 | * add mincore syscall to default seccomp list | ||
5 | * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms | 11 | * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms |
6 | * new profiles: devilspie, devilspie2, easystroke, github-desktop, min | 12 | * new profiles: devilspie, devilspie2, easystroke, github-desktop, min |
7 | * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat | 13 | * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat |
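--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp.drop mincore,@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 
 private-dev
 private-tmp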
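Review bot: The new `mincore,` entry in the clementine seccomp.drop line carries no explanation, while the neighbouring ioprio_set exception does, and the same applies to the firefox-common, kmail, mpd, qutebrowser and torbrowser-launcher sections below. These profiles override @default with a hand-maintained list, so every future addition to the default list has to be replicated here by hand; a one-line note above each list makes that dependency visible to the next editor. Suggested line: `# this list mirrors @default (minus the exceptions noted above); keep it in sync with src/fseccomp/syscall.c`.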
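--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -40,7 +40,7 @@ noroot
 notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 #disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
 #tracelog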
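--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -50,7 +50,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user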
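--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -30,7 +30,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp.drop mincore,@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 shell none
 
 #private-bin mpd,bash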
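--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -41,5 +41,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog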
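--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -41,7 +41,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog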
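--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -168,7 +168,10 @@ static const SyscallGroupList sysgroups[] = {
 "umount,"
 #endif
 #ifdef SYS_userfaultfd
-"userfaultfd"
+"userfaultfd,"
+#endif
+#ifdef SYS_mincore // 0.9.57
+"mincore"
 #endif
 },
 { .name = "@default-nodebuggers", .list =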
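Review bot: The trailing-comma convention of this string list now depends on `SYS_mincore` being the last defined entry: on a build where `SYS_userfaultfd` is defined but `SYS_mincore` is not, the @default list ends in `"userfaultfd,"`, and I cannot tell from this hunk whether the list parser tolerates a trailing empty element. mincore has been in Linux for a very long time, so this is unlikely to bite in practice, but the pattern becomes more fragile with every appended entry and is worth a note for the next maintainer. The `// 0.9.57` marker also records only the release, not why mincore is being dropped from the default filter; presumably it is the page-cache residency side channel, and a comment such as `// 0.9.57: mincore reveals page-cache residency of mapped files; see RELNOTES` would keep the rationale next to the entry. The `sysgroups[]` initializer begins and ends outside this hunk.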
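--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1700,7 +1700,7 @@ Enable seccomp filter and blacklist the syscalls in the default list (@default).
 _sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
 create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
 io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, mincore, move_pages, mpx,
 name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
 personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
 query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,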