removed mknod from default seccomp filter, some software packages are using named pipes created with mknod

author: netblue30 <netblue30@yahoo.com> 2015-08-16 15:43:50 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-16 15:43:50 -0400
commit: 3bfb00f627f5d4ff6879d886165fb751868527b0 (patch)
tree: 85d57bb0b7487af3637936a82a4115b9d0c11341
parent: moved warning under --debug option (diff)
download: firejail-3bfb00f627f5d4ff6879d886165fb751868527b0.tar.gz
firejail-3bfb00f627f5d4ff6879d886165fb751868527b0.tar.zst
firejail-3bfb00f627f5d4ff6879d886165fb751868527b0.zip
4 files changed, 8 insertions, 6 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index c03eb6848..d00a335c6 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -452,9 +452,11 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_process_vm_writev            
                filter_add_blacklist(SYS_process_vm_writev);
 #endif
-#ifdef SYS_mknod                
-                filter_add_blacklist(SYS_mknod);
+// mknod removed in 0.9.29
-#endif
+//#ifdef SYS_mknod              
+//              filter_add_blacklist(SYS_mknod);
+//#endif
                
                // new syscalls in 0.9,23               
 #ifdef SYS_sysfs                
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 9aeb5895d..3afe5580f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -190,7 +190,7 @@ void usage(void) {
        printf("\t\tlist. The default list is as follows: mount, umount2,\n");
        printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
        printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
-        printf("\t\tmknode, syslog, process_vm_readv and process_vm_writev\n");
+        printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
        printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
        printf("\t\tperf_event_open, fanotify_init and kcmp.\n\n");
        
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4941d8b8b..7be5304c1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -106,7 +106,7 @@ Whitelist Linux capabilities filter.
 \f\seccomp
 Enable default seccomp filter.  The default list is as follows:
 mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \f\seccomp syscall,syscall,syscall
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3e399db72..0b7ed1434 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -742,7 +742,7 @@ $ firejail \-\-net=eth0 \-\-scan
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
 mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .br
author	netblue30 <netblue30@yahoo.com>	2015-08-16 15:43:50 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-16 15:43:50 -0400
commit	3bfb00f627f5d4ff6879d886165fb751868527b0 (patch)
tree	85d57bb0b7487af3637936a82a4115b9d0c11341
parent	moved warning under --debug option (diff)
download	firejail-3bfb00f627f5d4ff6879d886165fb751868527b0.tar.gz firejail-3bfb00f627f5d4ff6879d886165fb751868527b0.tar.zst firejail-3bfb00f627f5d4ff6879d886165fb751868527b0.zip

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index c03eb6848..d00a335c6 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -452,9 +452,11 @@ int seccomp_filter_drop(void) {
452	#ifdef SYS_process_vm_writev	452	#ifdef SYS_process_vm_writev
453	filter_add_blacklist(SYS_process_vm_writev);	453	filter_add_blacklist(SYS_process_vm_writev);
454	#endif	454	#endif
455	#ifdef SYS_mknod	455
456	filter_add_blacklist(SYS_mknod);	456	// mknod removed in 0.9.29
457	#endif	457	//#ifdef SYS_mknod
		458	// filter_add_blacklist(SYS_mknod);
		459	//#endif
458		460
459	// new syscalls in 0.9,23	461	// new syscalls in 0.9,23
460	#ifdef SYS_sysfs	462	#ifdef SYS_sysfs


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 9aeb5895d..3afe5580f 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -190,7 +190,7 @@ void usage(void) {
190	printf("\t\tlist. The default list is as follows: mount, umount2,\n");	190	printf("\t\tlist. The default list is as follows: mount, umount2,\n");
191	printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");	191	printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
192	printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");	192	printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
193	printf("\t\tmknode, syslog, process_vm_readv and process_vm_writev\n");	193	printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
194	printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");	194	printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
195	printf("\t\tperf_event_open, fanotify_init and kcmp.\n\n");	195	printf("\t\tperf_event_open, fanotify_init and kcmp.\n\n");
196		196


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 4941d8b8b..7be5304c1 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -106,7 +106,7 @@ Whitelist Linux capabilities filter.
106	\f\seccomp	106	\f\seccomp
107	Enable default seccomp filter. The default list is as follows:	107	Enable default seccomp filter. The default list is as follows:
108	mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,	108	mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
109	iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,	109	iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
110	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.	110	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
111	.TP	111	.TP
112	\f\seccomp syscall,syscall,syscall	112	\f\seccomp syscall,syscall,syscall


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3e399db72..0b7ed1434 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -742,7 +742,7 @@ $ firejail \-\-net=eth0 \-\-scan
742	\fB\-\-seccomp	742	\fB\-\-seccomp
743	Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:	743	Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
744	mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,	744	mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
745	iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,	745	iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
746	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.	746	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
747	.br	747	.br
748		748