default seccomp filter update

author: netblue30 <netblue30@yahoo.com> 2016-02-08 10:33:18 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-08 10:33:18 -0500
commit: 3dbeb2f2559934eff1fd62d63430a5c7548b0934 (patch)
tree: c567faeeb212868ce515ef02f3e41f856e17cc87
parent: 0.9.38 released (diff)
download: firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.tar.gz
firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.tar.zst
firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.zip
6 files changed, 39 insertions, 23 deletions
diff --git a/README.md b/README.md
index 3addca694..ba9939fbf 100644
--- a/README.md
+++ b/README.md
@@ -34,3 +34,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
 # Current development version: 0.9.39
+## Default seccomp blacklist filter update
+Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
diff --git a/configure b/configure
index d2147523d..06642abb6 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.38.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.39.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.38'
+PACKAGE_VERSION='0.9.39'
-PACKAGE_STRING='firejail 0.9.38'
+PACKAGE_STRING='firejail 0.9.39'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
@@ -1242,7 +1242,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.38 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.39 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1303,7 +1303,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.38:";;
+     short | recursive ) echo "Configuration of firejail 0.9.39:";;
   esac
  cat <<\_ACEOF
@@ -1395,7 +1395,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.38
+firejail configure 0.9.39
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1697,7 +1697,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.38, which was
+It was created by firejail $as_me 0.9.39, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -4140,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.38, which was
+This file was extended by firejail $as_me 0.9.39, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4194,7 +4194,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.38
+firejail config.status 0.9.39
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 4c0ff4870..f9d0a3f65 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.38, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.39, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7a015963b..b0c960754 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -373,6 +373,10 @@ void seccomp_filter_32(void) {
                BLACKLIST(317), // move_pages
                BLACKLIST(316), // vmsplice
                BLACKLIST(61),  // chroot
+                BLACKLIST(243), // set_thread_area
+                BLACKLIST(88), // reboot
+                BLACKLIST(169), // nfsservctl
+                BLACKLIST(130), // get_kernel_syms
                RETURN_ALLOW
        };
@@ -562,6 +566,23 @@ int seccomp_filter_drop(int enforce_seccomp) {
 // 32bit
 //              filter_add_blacklist(SYS_personality, 0); // test wine
 //              filter_add_blacklist(SYS_set_thread_area, 0); // test wine
+// 0.9.39
+#ifdef SYS_set_thread_area
+                filter_add_blacklist(SYS_set_thread_area, 0);
+#endif
+#ifdef SYS_tuxcall
+                filter_add_blacklist(SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+                filter_add_blacklist(SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+                filter_add_blacklist(SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+                filter_add_blacklist(SYS_get_kernel_syms, 0);
+#endif
        }
        // default seccomp filter with additional drop list
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b773cc146..fa48c55cf 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -257,18 +257,7 @@ void usage(void) {
        printf("\t\trunning on the current host.\n\n");
 #endif  
 #ifdef HAVE_SECCOMP
-        printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
+        printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n");
-        printf("\t\tlist. The default list is as follows: mount, umount2,\n");
-        printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
-        printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
-        printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
-        printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
-        printf("\t\tperf_event_open, fanotify_init, kcmp, add_key, request_key,\n");
-        printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n");
-        printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
-        printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
-        printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-        printf("\t\tkexec_file_load, chroot.\n\n");
        
        printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
        printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ee019a24f..bab596e96 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1112,7 +1112,9 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
+migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+set_thread_area, tuxcall, reboot, mfsservctl and get_kernel_syms. When running on AMD64 architecture,
+an equivalent 32-bit seccomp filter is also installed.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2016-02-08 10:33:18 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-08 10:33:18 -0500
commit	3dbeb2f2559934eff1fd62d63430a5c7548b0934 (patch)
tree	c567faeeb212868ce515ef02f3e41f856e17cc87
parent	0.9.38 released (diff)
download	firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.tar.gz firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.tar.zst firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.zip