Seccomp: split @default into more meaningful smaller groups

2 files changed, 196 insertions, 167 deletions

diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index ecf057ee0..5893a2ea8 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -41,78 +41,81 @@ static const SyscallEntry syslist[] = {
 }; // end of syslist
 
 static const SyscallGroupList sysgroups[] = {
-        { .name = "@default", .list =
-#ifdef SYS_mount
-          "mount,"
-#endif
-#ifdef SYS_umount2
-          "umount2,"
-#endif
-#ifdef SYS_kexec_load
-          "kexec_load,"
-#endif
-#ifdef SYS_kexec_file_load
-          "kexec_file_load,"
-#endif
-#ifdef SYS_open_by_handle_at
-          "open_by_handle_at,"
-#endif
-#ifdef SYS_name_to_handle_at
-          "name_to_handle_at,"
+        { .name = "@clock", .list =
+#ifdef SYS_adjtimex
+          "adjtimex,"
 #endif
-#ifdef SYS_init_module
-          "init_module,"
+#ifdef SYS_clock_adjtime
+          "clock_adjtime,"
 #endif
-#ifdef SYS_finit_module
-          "finit_module,"
+#ifdef SYS_clock_settime
+          "clock_settime,"
 #endif
-#ifdef SYS_create_module
-          "create_module,"
+#ifdef SYS_settimeofday
+          "settimeofday,"
 #endif
-#ifdef SYS_delete_module
-          "delete_module,"
+#ifdef SYS_stime
+          "stime"
 #endif
-#ifdef SYS_iopl
-          "iopl,"
+        },
+        { .name = "@cpu-emulation", .list =
+#ifdef SYS_modify_ldt
+          "modify_ldt,"
 #endif
-#ifdef SYS_ioperm
-          "ioperm,"
+#ifdef SYS_subpage_prot
+          "subpage_prot,"
 #endif
-#ifdef SYS_ioprio_set
-          "ioprio_set,"
+#ifdef SYS_switch_endian
+          "switch_endian,"
 #endif
-#ifdef SYS_ni_syscall
-          "ni_syscall,"
+#ifdef SYS_vm86
+          "vm86,"
 #endif
-#ifdef SYS_swapon
-          "swapon,"
+#ifdef SYS_vm86old
+          "vm86old"
 #endif
-#ifdef SYS_swapoff
-          "swapoff,"
+        },
+        { .name = "@debug", .list =
+#ifdef SYS_lookup_dcookie
+          "lookup_dcookie,"
 #endif
-#ifdef SYS_syslog
-          "syslog,"
+#ifdef SYS_perf_event_open
+          "perf_event_open,"
 #endif
 #ifdef SYS_process_vm_writev
           "process_vm_writev,"
 #endif
-#ifdef SYS_sysfs
-          "sysfs,"
+#ifdef SYS_rtas
+          "rtas,"
 #endif
-#ifdef SYS__sysctl
-          "_sysctl,"
+#ifdef SYS_s390_runtime_instr
+          "s390_runtime_instr,"
 #endif
-#ifdef SYS_adjtimex
-          "adjtimex,"
+#ifdef SYS_sys_debug_setcontext
+          "sys_debug_setcontext,"
 #endif
-#ifdef SYS_clock_adjtime
-          "clock_adjtime,"
+        },
+        { .name = "@default", .list =
+          "@cpu-emulation,"
+          "@debug,"
+          "@module,"
+          "@obsolete,"
+          "@privileged,"
+          "@resources,"
+#ifdef SYS_open_by_handle_at
+          "open_by_handle_at,"
 #endif
-#ifdef SYS_lookup_dcookie
-          "lookup_dcookie,"
+#ifdef SYS_name_to_handle_at
+          "name_to_handle_at,"
 #endif
-#ifdef SYS_perf_event_open
-          "perf_event_open,"
+#ifdef SYS_ioprio_set
+          "ioprio_set,"
+#endif
+#ifdef SYS_ni_syscall
+          "ni_syscall,"
+#endif
+#ifdef SYS_syslog
+          "syslog,"
 #endif
 #ifdef SYS_fanotify_init
           "fanotify_init,"
@@ -129,18 +132,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_keyctl
           "keyctl,"
 #endif
-#ifdef SYS_uselib
-          "uselib,"
-#endif
-#ifdef SYS_acct
-          "acct,"
-#endif
-#ifdef SYS_modify_ldt
-          "modify_ldt,"
-#endif
-#ifdef SYS_pivot_root
-          "pivot_root,"
-#endif
 #ifdef SYS_io_setup
           "io_setup,"
 #endif
@@ -159,71 +150,49 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_remap_file_pages
           "remap_file_pages,"
 #endif
-#ifdef SYS_mbind
-          "mbind,"
-#endif
-#ifdef SYS_set_mempolicy
-          "set_mempolicy,"
-#endif
-#ifdef SYS_migrate_pages
-          "migrate_pages,"
-#endif
-#ifdef SYS_move_pages
-          "move_pages,"
-#endif
 #ifdef SYS_vmsplice
           "vmsplice,"
 #endif
-#ifdef SYS_chroot
-          "chroot,"
-#endif
-#ifdef SYS_tuxcall
-          "tuxcall,"
-#endif
-#ifdef SYS_reboot
-          "reboot,"
-#endif
-#ifdef SYS_nfsservctl
-          "nfsservctl,"
-#endif
-#ifdef SYS_get_kernel_syms
-          "get_kernel_syms,"
-#endif
-#ifdef SYS_bpf
-          "bpf,"
-#endif
-#ifdef SYS_clock_settime
-          "clock_settime,"
-#endif
 #ifdef SYS_personality
           "personality,"
 #endif
-#ifdef SYS_process_vm_writev
-          "process_vm_writev,"
-#endif
-#ifdef SYS_query_module
-          "query_module,"
-#endif
-#ifdef SYS_settimeofday
-          "settimeofday,"
-#endif
-#ifdef SYS_stime
-          "stime,"
-#endif
 #ifdef SYS_umount
           "umount,"
 #endif
 #ifdef SYS_userfaultfd
-          "userfaultfd,"
+          "userfaultfd"
 #endif
-#ifdef SYS_ustat
-          "ustat,"
+        },
+        { .name = "@default-nodebuggers", .list =
+          "@default,"
+#ifdef SYS_ptrace
+          "ptrace,"
 #endif
-#ifdef SYS_vm86
-          "vm86,"
+#ifdef SYS_process_vm_readv
+          "process_vm_readv"
 #endif
-#ifdef SYS_vm86old
-          "vm86old,"
+        },
+        { .name = "@default-keep", .list =
+          "dup,"
+          "prctl,"
+          "setgid,"
+          "setgroups,"
+          "setuid"
+        },
+        { .name = "@module", .list =
+#ifdef SYS_delete_module
+          "delete_module,"
+#endif
+#ifdef SYS_finit_module
+          "finit_module,"
+#endif
+#ifdef SYS_init_module
+          "init_module"
+#endif
+        },
+        { .name = "@obsolete", .list =
+#ifdef SYS__sysctl
+          "_sysctl,"
 #endif
 #ifdef SYS_afs_syscall
           "afs_syscall,"
@@ -234,9 +203,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_break
           "break,"
 #endif
+#ifdef SYS_create_module
+          "create_module,"
+#endif
 #ifdef SYS_ftime
           "ftime,"
 #endif
+#ifdef SYS_get_kernel_syms
+          "get_kernel_syms,"
+#endif
 #ifdef SYS_getpmsg
           "getpmsg,"
 #endif
@@ -249,15 +224,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_mpx
           "mpx,"
 #endif
-#ifdef SYS_pciconfig_iobase
-          "pciconfig_iobase,"
-#endif
-#ifdef SYS_pciconfig_read
-          "pciconfig_read,"
-#endif
-#ifdef SYS_pciconfig_write
-          "pciconfig_write,"
-#endif
 #ifdef SYS_prof
           "prof,"
 #endif
@@ -267,27 +233,12 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_putpmsg
           "putpmsg,"
 #endif
-#ifdef SYS_rtas
-          "rtas,"
-#endif
-#ifdef SYS_s390_runtime_instr
-          "s390_runtime_instr,"
-#endif
-#ifdef SYS_s390_mmio_read
-          "s390_mmio_read,"
-#endif
-#ifdef SYS_s390_mmio_write
-          "s390_mmio_write,"
+#ifdef SYS_query_module
+          "query_module,"
 #endif
 #ifdef SYS_security
           "security,"
 #endif
-#ifdef SYS_setdomainname
-          "setdomainname,"
-#endif
-#ifdef SYS_sethostname
-          "sethostname,"
-#endif
 #ifdef SYS_sgetmask
           "sgetmask,"
 #endif
@@ -297,40 +248,117 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_stty
           "stty,"
 #endif
-#ifdef SYS_subpage_prot
-          "subpage_prot,"
-#endif
-#ifdef SYS_switch_endian
-          "switch_endian,"
+#ifdef SYS_sysfs
+          "sysfs,"
 #endif
-#ifdef SYS_sys_debug_setcontext
-          "sys_debug_setcontext,"
+#ifdef SYS_tuxcall
+          "tuxcall,"
 #endif
 #ifdef SYS_ulimit
           "ulimit,"
 #endif
-#ifdef SYS_vhangup
-          "vhangup,"
+#ifdef SYS_uselib
+          "uselib,"
+#endif
+#ifdef SYS_ustat
+          "ustat,"
 #endif
 #ifdef SYS_vserver
           "vserver"
 #endif
         },
-        { .name = "@default-nodebuggers", .list =
-          "@default,"
-#ifdef SYS_ptrace
-          "ptrace,"
+        { .name = "@privileged", .list =
+          "@clock,"
+          "@module,"
+          "@raw-io,"
+          "@reboot,"
+          "@swap,"
+#ifdef SYS_acct
+          "acct,"
 #endif
-#ifdef SYS_process_vm_readv
-          "process_vm_readv"
+#ifdef SYS_bpf
+          "bpf,"
+#endif
+#ifdef SYS_chroot
+          "chroot,"
+#endif
+#ifdef SYS_mount
+          "mount,"
+#endif
+#ifdef SYS_nfsservctl
+          "nfsservctl,"
+#endif
+#ifdef SYS_pivot_root
+          "pivot_root,"
+#endif
+#ifdef SYS_setdomainname
+          "setdomainname,"
+#endif
+#ifdef SYS_sethostname
+          "sethostname,"
+#endif
+#ifdef SYS_umount2
+          "umount2,"
+#endif
+#ifdef SYS_vhangup
+          "vhangup"
 #endif
         },
-        { .name = "@default-keep", .list =
-          "dup,"
-          "prctl,"
-          "setgid,"
-          "setgroups,"
-          "setuid"
+        { .name = "@raw-io", .list =
+#ifdef SYS_ioperm
+          "ioperm,"
+#endif
+#ifdef SYS_iopl
+          "iopl,"
+#endif
+#ifdef SYS_pciconfig_iobase
+          "pciconfig_iobase,"
+#endif
+#ifdef SYS_pciconfig_read
+          "pciconfig_read,"
+#endif
+#ifdef SYS_pciconfig_write
+          "pciconfig_write,"
+#endif
+#ifdef SYS_s390_mmio_read
+          "s390_mmio_read,"
+#endif
+#ifdef SYS_s390_mmio_write
+          "s390_mmio_write"
+#endif
+        },
+        { .name = "@reboot", .list =
+#ifdef SYS_kexec_load
+          "kexec_load,"
+#endif
+#ifdef SYS_kexec_file_load
+          "kexec_file_load,"
+#endif
+#ifdef SYS_reboot
+          "reboot,"
+#endif
+        },
+        { .name = "@resources", .list =
+#ifdef SYS_set_mempolicy
+          "set_mempolicy,"
+#endif
+#ifdef SYS_migrate_pages
+          "migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+          "move_pages,"
+#endif
+#ifdef SYS_mbind
+          "mbind"
+#endif
+        },
+        { .name = "@swap", .list =
+#ifdef SYS_swapon
+          "swapon,"
+#endif
+#ifdef SYS_swapoff
+          "swapoff"
+#endif
         }
 };
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index a03556caf..bf18167b2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1501,10 +1501,11 @@ ulimit, vhangup and vserver.
 
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @default, @default-nodebuggers and
-@default-keep. In addtion, a system call can be specified by its
-number instead of name with prefix $, so for example $165 would be
-equal to mount on i386.
+system call groups are defined: @clock, @cpu-emulation, @debug,
+@default, @default-nodebuggers, @default-keep, @module, @obsolete,
+@privileged, @raw-io, @reboot, @resources and @swap. In addtion, a
+system call can be specified by its number instead of name with prefix
+$, so for example $165 would be equal to mount on i386.
 
 .br
 System architecture is not strictly imposed. The filter is applied