removed mincore syscall from default seccomp filter

author: netblue30 <netblue30@yahoo.com> 2019-01-23 11:48:39 -0500
committer: netblue30 <netblue30@yahoo.com> 2019-01-23 11:48:39 -0500
commit: d69d2968066b8be3434864c7bbe7d6ead6ae41d3 (patch)
tree: 2a7cc6478dbb654384569b9571008ccd197aaa53
parent: improve gwenview and dolphin profiles - #2306 #2348 (diff)
download: firejail-d69d2968066b8be3434864c7bbe7d6ead6ae41d3.tar.gz
firejail-d69d2968066b8be3434864c7bbe7d6ead6ae41d3.tar.zst
firejail-d69d2968066b8be3434864c7bbe7d6ead6ae41d3.zip
9 files changed, 10 insertions, 11 deletions
diff --git a/RELNOTES b/RELNOTES
index 3538b99e8..972e7d3a1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,7 +7,6 @@ firejail (0.9.58~rc1) baseline; urgency=low
     for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F
  * profile name support
  * added explicit nonewprivs support to join option
-  * add mincore syscall to default seccomp list
  * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
  * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
  * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 1cf478ead..147b0de4b 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop mincore,@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 private-dev
 private-tmp
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 288afa8a2..ad8a0a0b7 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -40,7 +40,7 @@ noroot
 notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 #disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
 #tracelog
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 85eb74998..1f8403ef1 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -50,7 +50,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
diff --git a/etc/mpd.profile b/etc/mpd.profile
index c532edeb2..e06b83aa9 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -30,7 +30,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop mincore,@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 shell none
 #private-bin mpd,bash
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 7193a04ed..ac9f9bfd9 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -41,5 +41,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index dd444103e..a9244683f 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -41,7 +41,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index b17d86a0b..3f5fbbbfa 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -170,9 +170,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_userfaultfd
          "userfaultfd,"
 #endif
-#ifdef SYS_mincore      // 0.9.57
+//#ifdef SYS_mincore    // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
-          "mincore"
+//        "mincore"
-#endif
+//#endif
        },
        { .name = "@default-nodebuggers", .list =
          "@default,"
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0d402ef36..2d0bd26d0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1700,7 +1700,7 @@ Enable seccomp filter and blacklist the syscalls in the default list (@default).
 _sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
 create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
 io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, mincore, move_pages, mpx,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
 name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
 personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
 query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
author	netblue30 <netblue30@yahoo.com>	2019-01-23 11:48:39 -0500
committer	netblue30 <netblue30@yahoo.com>	2019-01-23 11:48:39 -0500
commit	d69d2968066b8be3434864c7bbe7d6ead6ae41d3 (patch)
tree	2a7cc6478dbb654384569b9571008ccd197aaa53
parent	improve gwenview and dolphin profiles - #2306 #2348 (diff)
download	firejail-d69d2968066b8be3434864c7bbe7d6ead6ae41d3.tar.gz firejail-d69d2968066b8be3434864c7bbe7d6ead6ae41d3.tar.zst firejail-d69d2968066b8be3434864c7bbe7d6ead6ae41d3.zip