seccomp filter update

5 files changed, 23 insertions, 14 deletions

diff --git a/RELNOTES b/RELNOTES
index f93237d43..2ff5ae16c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low
   * Sandbox auditing support (--audit)
   * include /dev/snd in --private-dev
   * added mkfile profile command
+  * seccomp filter updated
   * compile time and run time support to disable whitelists
   * compile time support to disable global configuration file
   * some profiles have been converted to private-bin
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7108b5a05..efe24a211 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -334,12 +334,15 @@ void seccomp_filter_32(void) {
                 BLACKLIST(52), // umount2
                 BLACKLIST(26), // ptrace
                 BLACKLIST(283), // kexec_load
+                BLACKLIST(341), // name_to_handle_at
                 BLACKLIST(342), // open_by_handle_at
+                BLACKLIST(127), // create_module
                 BLACKLIST(128), // init_module
                 BLACKLIST(350), // finit_module
                 BLACKLIST(129), // delete_module
                 BLACKLIST(110), // iopl
                 BLACKLIST(101), // ioperm
+                BLACKLIST(289), // ioprio_set
                 BLACKLIST(87), // swapon
                 BLACKLIST(115), // swapoff
                 BLACKLIST(103), // syslog
@@ -376,6 +379,7 @@ void seccomp_filter_32(void) {
                 BLACKLIST(88), // reboot
                 BLACKLIST(169), // nfsservctl
                 BLACKLIST(130), // get_kernel_syms
+                
                 RETURN_ALLOW
         };
 
@@ -403,11 +407,14 @@ void seccomp_filter_64(void) {
                 BLACKLIST(101), // ptrace
                 BLACKLIST(246), // kexec_load
                 BLACKLIST(304), // open_by_handle_at
+                BLACKLIST(303), // name_to_handle_at
+                BLACKLIST(174), // create_module
                 BLACKLIST(175), // init_module
                 BLACKLIST(313), // finit_module
                 BLACKLIST(176), // delete_module
                 BLACKLIST(172), // iopl
                 BLACKLIST(173), // ioperm
+                BLACKLIST(251), // ioprio_set
                 BLACKLIST(167), // swapon
                 BLACKLIST(168), // swapoff
                 BLACKLIST(103), // syslog
@@ -445,6 +452,7 @@ void seccomp_filter_64(void) {
                 BLACKLIST(169), // reboot
                 BLACKLIST(180), // nfsservctl
                 BLACKLIST(177), // get_kernel_syms
+                
                 RETURN_ALLOW
         };
 
@@ -493,12 +501,18 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_open_by_handle_at            
                 filter_add_blacklist(SYS_open_by_handle_at, 0);
 #endif
+#ifdef SYS_name_to_handle_at            
+                filter_add_blacklist(SYS_name_to_handle_at, 0);
+#endif
 #ifdef SYS_init_module          
                 filter_add_blacklist(SYS_init_module, 0);
 #endif
 #ifdef SYS_finit_module // introduced in 2013
                 filter_add_blacklist(SYS_finit_module, 0);
 #endif
+#ifdef SYS_create_module
+                filter_add_blacklist(SYS_create_module, 0);
+#endif
 #ifdef SYS_delete_module                
                 filter_add_blacklist(SYS_delete_module, 0);
 #endif
@@ -508,6 +522,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef  SYS_ioperm      
                 filter_add_blacklist(SYS_ioperm, 0);
 #endif
+#ifdef  SYS_ioprio_set  
+                filter_add_blacklist(SYS_ioprio_set, 0);
+#endif
 #ifdef SYS_ni_syscall // new io permissions call on arm devices
                 filter_add_blacklist(SYS_ni_syscall, 0);
 #endif
@@ -648,6 +665,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_get_kernel_syms
                 filter_add_blacklist(SYS_get_kernel_syms, 0);
 #endif
+
         }
 
         // default seccomp filter with additional drop list
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9c416b0f3..98fa17908 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -224,15 +224,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
-tuxcall, reboot, mfsservctl and get_kernel_syms.
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e915ab6cb..cb555980d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1206,8 +1206,8 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
diff --git a/todo b/todo
index 0a76cd850..8f27fb26a 100644
--- a/todo
+++ b/todo
@@ -164,12 +164,10 @@ $ vblank_mode=0 glxgears
 18. Add nosound in all profiles with private-dev (including server.profile)
 test hedgewars!
 
-19. new syscalls:
+19. new syscalls in 0.9.41:
 create_module
 name_to_handle_at
 ioprio_set, 
-
-???
 146     - sched_get_priority_max
 147     - sched_get_priority_min
 204     - sched_getaffinity