author | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-08-22 15:15:14 +0200 |
---|---|---|
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-08-22 15:15:14 +0200 |
commit | 79717102b41cb94fff512f4b7b54dd9494c98f7e (patch) | |
tree | daa7ad6552e65035a5ae4b68d31bfe3393d90505 /etc/templates/syscalls.txt | |
parent | various fixes and improvements (diff) | |
update syscalls.txt
Diffstat (limited to 'etc/templates/syscalls.txt')
-rw-r--r-- | etc/templates/syscalls.txt | 26 |
1 files changed, 26 insertions, 0 deletions
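--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
 Hints for writing seccomp.drop lines
 ====================================
 
+Definition of groups
+--------------------
+
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
 
 @default-keep=execve,prctl
 
+Inheritance of groups
+---------------------
 
 +---------+----------------+---------------+
 | @clock | @cpu-emulation | @default-keep |
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
 | @default-nodebuggers |
 +----------------------+
 
+common used seccomp.drop lines
+------------------------------
 
 @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 
 @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+
+Building a seccomp.drop line if seccomp breaks a programm
+---------------------------------------------------------
+
+```
+$ journalctl --grep=syscall --follow
+<...> audit[…]: SECCOMP <...> syscall=161 <...>
+$ firejail --debug-syscalls | grep 161
+161 - chroot
+```
+
+TODO: write a short explanation
+TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
+
+see also
+--------
+
+- contrib/syscalls.sh
+- https://firejail.wordpress.com/documentation-2/seccomp-guide/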
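Review bot: The `grep 161` in the new "Building a seccomp.drop line" example matches any line that merely contains the digits 161, so on a long `--debug-syscalls` listing it can print several candidates and mislead the reader into dropping the wrong syscall; `$ firejail --debug-syscalls | grep -w 161` pins the match to the number column. The number the audit line reports is also specific to the architecture the sandboxed program ran under, so the example should say to resolve it on the same machine (or same arch) rather than treat `161 - chroot` as universal. The heading typo `programm` should read `program`. The two TODO lines are now shipped in a user-facing template; if they cannot be written now, a one-sentence placeholder such as "Prefer `allow-debuggers` over a custom `seccomp.drop` line where that is what the program needs" would be more useful than a bare TODO.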