author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-08-22 15:15:14 +0200
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-08-22 15:15:14 +0200
commit: 79717102b41cb94fff512f4b7b54dd9494c98f7e (patch)
tree: daa7ad6552e65035a5ae4b68d31bfe3393d90505 /etc/templates/syscalls.txt
parent: various fixes and improvements
download: firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.tar.gz
firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.tar.zst
firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.zip
update syscalls.txt
Diffstat (limited to 'etc/templates/syscalls.txt')
-rw-r--r-- etc/templates/syscalls.txt | 26
1 file changed, 26 insertions, 0 deletions
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 30ad6feea..bc45d9f9d 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
1Hints for writing seccomp.drop lines 1Hints for writing seccomp.drop lines
2==================================== 2====================================
3 3
4Definition of groups
5--------------------
6
4@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime 7@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
5@module=delete_module,finit_module,init_module 8@module=delete_module,finit_module,init_module
6@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write 9@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
20 23
21@default-keep=execve,prctl 24@default-keep=execve,prctl
22 25
26Inheritance of groups
27---------------------
23 28
24+---------+----------------+---------------+ 29+---------+----------------+---------------+
25| @clock | @cpu-emulation | @default-keep | 30| @clock | @cpu-emulation | @default-keep |
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
41| @default-nodebuggers | 46| @default-nodebuggers |
42+----------------------+ 47+----------------------+
43 48
49common used seccomp.drop lines
50------------------------------
44 51
45@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice 52@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
46 53
47@default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice 54@default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
55
56Building a seccomp.drop line if seccomp breaks a programm
57---------------------------------------------------------
58
59```
60$ journalctl --grep=syscall --follow
61<...> audit[…]: SECCOMP <...> syscall=161 <...>
62$ firejail --debug-syscalls | grep 161
63161 - chroot
64```
65
66TODO: write a short explanation
67TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
68
69see also
70--------
71
72 - contrib/syscalls.sh
73 - https://firejail.wordpress.com/documentation-2/seccomp-guide/
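Review bot: the two new subheadings in this hunk carry wording errors that every reader of the template will see: `common used seccomp.drop lines` should read `Commonly used seccomp.drop lines`, and `Building a seccomp.drop line if seccomp breaks a programm` should read `... breaks a program`. In the journalctl walk-through, `firejail --debug-syscalls | grep 161` matches any line that merely contains those digits; anchoring it as `grep '^161 '` matches only the numbered entry shown (`161 - chroot`). The text should also state that the `syscall=` number in the SECCOMP audit record is architecture-specific (161 is chroot on x86_64 and differs on other architectures, including 32-bit x86), so the lookup must be run with `--debug-syscalls` on the same architecture as the sandboxed program; otherwise a user can end up adding the wrong syscall to `seccomp.drop` and either not fix the breakage or silently weaken the filter. Finally, two `TODO:` lines are committed into a user-facing template; either write the short explanation and the `allow-debuggers` recommendation now, or track them in an issue rather than shipping placeholders.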