update syscalls.txt

author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-08-22 15:15:14 +0200
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-08-22 15:15:14 +0200
commit: 79717102b41cb94fff512f4b7b54dd9494c98f7e (patch)
tree: daa7ad6552e65035a5ae4b68d31bfe3393d90505 /etc/templates/syscalls.txt
parent: various fixes and improvements (diff)
download: firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.tar.gz
firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.tar.zst
firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.zip
1 files changed, 26 insertions, 0 deletions
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 30ad6feea..bc45d9f9d 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
 Hints for writing seccomp.drop lines
 ====================================
+Definition of groups
+--------------------
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
 @default-keep=execve,prctl
+Inheritance of groups
+---------------------
 +---------+----------------+---------------+
 | @clock  | @cpu-emulation | @default-keep |
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
 | @default-nodebuggers |
 +----------------------+
+common used seccomp.drop lines
+------------------------------
 @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+Building a seccomp.drop line if seccomp breaks a programm
+---------------------------------------------------------
+```
+$ journalctl --grep=syscall --follow
+<...> audit[…]: SECCOMP <...> syscall=161 <...>
+$ firejail --debug-syscalls | grep 161
+161     - chroot
+```
+TODO: write a short explanation
+TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
+see also
+--------
+ - contrib/syscalls.sh
+ - https://firejail.wordpress.com/documentation-2/seccomp-guide/
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-08-22 15:15:14 +0200
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2019-08-22 15:15:14 +0200
commit	79717102b41cb94fff512f4b7b54dd9494c98f7e (patch)
tree	daa7ad6552e65035a5ae4b68d31bfe3393d90505 /etc/templates/syscalls.txt
parent	various fixes and improvements (diff)
download	firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.tar.gz firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.tar.zst firejail-79717102b41cb94fff512f4b7b54dd9494c98f7e.zip

diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index 30ad6feea..bc45d9f9d 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
1	Hints for writing seccomp.drop lines	1	Hints for writing seccomp.drop lines
2	====================================	2	====================================
3		3
		4	Definition of groups
		5	--------------------
		6
4	@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime	7	@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
5	@module=delete_module,finit_module,init_module	8	@module=delete_module,finit_module,init_module
6	@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write	9	@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
20		23
21	@default-keep=execve,prctl	24	@default-keep=execve,prctl
22		25
		26	Inheritance of groups
		27	---------------------
23		28
24	+---------+----------------+---------------+	29	+---------+----------------+---------------+
25	\| @clock \| @cpu-emulation \| @default-keep \|	30	\| @clock \| @cpu-emulation \| @default-keep \|
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
41	\| @default-nodebuggers \|	46	\| @default-nodebuggers \|
42	+----------------------+	47	+----------------------+
43		48
		49	common used seccomp.drop lines
		50	------------------------------
44		51
45	@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	52	@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
46		53
47	@default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	54	@default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
		55
		56	Building a seccomp.drop line if seccomp breaks a programm
		57	---------------------------------------------------------
		58
		59	```
		60	$ journalctl --grep=syscall --follow
		61	<...> audit[…]: SECCOMP <...> syscall=161 <...>
		62	$ firejail --debug-syscalls \| grep 161
		63	161 - chroot
		64	```
		65
		66	TODO: write a short explanation
		67	TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
		68
		69	see also
		70	--------
		71
		72	- contrib/syscalls.sh
		73	- https://firejail.wordpress.com/documentation-2/seccomp-guide/