Update syscalls.txt

author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-09-05 17:52:53 +0200
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-09-05 17:53:13 +0200
commit: 80aab3d21b70545da66e5aa954be0e5928ba9266 (patch)
tree: 3b3476d38d27a218daf173e1d76a44e6df96cd28 /etc/templates/syscalls.txt
parent: remove ~/.config/dconf from whitelist-common.inc (diff)
download: firejail-80aab3d21b70545da66e5aa954be0e5928ba9266.tar.gz
firejail-80aab3d21b70545da66e5aa954be0e5928ba9266.tar.zst
firejail-80aab3d21b70545da66e5aa954be0e5928ba9266.zip
1 files changed, 89 insertions, 53 deletions
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index bc45d9f9d..6ab0e72ff 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,73 +1,109 @@
-Hints for writing seccomp.drop lines
+Hints to write own seccomp filters
-====================================
+==================================
+The different seccomp commands
+------------------------------
+Always have a look at 'man 1 firejail'.
+ - seccomp
+    Blocks all syscalls in the default-group.
+     - The default-group is @default-nodebuggers, unless allow-debuggers is
+       specified, then @default is used.
+     - Listed syscalls and groups are also blocked.
+     - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.block-secondary
+    Allows only native syscalls, all syscalls for other architectures are blocked.
+ - seccomp.drop
+    Blocks all listed syscalls.
+     - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.keep
+    Allows only listed syscalls.
+     To write your own seccomp.keep line, see:
+     - https://firejail.wordpress.com/documentation-2/seccomp-guide/
+     - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh
 Definition of groups
 --------------------
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
+@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
-@module=delete_module,finit_module,init_module
-@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
-@reboot=kexec_file_load,kexec_load,reboot
-@swap=swapoff,swapon
-@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
-@resources=mbind,migrate_pages,move_pages,set_mempolicy
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
-@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
-@default-nodebuggers=@default,personality,process_vm_readv,ptrace
 @default-keep=execve,prctl
+@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@keyring=add_key,keyctl,request_key
+@memlock=mlock,mlock2,mlockall,munlock,munlockall
+@module=delete_module,finit_module,init_module
+@mount=chroot,mount,pivot_root,umount,umount2
+@network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
+@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_load,kexec_file_load,reboot
+@resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
+@setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32
+@signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend
+@swap=swapon,swapoff
+@sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs
+@system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice
+@timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times
 Inheritance of groups
 ---------------------
-+---------+----------------+---------------+
+---------------+
-| @clock  | @cpu-emulation | @default-keep |
+| @default-keep |
-| @module | @debug         |               |
+| @mount        |
-| @raw-io | @obsolete      |               |
+---------------+
-| @reboot | @resources     |               |
-| @swap   |                |               |
+----------------+  +---------+  +--------+  +--------------+
-+---------+----------------+---------------+
+| @cpu-emulation |  | @clock  |  | @chown |  | @aio         |
-     :              :
+| @debug         |  | @module |  +--------+  | @basic-io    |
-+-------------+     :
+| @obsolete      |  | @raw-io |     :  :     | @default     |
-| @privileged |     :
+----------------+  | @reboot |     :  :     | @file-system |
-+-------------+     :
+   :                | @swap   |     :  :     | @io-event    |
-     :              :
+   :                +---------+     :  :     | @ipc         |
-+----------+        :
+   :                  :  :          :  :     | @keyring     |
-| @default |........:
+   :    ..............:  :          :  :     | @memlock     |
-+----------+
+   :    :                :  ........:  :     | @network-io  |
-    :
+   :    :                :  :          :     | @process     |
-+----------------------+
+----------+    +-------------+        :     | @resources   |
-| @default-nodebuggers |
+| @default |    | @privileged |        :     | @setuid      |
-+----------------------+
+----------+    +-------------+        :     | @signal      |
+   :    :                              :     | @sync        |
-common used seccomp.drop lines
+   :    :                              :     | @timer       |
------------------------------
+   :    :...........................   :     +--------------+
+   :                               :   :        :
-@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+   :                               :   :        :
+----------------------+        +-----------------+
-@default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+| @default-nodebuggers |        | @system-service |
+----------------------+        +-----------------+
-Building a seccomp.drop line if seccomp breaks a programm
---------------------------------------------------------
+What to do if seccomp breaks a program
+--------------------------------------
 ```
 $ journalctl --grep=syscall --follow
 <...> audit[…]: SECCOMP <...> syscall=161 <...>
 $ firejail --debug-syscalls | grep 161
-161     - chroot
+161 - chroot
 ```
+Profile: `seccomp -> seccomp !chroot`
-TODO: write a short explanation
+Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
-TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
+program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
+Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
-see also
+will see something like `NUMBER  - NAME`, because you now know the name of the
--------
+syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
- - contrib/syscalls.sh
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
- - https://firejail.wordpress.com/documentation-2/seccomp-guide/
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-09-05 17:52:53 +0200
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2019-09-05 17:53:13 +0200
commit	80aab3d21b70545da66e5aa954be0e5928ba9266 (patch)
tree	3b3476d38d27a218daf173e1d76a44e6df96cd28 /etc/templates/syscalls.txt
parent	remove ~/.config/dconf from whitelist-common.inc (diff)
download	firejail-80aab3d21b70545da66e5aa954be0e5928ba9266.tar.gz firejail-80aab3d21b70545da66e5aa954be0e5928ba9266.tar.zst firejail-80aab3d21b70545da66e5aa954be0e5928ba9266.zip

diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index bc45d9f9d..6ab0e72ff 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt
@@ -1,73 +1,109 @@
1	Hints for writing seccomp.drop lines	1	Hints to write own seccomp filters
2	====================================	2	==================================
		3
		4
		5	The different seccomp commands
		6	------------------------------
		7
		8	Always have a look at 'man 1 firejail'.
		9
		10	- seccomp
		11	Blocks all syscalls in the default-group.
		12	- The default-group is @default-nodebuggers, unless allow-debuggers is
		13	specified, then @default is used.
		14	- Listed syscalls and groups are also blocked.
		15	- Exceptions are possible by putting a ! in before the name of a syscall.
		16	- seccomp.block-secondary
		17	Allows only native syscalls, all syscalls for other architectures are blocked.
		18	- seccomp.drop
		19	Blocks all listed syscalls.
		20	- Exceptions are possible by putting a ! in before the name of a syscall.
		21	- seccomp.keep
		22	Allows only listed syscalls.
		23	To write your own seccomp.keep line, see:
		24	- https://firejail.wordpress.com/documentation-2/seccomp-guide/
		25	- https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh
3		26
4	Definition of groups	27	Definition of groups
5	--------------------	28	--------------------
6		29
		30	@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
		31	@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
		32	@chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
7	@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime	33	@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
8	@module=delete_module,finit_module,init_module
9	@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
10	@reboot=kexec_file_load,kexec_load,reboot
11	@swap=swapoff,swapon
12
13	@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
14
15	@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old	34	@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
16	@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext	35	@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
17	@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver	36	@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
18	@resources=mbind,migrate_pages,move_pages,set_mempolicy	37	@default-nodebuggers=@default,ptrace,personality,process_vm_readv
19
20	@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
21
22	@default-nodebuggers=@default,personality,process_vm_readv,ptrace
23
24	@default-keep=execve,prctl	38	@default-keep=execve,prctl
		39	@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
		40	@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
		41	@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
		42	@keyring=add_key,keyctl,request_key
		43	@memlock=mlock,mlock2,mlockall,munlock,munlockall
		44	@module=delete_module,finit_module,init_module
		45	@mount=chroot,mount,pivot_root,umount,umount2
		46	@network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
		47	@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
		48	@privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
		49	@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
		50	@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
		51	@reboot=kexec_load,kexec_file_load,reboot
		52	@resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
		53	@setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32
		54	@signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend
		55	@swap=swapon,swapoff
		56	@sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs
		57	@system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice
		58	@timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times
25		59
26	Inheritance of groups	60	Inheritance of groups
27	---------------------	61	---------------------
28		62
29	+---------+----------------+---------------+	63	+---------------+
30	\| @clock \| @cpu-emulation \| @default-keep \|	64	\| @default-keep \|
31	\| @module \| @debug \| \|	65	\| @mount \|
32	\| @raw-io \| @obsolete \| \|	66	+---------------+
33	\| @reboot \| @resources \| \|	67
34	\| @swap \| \| \|	68	+----------------+ +---------+ +--------+ +--------------+
35	+---------+----------------+---------------+	69	\| @cpu-emulation \| \| @clock \| \| @chown \| \| @aio \|
36	: :	70	\| @debug \| \| @module \| +--------+ \| @basic-io \|
37	+-------------+ :	71	\| @obsolete \| \| @raw-io \| : : \| @default \|
38	\| @privileged \| :	72	+----------------+ \| @reboot \| : : \| @file-system \|
39	+-------------+ :	73	: \| @swap \| : : \| @io-event \|
40	: :	74	: +---------+ : : \| @ipc \|
41	+----------+ :	75	: : : : : \| @keyring \|
42	\| @default \|........:	76	: ..............: : : : \| @memlock \|
43	+----------+	77	: : : ........: : \| @network-io \|
44	:	78	: : : : : \| @process \|
45	+----------------------+	79	+----------+ +-------------+ : \| @resources \|
46	\| @default-nodebuggers \|	80	\| @default \| \| @privileged \| : \| @setuid \|
47	+----------------------+	81	+----------+ +-------------+ : \| @signal \|
48		82	: : : \| @sync \|
49	common used seccomp.drop lines	83	: : : \| @timer \|
50	------------------------------	84	: :........................... : +--------------+
51		85	: : : :
52	@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	86	: : : :
53		87	+----------------------+ +-----------------+
54	@default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	88	\| @default-nodebuggers \| \| @system-service \|
55		89	+----------------------+ +-----------------+
56	Building a seccomp.drop line if seccomp breaks a programm	90
57	---------------------------------------------------------	91
		92	What to do if seccomp breaks a program
		93	--------------------------------------
58		94
59	```	95	```
60	$ journalctl --grep=syscall --follow	96	$ journalctl --grep=syscall --follow
61	<...> audit[…]: SECCOMP <...> syscall=161 <...>	97	<...> audit[…]: SECCOMP <...> syscall=161 <...>
62	$ firejail --debug-syscalls \| grep 161	98	$ firejail --debug-syscalls \| grep 161
63	161 - chroot	99	161 - chroot
64	```	100	```
		101	Profile: `seccomp -> seccomp !chroot`
65		102
66	TODO: write a short explanation	103	Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
67	TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible	104	program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
68		105	Stop journalctl (^C) and execute `firejail --debug-syscalls \| grep NUMBER`. You
69	see also	106	will see something like `NUMBER - NAME`, because you now know the name of the
70	--------	107	syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
71		108
72	- contrib/syscalls.sh	109	If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
73	- https://firejail.wordpress.com/documentation-2/seccomp-guide/