#3106-1, include @mount in @default insted of all the syscalls

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-09-01 17:33:20 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-09-01 17:33:20 +0200
commit: 6d952144bd5049a95ea1799648ed4a3ee5ad1e76 (patch)
tree: 0bb561b021e8ae5bc0c9943257fb54208853f67f /etc/templates
parent: shell none: avoid syscalls after seccomp_install_filters (diff)
download: firejail-6d952144bd5049a95ea1799648ed4a3ee5ad1e76.tar.gz
firejail-6d952144bd5049a95ea1799648ed4a3ee5ad1e76.tar.zst
firejail-6d952144bd5049a95ea1799648ed4a3ee5ad1e76.zip
1 files changed, 3 insertions, 4 deletions
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index ea3b5a6b0..c454887dd 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
@@ -62,15 +62,14 @@ Inheritance of groups
 +---------------+
 | @default-keep |
-| @mount        |
 +---------------+
 +----------------+  +---------+  +--------+  +--------------+
 | @cpu-emulation |  | @clock  |  | @chown |  | @aio         |
 | @debug         |  | @module |  +--------+  | @basic-io    |
 | @obsolete      |  | @raw-io |     :  :     | @file-system |
-+----------------+  | @reboot |     :  :     | @io-event    |
+| @mount         |  | @reboot |     :  :     | @io-event    |
-   :                | @swap   |     :  :     | @ipc         |
+----------------+  | @swap   |     :  :     | @ipc         |
   :                +---------+     :  :     | @keyring     |
   :                  :  :          :  :     | @memlock     |
   :    ..............:  :          :  :     | @network-io  |
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-09-01 17:33:20 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-09-01 17:33:20 +0200
commit	6d952144bd5049a95ea1799648ed4a3ee5ad1e76 (patch)
tree	0bb561b021e8ae5bc0c9943257fb54208853f67f /etc/templates
parent	shell none: avoid syscalls after seccomp_install_filters (diff)
download	firejail-6d952144bd5049a95ea1799648ed4a3ee5ad1e76.tar.gz firejail-6d952144bd5049a95ea1799648ed4a3ee5ad1e76.tar.zst firejail-6d952144bd5049a95ea1799648ed4a3ee5ad1e76.zip