diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-07-28 09:30:16 +0200 |
|---|---|---|
| committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-07-28 09:30:16 +0200 |
| commit | bf886377ae43022c066c68b8de36ad1608d2198f (patch) | |
| tree | 0ad03fff3a2f8f9128bfb2b8cfb204442c9b4aa6 /etc/templates | |
| parent | Refactor code.profile as electron redirect (diff) | |
| download | firejail-bf886377ae43022c066c68b8de36ad1608d2198f.tar.gz firejail-bf886377ae43022c066c68b8de36ad1608d2198f.tar.zst firejail-bf886377ae43022c066c68b8de36ad1608d2198f.zip | |
Update etc/templates/syscalls.txt
Rework + suggest --seccomp-error-action=log
Diffstat (limited to 'etc/templates')
| -rw-r--r-- | etc/templates/syscalls.txt | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index 3992c984a..38f789923 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
| @@ -89,18 +89,24 @@ Inheritance of groups | |||
| 89 | What to do if seccomp breaks a program | 89 | What to do if seccomp breaks a program |
| 90 | -------------------------------------- | 90 | -------------------------------------- |
| 91 | 91 | ||
| 92 | Start `journalctl --grep=SECCOMP --follow` in a terminal and run | ||
| 93 | `firejail --seccomp-error-action=log /path/to/program` in a second terminal. | ||
| 94 | Now switch back to the first terminal (where `journalctl` is running) and look | ||
| 95 | for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you | ||
| 96 | have found them, you can stop `journalctl` (^C) and execute | ||
| 97 | `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall. | ||
| 98 | In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`. | ||
| 99 | Now you can add a seccomp exception using `seccomp !NAME`. | ||
| 100 | |||
| 101 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | ||
| 102 | |||
| 92 | ``` | 103 | ``` |
| 93 | $ journalctl --grep=syscall --follow | 104 | term1$ journalctl --grep=SECCOMP --follow |
| 94 | <...> audit[…]: SECCOMP <...> syscall=161 <...> | 105 | term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop |
| 95 | $ firejail --debug-syscalls | grep 161 | 106 | term1$ (journalctl --grep=SECCOMP --follow) |
| 96 | 161 - chroot | 107 | audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ... |
| 108 | ^C | ||
| 109 | term1$ firejail --debug-syscalls | grep "^161[[:space:]]" | ||
| 110 | 161 - chroot | ||
| 97 | ``` | 111 | ``` |
| 98 | Profile: `seccomp -> seccomp !chroot` | 112 | Profile: `seccomp -> seccomp !chroot` |
| 99 | |||
| 100 | Start `journalctl --grep=syscall --follow` in a terminal, then start the broken | ||
| 101 | program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. | ||
| 102 | Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You | ||
| 103 | will see something like `NUMBER - NAME`, because you now know the name of the | ||
| 104 | syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. | ||
| 105 | |||
| 106 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | ||