author | netblue30 <netblue30@protonmail.com> | 2021-07-28 19:01:17 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-28 19:01:17 +0000 |
commit | 2b5eb07e078c560a3ae184f4f997b7d7353a1a32 (patch) | |
tree | 0be4523f0ab86740a0c2e1dbe52b742fc9805b24 /etc/templates | |
parent | moved rules from firefox-common.profile to firefox.profile (diff) | |
parent | Merge pull request #4412 from netblue30/Neo00001-patch-1 (diff) | |
Merge branch 'master' into master
Diffstat (limited to 'etc/templates')
-rw-r--r-- | etc/templates/syscalls.txt | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index 3992c984a..38f789923 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -89,18 +89,24 @@ Inheritance of groups | |||
89 | What to do if seccomp breaks a program | 89 | What to do if seccomp breaks a program |
90 | -------------------------------------- | 90 | -------------------------------------- |
91 | 91 | ||
92 | Start `journalctl --grep=SECCOMP --follow` in a terminal and run | ||
93 | `firejail --seccomp-error-action=log /path/to/program` in a second terminal. | ||
94 | Now switch back to the first terminal (where `journalctl` is running) and look | ||
95 | for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you | ||
96 | have found them, you can stop `journalctl` (^C) and execute | ||
97 | `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall. | ||
98 | In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`. | ||
99 | Now you can add a seccomp exception using `seccomp !NAME`. | ||
100 | |||
101 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | ||
102 | |||
92 | ``` | 103 | ``` |
93 | $ journalctl --grep=syscall --follow | 104 | term1$ journalctl --grep=SECCOMP --follow |
94 | <...> audit[…]: SECCOMP <...> syscall=161 <...> | 105 | term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop |
95 | $ firejail --debug-syscalls | grep 161 | 106 | term1$ (journalctl --grep=SECCOMP --follow) |
96 | 161 - chroot | 107 | audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ... |
108 | ^C | ||
109 | term1$ firejail --debug-syscalls | grep "^161[[:space:]]" | ||
110 | 161 - chroot | ||
97 | ``` | 111 | ``` |
98 | Profile: `seccomp -> seccomp !chroot` | 112 | Profile: `seccomp -> seccomp !chroot` |
99 | |||
100 | Start `journalctl --grep=syscall --follow` in a terminal, then start the broken | ||
101 | program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. | ||
102 | Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You | ||
103 | will see something like `NUMBER - NAME`, because you now know the name of the | ||
104 | syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. | ||
105 | |||
106 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | ||
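Review bot: the added prose step `firejail --debug-syscalls | grep NUMBER` does not match the example that follows it, which anchors the pattern with `grep "^161[[:space:]]"`; an unanchored `grep 161` also matches every other line containing those digits, so the prose should show the same anchored form, e.g. `firejail --debug-syscalls | grep "^NUMBER[[:space:]]"`. The sentence about a 32bit syscall on a 64bit system tells the reader to use `ausyscall i386 NUMBER` but not how to recognise that case; pointing at the `arch=` field of the audit line shown in the example would close that gap. Minor wording: "consider to add allow-debuggers to the profile" reads better as "consider adding `allow-debuggers` to the profile".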