author | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-09-05 17:52:53 +0200 |
---|---|---|
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-09-05 17:53:13 +0200 |
commit | 80aab3d21b70545da66e5aa954be0e5928ba9266 (patch) | |
tree | 3b3476d38d27a218daf173e1d76a44e6df96cd28 /etc/templates | |
parent | remove ~/.config/dconf from whitelist-common.inc (diff) | |
Update syscalls.txt
Diffstat (limited to 'etc/templates')
-rw-r--r-- | etc/templates/profile.template | 1 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 142 |
2 files changed, 90 insertions, 53 deletions
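--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -138,6 +138,7 @@ include globals.local
 # - packet almost never
 #protocol unix,inet,inet6,netlink,packet
 #seccomp
+##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #shell none
 #tracelog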
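Review bot: The added `##seccomp !chroot` uses a concrete syscall as its example while the neighbouring `##seccomp.drop SYSCALLS (see syscalls.txt)` uses a placeholder, so the two commented-out seccomp variants in the template read inconsistently. A reader of the template alone also gets no hint that `!chroot` is an exception that re-allows a syscall from the default block list rather than an additional restriction; the hints file explains this, so the line could point there the same way the next one does, e.g. `##seccomp !SYSCALLS (see syscalls.txt)` or `##seccomp !chroot (see syscalls.txt)`. Whether the double `##` marks a less-common option is not visible here, so the example is kept in that form.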
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index bc45d9f9d..6ab0e72ff 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -1,73 +1,109 @@ | |||
1 | Hints for writing seccomp.drop lines | 1 | Hints to write own seccomp filters |
2 | ==================================== | 2 | ================================== |
3 | |||
4 | |||
5 | The different seccomp commands | ||
6 | ------------------------------ | ||
7 | |||
8 | Always have a look at 'man 1 firejail'. | ||
9 | |||
10 | - seccomp | ||
11 | Blocks all syscalls in the default-group. | ||
12 | - The default-group is @default-nodebuggers, unless allow-debuggers is | ||
13 | specified, then @default is used. | ||
14 | - Listed syscalls and groups are also blocked. | ||
15 | - Exceptions are possible by putting a ! in before the name of a syscall. | ||
16 | - seccomp.block-secondary | ||
17 | Allows only native syscalls, all syscalls for other architectures are blocked. | ||
18 | - seccomp.drop | ||
19 | Blocks all listed syscalls. | ||
20 | - Exceptions are possible by putting a ! in before the name of a syscall. | ||
21 | - seccomp.keep | ||
22 | Allows only listed syscalls. | ||
23 | To write your own seccomp.keep line, see: | ||
24 | - https://firejail.wordpress.com/documentation-2/seccomp-guide/ | ||
25 | - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh | ||
3 | 26 | ||
4 | Definition of groups | 27 | Definition of groups |
5 | -------------------- | 28 | -------------------- |
6 | 29 | ||
30 | @aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit | ||
31 | @basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev | ||
32 | @chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32 | ||
7 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | 33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime |
8 | @module=delete_module,finit_module,init_module | ||
9 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
10 | @reboot=kexec_file_load,kexec_load,reboot | ||
11 | @swap=swapoff,swapon | ||
12 | |||
13 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | ||
14 | |||
15 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | 34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old |
16 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | 35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext |
17 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | 36 | @default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup |
18 | @resources=mbind,migrate_pages,move_pages,set_mempolicy | 37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv |
19 | |||
20 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | ||
21 | |||
22 | @default-nodebuggers=@default,personality,process_vm_readv,ptrace | ||
23 | |||
24 | @default-keep=execve,prctl | 38 | @default-keep=execve,prctl |
39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes | ||
40 | @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select | ||
41 | @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget | ||
42 | @keyring=add_key,keyctl,request_key | ||
43 | @memlock=mlock,mlock2,mlockall,munlock,munlockall | ||
44 | @module=delete_module,finit_module,init_module | ||
45 | @mount=chroot,mount,pivot_root,umount,umount2 | ||
46 | @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair | ||
47 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | ||
48 | @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup | ||
49 | @process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid | ||
50 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
51 | @reboot=kexec_load,kexec_file_load,reboot | ||
52 | @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy | ||
53 | @setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32 | ||
54 | @signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend | ||
55 | @swap=swapon,swapoff | ||
56 | @sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs | ||
57 | @system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice | ||
58 | @timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times | ||
25 | 59 | ||
26 | Inheritance of groups | 60 | Inheritance of groups |
27 | --------------------- | 61 | --------------------- |
28 | 62 | ||
29 | +---------+----------------+---------------+ | 63 | +---------------+ |
30 | | @clock | @cpu-emulation | @default-keep | | 64 | | @default-keep | |
31 | | @module | @debug | | | 65 | | @mount | |
32 | | @raw-io | @obsolete | | | 66 | +---------------+ |
33 | | @reboot | @resources | | | 67 | |
34 | | @swap | | | | 68 | +----------------+ +---------+ +--------+ +--------------+ |
35 | +---------+----------------+---------------+ | 69 | | @cpu-emulation | | @clock | | @chown | | @aio | |
36 | : : | 70 | | @debug | | @module | +--------+ | @basic-io | |
37 | +-------------+ : | 71 | | @obsolete | | @raw-io | : : | @default | |
38 | | @privileged | : | 72 | +----------------+ | @reboot | : : | @file-system | |
39 | +-------------+ : | 73 | : | @swap | : : | @io-event | |
40 | : : | 74 | : +---------+ : : | @ipc | |
41 | +----------+ : | 75 | : : : : : | @keyring | |
42 | | @default |........: | 76 | : ..............: : : : | @memlock | |
43 | +----------+ | 77 | : : : ........: : | @network-io | |
44 | : | 78 | : : : : : | @process | |
45 | +----------------------+ | 79 | +----------+ +-------------+ : | @resources | |
46 | | @default-nodebuggers | | 80 | | @default | | @privileged | : | @setuid | |
47 | +----------------------+ | 81 | +----------+ +-------------+ : | @signal | |
48 | 82 | : : : | @sync | | |
49 | common used seccomp.drop lines | 83 | : : : | @timer | |
50 | ------------------------------ | 84 | : :........................... : +--------------+ |
51 | 85 | : : : : | |
52 | @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 86 | : : : : |
53 | 87 | +----------------------+ +-----------------+ | |
54 | @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 88 | | @default-nodebuggers | | @system-service | |
55 | 89 | +----------------------+ +-----------------+ | |
56 | Building a seccomp.drop line if seccomp breaks a programm | 90 | |
57 | --------------------------------------------------------- | 91 | |
92 | What to do if seccomp breaks a program | ||
93 | -------------------------------------- | ||
58 | 94 | ||
59 | ``` | 95 | ``` |
60 | $ journalctl --grep=syscall --follow | 96 | $ journalctl --grep=syscall --follow |
61 | <...> audit[…]: SECCOMP <...> syscall=161 <...> | 97 | <...> audit[…]: SECCOMP <...> syscall=161 <...> |
62 | $ firejail --debug-syscalls | grep 161 | 98 | $ firejail --debug-syscalls | grep 161 |
63 | 161 - chroot | 99 | 161 - chroot |
64 | ``` | 100 | ``` |
101 | Profile: `seccomp -> seccomp !chroot` | ||
65 | 102 | ||
66 | TODO: write a short explanation | 103 | Start `journalctl --grep=syscall --follow` in a terminal, then start the broken |
67 | TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible | 104 | program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. |
68 | 105 | Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You | |
69 | see also | 106 | will see something like `NUMBER - NAME`, because you now know the name of the |
70 | -------- | 107 | syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. |
71 | 108 | ||
72 | - contrib/syscalls.sh | 109 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. |
73 | - https://firejail.wordpress.com/documentation-2/seccomp-guide/ | ||
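Review bot: The new `@default=` definition (new line 36) contains `set_mempolicyvmsplice`, where the comma between `set_mempolicy` and `vmsplice` is missing; anyone copying this list into a seccomp.drop line gets one unknown name instead of the two intended syscalls, so the span should read `...,remap_file_pages,set_mempolicy,vmsplice,umount,...`. The same line also departs from the alphabetical ordering every other group in the file uses, which makes such a missing comma hard to spot when comparing against the other definitions. Separately, the new `@default` now inlines acct, bpf, chroot, mount and friends instead of referencing `@privileged`, while the new `@privileged` (new line 48) is a larger set that also contains @chown, capset and the setuid family; if this divergence mirrors firejail's built-in groups it is intended, but a one-line remark above the definitions saying the lists are copied from the firejail source would stop a later editor from "fixing" @default back to @privileged.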