Use new seccomp syntax from #2926 in more profiles

author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-08-26 09:59:10 +0200
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-08-30 21:01:10 +0200
commit: 569149a46e88924fa11b107d905cdc6b889934c3 (patch)
tree: 38687b70a367032336ed8f03006621edcef8216b /etc
parent: Use new seccomp syntax from #2926 (diff)
download: firejail-569149a46e88924fa11b107d905cdc6b889934c3.tar.gz
firejail-569149a46e88924fa11b107d905cdc6b889934c3.tar.zst
firejail-569149a46e88924fa11b107d905cdc6b889934c3.zip
10 files changed, 10 insertions, 10 deletions
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 904c784c6..ffc613f1e 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 # protocol unix,inet,inet6,netlink
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 private-dev
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index f46987cc7..6f7638fa3 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 # x11 xorg
diff --git a/etc/brackets.profile b/etc/brackets.profile
index b7d560bbc..13a3bef79 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -27,7 +27,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!ioperm
 shell none
 private-cache
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 147b0de4b..4d92157d0 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 private-dev
 private-tmp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 0b602c79a..e174cf2bf 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -51,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!io_getevents,!io_submit,!io_submit,!ioprio_set
 # tracelog
 private-dev
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 0b5ebf705..6c5963793 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 #private-bin bash,mpd
diff --git a/etc/qgis.profile b/etc/qgis.profile
index 80a10efce..88ed0cd81 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
+seccomp !mbind
 protocol unix,inet,inet6,netlink
 shell none
 tracelog
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 64441483d..a0c9e8303 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 tracelog
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index c10be717b..6f9bfd201 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 # private-bin kbuildsycoca4,kdeinit4,skanlite
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 5703f932a..aa6902854 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 disable-mnt
 private-dev
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-08-26 09:59:10 +0200
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2019-08-30 21:01:10 +0200
commit	569149a46e88924fa11b107d905cdc6b889934c3 (patch)
tree	38687b70a367032336ed8f03006621edcef8216b /etc
parent	Use new seccomp syntax from #2926 (diff)
download	firejail-569149a46e88924fa11b107d905cdc6b889934c3.tar.gz firejail-569149a46e88924fa11b107d905cdc6b889934c3.tar.zst firejail-569149a46e88924fa11b107d905cdc6b889934c3.zip

diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 904c784c6..ffc613f1e 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile
@@ -47,7 +47,7 @@ notv
47	nou2f	47	nou2f
48	novideo	48	novideo
49	# protocol unix,inet,inet6,netlink	49	# protocol unix,inet,inet6,netlink
50	# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice	50	# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
51	tracelog	51	tracelog
52		52
53	private-dev	53	private-dev


diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index f46987cc7..6f7638fa3 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
39	novideo	39	novideo
40	protocol unix	40	protocol unix
41	# blacklisting of ioprio_set system calls breaks baloo_file	41	# blacklisting of ioprio_set system calls breaks baloo_file
42	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice	42	seccomp !ioprio_set
43	shell none	43	shell none
44	# x11 xorg	44	# x11 xorg
45		45


diff --git a/etc/brackets.profile b/etc/brackets.profile index b7d560bbc..13a3bef79 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile
@@ -27,7 +27,7 @@ notv
27	nou2f	27	nou2f
28	novideo	28	novideo
29	protocol unix,inet,inet6,netlink	29	protocol unix,inet,inet6,netlink
30	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	30	seccomp !chroot,!ioperm
31	shell none	31	shell none
32		32
33	private-cache	33	private-cache


diff --git a/etc/clementine.profile b/etc/clementine.profile index 147b0de4b..4d92157d0 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
27	novideo	27	novideo
28	protocol unix,inet,inet6	28	protocol unix,inet,inet6
29	# blacklisting of ioprio_set system calls breaks clementine	29	# blacklisting of ioprio_set system calls breaks clementine
30	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice	30	seccomp !ioprio_set
31		31
32	private-dev	32	private-dev
33	private-tmp	33	private-tmp


diff --git a/etc/kmail.profile b/etc/kmail.profile index 0b602c79a..e174cf2bf 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile
@@ -51,7 +51,7 @@ nou2f
51	novideo	51	novideo
52	protocol unix,inet,inet6,netlink	52	protocol unix,inet,inet6,netlink
53	# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls	53	# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
54	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	54	seccomp !chroot,!io_getevents,!io_submit,!io_submit,!ioprio_set
55	# tracelog	55	# tracelog
56		56
57	private-dev	57	private-dev


diff --git a/etc/mpd.profile b/etc/mpd.profile index 0b5ebf705..6c5963793 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile
@@ -31,7 +31,7 @@ novideo
31	protocol unix,inet,inet6	31	protocol unix,inet,inet6
32	# blacklisting of ioprio_set system calls breaks auto-updating of	32	# blacklisting of ioprio_set system calls breaks auto-updating of
33	# MPD's database when files in music_directory are changed	33	# MPD's database when files in music_directory are changed
34	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice	34	seccomp !ioprio_set
35	shell none	35	shell none
36		36
37	#private-bin bash,mpd	37	#private-bin bash,mpd


diff --git a/etc/qgis.profile b/etc/qgis.profile index 80a10efce..88ed0cd81 100644 --- a/etc/qgis.profile +++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
45	nou2f	45	nou2f
46	novideo	46	novideo
47	# blacklisting of mbind system calls breaks old version	47	# blacklisting of mbind system calls breaks old version
48	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice	48	seccomp !mbind
49	protocol unix,inet,inet6,netlink	49	protocol unix,inet,inet6,netlink
50	shell none	50	shell none
51	tracelog	51	tracelog


diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 64441483d..a0c9e8303 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
27	# novideo	27	# novideo
28	protocol unix,inet,inet6,netlink	28	protocol unix,inet,inet6,netlink
29	# blacklisting of ioperm system calls breaks simple-scan	29	# blacklisting of ioperm system calls breaks simple-scan
30	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	30	seccomp !ioperm
31	shell none	31	shell none
32	tracelog	32	tracelog
33		33


diff --git a/etc/skanlite.profile b/etc/skanlite.profile index c10be717b..6f9bfd201 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
27	# novideo	27	# novideo
28	protocol unix,inet,inet6,netlink	28	protocol unix,inet,inet6,netlink
29	# blacklisting of ioperm system calls breaks skanlite	29	# blacklisting of ioperm system calls breaks skanlite
30	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	30	seccomp !ioperm
31	shell none	31	shell none
32		32
33	# private-bin kbuildsycoca4,kdeinit4,skanlite	33	# private-bin kbuildsycoca4,kdeinit4,skanlite


diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile index 5703f932a..aa6902854 100644 --- a/etc/standardnotes-desktop.profile +++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
34	notv	34	notv
35	nou2f	35	nou2f
36	protocol unix,inet,inet6,netlink	36	protocol unix,inet,inet6,netlink
37	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	37	seccomp !chroot
38		38
39	disable-mnt	39	disable-mnt
40	private-dev	40	private-dev