author | netblue30 <netblue30@yahoo.com> | 2019-09-15 06:59:31 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-15 06:59:31 -0500 |
commit | 99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b (patch) | |
tree | aab0f8277a0ae1de922b8a9268b01428e8febd73 /etc | |
parent | Make sure that we are unprivileged before creating the trace log file. (diff) | |
parent | Fix #2899 (diff) | |
Merge branch 'master' into fix-profile-builder
Diffstat (limited to 'etc')
36 files changed, 163 insertions, 105 deletions
diff --git a/etc/Viber.profile b/etc/Viber.profile index ecc500769..925e130de 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile | |||
@@ -28,12 +28,10 @@ nonewprivs | |||
28 | noroot | 28 | noroot |
29 | notv | 29 | notv |
30 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
31 | seccomp | 31 | seccomp !chroot |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin awk,bash,dig,sh,Viber | 35 | private-bin awk,bash,dig,sh,Viber |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 |
37 | private-tmp | 37 | private-tmp |
38 | |||
39 | env QTWEBENGINE_DISABLE_SANDBOX=1 | ||
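Review bot: Line 31 now carves `chroot` out of the default seccomp filter and line 39 drops `QTWEBENGINE_DISABLE_SANDBOX=1`, but nothing in the profile records that the two belong together — presumably the Qt WebEngine renderer sandbox is being re-enabled and needs chroot for its own setup, as the akregator and qutebrowser hunks in this commit say in their comments. Without that note the next maintainer may tighten the line back to plain `seccomp` and silently break the renderer sandbox, or re-add the env line and give it up again. Add the same comment above line 31: `# chroot syscalls are needed for setting up the built-in sandbox`.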
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 904c784c6..ffc613f1e 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile | |||
@@ -47,7 +47,7 @@ notv | |||
47 | nou2f | 47 | nou2f |
48 | novideo | 48 | novideo |
49 | # protocol unix,inet,inet6,netlink | 49 | # protocol unix,inet,inet6,netlink |
50 | # seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 50 | # seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set |
51 | tracelog | 51 | tracelog |
52 | 52 | ||
53 | private-dev | 53 | private-dev |
diff --git a/etc/akregator.profile b/etc/akregator.profile index 466eff22d..34933f283 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
@@ -36,7 +36,7 @@ nou2f | |||
36 | novideo | 36 | novideo |
37 | protocol unix,inet,inet6,netlink | 37 | protocol unix,inet,inet6,netlink |
38 | # chroot syscalls are needed for setting up the built-in sandbox | 38 | # chroot syscalls are needed for setting up the built-in sandbox |
39 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 39 | seccomp !chroot |
40 | shell none | 40 | shell none |
41 | 41 | ||
42 | disable-mnt | 42 | disable-mnt |
diff --git a/etc/ar.profile b/etc/ar.profile new file mode 100644 index 000000000..6b1fb830c --- /dev/null +++ b/etc/ar.profile | |||
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for ar | ||
2 | # Description: Create, modify, and extract from archives | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include ar.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | |||
17 | apparmor | ||
18 | caps.drop all | ||
19 | hostname ar | ||
20 | ipc-namespace | ||
21 | machine-id | ||
22 | net none | ||
23 | no3d | ||
24 | nodbus | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | #noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | x11 none | ||
38 | |||
39 | private-bin ar | ||
40 | private-cache | ||
41 | private-dev | ||
42 | |||
43 | memory-deny-write-execute | ||
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index f46987cc7..6f7638fa3 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
@@ -39,7 +39,7 @@ nou2f | |||
39 | novideo | 39 | novideo |
40 | protocol unix | 40 | protocol unix |
41 | # blacklisting of ioprio_set system calls breaks baloo_file | 41 | # blacklisting of ioprio_set system calls breaks baloo_file |
42 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 42 | seccomp !ioprio_set |
43 | shell none | 43 | shell none |
44 | # x11 xorg | 44 | # x11 xorg |
45 | 45 | ||
diff --git a/etc/basilisk.profile b/etc/basilisk.profile index 5bc91dc74..8dc3847a0 100644 --- a/etc/basilisk.profile +++ b/etc/basilisk.profile | |||
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk | |||
14 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
15 | 15 | ||
16 | # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) | 16 | # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) |
17 | ignore seccomp.drop | ||
18 | seccomp | 17 | seccomp |
18 | ignore seccomp | ||
19 | 19 | ||
20 | #private-bin basilisk | 20 | #private-bin basilisk |
21 | # private-etc must first be enabled in firefox-common.profile | 21 | # private-etc must first be enabled in firefox-common.profile |
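Review bot: The order of lines 17–18 is load-bearing and deserves a comment: if `ignore` applies to every line parsed after it, including the `seccomp !chroot` pulled in from firefox-common.profile through the redirect, then placing `ignore seccomp` after this file's own `seccomp` is exactly what keeps the full filter while discarding the chroot exception — swapped, the profile would lose seccomp entirely. I am inferring the ignore semantics from the old/new ordering rather than from visible parser code, so confirm it. Suggested comment above line 18: `# must come after our own 'seccomp' line: ignore applies to the rest of the profile, including the 'seccomp !chroot' in firefox-common.profile`.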
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index 4f1b05c88..0de3bc480 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile | |||
@@ -42,7 +42,7 @@ notv | |||
42 | nou2f | 42 | nou2f |
43 | novideo | 43 | novideo |
44 | protocol unix,inet,inet6,netlink | 44 | protocol unix,inet,inet6,netlink |
45 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 45 | seccomp !chroot |
46 | shell none | 46 | shell none |
47 | 47 | ||
48 | disable-mnt | 48 | disable-mnt |
diff --git a/etc/brackets.profile b/etc/brackets.profile index b7d560bbc..13a3bef79 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile | |||
@@ -27,7 +27,7 @@ notv | |||
27 | nou2f | 27 | nou2f |
28 | novideo | 28 | novideo |
29 | protocol unix,inet,inet6,netlink | 29 | protocol unix,inet,inet6,netlink |
30 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 30 | seccomp !chroot,!ioperm |
31 | shell none | 31 | shell none |
32 | 32 | ||
33 | private-cache | 33 | private-cache |
diff --git a/etc/clementine.profile b/etc/clementine.profile index 147b0de4b..4d92157d0 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -27,7 +27,7 @@ nou2f | |||
27 | novideo | 27 | novideo |
28 | protocol unix,inet,inet6 | 28 | protocol unix,inet,inet6 |
29 | # blacklisting of ioprio_set system calls breaks clementine | 29 | # blacklisting of ioprio_set system calls breaks clementine |
30 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 30 | seccomp !ioprio_set |
31 | 31 | ||
32 | private-dev | 32 | private-dev |
33 | private-tmp | 33 | private-tmp |
diff --git a/etc/code.profile b/etc/code.profile index 7ac4e1619..6f8a25211 100644 --- a/etc/code.profile +++ b/etc/code.profile | |||
@@ -18,7 +18,6 @@ include disable-passwdmgr.inc | |||
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | 19 | ||
20 | caps.drop all | 20 | caps.drop all |
21 | net none | ||
22 | netfilter | 21 | netfilter |
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
diff --git a/etc/falkon.profile b/etc/falkon.profile index ddcda6228..0024b6660 100644 --- a/etc/falkon.profile +++ b/etc/falkon.profile | |||
@@ -34,7 +34,7 @@ notv | |||
34 | nou2f | 34 | nou2f |
35 | protocol unix,inet,inet6,netlink | 35 | protocol unix,inet,inet6,netlink |
36 | # blacklisting of chroot system calls breaks falkon | 36 | # blacklisting of chroot system calls breaks falkon |
37 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 37 | seccomp !chroot |
38 | # tracelog | 38 | # tracelog |
39 | 39 | ||
40 | private-dev | 40 | private-dev |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 6ad4a9bc2..02d6199a0 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -46,7 +46,7 @@ notv | |||
46 | ?BROWSER_DISABLE_U2F: nou2f | 46 | ?BROWSER_DISABLE_U2F: nou2f |
47 | protocol unix,inet,inet6,netlink | 47 | protocol unix,inet,inet6,netlink |
48 | # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. | 48 | # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. |
49 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 49 | seccomp !chroot |
50 | shell none | 50 | shell none |
51 | # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. | 51 | # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. |
52 | #tracelog | 52 | #tracelog |
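Review bot: Line 49 swaps an explicit drop list for the default group plus a `!chroot` exception, which is a no-op or a tightening only if the default group already contains everything the old list named — `@clock`, `@module`, `@raw-io`, `@reboot`, `@swap`, `acct`, `bpf`, `mount`, `pivot_root`, `umount2`, `userfaultfd`, `vmsplice` and the rest — and that group is not visible here. Since this profile is the base for every Firefox-derived browser, a one-time check against the default-group definition in syscalls.txt is worthwhile. Note also that, per the syscalls.txt text in this commit, `allow-debuggers` switches the default group to `@default`, so `ptrace` and `process_vm_readv`, which the old list dropped unconditionally, would then be permitted — probably intended, but it is a behaviour change. The comment on line 48 remains accurate under the new line.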
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile index cbeb82465..30ca56094 100644 --- a/etc/gnome-schedule.profile +++ b/etc/gnome-schedule.profile | |||
@@ -58,6 +58,5 @@ tracelog | |||
58 | disable-mnt | 58 | disable-mnt |
59 | private-cache | 59 | private-cache |
60 | private-dev | 60 | private-dev |
61 | private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow | ||
62 | writable-var | 61 | writable-var |
63 | 62 | ||
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 6ef02ad47..3e1e0a2ce 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile | |||
@@ -29,7 +29,9 @@ machine-id | |||
29 | net none | 29 | net none |
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
32 | nodbus | 32 | # Breaks 'Lock database when session is locked or lid is closed' (#2899), |
33 | # you can safely uncomment it or add to keepassxc.local if you don't need this feature. | ||
34 | #nodbus | ||
33 | nogroups | 35 | nogroups |
34 | nonewprivs | 36 | nonewprivs |
35 | noroot | 37 | noroot |
@@ -46,8 +48,5 @@ private-dev | |||
46 | private-etc alternatives,fonts,ld.so.cache,machine-id | 48 | private-etc alternatives,fonts,ld.so.cache,machine-id |
47 | private-tmp | 49 | private-tmp |
48 | 50 | ||
49 | # 2.2.4 crashes on database open | ||
50 | # memory-deny-write-execute | ||
51 | |||
52 | # Mutex is stored in /tmp by default, which is broken by private-tmp | 51 | # Mutex is stored in /tmp by default, which is broken by private-tmp |
53 | join-or-start keepassxc | 52 | join-or-start keepassxc |
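Review bot: Commenting out `nodbus` at line 34 gives the password manager access to the D-Bus session bus, and the comment on lines 32–33 describes only the feature that broke, not what the sandbox gives up; a user deciding whether to re-enable it needs both halves. Presumably the 'Lock database when session is locked' feature has to receive session-lock notifications over D-Bus — confirm, and say so. Suggested wording: `# nodbus breaks 'Lock database when session is locked or lid is closed' (#2899); leaving D-Bus open lets the sandboxed process talk to every session-bus service, so re-enable nodbus in keepassxc.local if you don't use that feature.`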
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile index db8f7880c..8b7b12882 100644 --- a/etc/kiwix-desktop.profile +++ b/etc/kiwix-desktop.profile | |||
@@ -39,7 +39,7 @@ notv | |||
39 | nou2f | 39 | nou2f |
40 | novideo | 40 | novideo |
41 | protocol unix,inet,inet6,netlink | 41 | protocol unix,inet,inet6,netlink |
42 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 42 | seccomp !chroot |
43 | shell none | 43 | shell none |
44 | 44 | ||
45 | disable-mnt | 45 | disable-mnt |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 0b602c79a..198b05a11 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -51,7 +51,7 @@ nou2f | |||
51 | novideo | 51 | novideo |
52 | protocol unix,inet,inet6,netlink | 52 | protocol unix,inet,inet6,netlink |
53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls | 53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls |
54 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 54 | seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set |
55 | # tracelog | 55 | # tracelog |
56 | 56 | ||
57 | private-dev | 57 | private-dev |
diff --git a/etc/mpd.profile b/etc/mpd.profile index 0b5ebf705..6c5963793 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile | |||
@@ -31,7 +31,7 @@ novideo | |||
31 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6 |
32 | # blacklisting of ioprio_set system calls breaks auto-updating of | 32 | # blacklisting of ioprio_set system calls breaks auto-updating of |
33 | # MPD's database when files in music_directory are changed | 33 | # MPD's database when files in music_directory are changed |
34 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 34 | seccomp !ioprio_set |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin bash,mpd | 37 | #private-bin bash,mpd |
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 11464e6cf..acb2ce176 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon | |||
14 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
15 | 15 | ||
16 | # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60) | 16 | # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60) |
17 | ignore seccomp.drop | ||
18 | seccomp | 17 | seccomp |
18 | ignore seccomp | ||
19 | 19 | ||
20 | #private-bin palemoon | 20 | #private-bin palemoon |
21 | # private-etc must first be enabled in firefox-common.profile | 21 | # private-etc must first be enabled in firefox-common.profile |
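Review bot: Lines 17–18 only work in this order, and the file does not say so: assuming `ignore` affects every line parsed after it — including the `seccomp !chroot` that firefox-common.profile contributes via the redirect — putting `ignore seccomp` after this profile's own `seccomp` keeps the full filter and discards only the chroot exception, whereas the reverse order would leave Pale Moon with no seccomp filter at all. The ignore semantics are inferred from the reordering, not from visible parser code, so verify them. Suggested comment above line 18: `# keep after our own 'seccomp' line: ignore applies to everything that follows, including firefox-common.profile's 'seccomp !chroot'`.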
diff --git a/etc/qgis.profile b/etc/qgis.profile index 80a10efce..88ed0cd81 100644 --- a/etc/qgis.profile +++ b/etc/qgis.profile | |||
@@ -45,7 +45,7 @@ notv | |||
45 | nou2f | 45 | nou2f |
46 | novideo | 46 | novideo |
47 | # blacklisting of mbind system calls breaks old version | 47 | # blacklisting of mbind system calls breaks old version |
48 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice | 48 | seccomp !mbind |
49 | protocol unix,inet,inet6,netlink | 49 | protocol unix,inet,inet6,netlink |
50 | shell none | 50 | shell none |
51 | tracelog | 51 | tracelog |
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index abbd76aff..863f57ba4 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile | |||
@@ -22,7 +22,8 @@ include whitelist-var-common.inc | |||
22 | 22 | ||
23 | caps.drop all | 23 | caps.drop all |
24 | machine-id | 24 | machine-id |
25 | nodbus | 25 | # needs D-Bus when started from a file manager |
26 | #nodbus | ||
26 | nodvd | 27 | nodvd |
27 | nogroups | 28 | nogroups |
28 | nonewprivs | 29 | nonewprivs |
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 3f3270dd6..7aa71c848 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile | |||
@@ -21,7 +21,5 @@ mkdir ${HOME}/.config/qupzilla | |||
21 | whitelist ${HOME}/.cache/qupzilla | 21 | whitelist ${HOME}/.cache/qupzilla |
22 | whitelist ${HOME}/.config/qupzilla | 22 | whitelist ${HOME}/.config/qupzilla |
23 | 23 | ||
24 | # private-tmp - interferes with the opening of downloaded files | ||
25 | |||
26 | # Redirect | 24 | # Redirect |
27 | include falkon.profile | 25 | include falkon.profile |
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index a7ba18292..95c189458 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
@@ -36,5 +36,5 @@ noroot | |||
36 | notv | 36 | notv |
37 | protocol unix,inet,inet6,netlink | 37 | protocol unix,inet,inet6,netlink |
38 | # blacklisting of chroot system calls breaks qt webengine | 38 | # blacklisting of chroot system calls breaks qt webengine |
39 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 39 | seccomp !chroot |
40 | # tracelog | 40 | # tracelog |
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile index e6af4c2cb..4372fabe1 100644 --- a/etc/riot-desktop.profile +++ b/etc/riot-desktop.profile | |||
@@ -7,8 +7,7 @@ include riot-desktop.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | ignore seccomp | 10 | seccomp !chroot |
11 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | ||
12 | 11 | ||
13 | # Redirect | 12 | # Redirect |
14 | include riot-web.profile | 13 | include riot-web.profile |
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index b9a0fd149..fe29a6731 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -20,10 +20,8 @@ include disable-passwdmgr.inc | |||
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | mkdir ${HOME}/.config/dconf | ||
24 | mkdir ${HOME}/.gnupg | 23 | mkdir ${HOME}/.gnupg |
25 | mkdir ${HOME}/.ssh | 24 | mkdir ${HOME}/.ssh |
26 | whitelist ${HOME}/.config/dconf | ||
27 | whitelist ${HOME}/.gnupg | 25 | whitelist ${HOME}/.gnupg |
28 | whitelist ${HOME}/.ssh | 26 | whitelist ${HOME}/.ssh |
29 | whitelist /tmp/ssh-* | 27 | whitelist /tmp/ssh-* |
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile index 04696a918..f810a37ec 100644 --- a/etc/signal-desktop.profile +++ b/etc/signal-desktop.profile | |||
@@ -22,16 +22,12 @@ whitelist ${HOME}/.config/Signal | |||
22 | include whitelist-common.inc | 22 | include whitelist-common.inc |
23 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
24 | 24 | ||
25 | caps.drop all | 25 | caps.keep sys_admin,sys_chroot |
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | nonewprivs | ||
30 | noroot | ||
31 | notv | 29 | notv |
32 | nou2f | 30 | nou2f |
33 | protocol unix,inet,inet6,netlink | ||
34 | seccomp | ||
35 | shell none | 31 | shell none |
36 | 32 | ||
37 | disable-mnt | 33 | disable-mnt |
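Review bot: Line 25 retains `sys_admin` and `sys_chroot` while lines 29–34 remove `nonewprivs`, `noroot`, `protocol` and `seccomp`, so a compromised renderer now runs with the capability that governs mount, namespace and most other privileged operations, and with no syscall filter at all — a far weaker sandbox than the one being replaced. Presumably this is meant to let Chromium's setuid sandbox helper work; riot-desktop.profile in the same commit meets the chroot requirement with `seccomp !chroot` under `caps.drop all`, and that should be tried here first. If the setuid helper really is required, record why in a comment and still keep `protocol unix,inet,inet6,netlink` and `seccomp !chroot`, neither of which depends on capabilities.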
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 64441483d..a0c9e8303 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile | |||
@@ -27,7 +27,7 @@ notv | |||
27 | # novideo | 27 | # novideo |
28 | protocol unix,inet,inet6,netlink | 28 | protocol unix,inet,inet6,netlink |
29 | # blacklisting of ioperm system calls breaks simple-scan | 29 | # blacklisting of ioperm system calls breaks simple-scan |
30 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 30 | seccomp !ioperm |
31 | shell none | 31 | shell none |
32 | tracelog | 32 | tracelog |
33 | 33 | ||
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index c10be717b..6f9bfd201 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
@@ -27,7 +27,7 @@ notv | |||
27 | # novideo | 27 | # novideo |
28 | protocol unix,inet,inet6,netlink | 28 | protocol unix,inet,inet6,netlink |
29 | # blacklisting of ioperm system calls breaks skanlite | 29 | # blacklisting of ioperm system calls breaks skanlite |
30 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 30 | seccomp !ioperm |
31 | shell none | 31 | shell none |
32 | 32 | ||
33 | # private-bin kbuildsycoca4,kdeinit4,skanlite | 33 | # private-bin kbuildsycoca4,kdeinit4,skanlite |
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index 8a45f2465..341c25a95 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile | |||
@@ -16,16 +16,13 @@ include disable-exec.inc | |||
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-xdg.inc | ||
19 | 20 | ||
20 | caps.drop all | 21 | caps.keep sys_admin,sys_chroot |
21 | netfilter | 22 | netfilter |
22 | nodvd | 23 | nodvd |
23 | nogroups | 24 | nogroups |
24 | nonewprivs | ||
25 | noroot | ||
26 | notv | 25 | notv |
27 | protocol unix,inet,inet6,netlink | ||
28 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | ||
29 | shell none | 26 | shell none |
30 | 27 | ||
31 | disable-mnt | 28 | disable-mnt |
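Review bot: Line 21 keeps `sys_admin` and `sys_chroot` and lines 24–28 drop `nonewprivs`, `noroot`, `protocol` and the entire seccomp filter, which leaves Skype's Electron process with CAP_SYS_ADMIN and unrestricted syscalls inside the sandbox; the added `include disable-xdg.inc` on line 19 does not offset that. The likely motivation is Chromium's setuid sandbox helper, but riot-desktop.profile in this very commit handles the same need with `seccomp !chroot` while keeping `caps.drop all`, and that approach should be tried before granting sys_admin. If the helper genuinely needs the capability, say so in a comment and at least restore `protocol unix,inet,inet6,netlink` and `seccomp !chroot`, which do not depend on capabilities.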
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile index 5703f932a..aa6902854 100644 --- a/etc/standardnotes-desktop.profile +++ b/etc/standardnotes-desktop.profile | |||
@@ -34,7 +34,7 @@ nosound | |||
34 | notv | 34 | notv |
35 | nou2f | 35 | nou2f |
36 | protocol unix,inet,inet6,netlink | 36 | protocol unix,inet,inet6,netlink |
37 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 37 | seccomp !chroot |
38 | 38 | ||
39 | disable-mnt | 39 | disable-mnt |
40 | private-dev | 40 | private-dev |
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index 1c2a2cd10..a8b5d109e 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile | |||
@@ -28,7 +28,7 @@ notv | |||
28 | nou2f | 28 | nou2f |
29 | novideo | 29 | novideo |
30 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
31 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 31 | seccomp !chroot |
32 | shell none | 32 | shell none |
33 | # tracelog may cause issues, see github issue #1930 | 33 | # tracelog may cause issues, see github issue #1930 |
34 | #tracelog | 34 | #tracelog |
diff --git a/etc/tar.profile b/etc/tar.profile index cace89965..3fba96eee 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -40,7 +40,7 @@ tracelog | |||
40 | x11 none | 40 | x11 none |
41 | 41 | ||
42 | # support compressed archives | 42 | # support compressed archives |
43 | private-bin bash,bzip2,compress,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz | 43 | private-bin bash,bzip2,compress,firejail,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,group,localtime,passwd | 46 | private-etc alternatives,group,localtime,passwd |
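Review bot: Adding `firejail` to the private-bin list on line 43 places the setuid-root firejail binary inside the sandbox's private /bin, and the reason is not recorded; presumably it is so that firecfg symlinks for the compressors (e.g. `gzip` → firejail) still resolve when tar spawns them. That is harmless only while `nonewprivs` and `noroot` remain in the profile (both outside this hunk), since they neutralise the setuid bit, so the dependency is worth stating next to the change. Suggested comment above line 43: `# firejail is listed so that firecfg symlinks for the compressors resolve inside the sandbox; relies on nonewprivs/noroot above`.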
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile index b34d15731..c1c666f58 100644 --- a/etc/teamspeak3.profile +++ b/etc/teamspeak3.profile | |||
@@ -33,7 +33,7 @@ notv | |||
33 | nou2f | 33 | nou2f |
34 | novideo | 34 | novideo |
35 | protocol unix,inet,inet6,netlink | 35 | protocol unix,inet,inet6,netlink |
36 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 36 | seccomp !chroot |
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | disable-mnt | 39 | disable-mnt |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 0d67e222f..10b5ee2ae 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -138,6 +138,7 @@ include globals.local | |||
138 | # - packet almost never | 138 | # - packet almost never |
139 | #protocol unix,inet,inet6,netlink,packet | 139 | #protocol unix,inet,inet6,netlink,packet |
140 | #seccomp | 140 | #seccomp |
141 | ##seccomp !chroot | ||
141 | ##seccomp.drop SYSCALLS (see syscalls.txt) | 142 | ##seccomp.drop SYSCALLS (see syscalls.txt) |
142 | #shell none | 143 | #shell none |
143 | #tracelog | 144 | #tracelog |
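Review bot: The new `##seccomp !chroot` example on line 141 gives no hint of when an author should use it, whereas the profiles in this commit that adopt it (akregator, qutebrowser) explain the reason in a comment. Since new profiles are copied from this template, a one-line hint keeps `!chroot` from being cargo-culted into profiles that do not need the exception. Suggested line above it: `## chroot is needed by programs with a built-in Chromium/Qt WebEngine sandbox; otherwise leave it blocked`.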
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index bc45d9f9d..ea3b5a6b0 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -1,73 +1,107 @@ | |||
1 | Hints for writing seccomp.drop lines | 1 | Hints to write own seccomp filters |
2 | ==================================== | 2 | ================================== |
3 | |||
4 | |||
5 | The different seccomp commands | ||
6 | ------------------------------ | ||
7 | |||
8 | Always have a look at 'man 1 firejail'. | ||
9 | |||
10 | - seccomp | ||
11 | Blocks all syscalls in the default-group. | ||
12 | - The default-group is @default-nodebuggers, unless allow-debuggers is | ||
13 | specified, then @default is used. | ||
14 | - Listed syscalls and groups are also blocked. | ||
15 | - Exceptions are possible by putting a ! in before the name of a syscall. | ||
16 | - seccomp.block-secondary | ||
17 | Allows only native syscalls, all syscalls for other architectures are blocked. | ||
18 | - seccomp.drop | ||
19 | Blocks all listed syscalls. | ||
20 | - Exceptions are possible by putting a ! in before the name of a syscall. | ||
21 | - seccomp.keep | ||
22 | Allows only listed syscalls. | ||
23 | To write your own seccomp.keep line, see: | ||
24 | - https://firejail.wordpress.com/documentation-2/seccomp-guide/ | ||
25 | - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh | ||
3 | 26 | ||
4 | Definition of groups | 27 | Definition of groups |
5 | -------------------- | 28 | -------------------- |
6 | 29 | ||
30 | @aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit | ||
31 | @basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev | ||
32 | @chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32 | ||
7 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | 33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime |
8 | @module=delete_module,finit_module,init_module | ||
9 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
10 | @reboot=kexec_file_load,kexec_load,reboot | ||
11 | @swap=swapoff,swapon | ||
12 | |||
13 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | ||
14 | |||
15 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | 34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old |
16 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | 35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext |
17 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | 36 | @default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup |
18 | @resources=mbind,migrate_pages,move_pages,set_mempolicy | 37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv |
19 | |||
20 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | ||
21 | |||
22 | @default-nodebuggers=@default,personality,process_vm_readv,ptrace | ||
23 | |||
24 | @default-keep=execve,prctl | 38 | @default-keep=execve,prctl |
39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes | ||
40 | @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select | ||
41 | @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget | ||
42 | @keyring=add_key,keyctl,request_key | ||
43 | @memlock=mlock,mlock2,mlockall,munlock,munlockall | ||
44 | @module=delete_module,finit_module,init_module | ||
45 | @mount=chroot,mount,pivot_root,umount,umount2 | ||
46 | @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair | ||
47 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | ||
48 | @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup | ||
49 | @process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid | ||
50 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
51 | @reboot=kexec_load,kexec_file_load,reboot | ||
52 | @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy | ||
53 | @setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32 | ||
54 | @signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend | ||
55 | @swap=swapon,swapoff | ||
56 | @sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs | ||
57 | @system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice | ||
58 | @timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times | ||
25 | 59 | ||
26 | Inheritance of groups | 60 | Inheritance of groups |
27 | --------------------- | 61 | --------------------- |
28 | 62 | ||
29 | +---------+----------------+---------------+ | 63 | +---------------+ |
30 | | @clock | @cpu-emulation | @default-keep | | 64 | | @default-keep | |
31 | | @module | @debug | | | 65 | | @mount | |
32 | | @raw-io | @obsolete | | | 66 | +---------------+ |
33 | | @reboot | @resources | | | 67 | |
34 | | @swap | | | | 68 | +----------------+ +---------+ +--------+ +--------------+ |
35 | +---------+----------------+---------------+ | 69 | | @cpu-emulation | | @clock | | @chown | | @aio | |
36 | : : | 70 | | @debug | | @module | +--------+ | @basic-io | |
37 | +-------------+ : | 71 | | @obsolete | | @raw-io | : : | @file-system | |
38 | | @privileged | : | 72 | +----------------+ | @reboot | : : | @io-event | |
39 | +-------------+ : | 73 | : | @swap | : : | @ipc | |
40 | : : | 74 | : +---------+ : : | @keyring | |
41 | +----------+ : | 75 | : : : : : | @memlock | |
42 | | @default |........: | 76 | : ..............: : : : | @network-io | |
43 | +----------+ | 77 | : : : ........: : | @process | |
44 | : | 78 | : : : : : | @resources | |
45 | +----------------------+ | 79 | +----------+ +-------------+ : | @setuid | |
46 | | @default-nodebuggers | | 80 | | @default | | @privileged | : | @signal | |
47 | +----------------------+ | 81 | +----------+ +-------------+ : | @sync | |
48 | 82 | : : : | @timer | | |
49 | common used seccomp.drop lines | 83 | : :........................... : +--------------+ |
50 | ------------------------------ | 84 | : : : : |
51 | 85 | +----------------------+ +-----------------+ | |
52 | @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 86 | | @default-nodebuggers | | @system-service | |
53 | 87 | +----------------------+ +-----------------+ | |
54 | @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 88 | |
55 | 89 | ||
56 | Building a seccomp.drop line if seccomp breaks a programm | 90 | What to do if seccomp breaks a program |
57 | --------------------------------------------------------- | 91 | -------------------------------------- |
58 | 92 | ||
59 | ``` | 93 | ``` |
60 | $ journalctl --grep=syscall --follow | 94 | $ journalctl --grep=syscall --follow |
61 | <...> audit[…]: SECCOMP <...> syscall=161 <...> | 95 | <...> audit[…]: SECCOMP <...> syscall=161 <...> |
62 | $ firejail --debug-syscalls | grep 161 | 96 | $ firejail --debug-syscalls | grep 161 |
63 | 161 - chroot | 97 | 161 - chroot |
64 | ``` | 98 | ``` |
99 | Profile: `seccomp -> seccomp !chroot` | ||
65 | 100 | ||
66 | TODO: write a short explanation | 101 | Start `journalctl --grep=syscall --follow` in a terminal, then start the broken |
67 | TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible | 102 | program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. |
68 | 103 | Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You | |
69 | see also | 104 | will see something like `NUMBER - NAME`, because you now know the name of the |
70 | -------- | 105 | syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. |
71 | 106 | ||
72 | - contrib/syscalls.sh | 107 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. |
73 | - https://firejail.wordpress.com/documentation-2/seccomp-guide/ | ||
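Review bot: The new `@default` definition on line 36 is missing a comma: `set_mempolicyvmsplice` should read `set_mempolicy,vmsplice`, otherwise anyone copying the group into a seccomp.drop line gets one malformed name in place of two syscalls. The same line also spells out io_setup, io_destroy, io_getevents, io_submit and io_cancel individually although the new `@aio` group on line 30 covers them (plus io_pgetevents), which suggests the list was carried over from the previous version rather than derived from the groups; worth checking which form matches the compiled-in defaults. The `@default-nodebuggers` line that follows and the profile changes elsewhere in this commit rely on these definitions being accurate.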
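--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog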
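Review bot: The equivalence of `seccomp !chroot` on line 45 with the removed seccomp.drop list holds only while the profile does not set `allow-debuggers`: the old line explicitly dropped ptrace, personality and process_vm_readv, whereas a bare `seccomp` switches from `@default-nodebuggers` to `@default` as soon as allow-debuggers is present (see the syscalls.txt rewritten in this commit). A one-line comment would keep that dependency visible, e.g. `# seccomp !chroot = @default-nodebuggers minus chroot; re-check before adding allow-debuggers`. The beginning of the profile is outside the hunk, so whether allow-debuggers already appears there cannot be confirmed here.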
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 9c1b7b92c..717c82379 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -20,10 +20,6 @@ whitelist ${HOME}/.local/share/icons | |||
20 | whitelist ${HOME}/.local/share/mime | 20 | whitelist ${HOME}/.local/share/mime |
21 | whitelist ${HOME}/.mime.types | 21 | whitelist ${HOME}/.mime.types |
22 | 22 | ||
23 | # dconf | ||
24 | mkdir ${HOME}/.config/dconf | ||
25 | whitelist ${HOME}/.config/dconf | ||
26 | |||
27 | # fonts | 23 | # fonts |
28 | whitelist ${HOME}/.cache/fontconfig | 24 | whitelist ${HOME}/.cache/fontconfig |
29 | whitelist ${HOME}/.config/fontconfig | 25 | whitelist ${HOME}/.config/fontconfig |