default seccomp filter update

author: netblue30 <netblue30@yahoo.com> 2016-02-08 10:33:18 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-08 10:33:18 -0500
commit: 3dbeb2f2559934eff1fd62d63430a5c7548b0934 (patch)
tree: c567faeeb212868ce515ef02f3e41f856e17cc87 /src/firejail/seccomp.c
parent: 0.9.38 released (diff)
download: firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.tar.gz
firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.tar.zst
firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.zip
1 files changed, 21 insertions, 0 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7a015963b..b0c960754 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -373,6 +373,10 @@ void seccomp_filter_32(void) {
                BLACKLIST(317), // move_pages
                BLACKLIST(316), // vmsplice
                BLACKLIST(61),  // chroot
+                BLACKLIST(243), // set_thread_area
+                BLACKLIST(88), // reboot
+                BLACKLIST(169), // nfsservctl
+                BLACKLIST(130), // get_kernel_syms
                RETURN_ALLOW
        };
@@ -562,6 +566,23 @@ int seccomp_filter_drop(int enforce_seccomp) {
 // 32bit
 //              filter_add_blacklist(SYS_personality, 0); // test wine
 //              filter_add_blacklist(SYS_set_thread_area, 0); // test wine
+// 0.9.39
+#ifdef SYS_set_thread_area
+                filter_add_blacklist(SYS_set_thread_area, 0);
+#endif
+#ifdef SYS_tuxcall
+                filter_add_blacklist(SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+                filter_add_blacklist(SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+                filter_add_blacklist(SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+                filter_add_blacklist(SYS_get_kernel_syms, 0);
+#endif
        }
        // default seccomp filter with additional drop list
author	netblue30 <netblue30@yahoo.com>	2016-02-08 10:33:18 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-08 10:33:18 -0500
commit	3dbeb2f2559934eff1fd62d63430a5c7548b0934 (patch)
tree	c567faeeb212868ce515ef02f3e41f856e17cc87 /src/firejail/seccomp.c
parent	0.9.38 released (diff)
download	firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.tar.gz firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.tar.zst firejail-3dbeb2f2559934eff1fd62d63430a5c7548b0934.zip

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7a015963b..b0c960754 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -373,6 +373,10 @@ void seccomp_filter_32(void) {
373	BLACKLIST(317), // move_pages	373	BLACKLIST(317), // move_pages
374	BLACKLIST(316), // vmsplice	374	BLACKLIST(316), // vmsplice
375	BLACKLIST(61), // chroot	375	BLACKLIST(61), // chroot
		376	BLACKLIST(243), // set_thread_area
		377	BLACKLIST(88), // reboot
		378	BLACKLIST(169), // nfsservctl
		379	BLACKLIST(130), // get_kernel_syms
376	RETURN_ALLOW	380	RETURN_ALLOW
377	};	381	};
378		382
@@ -562,6 +566,23 @@ int seccomp_filter_drop(int enforce_seccomp) {
562	// 32bit	566	// 32bit
563	// filter_add_blacklist(SYS_personality, 0); // test wine	567	// filter_add_blacklist(SYS_personality, 0); // test wine
564	// filter_add_blacklist(SYS_set_thread_area, 0); // test wine	568	// filter_add_blacklist(SYS_set_thread_area, 0); // test wine
		569
		570	// 0.9.39
		571	#ifdef SYS_set_thread_area
		572	filter_add_blacklist(SYS_set_thread_area, 0);
		573	#endif
		574	#ifdef SYS_tuxcall
		575	filter_add_blacklist(SYS_tuxcall, 0);
		576	#endif
		577	#ifdef SYS_reboot
		578	filter_add_blacklist(SYS_reboot, 0);
		579	#endif
		580	#ifdef SYS_nfsservctl
		581	filter_add_blacklist(SYS_nfsservctl, 0);
		582	#endif
		583	#ifdef SYS_get_kernel_syms
		584	filter_add_blacklist(SYS_get_kernel_syms, 0);
		585	#endif
565	}	586	}
566		587
567	// default seccomp filter with additional drop list	588	// default seccomp filter with additional drop list