author | netblue30 <netblue30@yahoo.com> | 2016-02-08 10:33:18 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-08 10:33:18 -0500 |
commit | 3dbeb2f2559934eff1fd62d63430a5c7548b0934 (patch) | |
tree | c567faeeb212868ce515ef02f3e41f856e17cc87 /src/firejail/seccomp.c | |
parent | 0.9.38 released (diff) | |
default seccomp filter update
Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 21 |
1 files changed, 21 insertions, 0 deletions
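diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7a015963b..b0c960754 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -373,6 +373,10 @@ void seccomp_filter_32(void) {
 BLACKLIST(317), // move_pages
 BLACKLIST(316), // vmsplice
 BLACKLIST(61), // chroot
+BLACKLIST(243), // set_thread_area
+BLACKLIST(88), // reboot
+BLACKLIST(169), // nfsservctl
+BLACKLIST(130), // get_kernel_syms
 RETURN_ALLOW
 };
 
@@ -562,6 +566,23 @@ int seccomp_filter_drop(int enforce_seccomp) {
 // 32bit
 // filter_add_blacklist(SYS_personality, 0); // test wine
 // filter_add_blacklist(SYS_set_thread_area, 0); // test wine
+
+// 0.9.39
+#ifdef SYS_set_thread_area
+filter_add_blacklist(SYS_set_thread_area, 0);
+#endif
+#ifdef SYS_tuxcall
+filter_add_blacklist(SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+filter_add_blacklist(SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+filter_add_blacklist(SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+filter_add_blacklist(SYS_get_kernel_syms, 0);
+#endif
 }
 
 // default seccomp filter with additional drop list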
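Review bot: The new `filter_add_blacklist(SYS_set_thread_area, 0);` in seccomp_filter_drop sits directly under the commented-out copy of the same call marked `// test wine`, so the file now both disables and enables this rule without saying which is intended. 32-bit x86 programs generally set up thread-local storage through set_thread_area, so this rule and `BLACKLIST(243)` in seccomp_filter_32 may stop such programs (Wine included) from starting under the default filter; that should be confirmed with a 32-bit binary before the rule ships. If the block is deliberate, delete the stale commented-out line and record the decision next to the new one, e.g. `// 0.9.39: set_thread_area blocked by default (previously left out for wine testing)`. The body of seccomp_filter_drop begins above this hunk, so how `enforce_seccomp` affects these additions is not visible here.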