Seccomp: system call grouping and call numbers

author: Topi Miettinen <toiwoton@gmail.com> 2017-08-06 21:58:35 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-08-06 23:24:20 +0300
commit: 34ee8e03f58c4c51c3aa29f553e06570d0654db2 (patch)
tree: 05b191c778a7b871e339bdf6c6017606404a917e /src/fseccomp/seccomp.c
parent: private-lib fixes (diff)
download: firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.tar.gz
firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.tar.zst
firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.zip
1 files changed, 10 insertions, 307 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index a30a9e00b..a3db46aad 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -25,319 +25,24 @@
 #include <sys/types.h>
 static void add_default_list(int fd, int allow_debuggers) {
-#ifdef SYS_mount
+        int r;
-        filter_add_blacklist(fd, SYS_mount, 0);
+        if (!allow_debuggers)
-#endif
+                r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0);
-#ifdef SYS_umount2
+        else
-        filter_add_blacklist(fd, SYS_umount2, 0);
+                r = syscall_check_list("@default", filter_add_blacklist, fd, 0);
-#endif
-        if (!allow_debuggers) {
+        assert(r == 0);
-#ifdef SYS_ptrace
-                filter_add_blacklist(fd, SYS_ptrace, 0);
-#endif
-        }
-#ifdef SYS_kexec_load
-        filter_add_blacklist(fd, SYS_kexec_load, 0);
-#endif
-#ifdef SYS_kexec_file_load
-        filter_add_blacklist(fd, SYS_kexec_file_load, 0);
-#endif
-#ifdef SYS_open_by_handle_at
-        filter_add_blacklist(fd, SYS_open_by_handle_at, 0);
-#endif
-#ifdef SYS_name_to_handle_at
-        filter_add_blacklist(fd, SYS_name_to_handle_at, 0);
-#endif
-#ifdef SYS_init_module
-        filter_add_blacklist(fd, SYS_init_module, 0);
-#endif
-#ifdef SYS_finit_module
-        filter_add_blacklist(fd, SYS_finit_module, 0);
-#endif
-#ifdef SYS_create_module
-        filter_add_blacklist(fd, SYS_create_module, 0);
-#endif
-#ifdef SYS_delete_module
-        filter_add_blacklist(fd, SYS_delete_module, 0);
-#endif
-#ifdef SYS_iopl
-        filter_add_blacklist(fd, SYS_iopl, 0);
-#endif
-#ifdef  SYS_ioperm
-        filter_add_blacklist(fd, SYS_ioperm, 0);
-#endif
-#ifdef  SYS_ioprio_set
-        filter_add_blacklist(fd, SYS_ioprio_set, 0);
-#endif
-#ifdef SYS_ni_syscall
-        filter_add_blacklist(fd, SYS_ni_syscall, 0);
-#endif
-#ifdef SYS_swapon
-        filter_add_blacklist(fd, SYS_swapon, 0);
-#endif
-#ifdef SYS_swapoff
-        filter_add_blacklist(fd, SYS_swapoff, 0);
-#endif
-#ifdef SYS_syslog
-        filter_add_blacklist(fd, SYS_syslog, 0);
-#endif
-        if (!allow_debuggers) {
-#ifdef SYS_process_vm_readv
-                filter_add_blacklist(fd, SYS_process_vm_readv, 0);
-#endif
-        }
-#ifdef SYS_process_vm_writev
-        filter_add_blacklist(fd, SYS_process_vm_writev, 0);
-#endif
 //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
 //              filter_add_blacklist(SYS_mknod, 0);
 //#endif
-#ifdef SYS_sysfs
-        filter_add_blacklist(fd, SYS_sysfs, 0);
-#endif
-#ifdef SYS__sysctl
-        filter_add_blacklist(fd, SYS__sysctl, 0);
-#endif
-#ifdef SYS_adjtimex
-        filter_add_blacklist(fd, SYS_adjtimex, 0);
-#endif
-#ifdef  SYS_clock_adjtime
-        filter_add_blacklist(fd, SYS_clock_adjtime, 0);
-#endif
-#ifdef SYS_lookup_dcookie
-        filter_add_blacklist(fd, SYS_lookup_dcookie, 0);
-#endif
-#ifdef  SYS_perf_event_open
-        filter_add_blacklist(fd, SYS_perf_event_open, 0);
-#endif
-#ifdef  SYS_fanotify_init
-        filter_add_blacklist(fd, SYS_fanotify_init, 0);
-#endif
-#ifdef SYS_kcmp
-        filter_add_blacklist(fd, SYS_kcmp, 0);
-#endif
-#ifdef SYS_add_key
-        filter_add_blacklist(fd, SYS_add_key, 0);
-#endif
-#ifdef SYS_request_key
-        filter_add_blacklist(fd, SYS_request_key, 0);
-#endif
-#ifdef SYS_keyctl
-        filter_add_blacklist(fd, SYS_keyctl, 0);
-#endif
-#ifdef SYS_uselib
-        filter_add_blacklist(fd, SYS_uselib, 0);
-#endif
-#ifdef SYS_acct
-        filter_add_blacklist(fd, SYS_acct, 0);
-#endif
-#ifdef SYS_modify_ldt
-        filter_add_blacklist(fd, SYS_modify_ldt, 0);
-#endif
-#ifdef SYS_pivot_root
-        filter_add_blacklist(fd, SYS_pivot_root, 0);
-#endif
-#ifdef SYS_io_setup
-        filter_add_blacklist(fd, SYS_io_setup, 0);
-#endif
-#ifdef SYS_io_destroy
-        filter_add_blacklist(fd, SYS_io_destroy, 0);
-#endif
-#ifdef SYS_io_getevents
-        filter_add_blacklist(fd, SYS_io_getevents, 0);
-#endif
-#ifdef SYS_io_submit
-        filter_add_blacklist(fd, SYS_io_submit, 0);
-#endif
-#ifdef SYS_io_cancel
-        filter_add_blacklist(fd, SYS_io_cancel, 0);
-#endif
-#ifdef SYS_remap_file_pages
-        filter_add_blacklist(fd, SYS_remap_file_pages, 0);
-#endif
-#ifdef SYS_mbind
-        filter_add_blacklist(fd, SYS_mbind, 0);
-#endif
 // breaking Firefox nightly when playing youtube videos
 // TODO: test again when firefox sandbox is finally released
 //#ifdef SYS_get_mempolicy
 //      filter_add_blacklist(fd, SYS_get_mempolicy, 0);
 //#endif
-#ifdef SYS_set_mempolicy
-        filter_add_blacklist(fd, SYS_set_mempolicy, 0);
-#endif
-#ifdef SYS_migrate_pages
-        filter_add_blacklist(fd, SYS_migrate_pages, 0);
-#endif
-#ifdef SYS_move_pages
-        filter_add_blacklist(fd, SYS_move_pages, 0);
-#endif
-#ifdef SYS_vmsplice
-        filter_add_blacklist(fd, SYS_vmsplice, 0);
-#endif
-#ifdef SYS_chroot
-        filter_add_blacklist(fd, SYS_chroot, 0);
-#endif
-#ifdef SYS_tuxcall
-        filter_add_blacklist(fd, SYS_tuxcall, 0);
-#endif
-#ifdef SYS_reboot
-        filter_add_blacklist(fd, SYS_reboot, 0);
-#endif
-#ifdef SYS_nfsservctl
-        filter_add_blacklist(fd, SYS_nfsservctl, 0);
-#endif
-#ifdef SYS_get_kernel_syms
-        filter_add_blacklist(fd, SYS_get_kernel_syms, 0);
-#endif
-// 0.9.45
-#ifdef SYS_bpf
-        filter_add_blacklist(fd, SYS_bpf, 0);
-#endif
-#ifdef SYS_clock_settime
-        filter_add_blacklist(fd, SYS_clock_settime, 0);
-#endif
-//#ifdef SYS_clone - in use by Firejail
-//      filter_add_blacklist(fd, SYS_clone, 0);
-//#endif
-#ifdef SYS_personality
-        filter_add_blacklist(fd, SYS_personality, 0);
-#endif
-#ifdef SYS_process_vm_writev
-        filter_add_blacklist(fd, SYS_process_vm_writev, 0);
-#endif
-#ifdef SYS_query_module
-        filter_add_blacklist(fd, SYS_query_module, 0);
-#endif
 //#ifdef SYS_quotactl - in use by Firefox
 //      filter_add_blacklist(fd, SYS_quotactl, 0);
 //#endif
-//#ifdef SYS_setns - in use by Firejail
-//      filter_add_blacklist(fd, SYS_setns, 0);
-//#endif
-#ifdef SYS_settimeofday
-        filter_add_blacklist(fd, SYS_settimeofday, 0);
-#endif
-#ifdef SYS_stime
-        filter_add_blacklist(fd, SYS_stime, 0);
-#endif
-#ifdef SYS_umount
-        filter_add_blacklist(fd, SYS_umount, 0);
-#endif
-//#ifdef SYS_unshare - in use by Firejail
-//      filter_add_blacklist(fd, SYS_unshare, 0);
-//#endif
-#ifdef SYS_userfaultfd
-        filter_add_blacklist(fd, SYS_userfaultfd, 0);
-#endif
-#ifdef SYS_ustat
-        filter_add_blacklist(fd, SYS_ustat, 0);
-#endif
-#ifdef SYS_vm86
-        filter_add_blacklist(fd, SYS_vm86, 0);
-#endif
-#ifdef SYS_vm86old
-        filter_add_blacklist(fd, SYS_vm86old, 0);
-#endif
-#ifdef SYS_afs_syscall
-        filter_add_blacklist(fd, SYS_afs_syscall, 0);
-#endif
-#ifdef SYS_bdflush
-        filter_add_blacklist(fd, SYS_bdflush, 0);
-#endif
-#ifdef SYS_break
-        filter_add_blacklist(fd, SYS_break, 0);
-#endif
-#ifdef SYS_ftime
-        filter_add_blacklist(fd, SYS_ftime, 0);
-#endif
-#ifdef SYS_getpmsg
-        filter_add_blacklist(fd, SYS_getpmsg, 0);
-#endif
-#ifdef SYS_gtty
-        filter_add_blacklist(fd, SYS_gtty, 0);
-#endif
-#ifdef SYS_lock
-        filter_add_blacklist(fd, SYS_lock, 0);
-#endif
-#ifdef SYS_mpx
-        filter_add_blacklist(fd, SYS_mpx, 0);
-#endif
-#ifdef SYS_pciconfig_iobase
-        filter_add_blacklist(fd, SYS_pciconfig_iobase, 0);
-#endif
-#ifdef SYS_pciconfig_read
-        filter_add_blacklist(fd, SYS_pciconfig_read, 0);
-#endif
-#ifdef SYS_pciconfig_write
-        filter_add_blacklist(fd, SYS_pciconfig_write, 0);
-#endif
-#ifdef SYS_prof
-        filter_add_blacklist(fd, SYS_prof, 0);
-#endif
-#ifdef SYS_profil
-        filter_add_blacklist(fd, SYS_profil, 0);
-#endif
-#ifdef SYS_putpmsg
-        filter_add_blacklist(fd, SYS_putpmsg, 0);
-#endif
-#ifdef SYS_rtas
-        filter_add_blacklist(fd, SYS_rtas, 0);
-#endif
-#ifdef SYS_s390_runtime_instr
-        filter_add_blacklist(fd, SYS_s390_runtime_instr, 0);
-#endif
-#ifdef SYS_s390_mmio_read
-        filter_add_blacklist(fd, SYS_s390_mmio_read, 0);
-#endif
-#ifdef SYS_s390_mmio_write
-        filter_add_blacklist(fd, SYS_s390_mmio_write, 0);
-#endif
-#ifdef SYS_security
-        filter_add_blacklist(fd, SYS_security, 0);
-#endif
-#ifdef SYS_setdomainname
-        filter_add_blacklist(fd, SYS_setdomainname, 0);
-#endif
-#ifdef SYS_sethostname
-        filter_add_blacklist(fd, SYS_sethostname, 0);
-#endif
-#ifdef SYS_sgetmask
-        filter_add_blacklist(fd, SYS_sgetmask, 0);
-#endif
-#ifdef SYS_ssetmask
-        filter_add_blacklist(fd, SYS_ssetmask, 0);
-#endif
-#ifdef SYS_stty
-        filter_add_blacklist(fd, SYS_stty, 0);
-#endif
-#ifdef SYS_subpage_prot
-        filter_add_blacklist(fd, SYS_subpage_prot, 0);
-#endif
-#ifdef SYS_switch_endian
-        filter_add_blacklist(fd, SYS_switch_endian, 0);
-#endif
-#ifdef SYS_sys_debug_setcontext
-        filter_add_blacklist(fd, SYS_sys_debug_setcontext, 0);
-#endif
-#ifdef SYS_ulimit
-        filter_add_blacklist(fd, SYS_ulimit, 0);
-#endif
-#ifdef SYS_vhangup
-        filter_add_blacklist(fd, SYS_vhangup, 0);
-#endif
-#ifdef SYS_vserver
-        filter_add_blacklist(fd, SYS_vserver, 0);
-#endif
 }
 // default list
@@ -418,12 +123,10 @@ void seccomp_keep(const char *fname, char *list) {
        // build filter
        filter_init(fd);
-        // these 4 syscalls are used by firejail after the seccomp filter is initialized
+        // these syscalls are used by firejail after the seccomp filter is initialized
-        filter_add_whitelist(fd, SYS_setuid, 0);
+        int r;
-        filter_add_whitelist(fd, SYS_setgid, 0);
+        r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0);
-        filter_add_whitelist(fd, SYS_setgroups, 0);
+        assert(r == 0);
-        filter_add_whitelist(fd, SYS_dup, 0);
-        filter_add_whitelist(fd, SYS_prctl, 0);
        if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
author	Topi Miettinen <toiwoton@gmail.com>	2017-08-06 21:58:35 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-08-06 23:24:20 +0300
commit	34ee8e03f58c4c51c3aa29f553e06570d0654db2 (patch)
tree	05b191c778a7b871e339bdf6c6017606404a917e /src/fseccomp/seccomp.c
parent	private-lib fixes (diff)
download	firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.tar.gz firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.tar.zst firejail-34ee8e03f58c4c51c3aa29f553e06570d0654db2.zip

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index a30a9e00b..a3db46aad 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -25,319 +25,24 @@
25	#include <sys/types.h>	25	#include <sys/types.h>
26		26
27	static void add_default_list(int fd, int allow_debuggers) {	27	static void add_default_list(int fd, int allow_debuggers) {
28	#ifdef SYS_mount	28	int r;
29	filter_add_blacklist(fd, SYS_mount, 0);	29	if (!allow_debuggers)
30	#endif	30	r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0);
31	#ifdef SYS_umount2	31	else
32	filter_add_blacklist(fd, SYS_umount2, 0);	32	r = syscall_check_list("@default", filter_add_blacklist, fd, 0);
33	#endif
34		33
35	if (!allow_debuggers) {	34	assert(r == 0);
36	#ifdef SYS_ptrace
37	filter_add_blacklist(fd, SYS_ptrace, 0);
38	#endif
39	}
40
41	#ifdef SYS_kexec_load
42	filter_add_blacklist(fd, SYS_kexec_load, 0);
43	#endif
44	#ifdef SYS_kexec_file_load
45	filter_add_blacklist(fd, SYS_kexec_file_load, 0);
46	#endif
47	#ifdef SYS_open_by_handle_at
48	filter_add_blacklist(fd, SYS_open_by_handle_at, 0);
49	#endif
50	#ifdef SYS_name_to_handle_at
51	filter_add_blacklist(fd, SYS_name_to_handle_at, 0);
52	#endif
53	#ifdef SYS_init_module
54	filter_add_blacklist(fd, SYS_init_module, 0);
55	#endif
56	#ifdef SYS_finit_module
57	filter_add_blacklist(fd, SYS_finit_module, 0);
58	#endif
59	#ifdef SYS_create_module
60	filter_add_blacklist(fd, SYS_create_module, 0);
61	#endif
62	#ifdef SYS_delete_module
63	filter_add_blacklist(fd, SYS_delete_module, 0);
64	#endif
65	#ifdef SYS_iopl
66	filter_add_blacklist(fd, SYS_iopl, 0);
67	#endif
68	#ifdef SYS_ioperm
69	filter_add_blacklist(fd, SYS_ioperm, 0);
70	#endif
71	#ifdef SYS_ioprio_set
72	filter_add_blacklist(fd, SYS_ioprio_set, 0);
73	#endif
74	#ifdef SYS_ni_syscall
75	filter_add_blacklist(fd, SYS_ni_syscall, 0);
76	#endif
77	#ifdef SYS_swapon
78	filter_add_blacklist(fd, SYS_swapon, 0);
79	#endif
80	#ifdef SYS_swapoff
81	filter_add_blacklist(fd, SYS_swapoff, 0);
82	#endif
83	#ifdef SYS_syslog
84	filter_add_blacklist(fd, SYS_syslog, 0);
85	#endif
86
87	if (!allow_debuggers) {
88	#ifdef SYS_process_vm_readv
89	filter_add_blacklist(fd, SYS_process_vm_readv, 0);
90	#endif
91	}
92
93	#ifdef SYS_process_vm_writev
94	filter_add_blacklist(fd, SYS_process_vm_writev, 0);
95	#endif
96	//#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension	35	//#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
97	// filter_add_blacklist(SYS_mknod, 0);	36	// filter_add_blacklist(SYS_mknod, 0);
98	//#endif	37	//#endif
99	#ifdef SYS_sysfs
100	filter_add_blacklist(fd, SYS_sysfs, 0);
101	#endif
102	#ifdef SYS__sysctl
103	filter_add_blacklist(fd, SYS__sysctl, 0);
104	#endif
105	#ifdef SYS_adjtimex
106	filter_add_blacklist(fd, SYS_adjtimex, 0);
107	#endif
108	#ifdef SYS_clock_adjtime
109	filter_add_blacklist(fd, SYS_clock_adjtime, 0);
110	#endif
111	#ifdef SYS_lookup_dcookie
112	filter_add_blacklist(fd, SYS_lookup_dcookie, 0);
113	#endif
114	#ifdef SYS_perf_event_open
115	filter_add_blacklist(fd, SYS_perf_event_open, 0);
116	#endif
117	#ifdef SYS_fanotify_init
118	filter_add_blacklist(fd, SYS_fanotify_init, 0);
119	#endif
120	#ifdef SYS_kcmp
121	filter_add_blacklist(fd, SYS_kcmp, 0);
122	#endif
123	#ifdef SYS_add_key
124	filter_add_blacklist(fd, SYS_add_key, 0);
125	#endif
126	#ifdef SYS_request_key
127	filter_add_blacklist(fd, SYS_request_key, 0);
128	#endif
129	#ifdef SYS_keyctl
130	filter_add_blacklist(fd, SYS_keyctl, 0);
131	#endif
132	#ifdef SYS_uselib
133	filter_add_blacklist(fd, SYS_uselib, 0);
134	#endif
135	#ifdef SYS_acct
136	filter_add_blacklist(fd, SYS_acct, 0);
137	#endif
138	#ifdef SYS_modify_ldt
139	filter_add_blacklist(fd, SYS_modify_ldt, 0);
140	#endif
141	#ifdef SYS_pivot_root
142	filter_add_blacklist(fd, SYS_pivot_root, 0);
143	#endif
144	#ifdef SYS_io_setup
145	filter_add_blacklist(fd, SYS_io_setup, 0);
146	#endif
147	#ifdef SYS_io_destroy
148	filter_add_blacklist(fd, SYS_io_destroy, 0);
149	#endif
150	#ifdef SYS_io_getevents
151	filter_add_blacklist(fd, SYS_io_getevents, 0);
152	#endif
153	#ifdef SYS_io_submit
154	filter_add_blacklist(fd, SYS_io_submit, 0);
155	#endif
156	#ifdef SYS_io_cancel
157	filter_add_blacklist(fd, SYS_io_cancel, 0);
158	#endif
159	#ifdef SYS_remap_file_pages
160	filter_add_blacklist(fd, SYS_remap_file_pages, 0);
161	#endif
162	#ifdef SYS_mbind
163	filter_add_blacklist(fd, SYS_mbind, 0);
164	#endif
165
166	// breaking Firefox nightly when playing youtube videos	38	// breaking Firefox nightly when playing youtube videos
167	// TODO: test again when firefox sandbox is finally released	39	// TODO: test again when firefox sandbox is finally released
168	//#ifdef SYS_get_mempolicy	40	//#ifdef SYS_get_mempolicy
169	// filter_add_blacklist(fd, SYS_get_mempolicy, 0);	41	// filter_add_blacklist(fd, SYS_get_mempolicy, 0);
170	//#endif	42	//#endif
171
172	#ifdef SYS_set_mempolicy
173	filter_add_blacklist(fd, SYS_set_mempolicy, 0);
174	#endif
175	#ifdef SYS_migrate_pages
176	filter_add_blacklist(fd, SYS_migrate_pages, 0);
177	#endif
178	#ifdef SYS_move_pages
179	filter_add_blacklist(fd, SYS_move_pages, 0);
180	#endif
181	#ifdef SYS_vmsplice
182	filter_add_blacklist(fd, SYS_vmsplice, 0);
183	#endif
184	#ifdef SYS_chroot
185	filter_add_blacklist(fd, SYS_chroot, 0);
186	#endif
187	#ifdef SYS_tuxcall
188	filter_add_blacklist(fd, SYS_tuxcall, 0);
189	#endif
190	#ifdef SYS_reboot
191	filter_add_blacklist(fd, SYS_reboot, 0);
192	#endif
193	#ifdef SYS_nfsservctl
194	filter_add_blacklist(fd, SYS_nfsservctl, 0);
195	#endif
196	#ifdef SYS_get_kernel_syms
197	filter_add_blacklist(fd, SYS_get_kernel_syms, 0);
198	#endif
199
200	// 0.9.45
201	#ifdef SYS_bpf
202	filter_add_blacklist(fd, SYS_bpf, 0);
203	#endif
204	#ifdef SYS_clock_settime
205	filter_add_blacklist(fd, SYS_clock_settime, 0);
206	#endif
207	//#ifdef SYS_clone - in use by Firejail
208	// filter_add_blacklist(fd, SYS_clone, 0);
209	//#endif
210	#ifdef SYS_personality
211	filter_add_blacklist(fd, SYS_personality, 0);
212	#endif
213	#ifdef SYS_process_vm_writev
214	filter_add_blacklist(fd, SYS_process_vm_writev, 0);
215	#endif
216	#ifdef SYS_query_module
217	filter_add_blacklist(fd, SYS_query_module, 0);
218	#endif
219	//#ifdef SYS_quotactl - in use by Firefox	43	//#ifdef SYS_quotactl - in use by Firefox
220	// filter_add_blacklist(fd, SYS_quotactl, 0);	44	// filter_add_blacklist(fd, SYS_quotactl, 0);
221	//#endif	45	//#endif
222	//#ifdef SYS_setns - in use by Firejail
223	// filter_add_blacklist(fd, SYS_setns, 0);
224	//#endif
225	#ifdef SYS_settimeofday
226	filter_add_blacklist(fd, SYS_settimeofday, 0);
227	#endif
228	#ifdef SYS_stime
229	filter_add_blacklist(fd, SYS_stime, 0);
230	#endif
231	#ifdef SYS_umount
232	filter_add_blacklist(fd, SYS_umount, 0);
233	#endif
234	//#ifdef SYS_unshare - in use by Firejail
235	// filter_add_blacklist(fd, SYS_unshare, 0);
236	//#endif
237	#ifdef SYS_userfaultfd
238	filter_add_blacklist(fd, SYS_userfaultfd, 0);
239	#endif
240	#ifdef SYS_ustat
241	filter_add_blacklist(fd, SYS_ustat, 0);
242	#endif
243	#ifdef SYS_vm86
244	filter_add_blacklist(fd, SYS_vm86, 0);
245	#endif
246	#ifdef SYS_vm86old
247	filter_add_blacklist(fd, SYS_vm86old, 0);
248	#endif
249
250	#ifdef SYS_afs_syscall
251	filter_add_blacklist(fd, SYS_afs_syscall, 0);
252	#endif
253	#ifdef SYS_bdflush
254	filter_add_blacklist(fd, SYS_bdflush, 0);
255	#endif
256	#ifdef SYS_break
257	filter_add_blacklist(fd, SYS_break, 0);
258	#endif
259	#ifdef SYS_ftime
260	filter_add_blacklist(fd, SYS_ftime, 0);
261	#endif
262	#ifdef SYS_getpmsg
263	filter_add_blacklist(fd, SYS_getpmsg, 0);
264	#endif
265	#ifdef SYS_gtty
266	filter_add_blacklist(fd, SYS_gtty, 0);
267	#endif
268	#ifdef SYS_lock
269	filter_add_blacklist(fd, SYS_lock, 0);
270	#endif
271	#ifdef SYS_mpx
272	filter_add_blacklist(fd, SYS_mpx, 0);
273	#endif
274	#ifdef SYS_pciconfig_iobase
275	filter_add_blacklist(fd, SYS_pciconfig_iobase, 0);
276	#endif
277	#ifdef SYS_pciconfig_read
278	filter_add_blacklist(fd, SYS_pciconfig_read, 0);
279	#endif
280	#ifdef SYS_pciconfig_write
281	filter_add_blacklist(fd, SYS_pciconfig_write, 0);
282	#endif
283	#ifdef SYS_prof
284	filter_add_blacklist(fd, SYS_prof, 0);
285	#endif
286	#ifdef SYS_profil
287	filter_add_blacklist(fd, SYS_profil, 0);
288	#endif
289	#ifdef SYS_putpmsg
290	filter_add_blacklist(fd, SYS_putpmsg, 0);
291	#endif
292	#ifdef SYS_rtas
293	filter_add_blacklist(fd, SYS_rtas, 0);
294	#endif
295	#ifdef SYS_s390_runtime_instr
296	filter_add_blacklist(fd, SYS_s390_runtime_instr, 0);
297	#endif
298	#ifdef SYS_s390_mmio_read
299	filter_add_blacklist(fd, SYS_s390_mmio_read, 0);
300	#endif
301	#ifdef SYS_s390_mmio_write
302	filter_add_blacklist(fd, SYS_s390_mmio_write, 0);
303	#endif
304	#ifdef SYS_security
305	filter_add_blacklist(fd, SYS_security, 0);
306	#endif
307	#ifdef SYS_setdomainname
308	filter_add_blacklist(fd, SYS_setdomainname, 0);
309	#endif
310	#ifdef SYS_sethostname
311	filter_add_blacklist(fd, SYS_sethostname, 0);
312	#endif
313	#ifdef SYS_sgetmask
314	filter_add_blacklist(fd, SYS_sgetmask, 0);
315	#endif
316	#ifdef SYS_ssetmask
317	filter_add_blacklist(fd, SYS_ssetmask, 0);
318	#endif
319	#ifdef SYS_stty
320	filter_add_blacklist(fd, SYS_stty, 0);
321	#endif
322	#ifdef SYS_subpage_prot
323	filter_add_blacklist(fd, SYS_subpage_prot, 0);
324	#endif
325	#ifdef SYS_switch_endian
326	filter_add_blacklist(fd, SYS_switch_endian, 0);
327	#endif
328	#ifdef SYS_sys_debug_setcontext
329	filter_add_blacklist(fd, SYS_sys_debug_setcontext, 0);
330	#endif
331	#ifdef SYS_ulimit
332	filter_add_blacklist(fd, SYS_ulimit, 0);
333	#endif
334	#ifdef SYS_vhangup
335	filter_add_blacklist(fd, SYS_vhangup, 0);
336	#endif
337	#ifdef SYS_vserver
338	filter_add_blacklist(fd, SYS_vserver, 0);
339	#endif
340
341	}	46	}
342		47
343	// default list	48	// default list
@@ -418,12 +123,10 @@ void seccomp_keep(const char fname, char list) {
418		123
419	// build filter	124	// build filter
420	filter_init(fd);	125	filter_init(fd);
421	// these 4 syscalls are used by firejail after the seccomp filter is initialized	126	// these syscalls are used by firejail after the seccomp filter is initialized
422	filter_add_whitelist(fd, SYS_setuid, 0);	127	int r;
423	filter_add_whitelist(fd, SYS_setgid, 0);	128	r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0);
424	filter_add_whitelist(fd, SYS_setgroups, 0);	129	assert(r == 0);
425	filter_add_whitelist(fd, SYS_dup, 0);
426	filter_add_whitelist(fd, SYS_prctl, 0);
427		130
428	if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {	131	if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
429	fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");	132	fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");