remove 64bit seccomp filter from 32bit architectures

author: netblue30 <netblue30@yahoo.com> 2018-05-06 11:22:35 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-05-06 11:22:35 -0400
commit: f905f046cc554f8ec2b800bcb9965b0f360cfd91 (patch)
tree: 789d465559540e25d5a97b52ca1a766db8ec14f5 /src/fseccomp/seccomp_secondary.c
parent: ark.profile: Add private-bin and private-etc (diff)
download: firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.gz
firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.zst
firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.zip
1 files changed, 0 insertions, 65 deletions
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index ebda1b938..e398f94d0 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
        close(dst);
 }
-void seccomp_secondary_64(const char *fname) {
-        // hardcoded syscall values
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE_64,
-                EXAMINE_SYSCALL,
-                BLACKLIST(165), // mount
-                BLACKLIST(166), // umount2
-// todo: implement --allow-debuggers
-                BLACKLIST(101), // ptrace
-                BLACKLIST(246), // kexec_load
-                BLACKLIST(304), // open_by_handle_at
-                BLACKLIST(303), // name_to_handle_at
-                BLACKLIST(174), // create_module
-                BLACKLIST(175), // init_module
-                BLACKLIST(313), // finit_module
-                BLACKLIST(176), // delete_module
-                BLACKLIST(172), // iopl
-                BLACKLIST(173), // ioperm
-                BLACKLIST(251), // ioprio_set
-                BLACKLIST(167), // swapon
-                BLACKLIST(168), // swapoff
-                BLACKLIST(103), // syslog
-                BLACKLIST(310), // process_vm_readv
-                BLACKLIST(311), // process_vm_writev
-                BLACKLIST(139), // sysfs
-                BLACKLIST(156), // _sysctl
-                BLACKLIST(159), // adjtimex
-                BLACKLIST(305), // clock_adjtime
-                BLACKLIST(212), // lookup_dcookie
-                BLACKLIST(298), // perf_event_open
-                BLACKLIST(300), // fanotify_init
-                BLACKLIST(312), // kcmp
-                BLACKLIST(248), // add_key
-                BLACKLIST(249), // request_key
-                BLACKLIST(250), // keyctl
-                BLACKLIST(134), // uselib
-                BLACKLIST(163), // acct
-                BLACKLIST(154), // modify_ldt
-                BLACKLIST(155), // pivot_root
-                BLACKLIST(206), // io_setup
-                BLACKLIST(207), // io_destroy
-                BLACKLIST(208), // io_getevents
-                BLACKLIST(209), // io_submit
-                BLACKLIST(210), // io_cancel
-                BLACKLIST(216), // remap_file_pages
-                BLACKLIST(237), // mbind
-// breaking Firefox nightly when playing youtube videos
-// TODO: test again when firefox sandbox is finally released
-//              BLACKLIST(239), // get_mempolicy
-                BLACKLIST(238), // set_mempolicy
-                BLACKLIST(256), // migrate_pages
-                BLACKLIST(279), // move_pages
-                BLACKLIST(278), // vmsplice
-                BLACKLIST(161), // chroot
-                BLACKLIST(184), // tuxcall
-                BLACKLIST(169), // reboot
-                BLACKLIST(180), // nfsservctl
-                BLACKLIST(177), // get_kernel_syms
-                RETURN_ALLOW
-        };
-        // save filter to file
-        write_filter(fname, sizeof(filter), filter);
-}
 // 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {
author	netblue30 <netblue30@yahoo.com>	2018-05-06 11:22:35 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-05-06 11:22:35 -0400
commit	f905f046cc554f8ec2b800bcb9965b0f360cfd91 (patch)
tree	789d465559540e25d5a97b52ca1a766db8ec14f5 /src/fseccomp/seccomp_secondary.c
parent	ark.profile: Add private-bin and private-etc (diff)
download	firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.gz firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.tar.zst firejail-f905f046cc554f8ec2b800bcb9965b0f360cfd91.zip

diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index ebda1b938..e398f94d0 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char fname, size_t size, const void filter) {
42	close(dst);	42	close(dst);
43	}	43	}
44		44
45	void seccomp_secondary_64(const char *fname) {
46	// hardcoded syscall values
47	struct sock_filter filter[] = {
48	VALIDATE_ARCHITECTURE_64,
49	EXAMINE_SYSCALL,
50	BLACKLIST(165), // mount
51	BLACKLIST(166), // umount2
52	// todo: implement --allow-debuggers
53	BLACKLIST(101), // ptrace
54	BLACKLIST(246), // kexec_load
55	BLACKLIST(304), // open_by_handle_at
56	BLACKLIST(303), // name_to_handle_at
57	BLACKLIST(174), // create_module
58	BLACKLIST(175), // init_module
59	BLACKLIST(313), // finit_module
60	BLACKLIST(176), // delete_module
61	BLACKLIST(172), // iopl
62	BLACKLIST(173), // ioperm
63	BLACKLIST(251), // ioprio_set
64	BLACKLIST(167), // swapon
65	BLACKLIST(168), // swapoff
66	BLACKLIST(103), // syslog
67	BLACKLIST(310), // process_vm_readv
68	BLACKLIST(311), // process_vm_writev
69	BLACKLIST(139), // sysfs
70	BLACKLIST(156), // _sysctl
71	BLACKLIST(159), // adjtimex
72	BLACKLIST(305), // clock_adjtime
73	BLACKLIST(212), // lookup_dcookie
74	BLACKLIST(298), // perf_event_open
75	BLACKLIST(300), // fanotify_init
76	BLACKLIST(312), // kcmp
77	BLACKLIST(248), // add_key
78	BLACKLIST(249), // request_key
79	BLACKLIST(250), // keyctl
80	BLACKLIST(134), // uselib
81	BLACKLIST(163), // acct
82	BLACKLIST(154), // modify_ldt
83	BLACKLIST(155), // pivot_root
84	BLACKLIST(206), // io_setup
85	BLACKLIST(207), // io_destroy
86	BLACKLIST(208), // io_getevents
87	BLACKLIST(209), // io_submit
88	BLACKLIST(210), // io_cancel
89	BLACKLIST(216), // remap_file_pages
90	BLACKLIST(237), // mbind
91	// breaking Firefox nightly when playing youtube videos
92	// TODO: test again when firefox sandbox is finally released
93	// BLACKLIST(239), // get_mempolicy
94	BLACKLIST(238), // set_mempolicy
95	BLACKLIST(256), // migrate_pages
96	BLACKLIST(279), // move_pages
97	BLACKLIST(278), // vmsplice
98	BLACKLIST(161), // chroot
99	BLACKLIST(184), // tuxcall
100	BLACKLIST(169), // reboot
101	BLACKLIST(180), // nfsservctl
102	BLACKLIST(177), // get_kernel_syms
103
104	RETURN_ALLOW
105	};
106
107	// save filter to file
108	write_filter(fname, sizeof(filter), filter);
109	}
110		45
111	// 32 bit arch filter installed on 64 bit architectures	46	// 32 bit arch filter installed on 64 bit architectures
112	void seccomp_secondary_32(const char *fname) {	47	void seccomp_secondary_32(const char *fname) {