diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2019-09-03 12:02:38 +0300 |
|---|---|---|
| committer |  Topi Miettinen <topimiettinen@users.noreply.github.com> | 2019-09-04 21:59:14 +0300 |
| commit | 3adae2e04bfc86c689db1c07055c7c2767674dfa (patch) | |
| tree | 6e5292a0fd713a4b90a6c32fed18a0b02175fc12 /src/fseccomp | |
| parent | fixup! Use new seccomp syntax from #2926 in more profiles (diff) | |
| download | firejail-3adae2e04bfc86c689db1c07055c7c2767674dfa.tar.gz firejail-3adae2e04bfc86c689db1c07055c7c2767674dfa.tar.zst firejail-3adae2e04bfc86c689db1c07055c7c2767674dfa.zip | |
Revert changes in #2928 to seccomp group @default
Reconstruct @default by not relying on the changed system call groups
@privileged and @resources.
Diffstat (limited to 'src/fseccomp')
| -rw-r--r-- | src/fseccomp/syscall.c | 49 |
1 files changed, 47 insertions, 2 deletions
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 5d83786bb..1683d3140 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
| @@ -201,11 +201,14 @@ static const SyscallGroupList sysgroups[] = { | |||
| 201 | #endif | 201 | #endif |
| 202 | }, | 202 | }, |
| 203 | { .name = "@default", .list = | 203 | { .name = "@default", .list = |
| 204 | "@clock," | ||
| 204 | "@cpu-emulation," | 205 | "@cpu-emulation," |
| 205 | "@debug," | 206 | "@debug," |
| 207 | "@module," | ||
| 206 | "@obsolete," | 208 | "@obsolete," |
| 207 | "@privileged," | 209 | "@raw-io," |
| 208 | "@resources," | 210 | "@reboot," |
| 211 | "@swap," | ||
| 209 | #ifdef SYS_open_by_handle_at | 212 | #ifdef SYS_open_by_handle_at |
| 210 | "open_by_handle_at," | 213 | "open_by_handle_at," |
| 211 | #endif | 214 | #endif |
| @@ -233,6 +236,15 @@ static const SyscallGroupList sysgroups[] = { | |||
| 233 | #ifdef SYS_request_key | 236 | #ifdef SYS_request_key |
| 234 | "request_key," | 237 | "request_key," |
| 235 | #endif | 238 | #endif |
| 239 | #ifdef SYS_mbind | ||
| 240 | "mbind," | ||
| 241 | #endif | ||
| 242 | #ifdef SYS_migrate_pages | ||
| 243 | "migrate_pages," | ||
| 244 | #endif | ||
| 245 | #ifdef SYS_move_pages | ||
| 246 | "move_pages," | ||
| 247 | #endif | ||
| 236 | #ifdef SYS_keyctl | 248 | #ifdef SYS_keyctl |
| 237 | "keyctl," | 249 | "keyctl," |
| 238 | #endif | 250 | #endif |
| @@ -254,6 +266,9 @@ static const SyscallGroupList sysgroups[] = { | |||
| 254 | #ifdef SYS_remap_file_pages | 266 | #ifdef SYS_remap_file_pages |
| 255 | "remap_file_pages," | 267 | "remap_file_pages," |
| 256 | #endif | 268 | #endif |
| 269 | #ifdef SYS_set_mempolicy | ||
| 270 | "set_mempolicy" | ||
| 271 | #endif | ||
| 257 | #ifdef SYS_vmsplice | 272 | #ifdef SYS_vmsplice |
| 258 | "vmsplice," | 273 | "vmsplice," |
| 259 | #endif | 274 | #endif |
| @@ -263,6 +278,36 @@ static const SyscallGroupList sysgroups[] = { | |||
| 263 | #ifdef SYS_userfaultfd | 278 | #ifdef SYS_userfaultfd |
| 264 | "userfaultfd," | 279 | "userfaultfd," |
| 265 | #endif | 280 | #endif |
| 281 | #ifdef SYS_acct | ||
| 282 | "acct," | ||
| 283 | #endif | ||
| 284 | #ifdef SYS_bpf | ||
| 285 | "bpf," | ||
| 286 | #endif | ||
| 287 | #ifdef SYS_chroot | ||
| 288 | "chroot," | ||
| 289 | #endif | ||
| 290 | #ifdef SYS_mount | ||
| 291 | "mount," | ||
| 292 | #endif | ||
| 293 | #ifdef SYS_nfsservctl | ||
| 294 | "nfsservctl," | ||
| 295 | #endif | ||
| 296 | #ifdef SYS_pivot_root | ||
| 297 | "pivot_root," | ||
| 298 | #endif | ||
| 299 | #ifdef SYS_setdomainname | ||
| 300 | "setdomainname," | ||
| 301 | #endif | ||
| 302 | #ifdef SYS_sethostname | ||
| 303 | "sethostname," | ||
| 304 | #endif | ||
| 305 | #ifdef SYS_umount2 | ||
| 306 | "umount2," | ||
| 307 | #endif | ||
| 308 | #ifdef SYS_vhangup | ||
| 309 | "vhangup" | ||
| 310 | #endif | ||
| 266 | //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem | 311 | //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem |
| 267 | // "mincore" | 312 | // "mincore" |
| 268 | //#endif | 313 | //#endif |