diff options
| author |  startx2017 <vradu.startx@yandex.com> | 2017-03-31 11:56:15 -0400 |
|---|---|---|
| committer | startx2017 <vradu.startx@yandex.com> | 2017-03-31 11:56:15 -0400 |
| commit | e6805b6bbbe8f43b4099dc344535741ba9af6bca (patch) | |
| tree | 77a6e78b92ae998eff87e0adc7772b28437a993b /src/fseccomp | |
| parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
| download | firejail-e6805b6bbbe8f43b4099dc344535741ba9af6bca.tar.gz firejail-e6805b6bbbe8f43b4099dc344535741ba9af6bca.tar.zst firejail-e6805b6bbbe8f43b4099dc344535741ba9af6bca.zip | |
add new syscalls in default seccomp filter
Diffstat (limited to 'src/fseccomp')
| -rw-r--r-- | src/fseccomp/seccomp.c | 60 |
1 files changed, 54 insertions, 6 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index f252e36b6..25a151a78 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
| @@ -90,12 +90,9 @@ static void add_default_list(int fd, int allow_debuggers) { | |||
| 90 | #ifdef SYS_process_vm_writev | 90 | #ifdef SYS_process_vm_writev |
| 91 | filter_add_blacklist(fd, SYS_process_vm_writev, 0); | 91 | filter_add_blacklist(fd, SYS_process_vm_writev, 0); |
| 92 | #endif | 92 | #endif |
| 93 | 93 | //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension | |
| 94 | // mknod removed in 0.9.29 - it brakes Zotero extension | 94 | // filter_add_blacklist(SYS_mknod, 0); |
| 95 | //#ifdef SYS_mknod | 95 | //#endif |
| 96 | // filter_add_blacklist(SYS_mknod, 0); | ||
| 97 | //#endif | ||
| 98 | |||
| 99 | #ifdef SYS_sysfs | 96 | #ifdef SYS_sysfs |
| 100 | filter_add_blacklist(fd, SYS_sysfs, 0); | 97 | filter_add_blacklist(fd, SYS_sysfs, 0); |
| 101 | #endif | 98 | #endif |
| @@ -192,6 +189,57 @@ static void add_default_list(int fd, int allow_debuggers) { | |||
| 192 | #ifdef SYS_get_kernel_syms | 189 | #ifdef SYS_get_kernel_syms |
| 193 | filter_add_blacklist(fd, SYS_get_kernel_syms, 0); | 190 | filter_add_blacklist(fd, SYS_get_kernel_syms, 0); |
| 194 | #endif | 191 | #endif |
| 192 | |||
| 193 | // 0.9.45 | ||
| 194 | #ifdef SYS_bpf | ||
| 195 | filter_add_blacklist(fd, SYS_bpf, 0); | ||
| 196 | #endif | ||
| 197 | #ifdef SYS_clock_settime | ||
| 198 | filter_add_blacklist(fd, SYS_clock_settime, 0); | ||
| 199 | #endif | ||
| 200 | //#ifdef SYS_clone - in use by Firejail | ||
| 201 | // filter_add_blacklist(fd, SYS_clone, 0); | ||
| 202 | //#endif | ||
| 203 | #ifdef SYS_personality | ||
| 204 | filter_add_blacklist(fd, SYS_personality, 0); | ||
| 205 | #endif | ||
| 206 | #ifdef SYS_process_vm_writev | ||
| 207 | filter_add_blacklist(fd, SYS_process_vm_writev, 0); | ||
| 208 | #endif | ||
| 209 | #ifdef SYS_query_module | ||
| 210 | filter_add_blacklist(fd, SYS_query_module, 0); | ||
| 211 | #endif | ||
| 212 | //#ifdef SYS_quotactl - in use by Firefox | ||
| 213 | // filter_add_blacklist(fd, SYS_quotactl, 0); | ||
| 214 | //#endif | ||
| 215 | //#ifdef SYS_setns - in use by Firejail | ||
| 216 | // filter_add_blacklist(fd, SYS_setns, 0); | ||
| 217 | //#endif | ||
| 218 | #ifdef SYS_settimeofday | ||
| 219 | filter_add_blacklist(fd, SYS_settimeofday, 0); | ||
| 220 | #endif | ||
| 221 | #ifdef SYS_stime | ||
| 222 | filter_add_blacklist(fd, SYS_stime, 0); | ||
| 223 | #endif | ||
| 224 | #ifdef SYS_umount | ||
| 225 | filter_add_blacklist(fd, SYS_umount, 0); | ||
| 226 | #endif | ||
| 227 | //#ifdef SYS_unshare - in use by Firejail | ||
| 228 | // filter_add_blacklist(fd, SYS_unshare, 0); | ||
| 229 | //#endif | ||
| 230 | #ifdef SYS_userfaultfd | ||
| 231 | filter_add_blacklist(fd, SYS_userfaultfd, 0); | ||
| 232 | #endif | ||
| 233 | #ifdef SYS_ustat | ||
| 234 | filter_add_blacklist(fd, SYS_ustat, 0); | ||
| 235 | #endif | ||
| 236 | #ifdef SYS_vm86 | ||
| 237 | filter_add_blacklist(fd, SYS_vm86, 0); | ||
| 238 | #endif | ||
| 239 | #ifdef SYS_vm86old | ||
| 240 | filter_add_blacklist(fd, SYS_vm86old, 0); | ||
| 241 | #endif | ||
| 242 | |||
| 195 | } | 243 | } |
| 196 | 244 | ||
| 197 | // default list | 245 | // default list |