Feature: switch/config option to block secondary architectures

Add a feature for a new (opt-in) command line switch and config file option to block secondary architectures entirely. Also block changing Linux execution domain with personality() system call for the primary architecture. Closes #1479
author: Topi Miettinen <toiwoton@gmail.com> 2017-08-19 23:22:38 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-08-19 23:33:11 +0300
commit: d01216de45884300c87e7d3ccb70e53ebb461449 (patch)
tree: 480519f5849df4c6048a7f62ec97f96e51174c3e /src/man/firejail-profile.txt
parent: Merge update after #1483 (diff)
download: firejail-d01216de45884300c87e7d3ccb70e53ebb461449.tar.gz
firejail-d01216de45884300c87e7d3ccb70e53ebb461449.tar.zst
firejail-d01216de45884300c87e7d3ccb70e53ebb461449.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 2a7d926b9..050c3d7e5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -310,6 +310,10 @@ Enable seccomp filter and blacklist the syscalls in the default list. See man 1
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
 .TP
+\fBseccomp.block-secondary
+Enable seccomp filter and filter system call architectures
+so that only the native architecture is allowed.
+.TP
 \fBseccomp.drop syscall,syscall,syscall
 Enable seccomp filter and blacklist  the system calls in the list.
 .TP
author	Topi Miettinen <toiwoton@gmail.com>	2017-08-19 23:22:38 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-08-19 23:33:11 +0300
commit	d01216de45884300c87e7d3ccb70e53ebb461449 (patch)
tree	480519f5849df4c6048a7f62ec97f96e51174c3e /src/man/firejail-profile.txt
parent	Merge update after #1483 (diff)
download	firejail-d01216de45884300c87e7d3ccb70e53ebb461449.tar.gz firejail-d01216de45884300c87e7d3ccb70e53ebb461449.tar.zst firejail-d01216de45884300c87e7d3ccb70e53ebb461449.zip

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 2a7d926b9..050c3d7e5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -310,6 +310,10 @@ Enable seccomp filter and blacklist the syscalls in the default list. See man 1
310	\fBseccomp syscall,syscall,syscall	310	\fBseccomp syscall,syscall,syscall
311	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.	311	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
312	.TP	312	.TP
		313	\fBseccomp.block-secondary
		314	Enable seccomp filter and filter system call architectures
		315	so that only the native architecture is allowed.
		316	.TP
313	\fBseccomp.drop syscall,syscall,syscall	317	\fBseccomp.drop syscall,syscall,syscall
314	Enable seccomp filter and blacklist the system calls in the list.	318	Enable seccomp filter and blacklist the system calls in the list.
315	.TP	319	.TP