Allow any syscall to be blacklisted (#1447)

Allow any syscall to be blacklisted with aid of LD_PRELOAD library, libpostexecseccomp.so. Closes: #1447
author: Topi Miettinen <toiwoton@gmail.com> 2017-08-13 14:07:31 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-08-13 17:31:07 +0300
commit: 63e9d849f662d1a494c6396d4a439cd4c91dfa7e (patch)
tree: 703cc8c9c0eb5b9e528f025961df7f322f797737 /src/man
parent: merges (diff)
download: firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.tar.gz
firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.tar.zst
firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.zip
1 files changed, 26 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2c8dca09a..be73429bc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1578,6 +1578,32 @@ $ rm testfile
 rm: cannot remove `testfile': Operation not permitted
 .br
+.br
+If the blocked system calls would also block Firejail from operating,
+they are handled by adding a preloaded library which performs seccomp
+system calls later.
+.br
+.br
+Example:
+.br
+.br
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+.br
+Parent pid 32751, child pid 32752
+.br
+Post-exec seccomp protector enabled
+.br
+list in: execve, check list: @default-keep prelist: (null), postlist: execve
+.br
+Child process initialized in 46.44 ms
+.br
+$ ls
+.br
+Bad system call
+.br
 .TP
 \fB\-\-seccomp.drop=syscall,syscall,syscall
 Enable seccomp filter, and blacklist the syscalls specified by the command.
author	Topi Miettinen <toiwoton@gmail.com>	2017-08-13 14:07:31 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-08-13 17:31:07 +0300
commit	63e9d849f662d1a494c6396d4a439cd4c91dfa7e (patch)
tree	703cc8c9c0eb5b9e528f025961df7f322f797737 /src/man
parent	merges (diff)
download	firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.tar.gz firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.tar.zst firejail-63e9d849f662d1a494c6396d4a439cd4c91dfa7e.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2c8dca09a..be73429bc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1578,6 +1578,32 @@ $ rm testfile
1578	rm: cannot remove `testfile': Operation not permitted	1578	rm: cannot remove `testfile': Operation not permitted
1579	.br	1579	.br
1580		1580
		1581	.br
		1582	If the blocked system calls would also block Firejail from operating,
		1583	they are handled by adding a preloaded library which performs seccomp
		1584	system calls later.
		1585	.br
		1586
		1587	.br
		1588	Example:
		1589	.br
		1590
		1591	.br
		1592	$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
		1593	.br
		1594	Parent pid 32751, child pid 32752
		1595	.br
		1596	Post-exec seccomp protector enabled
		1597	.br
		1598	list in: execve, check list: @default-keep prelist: (null), postlist: execve
		1599	.br
		1600	Child process initialized in 46.44 ms
		1601	.br
		1602	$ ls
		1603	.br
		1604	Bad system call
		1605	.br
		1606
1581	.TP	1607	.TP
1582	\fB\-\-seccomp.drop=syscall,syscall,syscall	1608	\fB\-\-seccomp.drop=syscall,syscall,syscall
1583	Enable seccomp filter, and blacklist the syscalls specified by the command.	1609	Enable seccomp filter, and blacklist the syscalls specified by the command.