author: Topi Miettinen <toiwoton@gmail.com> 2020-03-14 00:07:06 +0200
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2020-03-28 11:24:25 +0000
commit: 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch)
tree: 6b4d2a805a2900755bfc857586a10948b3c8395e /src/man
parent: Added compatibility with BetterDiscord (#3300) (diff)
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine.

Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed.

Lists of supported system calls are also updated.

Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries.

Closes #3267.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/man')
-rw-r--r-- src/man/firejail-profile.txt | 14
-rw-r--r-- src/man/firejail.txt | 22
2 files changed, 30 insertions, 6 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9af25bf63..511194ff3 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -386,19 +386,31 @@ first argument to socket system call. Recognized values: \fBunix\fR,
386\fBseccomp 386\fBseccomp
387Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. 387Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
388.TP 388.TP
389\fBseccomp.32
390Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
391.TP
389\fBseccomp syscall,syscall,syscall 392\fBseccomp syscall,syscall,syscall
390Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. 393Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
391.TP 394.TP
395\fBseccomp.32 syscall,syscall,syscall
396Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
397.TP
392\fBseccomp.block-secondary 398\fBseccomp.block-secondary
393Enable seccomp filter and filter system call architectures 399Enable seccomp filter and filter system call architectures
394so that only the native architecture is allowed. 400so that only the native architecture is allowed.
395.TP 401.TP
396\fBseccomp.drop syscall,syscall,syscall 402\fBseccomp.drop syscall,syscall,syscall
397Enable seccomp filter and blacklist the system calls in the list. 403Enable seccomp filter and blacklist the system calls in the list.
404.TP
405\fBseccomp.32.drop syscall,syscall,syscall
406Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
398.TP 407.TP
399\fBseccomp.keep syscall,syscall,syscall 408\fBseccomp.keep syscall,syscall,syscall
400Enable seccomp filter and whitelist the system calls in the list. 409Enable seccomp filter and whitelist the system calls in the list.
401.TP 410.TP
411\fBseccomp.32.keep syscall,syscall,syscall
412Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
413.TP
402\fBx11 414\fBx11
403Enable X11 sandboxing. 415Enable X11 sandboxing.
404.TP 416.TP
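Review bot: The new seccomp.32, seccomp.32.drop and seccomp.32.keep entries do not mention the limitation that this same patch documents in firejail.txt, namely that the preload-library mechanism (used for trace, tracelog and for keeping Firejail's own syscalls such as execve) does not work with 32 bit filters and only produces a warning; a profile author reading only man 5 firejail-profile will not learn that combining seccomp.32.drop with execve, or seccomp.32 with trace, silently loses that functionality. Suggest adding one sentence to each of the three entries, e.g. "The preload library used for trace, tracelog and postexecseccomp is not available for 32 bit filters; a warning is printed if it would be needed." Minor style point: the rest of the man page writes "32-bit" and "64-bit" with a hyphen (see the unchanged text at line 1835 of firejail.txt), while the new text writes "32 bit system calls on a 64 bit architecture system" four times; pick one spelling.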
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 926e9b2cc..13dcf09ee 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -35,7 +35,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree}
35Miscellaneous: 35Miscellaneous:
36.PP 36.PP
37.RS 37.RS
38firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version} 38firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
39.RE 39.RE
40.SH DESCRIPTION 40.SH DESCRIPTION
41Firejail is a SUID sandbox program that reduces the risk of security breaches by 41Firejail is a SUID sandbox program that reduces the risk of security breaches by
@@ -386,6 +386,10 @@ Example:
386.br 386.br
387$ firejail \-\-debug-syscalls 387$ firejail \-\-debug-syscalls
388.TP 388.TP
389\fB\-\-debug-syscalls32
390Print all recognized 32 bit system calls in the current Firejail software build and exit.
391.br
392.TP
389\fB\-\-debug-whitelists\fR 393\fB\-\-debug-whitelists\fR
390Debug whitelisting. 394Debug whitelisting.
391.br 395.br
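Review bot: The new \-\-debug-syscalls32 entry ends with a bare ".br" and no example, while the sibling \-\-debug-syscalls entry directly above it (visible in the hunk context) carries an "Example:" block with "$ firejail \-\-debug-syscalls". Either add the matching example ("Example:", ".br", "$ firejail \-\-debug-syscalls32") for consistency, or drop the stray ".br", which currently produces an empty line before the next .TP for no reason.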
@@ -1832,7 +1836,9 @@ Exceptions can be allowed with prefix !.
1832System architecture is strictly imposed only if flag 1836System architecture is strictly imposed only if flag
1833\-\-seccomp.block-secondary is used. The filter is applied at run time 1837\-\-seccomp.block-secondary is used. The filter is applied at run time
1834only if the correct architecture was detected. For the case of I386 1838only if the correct architecture was detected. For the case of I386
1835and AMD64 both 32-bit and 64-bit filters are installed. 1839and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
1840architecture, an additional filter for 32 bit system calls can be
1841installed with \-\-seccomp.32.
1836.br 1842.br
1837 1843
1838.br 1844.br
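Review bot: The added sentence "On a 64 bit architecture, an additional filter for 32 bit system calls can be installed with \-\-seccomp.32." directly follows "For the case of I386 and AMD64 both 32-bit and 64-bit filters are installed", and the two read as contradictory: a reader cannot tell whether \-\-seccomp alone already installs a 32-bit filter (in which case what does \-\-seccomp.32 add?) or whether 32-bit calls are unfiltered until \-\-seccomp.32 is given. Please state the relationship explicitly, for example which list is applied to the 32-bit ABI by plain \-\-seccomp and what \-\-seccomp.32 changes, since this is exactly the gap a mixed 64/32-bit application (the Steam/Wine case from the commit message) would exploit if the 32-bit ABI is left open. Also note the hyphenation mismatch in the same paragraph ("32-bit" in the existing text, "32 bit" in the new).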
@@ -1881,7 +1887,8 @@ rm: cannot remove `testfile': Operation not permitted
1881.br 1887.br
1882If the blocked system calls would also block Firejail from operating, 1888If the blocked system calls would also block Firejail from operating,
1883they are handled by adding a preloaded library which performs seccomp 1889they are handled by adding a preloaded library which performs seccomp
1884system calls later. 1890system calls later. However, this is incompatible with 32 bit seccomp
1891filters.
1885.br 1892.br
1886 1893
1887.br 1894.br
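Review bot: "However, this is incompatible with 32 bit seccomp filters." states the limitation but not its effect on the user. The commit message says Firejail warns when the preload library would be needed together with a 32-bit filter; the man page should say the same and make clear which of the two gives way, i.e. whether the 32-bit filter is still installed and the blocked syscall simply prevents Firejail from operating, or whether the offending syscall is left unfiltered on the 32-bit ABI. Suggest: "However, the preload library is 64 bit only and cannot be used with 32 bit seccomp filters (\-\-seccomp.32.drop, trace, tracelog); Firejail prints a warning in this case." followed by the actual behaviour.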
@@ -1912,7 +1919,10 @@ domain with personality(2) system call.
1912 1919
1913.TP 1920.TP
1914\fB\-\-seccomp.drop=syscall,@group 1921\fB\-\-seccomp.drop=syscall,@group
1915Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. 1922Enable seccomp filter, and blacklist the syscalls or the syscall
1923groups specified by the command. On a 64 bit architecture, an
1924additional filter for 32 bit system calls can be installed with
1925\-\-seccomp.32.drop.
1916.br 1926.br
1917 1927
1918.br 1928.br
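Review bot: \-\-seccomp.32.drop (and, in the other hunks, \-\-seccomp.32 and \-\-seccomp.32.keep) is only mentioned in passing inside the \-\-seccomp.drop paragraph; nothing in this file adds a ".TP \fB\-\-seccomp.32.drop=syscall,@group" entry of its own, whereas firejail-profile.txt in the same patch gets full entries for all three profile keywords. Since the command-line options are the primary interface documented in man 1 firejail, please add dedicated .TP entries for \-\-seccomp.32, \-\-seccomp.32.drop and \-\-seccomp.32.keep with their argument syntax, mirroring the profile-file entries, so that "man firejail" and "firejail \-\-help" agree on which flags exist.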
@@ -1950,7 +1960,9 @@ rm: cannot remove `testfile': Operation not permitted
1950\fB\-\-seccomp.keep=syscall,@group,!syscall2 1960\fB\-\-seccomp.keep=syscall,@group,!syscall2
1951Enable seccomp filter, blacklist all syscall not listed and "syscall2". 1961Enable seccomp filter, blacklist all syscall not listed and "syscall2".
1952The system calls needed by Firejail (group @default-keep: prctl, execve) 1962The system calls needed by Firejail (group @default-keep: prctl, execve)
1953are handled with the preload library. 1963are handled with the preload library. On a 64 bit architecture, an
1964additional filter for 32 bit system calls can be installed with
1965\-\-seccomp.32.keep.
1954.br 1966.br
1955 1967
1956.br 1968.br
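Review bot: The sentence kept from the original, "The system calls needed by Firejail (group @default-keep: prctl, execve) are handled with the preload library.", is immediately followed by the new "an additional filter for 32 bit system calls can be installed with \-\-seccomp.32.keep", yet the hunk at line 1890 of the same file says the preload library is incompatible with 32 bit filters. The paragraph should therefore say how @default-keep is satisfied for the 32-bit whitelist: are prctl and execve added to the \-\-seccomp.32.keep list automatically, or must the user list them explicitly to keep the sandboxed 32-bit program runnable? Without that sentence, a user who copies a working \-\-seccomp.keep list into \-\-seccomp.32.keep has no way to predict whether the 32-bit process will be able to exec at all.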