field | value | date
---|---|---
author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-14 00:07:06 +0200
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-03-28 11:24:25 +0000
commit | 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch) |
tree | 6b4d2a805a2900755bfc857586a10948b3c8395e /src/man |
parent | Added compatibility with BetterDiscord (#3300) (diff) |
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/man')

mode | file | lines changed
---|---|---
-rw-r--r-- | src/man/firejail-profile.txt | 14
-rw-r--r-- | src/man/firejail.txt | 22

2 files changed, 30 insertions, 6 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9af25bf63..511194ff3 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -386,19 +386,31 @@ first argument to socket system call. Recognized values: \fBunix\fR, | |||
386 | \fBseccomp | 386 | \fBseccomp |
387 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. | 387 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
388 | .TP | 388 | .TP |
389 | \fBseccomp.32 | ||
390 | Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. | ||
391 | .TP | ||
389 | \fBseccomp syscall,syscall,syscall | 392 | \fBseccomp syscall,syscall,syscall |
390 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. | 393 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
391 | .TP | 394 | .TP |
395 | \fBseccomp.32 syscall,syscall,syscall | ||
396 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. | ||
397 | .TP | ||
392 | \fBseccomp.block-secondary | 398 | \fBseccomp.block-secondary |
393 | Enable seccomp filter and filter system call architectures | 399 | Enable seccomp filter and filter system call architectures |
394 | so that only the native architecture is allowed. | 400 | so that only the native architecture is allowed. |
395 | .TP | 401 | .TP |
396 | \fBseccomp.drop syscall,syscall,syscall | 402 | \fBseccomp.drop syscall,syscall,syscall |
397 | Enable seccomp filter and blacklist the system calls in the list. | 403 | Enable seccomp filter and blacklist the system calls in the list. |
404 | .TP | ||
405 | \fBseccomp.32.drop syscall,syscall,syscall | ||
406 | Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | ||
398 | .TP | 407 | .TP |
399 | \fBseccomp.keep syscall,syscall,syscall | 408 | \fBseccomp.keep syscall,syscall,syscall |
400 | Enable seccomp filter and whitelist the system calls in the list. | 409 | Enable seccomp filter and whitelist the system calls in the list. |
401 | .TP | 410 | .TP |
411 | \fBseccomp.32.keep syscall,syscall,syscall | ||
412 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | ||
413 | .TP | ||
402 | \fBx11 | 414 | \fBx11 |
403 | Enable X11 sandboxing. | 415 | Enable X11 sandboxing. |
404 | .TP | 416 | .TP |
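Review bot: the four new profile entries (seccomp.32, seccomp.32 syscall list, seccomp.32.drop, seccomp.32.keep) say nothing about the limitation the firejail.txt part of this patch documents, namely that the preload-library mechanism used to apply late seccomp filters is incompatible with 32-bit filters, so a profile author reading only this page could combine seccomp.32.drop with trace, tracelog or a postexecseccomp case such as seccomp.drop=execve and not know a warning will follow. Suggest a one-line cross-reference in each new entry, e.g. "See the note on preload libraries under \-\-seccomp in man 1 firejail." Two smaller points: the new text writes "32 bit" and "64 bit" while the existing wording elsewhere in these man pages uses the hyphenated "32-bit" and "64-bit", so please pick one form; and none of the entries say what seccomp.32 does when the profile is used on a 32-bit host, which is worth stating since the same profile can be shared across both.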
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 926e9b2cc..13dcf09ee 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -35,7 +35,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree} | |||
35 | Miscellaneous: | 35 | Miscellaneous: |
36 | .PP | 36 | .PP |
37 | .RS | 37 | .RS |
38 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version} | 38 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version} |
39 | .RE | 39 | .RE |
40 | .SH DESCRIPTION | 40 | .SH DESCRIPTION |
41 | Firejail is a SUID sandbox program that reduces the risk of security breaches by | 41 | Firejail is a SUID sandbox program that reduces the risk of security breaches by |
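Review bot: synopsis change looks complete and matches the new \-\-debug-syscalls32 entry added below. One style observation for the option name itself: the filter options use a dotted suffix (seccomp.32, seccomp.32.drop, seccomp.32.keep) while this debug option uses a bare suffix (debug-syscalls32); if the name is not yet fixed by the code side, \-\-debug-syscalls.32 would read as the obvious companion of \-\-seccomp.32.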
@@ -386,6 +386,10 @@ Example: | |||
386 | .br | 386 | .br |
387 | $ firejail \-\-debug-syscalls | 387 | $ firejail \-\-debug-syscalls |
388 | .TP | 388 | .TP |
389 | \fB\-\-debug-syscalls32 | ||
390 | Print all recognized 32 bit system calls in the current Firejail software build and exit. | ||
391 | .br | ||
392 | .TP | ||
389 | \fB\-\-debug-whitelists\fR | 393 | \fB\-\-debug-whitelists\fR |
390 | Debug whitelisting. | 394 | Debug whitelisting. |
391 | .br | 395 | .br |
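Review bot: the new \-\-debug-syscalls32 entry ends with a lone ".br" before ".TP" (lines 391 and 392 of the new file), whereas the preceding \-\-debug-syscalls entry uses its ".br" to introduce an example ("Example: / .br / $ firejail \-\-debug-syscalls"). Either give the new entry the matching example, i.e. "Example:" / ".br" / "$ firejail \-\-debug-syscalls32", or drop the stray ".br" so the rendered page does not carry an empty break.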
@@ -1832,7 +1836,9 @@ Exceptions can be allowed with prefix !. | |||
1832 | System architecture is strictly imposed only if flag | 1836 | System architecture is strictly imposed only if flag |
1833 | \-\-seccomp.block-secondary is used. The filter is applied at run time | 1837 | \-\-seccomp.block-secondary is used. The filter is applied at run time |
1834 | only if the correct architecture was detected. For the case of I386 | 1838 | only if the correct architecture was detected. For the case of I386 |
1835 | and AMD64 both 32-bit and 64-bit filters are installed. | 1839 | and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit |
1840 | architecture, an additional filter for 32 bit system calls can be | ||
1841 | installed with \-\-seccomp.32. | ||
1836 | .br | 1842 | .br |
1837 | 1843 | ||
1838 | .br | 1844 | .br |
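Review bot: the appended sentence "On a 64 bit architecture, an additional filter for 32 bit system calls can be installed with \-\-seccomp.32" sits directly after "For the case of I386 and AMD64 both 32-bit and 64-bit filters are installed", and a reader may take the two as contradicting each other (are 32-bit filters installed by default or only with the new option?). Suggest making the distinction explicit: the default filter is installed for both architectures, while \-\-seccomp.32 supplies a separate, user-defined list for the 32-bit system-call table, whose names and numbers differ from the 64-bit ones. Also, within this single paragraph the patch now mixes "32-bit" (existing text) with "32 bit" (new text); please hyphenate consistently.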
@@ -1881,7 +1887,8 @@ rm: cannot remove `testfile': Operation not permitted | |||
1881 | .br | 1887 | .br |
1882 | If the blocked system calls would also block Firejail from operating, | 1888 | If the blocked system calls would also block Firejail from operating, |
1883 | they are handled by adding a preloaded library which performs seccomp | 1889 | they are handled by adding a preloaded library which performs seccomp |
1884 | system calls later. | 1890 | system calls later. However, this is incompatible with 32 bit seccomp |
1891 | filters. | ||
1885 | .br | 1892 | .br |
1886 | 1893 | ||
1887 | .br | 1894 | .br |
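Review bot: "However, this is incompatible with 32 bit seccomp filters" is too terse for the reader who hits it: it does not say which options rely on the preload library nor what happens when the combination is requested. The commit message lists the triggers (trace, tracelog, postexecseccomp such as seccomp.drop=execve) and says Firejail warns rather than failing, and the reason (a 32-bit dynamic linker cannot load the 64-bit preload libraries) is short enough to state here. Suggest: "However, the preload library is a 64-bit object and cannot be loaded by a 32-bit dynamic linker, so it is not used together with 32-bit seccomp filters; if \-\-trace, \-\-tracelog or a postexecseccomp filter would require it, Firejail prints a warning."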
@@ -1912,7 +1919,10 @@ domain with personality(2) system call. | |||
1912 | 1919 | ||
1913 | .TP | 1920 | .TP |
1914 | \fB\-\-seccomp.drop=syscall,@group | 1921 | \fB\-\-seccomp.drop=syscall,@group |
1915 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. | 1922 | Enable seccomp filter, and blacklist the syscalls or the syscall |
1923 | groups specified by the command. On a 64 bit architecture, an | ||
1924 | additional filter for 32 bit system calls can be installed with | ||
1925 | \-\-seccomp.32.drop. | ||
1916 | .br | 1926 | .br |
1917 | 1927 | ||
1918 | .br | 1928 | .br |
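Review bot: the reference to \-\-seccomp.32.drop does not say whether it accepts the same "syscall,@group" argument syntax as \-\-seccomp.drop, and the @group names resolve against the 32-bit system-call table whose entries differ from the 64-bit one (see \-\-debug-syscalls32 added in this patch), so it is worth saying so. More importantly, since the preceding hunk states that the preload-library fallback is incompatible with 32-bit filters, this entry should mention that dropping a system call Firejail itself needs (the @default-keep group, execve being the case named in the commit message) cannot be deferred for the 32-bit filter and will produce a warning instead. Suggest writing the 32-bit sentence as "\-\-seccomp.32.drop=syscall,@group installs an additional filter for 32 bit system calls on a 64 bit architecture; the preload library is not available for it."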
@@ -1950,7 +1960,9 @@ rm: cannot remove `testfile': Operation not permitted | |||
1950 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 | 1960 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
1951 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". | 1961 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". |
1952 | The system calls needed by Firejail (group @default-keep: prctl, execve) | 1962 | The system calls needed by Firejail (group @default-keep: prctl, execve) |
1953 | are handled with the preload library. | 1963 | are handled with the preload library. On a 64 bit architecture, an |
1964 | additional filter for 32 bit system calls can be installed with | ||
1965 | \-\-seccomp.32.keep. | ||
1954 | .br | 1966 | .br |
1955 | 1967 | ||
1956 | .br | 1968 | .br |
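Review bot: the sentence kept just above the insertion, "The system calls needed by Firejail (group @default-keep: prctl, execve) are handled with the preload library", now directly precedes the new reference to \-\-seccomp.32.keep, yet the \-\-seccomp section of this same patch says the preload library is incompatible with 32-bit filters. The entry should therefore state how prctl and execve are treated in the 32-bit keep filter (whether they are added to the whitelist implicitly or must be listed by the user), otherwise a reader following the 64-bit description will expect the preload mechanism to cover them. Please also carry over the "!syscall2" exception syntax to the 32-bit variant if it is supported there.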