default seccomp filter update

3 files changed, 25 insertions, 13 deletions

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7a015963b..b0c960754 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -373,6 +373,10 @@ void seccomp_filter_32(void) {
                 BLACKLIST(317), // move_pages
                 BLACKLIST(316), // vmsplice
                 BLACKLIST(61),  // chroot
+                BLACKLIST(243), // set_thread_area
+                BLACKLIST(88), // reboot
+                BLACKLIST(169), // nfsservctl
+                BLACKLIST(130), // get_kernel_syms
                 RETURN_ALLOW
         };
 
@@ -562,6 +566,23 @@ int seccomp_filter_drop(int enforce_seccomp) {
 // 32bit
 //              filter_add_blacklist(SYS_personality, 0); // test wine
 //              filter_add_blacklist(SYS_set_thread_area, 0); // test wine
+
+// 0.9.39
+#ifdef SYS_set_thread_area
+                filter_add_blacklist(SYS_set_thread_area, 0);
+#endif
+#ifdef SYS_tuxcall
+                filter_add_blacklist(SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+                filter_add_blacklist(SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+                filter_add_blacklist(SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+                filter_add_blacklist(SYS_get_kernel_syms, 0);
+#endif
         }
 
         // default seccomp filter with additional drop list
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b773cc146..fa48c55cf 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -257,18 +257,7 @@ void usage(void) {
         printf("\t\trunning on the current host.\n\n");
 #endif  
 #ifdef HAVE_SECCOMP
-        printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
-        printf("\t\tlist. The default list is as follows: mount, umount2,\n");
-        printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
-        printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
-        printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
-        printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
-        printf("\t\tperf_event_open, fanotify_init, kcmp, add_key, request_key,\n");
-        printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n");
-        printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
-        printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
-        printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-        printf("\t\tkexec_file_load, chroot.\n\n");
+        printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n");
         
         printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
         printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ee019a24f..bab596e96 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1112,7 +1112,9 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
+migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+set_thread_area, tuxcall, reboot, mfsservctl and get_kernel_syms. When running on AMD64 architecture,
+an equivalent 32-bit seccomp filter is also installed.
 .br
 
 .br