author | Topi Miettinen <toiwoton@gmail.com> | 2017-07-25 13:13:04 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-07-25 13:22:25 +0300 |
commit | 42674a77233c7a716a2c0c00aee09ad6adc15c66 (patch) | |
tree | edfd5637a5c6ac546e07e865ec85d0c87114f213 /src | |
parent | Merge pull request #1397 from Panzerfather/master (diff) | |
Block some obsolete or unusual syscalls
Diffstat (limited to 'src')
-rw-r--r-- | src/fseccomp/seccomp.c | 91 |
1 files changed, 91 insertions, 0 deletions
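--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,97 @@ static void add_default_list(int fd, int allow_debuggers) {
 filter_add_blacklist(fd, SYS_vm86old, 0);
 #endif
 
+#ifdef SYS_afs_syscall
+filter_add_blacklist(fd, SYS_afs_syscall, 0);
+#endif
+#ifdef SYS_bdflush
+filter_add_blacklist(fd, SYS_bdflush, 0);
+#endif
+#ifdef SYS_break
+filter_add_blacklist(fd, SYS_break, 0);
+#endif
+#ifdef SYS_ftime
+filter_add_blacklist(fd, SYS_ftime, 0);
+#endif
+#ifdef SYS_getpmsg
+filter_add_blacklist(fd, SYS_getpmsg, 0);
+#endif
+#ifdef SYS_gtty
+filter_add_blacklist(fd, SYS_gtty, 0);
+#endif
+#ifdef SYS_lock
+filter_add_blacklist(fd, SYS_lock, 0);
+#endif
+#ifdef SYS_mpx
+filter_add_blacklist(fd, SYS_mpx, 0);
+#endif
+#ifdef SYS_pciconfig_iobase
+filter_add_blacklist(fd, SYS_pciconfig_iobase, 0);
+#endif
+#ifdef SYS_pciconfig_read
+filter_add_blacklist(fd, SYS_pciconfig_read, 0);
+#endif
+#ifdef SYS_pciconfig_write
+filter_add_blacklist(fd, SYS_pciconfig_write, 0);
+#endif
+#ifdef SYS_prof
+filter_add_blacklist(fd, SYS_prof, 0);
+#endif
+#ifdef SYS_profil
+filter_add_blacklist(fd, SYS_profil, 0);
+#endif
+#ifdef SYS_putpmsg
+filter_add_blacklist(fd, SYS_putpmsg, 0);
+#endif
+#ifdef SYS_rtas
+filter_add_blacklist(fd, SYS_rtas, 0);
+#endif
+#ifdef SYS_s390_runtime_instr
+filter_add_blacklist(fd, SYS_s390_runtime_instr, 0);
+#endif
+#ifdef SYS_s390_mmio_read
+filter_add_blacklist(fd, SYS_s390_mmio_read, 0);
+#endif
+#ifdef SYS_s390_mmio_write
+filter_add_blacklist(fd, SYS_s390_mmio_write, 0);
+#endif
+#ifdef SYS_security
+filter_add_blacklist(fd, SYS_security, 0);
+#endif
+#ifdef SYS_setdomainname
+filter_add_blacklist(fd, SYS_setdomainname, 0);
+#endif
+#ifdef SYS_sethostname
+filter_add_blacklist(fd, SYS_sethostname, 0);
+#endif
+#ifdef SYS_sgetmask
+filter_add_blacklist(fd, SYS_sgetmask, 0);
+#endif
+#ifdef SYS_ssetmask
+filter_add_blacklist(fd, SYS_ssetmask, 0);
+#endif
+#ifdef SYS_stty
+filter_add_blacklist(fd, SYS_stty, 0);
+#endif
+#ifdef SYS_subpage_prot
+filter_add_blacklist(fd, SYS_subpage_prot, 0);
+#endif
+#ifdef SYS_switch_endian
+filter_add_blacklist(fd, SYS_switch_endian, 0);
+#endif
+#ifdef SYS_sys_debug_setcontext
+filter_add_blacklist(fd, SYS_sys_debug_setcontext, 0);
+#endif
+#ifdef SYS_ulimit
+filter_add_blacklist(fd, SYS_ulimit, 0);
+#endif
+#ifdef SYS_vhangup
+filter_add_blacklist(fd, SYS_vhangup, 0);
+#endif
+#ifdef SYS_vserver
+filter_add_blacklist(fd, SYS_vserver, 0);
+#endif
+
 }
 
 // default list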
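Review bot: The 91 added lines give no reason for why these particular syscalls join the default blacklist, and a maintainer who later sees one of them killed in a bug report will need that rationale; a header before `#ifdef SYS_afs_syscall` such as `// obsolete, never-implemented or architecture-specific syscalls with no use in a sandboxed application; blocked by default` would cover the bulk of the list. Two entries do not fit that description: `SYS_sethostname` and `SYS_setdomainname` are live, privileged syscalls (CAP_SYS_ADMIN in the caller's UTS namespace), so they deserve their own comment noting that the sandbox's own hostname setup must already have run before this filter is installed — presumably it has, but that ordering is not visible in the hunk and is worth a sentence. The same applies to `SYS_vhangup`, which is privileged rather than obsolete. add_default_list begins before the hunk and its remaining body is unchanged; the closing `}` is the last line of the function.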