author | smitsohu <smitsohu@gmail.com> | 2023-05-09 12:22:33 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2023-05-09 12:22:33 +0200 |
commit | e55c3bf47bca1b3038a854491903c93b10e722c7 (patch) | |
tree | d70560027948e90cadaa42f74552722c6430aa67 /src | |
parent | build(deps): bump step-security/harden-runner from 2.3.1 to 2.4.0 (diff) | |
download | firejail-e55c3bf47bca1b3038a854491903c93b10e722c7.tar.gz firejail-e55c3bf47bca1b3038a854491903c93b10e722c7.tar.zst firejail-e55c3bf47bca1b3038a854491903c93b10e722c7.zip |
sbox: improve seccomp blacklist
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sbox.c | 21 |
1 files changed, 21 insertions, 0 deletions
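--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -132,6 +132,24 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 #ifdef SYS_umount2
 BLACKLIST(SYS_umount2),
 #endif
+#ifdef SYS_fsopen
+BLACKLIST(SYS_fsopen), // mount syscalls introduced 2019
+#endif
+#ifdef SYS_fsconfig
+BLACKLIST(SYS_fsconfig),
+#endif
+#ifdef SYS_fsmount
+BLACKLIST(SYS_fsmount),
+#endif
+#ifdef SYS_move_mount
+BLACKLIST(SYS_move_mount),
+#endif
+#ifdef SYS_fspick
+BLACKLIST(SYS_fspick),
+#endif
+#ifdef SYS_open_tree
+BLACKLIST(SYS_open_tree),
+#endif
 #ifdef SYS_ptrace
 BLACKLIST(SYS_ptrace), // trace processes
 #endif
@@ -186,6 +204,9 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 #ifdef SYS_syslog
 BLACKLIST(SYS_syslog), // kernel printk control
 #endif
+#ifdef SYS_personality
+BLACKLIST(SYS_personality), // execution domain
+#endif
 RETURN_ALLOW
 };
 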
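Review bot: The new mount-API block inserted after `BLACKLIST(SYS_umount2)` covers the six syscalls that landed in Linux 5.2, but `mount_setattr` (Linux 5.12), which also changes properties of an existing mount, is not in the list and still passes the filter; I would append `#ifdef SYS_mount_setattr` / `BLACKLIST(SYS_mount_setattr),` / `#endif` after the `open_tree` entry. The `#ifdef SYS_*` guards also mean every one of these entries is silently compiled out when the build host's headers predate the syscall, so a binary built against older headers and run on a newer kernel gets none of this protection, which deserves a comment next to the 2019 note, e.g. `// compiled out when build headers lack these numbers; see #ifdef guards`. Both hunks sit inside the filter table of sbox_do_exec_v, whose body starts and ends outside this diff.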