new syscalls added to default seccomp filter

author: netblue30 <netblue30@yahoo.com> 2015-10-15 12:26:49 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-10-15 12:26:49 -0400
commit: 0cd353a7b71db740ac02635aa09c20f531b8a53e (patch)
tree: c3f72138c68f3abf25b7741e1cfd32d1fc5819c7 /src
parent: --quiet (diff)
download: firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.tar.gz
firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.tar.zst
firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.zip
1 files changed, 82 insertions, 1 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 76e8fc81e..7366c1268 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -490,7 +490,7 @@ int seccomp_filter_drop(void) {
                filter_add_blacklist(SYS_process_vm_writev, 0);
 #endif
-// mknod removed in 0.9.29
+// mknod removed in 0.9.29 - it brakes Zotero extension
 //#ifdef SYS_mknod              
 //              filter_add_blacklist(SYS_mknod, 0);
 //#endif
@@ -520,6 +520,87 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_kcmp
                filter_add_blacklist(SYS_kcmp, 0);
 #endif
+// 0.9.32
+#ifdef SYS_add_key
+                filter_add_blacklist(SYS_add_key, 0);
+#endif
+#ifdef SYS_request_key
+                filter_add_blacklist(SYS_request_key, 0);
+#endif
+#ifdef SYS_keyctl
+                filter_add_blacklist(SYS_keyctl, 0);
+#endif
+#ifdef SYS_uselib
+                filter_add_blacklist(SYS_uselib, 0);
+#endif
+#ifdef SYS_acct
+                filter_add_blacklist(SYS_acct, 0);
+#endif
+#ifdef SYS_modify_ldt
+                filter_add_blacklist(SYS_modify_ldt, 0);
+#endif
+        //#ifdef SYS_unshare
+        //              filter_add_blacklist(SYS_unshare, 0);
+        //#endif
+#ifdef SYS_pivot_root
+                filter_add_blacklist(SYS_pivot_root, 0);
+#endif
+        //#ifdef SYS_quotactl
+        //              filter_add_blacklist(SYS_quotactl, 0);
+        //#endif
+#ifdef SYS_io_setup
+                filter_add_blacklist(SYS_io_setup, 0);
+#endif
+#ifdef SYS_io_destroy
+                filter_add_blacklist(SYS_io_destroy, 0);
+#endif
+#ifdef SYS_io_getevents
+                filter_add_blacklist(SYS_io_getevents, 0);
+#endif
+#ifdef SYS_io_submit
+                filter_add_blacklist(SYS_io_submit, 0);
+#endif
+#ifdef SYS_io_cancel
+                filter_add_blacklist(SYS_io_cancel, 0);
+#endif
+#ifdef SYS_remap_file_pages
+                filter_add_blacklist(SYS_remap_file_pages, 0);
+#endif
+#ifdef SYS_mbind
+                filter_add_blacklist(SYS_mbind, 0);
+#endif
+#ifdef SYS_get_mempolicy
+                filter_add_blacklist(SYS_get_mempolicy, 0);
+#endif
+#ifdef SYS_set_mempolicy
+                filter_add_blacklist(SYS_set_mempolicy, 0);
+#endif
+#ifdef SYS_migrate_pages
+                filter_add_blacklist(SYS_migrate_pages, 0);
+#endif
+#ifdef SYS_move_pages
+                filter_add_blacklist(SYS_move_pages, 0);
+#endif
+#ifdef SYS_vmsplice
+                filter_add_blacklist(SYS_vmsplice, 0);
+#endif
+        //#ifdef SYS_set_robust_list
+        //              filter_add_blacklist(SYS_set_robust_list, 0);
+        //#endif
+        //#ifdef SYS_get_robust_list
+        //              filter_add_blacklist(SYS_get_robust_list, 0);
+        //#endif
+#ifdef SYS_perf_event_open
+                filter_add_blacklist(SYS_perf_event_open, 0);
+#endif
+ // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
+ //     SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
+// 32bit
+//              filter_add_blacklist(SYS_personality, 0); // test wine
+//              filter_add_blacklist(SYS_set_thread_area, 0); // test wine
        }
        // default seccomp filter with additional drop list
author	netblue30 <netblue30@yahoo.com>	2015-10-15 12:26:49 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-10-15 12:26:49 -0400
commit	0cd353a7b71db740ac02635aa09c20f531b8a53e (patch)
tree	c3f72138c68f3abf25b7741e1cfd32d1fc5819c7 /src
parent	--quiet (diff)
download	firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.tar.gz firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.tar.zst firejail-0cd353a7b71db740ac02635aa09c20f531b8a53e.zip

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 76e8fc81e..7366c1268 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -490,7 +490,7 @@ int seccomp_filter_drop(void) {
490	filter_add_blacklist(SYS_process_vm_writev, 0);	490	filter_add_blacklist(SYS_process_vm_writev, 0);
491	#endif	491	#endif
492		492
493	// mknod removed in 0.9.29	493	// mknod removed in 0.9.29 - it brakes Zotero extension
494	//#ifdef SYS_mknod	494	//#ifdef SYS_mknod
495	// filter_add_blacklist(SYS_mknod, 0);	495	// filter_add_blacklist(SYS_mknod, 0);
496	//#endif	496	//#endif
@@ -520,6 +520,87 @@ int seccomp_filter_drop(void) {
520	#ifdef SYS_kcmp	520	#ifdef SYS_kcmp
521	filter_add_blacklist(SYS_kcmp, 0);	521	filter_add_blacklist(SYS_kcmp, 0);
522	#endif	522	#endif
		523
		524	// 0.9.32
		525	#ifdef SYS_add_key
		526	filter_add_blacklist(SYS_add_key, 0);
		527	#endif
		528	#ifdef SYS_request_key
		529	filter_add_blacklist(SYS_request_key, 0);
		530	#endif
		531	#ifdef SYS_keyctl
		532	filter_add_blacklist(SYS_keyctl, 0);
		533	#endif
		534	#ifdef SYS_uselib
		535	filter_add_blacklist(SYS_uselib, 0);
		536	#endif
		537	#ifdef SYS_acct
		538	filter_add_blacklist(SYS_acct, 0);
		539	#endif
		540	#ifdef SYS_modify_ldt
		541	filter_add_blacklist(SYS_modify_ldt, 0);
		542	#endif
		543	//#ifdef SYS_unshare
		544	// filter_add_blacklist(SYS_unshare, 0);
		545	//#endif
		546	#ifdef SYS_pivot_root
		547	filter_add_blacklist(SYS_pivot_root, 0);
		548	#endif
		549	//#ifdef SYS_quotactl
		550	// filter_add_blacklist(SYS_quotactl, 0);
		551	//#endif
		552	#ifdef SYS_io_setup
		553	filter_add_blacklist(SYS_io_setup, 0);
		554	#endif
		555	#ifdef SYS_io_destroy
		556	filter_add_blacklist(SYS_io_destroy, 0);
		557	#endif
		558	#ifdef SYS_io_getevents
		559	filter_add_blacklist(SYS_io_getevents, 0);
		560	#endif
		561	#ifdef SYS_io_submit
		562	filter_add_blacklist(SYS_io_submit, 0);
		563	#endif
		564	#ifdef SYS_io_cancel
		565	filter_add_blacklist(SYS_io_cancel, 0);
		566	#endif
		567	#ifdef SYS_remap_file_pages
		568	filter_add_blacklist(SYS_remap_file_pages, 0);
		569	#endif
		570	#ifdef SYS_mbind
		571	filter_add_blacklist(SYS_mbind, 0);
		572	#endif
		573	#ifdef SYS_get_mempolicy
		574	filter_add_blacklist(SYS_get_mempolicy, 0);
		575	#endif
		576	#ifdef SYS_set_mempolicy
		577	filter_add_blacklist(SYS_set_mempolicy, 0);
		578	#endif
		579	#ifdef SYS_migrate_pages
		580	filter_add_blacklist(SYS_migrate_pages, 0);
		581	#endif
		582	#ifdef SYS_move_pages
		583	filter_add_blacklist(SYS_move_pages, 0);
		584	#endif
		585	#ifdef SYS_vmsplice
		586	filter_add_blacklist(SYS_vmsplice, 0);
		587	#endif
		588	//#ifdef SYS_set_robust_list
		589	// filter_add_blacklist(SYS_set_robust_list, 0);
		590	//#endif
		591	//#ifdef SYS_get_robust_list
		592	// filter_add_blacklist(SYS_get_robust_list, 0);
		593	//#endif
		594	#ifdef SYS_perf_event_open
		595	filter_add_blacklist(SYS_perf_event_open, 0);
		596	#endif
		597
		598	// CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
		599	// SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
		600
		601	// 32bit
		602	// filter_add_blacklist(SYS_personality, 0); // test wine
		603	// filter_add_blacklist(SYS_set_thread_area, 0); // test wine
523	}	604	}
524		605
525	// default seccomp filter with additional drop list	606	// default seccomp filter with additional drop list