get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break

playing youtube videos on Firefox Nightly - #1414
author: netblue30 <netblue30@yahoo.com> 2017-08-02 08:42:25 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-08-02 08:42:25 -0400
commit: 75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6 (patch)
tree: f955efbfb5dda44f7191f2bd8f60aa791718f096 /src
parent: x11/xpra support (diff)
download: firejail-75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6.tar.gz
firejail-75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6.tar.zst
firejail-75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6.zip
3 files changed, 14 insertions, 6 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 7d2ccbbce..a30a9e00b 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -162,9 +162,13 @@ static void add_default_list(int fd, int allow_debuggers) {
 #ifdef SYS_mbind
        filter_add_blacklist(fd, SYS_mbind, 0);
 #endif
-#ifdef SYS_get_mempolicy
-        filter_add_blacklist(fd, SYS_get_mempolicy, 0);
+// breaking Firefox nightly when playing youtube videos
-#endif
+// TODO: test again when firefox sandbox is finally released
+//#ifdef SYS_get_mempolicy
+//      filter_add_blacklist(fd, SYS_get_mempolicy, 0);
+//#endif
 #ifdef SYS_set_mempolicy
        filter_add_blacklist(fd, SYS_set_mempolicy, 0);
 #endif
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index 8270b7018..fceb2c3ec 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -67,7 +67,9 @@ void seccomp_secondary_64(const char *fname) {
                BLACKLIST(210), // io_cancel
                BLACKLIST(216), // remap_file_pages
                BLACKLIST(237), // mbind
-                BLACKLIST(239), // get_mempolicy
+// breaking Firefox nightly when playing youtube videos
+// TODO: test again when firefox sandbox is finally released
+//              BLACKLIST(239), // get_mempolicy
                BLACKLIST(238), // set_mempolicy
                BLACKLIST(256), // migrate_pages
                BLACKLIST(279), // move_pages
@@ -148,7 +150,9 @@ void seccomp_secondary_32(const char *fname) {
                BLACKLIST(249), // io_cancel
                BLACKLIST(257), // remap_file_pages
                BLACKLIST(274), // mbind
-                BLACKLIST(275), // get_mempolicy
+// breaking Firefox nightly when playing youtube videos
+// TODO: test again when firefox sandbox is finally released
+//              BLACKLIST(275), // get_mempolicy
                BLACKLIST(276), // set_mempolicy
                BLACKLIST(294), // migrate_pages
                BLACKLIST(317), // move_pages
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3a5e8560c..af2724aa9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1488,7 +1488,7 @@ iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, get_mempolicy, set_mempolicy,
+remap_file_pages, mbind, set_mempolicy,
 migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl, get_kernel_syms,
 bpf, clock_settime, personality, process_vm_writev, query_module,
author	netblue30 <netblue30@yahoo.com>	2017-08-02 08:42:25 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-08-02 08:42:25 -0400
commit	75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6 (patch)
tree	f955efbfb5dda44f7191f2bd8f60aa791718f096 /src
parent	x11/xpra support (diff)
download	firejail-75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6.tar.gz firejail-75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6.tar.zst firejail-75a75e87f75d5f2a2c1bf315b29b6a7a4b303de6.zip

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 7d2ccbbce..a30a9e00b 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -162,9 +162,13 @@ static void add_default_list(int fd, int allow_debuggers) {
162	#ifdef SYS_mbind	162	#ifdef SYS_mbind
163	filter_add_blacklist(fd, SYS_mbind, 0);	163	filter_add_blacklist(fd, SYS_mbind, 0);
164	#endif	164	#endif
165	#ifdef SYS_get_mempolicy	165
166	filter_add_blacklist(fd, SYS_get_mempolicy, 0);	166	// breaking Firefox nightly when playing youtube videos
167	#endif	167	// TODO: test again when firefox sandbox is finally released
		168	//#ifdef SYS_get_mempolicy
		169	// filter_add_blacklist(fd, SYS_get_mempolicy, 0);
		170	//#endif
		171
168	#ifdef SYS_set_mempolicy	172	#ifdef SYS_set_mempolicy
169	filter_add_blacklist(fd, SYS_set_mempolicy, 0);	173	filter_add_blacklist(fd, SYS_set_mempolicy, 0);
170	#endif	174	#endif


diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index 8270b7018..fceb2c3ec 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c
@@ -67,7 +67,9 @@ void seccomp_secondary_64(const char *fname) {
67	BLACKLIST(210), // io_cancel	67	BLACKLIST(210), // io_cancel
68	BLACKLIST(216), // remap_file_pages	68	BLACKLIST(216), // remap_file_pages
69	BLACKLIST(237), // mbind	69	BLACKLIST(237), // mbind
70	BLACKLIST(239), // get_mempolicy	70	// breaking Firefox nightly when playing youtube videos
		71	// TODO: test again when firefox sandbox is finally released
		72	// BLACKLIST(239), // get_mempolicy
71	BLACKLIST(238), // set_mempolicy	73	BLACKLIST(238), // set_mempolicy
72	BLACKLIST(256), // migrate_pages	74	BLACKLIST(256), // migrate_pages
73	BLACKLIST(279), // move_pages	75	BLACKLIST(279), // move_pages
@@ -148,7 +150,9 @@ void seccomp_secondary_32(const char *fname) {
148	BLACKLIST(249), // io_cancel	150	BLACKLIST(249), // io_cancel
149	BLACKLIST(257), // remap_file_pages	151	BLACKLIST(257), // remap_file_pages
150	BLACKLIST(274), // mbind	152	BLACKLIST(274), // mbind
151	BLACKLIST(275), // get_mempolicy	153	// breaking Firefox nightly when playing youtube videos
		154	// TODO: test again when firefox sandbox is finally released
		155	// BLACKLIST(275), // get_mempolicy
152	BLACKLIST(276), // set_mempolicy	156	BLACKLIST(276), // set_mempolicy
153	BLACKLIST(294), // migrate_pages	157	BLACKLIST(294), // migrate_pages
154	BLACKLIST(317), // move_pages	158	BLACKLIST(317), // move_pages


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3a5e8560c..af2724aa9 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1488,7 +1488,7 @@ iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_
1488	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,	1488	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
1489	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,	1489	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
1490	io_destroy, io_getevents, io_submit, io_cancel,	1490	io_destroy, io_getevents, io_submit, io_cancel,
1491	remap_file_pages, mbind, get_mempolicy, set_mempolicy,	1491	remap_file_pages, mbind, set_mempolicy,
1492	migrate_pages, move_pages, vmsplice, chroot,	1492	migrate_pages, move_pages, vmsplice, chroot,
1493	tuxcall, reboot, mfsservctl, get_kernel_syms,	1493	tuxcall, reboot, mfsservctl, get_kernel_syms,
1494	bpf, clock_settime, personality, process_vm_writev, query_module,	1494	bpf, clock_settime, personality, process_vm_writev, query_module,