Block some obsolete or unusual syscalls

author: Topi Miettinen <toiwoton@gmail.com> 2017-07-25 13:13:04 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-07-25 13:22:25 +0300
commit: 42674a77233c7a716a2c0c00aee09ad6adc15c66 (patch)
tree: edfd5637a5c6ac546e07e865ec85d0c87114f213 /src
parent: Merge pull request #1397 from Panzerfather/master (diff)
download: firejail-42674a77233c7a716a2c0c00aee09ad6adc15c66.tar.gz
firejail-42674a77233c7a716a2c0c00aee09ad6adc15c66.tar.zst
firejail-42674a77233c7a716a2c0c00aee09ad6adc15c66.zip
1 files changed, 91 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index c12edfd90..4f8de8c5e 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,97 @@ static void add_default_list(int fd, int allow_debuggers) {
        filter_add_blacklist(fd, SYS_vm86old, 0);
 #endif
+#ifdef SYS_afs_syscall
+        filter_add_blacklist(fd, SYS_afs_syscall, 0);
+#endif
+#ifdef SYS_bdflush
+        filter_add_blacklist(fd, SYS_bdflush, 0);
+#endif
+#ifdef SYS_break
+        filter_add_blacklist(fd, SYS_break, 0);
+#endif
+#ifdef SYS_ftime
+        filter_add_blacklist(fd, SYS_ftime, 0);
+#endif
+#ifdef SYS_getpmsg
+        filter_add_blacklist(fd, SYS_getpmsg, 0);
+#endif
+#ifdef SYS_gtty
+        filter_add_blacklist(fd, SYS_gtty, 0);
+#endif
+#ifdef SYS_lock
+        filter_add_blacklist(fd, SYS_lock, 0);
+#endif
+#ifdef SYS_mpx
+        filter_add_blacklist(fd, SYS_mpx, 0);
+#endif
+#ifdef SYS_pciconfig_iobase
+        filter_add_blacklist(fd, SYS_pciconfig_iobase, 0);
+#endif
+#ifdef SYS_pciconfig_read
+        filter_add_blacklist(fd, SYS_pciconfig_read, 0);
+#endif
+#ifdef SYS_pciconfig_write
+        filter_add_blacklist(fd, SYS_pciconfig_write, 0);
+#endif
+#ifdef SYS_prof
+        filter_add_blacklist(fd, SYS_prof, 0);
+#endif
+#ifdef SYS_profil
+        filter_add_blacklist(fd, SYS_profil, 0);
+#endif
+#ifdef SYS_putpmsg
+        filter_add_blacklist(fd, SYS_putpmsg, 0);
+#endif
+#ifdef SYS_rtas
+        filter_add_blacklist(fd, SYS_rtas, 0);
+#endif
+#ifdef SYS_s390_runtime_instr
+        filter_add_blacklist(fd, SYS_s390_runtime_instr, 0);
+#endif
+#ifdef SYS_s390_mmio_read
+        filter_add_blacklist(fd, SYS_s390_mmio_read, 0);
+#endif
+#ifdef SYS_s390_mmio_write
+        filter_add_blacklist(fd, SYS_s390_mmio_write, 0);
+#endif
+#ifdef SYS_security
+        filter_add_blacklist(fd, SYS_security, 0);
+#endif
+#ifdef SYS_setdomainname
+        filter_add_blacklist(fd, SYS_setdomainname, 0);
+#endif
+#ifdef SYS_sethostname
+        filter_add_blacklist(fd, SYS_sethostname, 0);
+#endif
+#ifdef SYS_sgetmask
+        filter_add_blacklist(fd, SYS_sgetmask, 0);
+#endif
+#ifdef SYS_ssetmask
+        filter_add_blacklist(fd, SYS_ssetmask, 0);
+#endif
+#ifdef SYS_stty
+        filter_add_blacklist(fd, SYS_stty, 0);
+#endif
+#ifdef SYS_subpage_prot
+        filter_add_blacklist(fd, SYS_subpage_prot, 0);
+#endif
+#ifdef SYS_switch_endian
+        filter_add_blacklist(fd, SYS_switch_endian, 0);
+#endif
+#ifdef SYS_sys_debug_setcontext
+        filter_add_blacklist(fd, SYS_sys_debug_setcontext, 0);
+#endif
+#ifdef SYS_ulimit
+        filter_add_blacklist(fd, SYS_ulimit, 0);
+#endif
+#ifdef SYS_vhangup
+        filter_add_blacklist(fd, SYS_vhangup, 0);
+#endif
+#ifdef SYS_vserver
+        filter_add_blacklist(fd, SYS_vserver, 0);
+#endif
 }
 // default list
author	Topi Miettinen <toiwoton@gmail.com>	2017-07-25 13:13:04 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-07-25 13:22:25 +0300
commit	42674a77233c7a716a2c0c00aee09ad6adc15c66 (patch)
tree	edfd5637a5c6ac546e07e865ec85d0c87114f213 /src
parent	Merge pull request #1397 from Panzerfather/master (diff)
download	firejail-42674a77233c7a716a2c0c00aee09ad6adc15c66.tar.gz firejail-42674a77233c7a716a2c0c00aee09ad6adc15c66.tar.zst firejail-42674a77233c7a716a2c0c00aee09ad6adc15c66.zip

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index c12edfd90..4f8de8c5e 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -240,6 +240,97 @@ static void add_default_list(int fd, int allow_debuggers) {
240	filter_add_blacklist(fd, SYS_vm86old, 0);	240	filter_add_blacklist(fd, SYS_vm86old, 0);
241	#endif	241	#endif
242		242
		243	#ifdef SYS_afs_syscall
		244	filter_add_blacklist(fd, SYS_afs_syscall, 0);
		245	#endif
		246	#ifdef SYS_bdflush
		247	filter_add_blacklist(fd, SYS_bdflush, 0);
		248	#endif
		249	#ifdef SYS_break
		250	filter_add_blacklist(fd, SYS_break, 0);
		251	#endif
		252	#ifdef SYS_ftime
		253	filter_add_blacklist(fd, SYS_ftime, 0);
		254	#endif
		255	#ifdef SYS_getpmsg
		256	filter_add_blacklist(fd, SYS_getpmsg, 0);
		257	#endif
		258	#ifdef SYS_gtty
		259	filter_add_blacklist(fd, SYS_gtty, 0);
		260	#endif
		261	#ifdef SYS_lock
		262	filter_add_blacklist(fd, SYS_lock, 0);
		263	#endif
		264	#ifdef SYS_mpx
		265	filter_add_blacklist(fd, SYS_mpx, 0);
		266	#endif
		267	#ifdef SYS_pciconfig_iobase
		268	filter_add_blacklist(fd, SYS_pciconfig_iobase, 0);
		269	#endif
		270	#ifdef SYS_pciconfig_read
		271	filter_add_blacklist(fd, SYS_pciconfig_read, 0);
		272	#endif
		273	#ifdef SYS_pciconfig_write
		274	filter_add_blacklist(fd, SYS_pciconfig_write, 0);
		275	#endif
		276	#ifdef SYS_prof
		277	filter_add_blacklist(fd, SYS_prof, 0);
		278	#endif
		279	#ifdef SYS_profil
		280	filter_add_blacklist(fd, SYS_profil, 0);
		281	#endif
		282	#ifdef SYS_putpmsg
		283	filter_add_blacklist(fd, SYS_putpmsg, 0);
		284	#endif
		285	#ifdef SYS_rtas
		286	filter_add_blacklist(fd, SYS_rtas, 0);
		287	#endif
		288	#ifdef SYS_s390_runtime_instr
		289	filter_add_blacklist(fd, SYS_s390_runtime_instr, 0);
		290	#endif
		291	#ifdef SYS_s390_mmio_read
		292	filter_add_blacklist(fd, SYS_s390_mmio_read, 0);
		293	#endif
		294	#ifdef SYS_s390_mmio_write
		295	filter_add_blacklist(fd, SYS_s390_mmio_write, 0);
		296	#endif
		297	#ifdef SYS_security
		298	filter_add_blacklist(fd, SYS_security, 0);
		299	#endif
		300	#ifdef SYS_setdomainname
		301	filter_add_blacklist(fd, SYS_setdomainname, 0);
		302	#endif
		303	#ifdef SYS_sethostname
		304	filter_add_blacklist(fd, SYS_sethostname, 0);
		305	#endif
		306	#ifdef SYS_sgetmask
		307	filter_add_blacklist(fd, SYS_sgetmask, 0);
		308	#endif
		309	#ifdef SYS_ssetmask
		310	filter_add_blacklist(fd, SYS_ssetmask, 0);
		311	#endif
		312	#ifdef SYS_stty
		313	filter_add_blacklist(fd, SYS_stty, 0);
		314	#endif
		315	#ifdef SYS_subpage_prot
		316	filter_add_blacklist(fd, SYS_subpage_prot, 0);
		317	#endif
		318	#ifdef SYS_switch_endian
		319	filter_add_blacklist(fd, SYS_switch_endian, 0);
		320	#endif
		321	#ifdef SYS_sys_debug_setcontext
		322	filter_add_blacklist(fd, SYS_sys_debug_setcontext, 0);
		323	#endif
		324	#ifdef SYS_ulimit
		325	filter_add_blacklist(fd, SYS_ulimit, 0);
		326	#endif
		327	#ifdef SYS_vhangup
		328	filter_add_blacklist(fd, SYS_vhangup, 0);
		329	#endif
		330	#ifdef SYS_vserver
		331	filter_add_blacklist(fd, SYS_vserver, 0);
		332	#endif
		333
243	}	334	}
244		335
245	// default list	336	// default list