-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 83 | ||||
-rw-r--r-- | todo | 134 |
4 files changed, 226 insertions, 11 deletions
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.32-rc1. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.32-rc2. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.32-rc1' | 583 | PACKAGE_VERSION='0.9.32-rc2' |
584 | PACKAGE_STRING='firejail 0.9.32-rc1' | 584 | PACKAGE_STRING='firejail 0.9.32-rc2' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://github.com/netblue30/firejail' | 586 | PACKAGE_URL='http://github.com/netblue30/firejail' |
587 | 587 | ||
@@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then | |||
1238 | # Omit some internal or obsolete options to make the list less imposing. | 1238 | # Omit some internal or obsolete options to make the list less imposing. |
1239 | # This message is too long to be a string in the A/UX 3.1 sh. | 1239 | # This message is too long to be a string in the A/UX 3.1 sh. |
1240 | cat <<_ACEOF | 1240 | cat <<_ACEOF |
1241 | \`configure' configures firejail 0.9.32-rc1 to adapt to many kinds of systems. | 1241 | \`configure' configures firejail 0.9.32-rc2 to adapt to many kinds of systems. |
1242 | 1242 | ||
1243 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1243 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1244 | 1244 | ||
@@ -1299,7 +1299,7 @@ fi | |||
1299 | 1299 | ||
1300 | if test -n "$ac_init_help"; then | 1300 | if test -n "$ac_init_help"; then |
1301 | case $ac_init_help in | 1301 | case $ac_init_help in |
1302 | short | recursive ) echo "Configuration of firejail 0.9.32-rc1:";; | 1302 | short | recursive ) echo "Configuration of firejail 0.9.32-rc2:";; |
1303 | esac | 1303 | esac |
1304 | cat <<\_ACEOF | 1304 | cat <<\_ACEOF |
1305 | 1305 | ||
@@ -1389,7 +1389,7 @@ fi | |||
1389 | test -n "$ac_init_help" && exit $ac_status | 1389 | test -n "$ac_init_help" && exit $ac_status |
1390 | if $ac_init_version; then | 1390 | if $ac_init_version; then |
1391 | cat <<\_ACEOF | 1391 | cat <<\_ACEOF |
1392 | firejail configure 0.9.32-rc1 | 1392 | firejail configure 0.9.32-rc2 |
1393 | generated by GNU Autoconf 2.69 | 1393 | generated by GNU Autoconf 2.69 |
1394 | 1394 | ||
1395 | Copyright (C) 2012 Free Software Foundation, Inc. | 1395 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF | |||
1691 | This file contains any messages produced by compilers while | 1691 | This file contains any messages produced by compilers while |
1692 | running configure, to aid debugging if configure makes a mistake. | 1692 | running configure, to aid debugging if configure makes a mistake. |
1693 | 1693 | ||
1694 | It was created by firejail $as_me 0.9.32-rc1, which was | 1694 | It was created by firejail $as_me 0.9.32-rc2, which was |
1695 | generated by GNU Autoconf 2.69. Invocation command line was | 1695 | generated by GNU Autoconf 2.69. Invocation command line was |
1696 | 1696 | ||
1697 | $ $0 $@ | 1697 | $ $0 $@ |
@@ -4102,7 +4102,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4102 | # report actual input values of CONFIG_FILES etc. instead of their | 4102 | # report actual input values of CONFIG_FILES etc. instead of their |
4103 | # values after options handling. | 4103 | # values after options handling. |
4104 | ac_log=" | 4104 | ac_log=" |
4105 | This file was extended by firejail $as_me 0.9.32-rc1, which was | 4105 | This file was extended by firejail $as_me 0.9.32-rc2, which was |
4106 | generated by GNU Autoconf 2.69. Invocation command line was | 4106 | generated by GNU Autoconf 2.69. Invocation command line was |
4107 | 4107 | ||
4108 | CONFIG_FILES = $CONFIG_FILES | 4108 | CONFIG_FILES = $CONFIG_FILES |
@@ -4156,7 +4156,7 @@ _ACEOF | |||
4156 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4156 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4157 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4157 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4158 | ac_cs_version="\\ | 4158 | ac_cs_version="\\ |
4159 | firejail config.status 0.9.32-rc1 | 4159 | firejail config.status 0.9.32-rc2 |
4160 | configured by $0, generated by GNU Autoconf 2.69, | 4160 | configured by $0, generated by GNU Autoconf 2.69, |
4161 | with options \\"\$ac_cs_config\\" | 4161 | with options \\"\$ac_cs_config\\" |
4162 | 4162 | ||
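--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.32-rc1, netblue30@yahoo.com, , http://github.com/netblue30/firejail)
+AC_INIT(firejail, 0.9.32-rc2, netblue30@yahoo.com, , http://github.com/netblue30/firejail)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 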
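--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -490,7 +490,7 @@ int seccomp_filter_drop(void) {
 filter_add_blacklist(SYS_process_vm_writev, 0);
 #endif
 
-// mknod removed in 0.9.29
+// mknod removed in 0.9.29 - it brakes Zotero extension
 //#ifdef SYS_mknod
 // filter_add_blacklist(SYS_mknod, 0);
 //#endif
@@ -520,6 +520,87 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_kcmp
 filter_add_blacklist(SYS_kcmp, 0);
 #endif
+
+// 0.9.32
+#ifdef SYS_add_key
+filter_add_blacklist(SYS_add_key, 0);
+#endif
+#ifdef SYS_request_key
+filter_add_blacklist(SYS_request_key, 0);
+#endif
+#ifdef SYS_keyctl
+filter_add_blacklist(SYS_keyctl, 0);
+#endif
+#ifdef SYS_uselib
+filter_add_blacklist(SYS_uselib, 0);
+#endif
+#ifdef SYS_acct
+filter_add_blacklist(SYS_acct, 0);
+#endif
+#ifdef SYS_modify_ldt
+filter_add_blacklist(SYS_modify_ldt, 0);
+#endif
+//#ifdef SYS_unshare
+// filter_add_blacklist(SYS_unshare, 0);
+//#endif
+#ifdef SYS_pivot_root
+filter_add_blacklist(SYS_pivot_root, 0);
+#endif
+//#ifdef SYS_quotactl
+// filter_add_blacklist(SYS_quotactl, 0);
+//#endif
+#ifdef SYS_io_setup
+filter_add_blacklist(SYS_io_setup, 0);
+#endif
+#ifdef SYS_io_destroy
+filter_add_blacklist(SYS_io_destroy, 0);
+#endif
+#ifdef SYS_io_getevents
+filter_add_blacklist(SYS_io_getevents, 0);
+#endif
+#ifdef SYS_io_submit
+filter_add_blacklist(SYS_io_submit, 0);
+#endif
+#ifdef SYS_io_cancel
+filter_add_blacklist(SYS_io_cancel, 0);
+#endif
+#ifdef SYS_remap_file_pages
+filter_add_blacklist(SYS_remap_file_pages, 0);
+#endif
+#ifdef SYS_mbind
+filter_add_blacklist(SYS_mbind, 0);
+#endif
+#ifdef SYS_get_mempolicy
+filter_add_blacklist(SYS_get_mempolicy, 0);
+#endif
+#ifdef SYS_set_mempolicy
+filter_add_blacklist(SYS_set_mempolicy, 0);
+#endif
+#ifdef SYS_migrate_pages
+filter_add_blacklist(SYS_migrate_pages, 0);
+#endif
+#ifdef SYS_move_pages
+filter_add_blacklist(SYS_move_pages, 0);
+#endif
+#ifdef SYS_vmsplice
+filter_add_blacklist(SYS_vmsplice, 0);
+#endif
+//#ifdef SYS_set_robust_list
+// filter_add_blacklist(SYS_set_robust_list, 0);
+//#endif
+//#ifdef SYS_get_robust_list
+// filter_add_blacklist(SYS_get_robust_list, 0);
+//#endif
+#ifdef SYS_perf_event_open
+filter_add_blacklist(SYS_perf_event_open, 0);
+#endif
+
+// CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
+// SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
+
+// 32bit
+// filter_add_blacklist(SYS_personality, 0); // test wine
+// filter_add_blacklist(SYS_set_thread_area, 0); // test wine
 }
 
 // default seccomp filter with additional drop list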
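Review bot: The entries this hunk leaves commented out (unshare, quotactl, set_robust_list/get_robust_list, and the clone/CLONE_NEWUSER and 32-bit lines at the end of the new group) carry no reason, unlike the mknod note in the first hunk, so the next reader cannot tell whether each was disabled because it broke something or simply was not tested. A one-line comment per disabled group would record that, e.g. `// unshare/quotactl not in the default drop list: reason TODO (breakage seen? untested?)`. Every new entry is also wrapped in `#ifdef SYS_*`, which makes the filter's coverage depend on the headers of the build host: a syscall whose number is absent from the build's <sys/syscall.h> is silently not filtered at runtime, and a comment at the top of the group such as `// each entry is #ifdef-guarded: a syscall unknown to the build headers is NOT filtered` would make that trade-off visible. The mknod comment in the first hunk should read "breaks", not "brakes". seccomp_filter_drop begins before the first hunk, so it is inferred rather than visible whether mount, which the reference list in the todo file blocks next to pivot_root, is already handled earlier in the function.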
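--- a/todo
+++ b/todo
@@ -45,3 +45,137 @@ make[1]: *** [seccomp.o] Error 1
 
 7. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
 RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog,
+
+8. To investigate
+void SupervisorMain::setupSeccomp() {
+// Install a rudimentary seccomp blacklist.
+// TODO(security): Change this to a whitelist.
+
+scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
+if (ctx == nullptr)
+KJ_FAIL_SYSCALL("seccomp_init", 0); // No real error code
+KJ_DEFER(seccomp_release(ctx));
+
+#define CHECK_SECCOMP(call) \
+do { \
+if (auto result = (call)) { \
+KJ_FAIL_SYSCALL(#call, -result); \
+} \
+} while (0)
+
+// Native code only for now, so there are no seccomp_arch_add calls.
+
+// Redundant, but this is standard and harmless.
+CHECK_SECCOMP(seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 1));
+
+// It's easy to inadvertently issue an x32 syscall (e.g. syscall(-1)). Such syscalls
+// should fail, but there's no need to kill the issuer.
+CHECK_SECCOMP(seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ERRNO(ENOSYS)));
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wmissing-field-initializers" // SCMP_* macros produce these
+// Disable some things that seem scary.
+if (!devmode) {
+// ptrace is scary
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 0));
+} else {
+// Try to be somewhat safe with ptrace in dev mode. Note that the ability to modify
+// orig_ax using ptrace allows a complete seccomp bypass.
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1,
+SCMP_A0(SCMP_CMP_EQ, PTRACE_POKEUSER)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1,
+SCMP_A0(SCMP_CMP_EQ, PTRACE_SETREGS)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1,
+SCMP_A0(SCMP_CMP_EQ, PTRACE_SETFPREGS)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1,
+SCMP_A0(SCMP_CMP_EQ, PTRACE_SETREGSET)));
+}
+
+// Restrict the set of allowable network protocol families
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_AX25)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_IPX)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_NETROM)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_X25)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_ROSE)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_DECnet)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_SECURITY)));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+SCMP_A0(SCMP_CMP_EQ, AF_KEY)));
+#pragma GCC diagnostic pop
+
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(add_key), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(request_key), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(keyctl), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(syslog), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(uselib), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(personality), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(acct), 0));
+
+// 16-bit code is unnecessary in the sandbox, and modify_ldt is a historic source
+// of interesting information leaks.
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(modify_ldt), 0));
+
+// Despite existing at a 64-bit syscall, set_thread_area is only useful
+// for 32-bit programs. 64-bit programs use arch_prctl instead.
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_thread_area), 0));
+
+// Disable namespaces. Nested sandboxing could be useful but the attack surface is large.
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(unshare), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(mount), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(pivot_root), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(quotactl), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
+SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
+
+// AIO is scary.
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_setup), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_destroy), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_getevents), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_submit), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_cancel), 0));
+
+// Scary vm syscalls
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(remap_file_pages), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(mbind), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(get_mempolicy), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_mempolicy), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(migrate_pages), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(move_pages), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(vmsplice), 0));
+
+// Scary futex operations
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_robust_list), 0));
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(get_robust_list), 0));
+
+// Utterly terrifying profiling operations
+CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(perf_event_open), 0));
+
+// TOOD(someday): See if we can get away with turning off mincore, madvise, sysinfo etc.
+
+// TODO(someday): Turn off POSIX message queues and other such esoteric features.
+
+if (seccompDumpPfc) {
+seccomp_export_pfc(ctx, 1);
+}
+
+CHECK_SECCOMP(seccomp_load(ctx));
+
+#undef CHECK_SECCOMP
+}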