-rw-r--r-- | src/firejail/seccomp.c | 8 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
4 files changed, 8 insertions, 6 deletions
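--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -452,9 +452,11 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_process_vm_writev
 filter_add_blacklist(SYS_process_vm_writev);
 #endif
-#ifdef SYS_mknod
-filter_add_blacklist(SYS_mknod);
-#endif
+
+// mknod removed in 0.9.29
+//#ifdef SYS_mknod
+// filter_add_blacklist(SYS_mknod);
+//#endif
 
 // new syscalls in 0.9,23
 #ifdef SYS_sysfs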
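Review bot: The mknod entry at new lines 457–459 is kept as commented-out code instead of being deleted, and the comment at new line 456 records the version but not the reason the syscall was dropped from the default blacklist, so a later reader of the filter cannot tell whether this was a compatibility fix or a deliberate loosening of the sandbox. Git already keeps the old lines; replace the four commented lines with one why-comment such as `// mknod dropped from the default blacklist in 0.9.29: <reason>; profiles can still add it with "seccomp mknod"` (the profile syntax is the one documented in firejail-profile.txt in this commit). The usage text and both man pages edited here are the only places a user would learn that the default no longer covers mknod, so the same rationale belongs in the commit message or those docs. seccomp_filter_drop starts and ends outside the hunk.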
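--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -190,7 +190,7 @@ void usage(void) {
 printf("\t\tlist. The default list is as follows: mount, umount2,\n");
 printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
 printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
-printf("\t\tmknode, syslog, process_vm_readv and process_vm_writev\n");
+printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
 printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
 printf("\t\tperf_event_open, fanotify_init and kcmp.\n\n");
 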
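Review bot: The default-list string at new line 193 is the third hand-maintained copy of the blacklist in this commit (the same edit is repeated in firejail-profile.txt and firejail.txt), and none of the three is derived from the `filter_add_blacklist` calls in seccomp.c, so they will drift again the next time a syscall is added or removed, as the now-deleted "mknode" spelling already showed. Consider generating this text from one shared table that seccomp_filter_drop also walks, or at least add `/* keep in sync with seccomp_filter_drop() and the two man pages */` above the block. Unchanged line 194 still continues the enumeration after "and process_vm_writev", so the help text reads as two lists run together; since the line is being touched anyway, the "and" belongs only before the final item on line 195. usage() starts and ends outside the hunk.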
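--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -106,7 +106,7 @@ Whitelist Linux capabilities filter.
 \f\seccomp
 Enable default seccomp filter. The default list is as follows:
 mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \f\seccomp syscall,syscall,syscall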
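--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -742,7 +742,7 @@ $ firejail \-\-net=eth0 \-\-scan
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
 mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .br
 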