-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/clementine.profile | 2 | ||||
-rw-r--r-- | etc/firefox-common.profile | 2 | ||||
-rw-r--r-- | etc/kmail.profile | 2 | ||||
-rw-r--r-- | etc/mpd.profile | 2 | ||||
-rw-r--r-- | etc/qutebrowser.profile | 2 | ||||
-rw-r--r-- | etc/torbrowser-launcher.profile | 2 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 6 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
9 files changed, 10 insertions, 11 deletions
@@ -7,7 +7,6 @@ firejail (0.9.58~rc1) baseline; urgency=low | |||
7 | for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F | 7 | for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F |
8 | * profile name support | 8 | * profile name support |
9 | * added explicit nonewprivs support to join option | 9 | * added explicit nonewprivs support to join option |
10 | * add mincore syscall to default seccomp list | ||
11 | * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms | 10 | * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms |
12 | * new profiles: devilspie, devilspie2, easystroke, github-desktop, min | 11 | * new profiles: devilspie, devilspie2, easystroke, github-desktop, min |
13 | * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat | 12 | * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat |
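--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop mincore,@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 
 private-dev
 private-tmp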
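Review bot: Removing `mincore` from this hand-maintained `seccomp.drop` line drops the restriction unconditionally, while the only justification on the page (the comment added in src/fseccomp/syscall.c: fixed in Linux 5.0, breaks kodi, mpv and totem on 4.x) names media players, so the same edit in etc/firefox-common.profile, etc/kmail.profile, etc/qutebrowser.profile and etc/torbrowser-launcher.profile is not covered by that rationale; etc/mpd.profile shares it with this file. Whatever motivated adding mincore in 0.9.57 — presumably a kernel-side information leak, which the comment only calls "problem" — hosts still on 4.x kernels lose it in every one of these profiles, so keeping `mincore` in the browser and mail profiles, or at least stating the reason for dropping it, seems worth considering. This file already documents such exceptions on the line above (`# blacklisting of ioprio_set system calls breaks clementine`); a matching one-liner would do, e.g. `# mincore is not dropped: blocking it breaks media playback on pre-5.0 kernels (see src/fseccomp/syscall.c)`.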
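--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -40,7 +40,7 @@ noroot
 notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 #disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
 #tracelog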
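--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -50,7 +50,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user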
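--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -30,7 +30,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop mincore,@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 shell none
 
 #private-bin mpd,bash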
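--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -41,5 +41,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog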
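--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -41,7 +41,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop mincore,@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog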
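--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -170,9 +170,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_userfaultfd
 "userfaultfd,"
 #endif
-#ifdef SYS_mincore // 0.9.57
-"mincore"
-#endif
+//#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
+// "mincore"
+//#endif
 },
 { .name = "@default-nodebuggers", .list =
 "@default,"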
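Review bot: The `#ifdef SYS_mincore` block is disabled by prefixing its three lines with `//` rather than deleted, leaving commented-out code in the `@default` initializer; removing the lines and keeping the reason as one comment is the cleaner form, e.g. `// mincore was added to @default in 0.9.57 and removed again: the kernel-side problem is fixed in Linux 5.0, and blocking it breaks kodi, mpv and totem on 4.x`. With that block gone the `@default` list ends on `"userfaultfd,"`, so the string now carries a trailing comma whenever SYS_userfaultfd is defined; if the list parser does not already tolerate an empty final token this needs a check, although the same shape presumably already occurred on toolchains lacking SYS_mincore. The comment would also be a good place to state the operational consequence: hosts still on 4.x kernels lose this entry from `@default` and can restore it per profile with `seccomp.drop mincore`. The `sysgroups[]` initializer begins before this hunk and continues after it.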
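--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1700,7 +1700,7 @@ Enable seccomp filter and blacklist the syscalls in the default list (@default).
 _sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
 create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
 io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, mincore, move_pages, mpx,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
 name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
 personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
 query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,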