-rw-r--r-- | README.md | 3 | ||||
-rw-r--r-- | src/fseccomp/seccomp.c | 10 | ||||
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 8 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
4 files changed, 17 insertions, 6 deletions
@@ -140,6 +140,9 @@ pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read | |||
140 | security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, | 140 | security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian, |
141 | ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default. | 141 | ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted by default. |
142 | 142 | ||
143 | get_mempolicy syscall was temporarily removed from the default seccomp list. It seems to break | ||
144 | playing youtube videos on Firefox Nightly. | ||
145 | |||
143 | 146 | ||
144 | 147 | ||
145 | ## New profiles: | 148 | ## New profiles: |
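--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -162,9 +162,13 @@ static void add_default_list(int fd, int allow_debuggers) {
 #ifdef SYS_mbind
 filter_add_blacklist(fd, SYS_mbind, 0);
 #endif
-#ifdef SYS_get_mempolicy
-filter_add_blacklist(fd, SYS_get_mempolicy, 0);
-#endif
+
+// breaking Firefox nightly when playing youtube videos
+// TODO: test again when firefox sandbox is finally released
+//#ifdef SYS_get_mempolicy
+// filter_add_blacklist(fd, SYS_get_mempolicy, 0);
+//#endif
+
 #ifdef SYS_set_mempolicy
 filter_add_blacklist(fd, SYS_set_mempolicy, 0);
 #endif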
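Review bot: The new lines 168-170 keep the get_mempolicy blacklist as commented-out code under a TODO, so the next reader cannot tell whether this is a pending revert or a deliberate permanent exception, and dead code like this tends to rot unnoticed. Since get_mempolicy(2) only reads NUMA policy and the decision to allow it was made on purpose, I would delete the three commented lines and record the decision in one comment: `// get_mempolicy is deliberately NOT blacklisted: blocking it breaks YouTube playback in Firefox Nightly. Re-test once Firefox's own sandbox lands and restore the blacklist entry if it is no longer needed.` Note also that the README in this same commit still states that 91 syscalls are blacklisted by default although one has just been removed from the list. add_default_list() begins before this hunk and continues past it.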
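--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -67,7 +67,9 @@ void seccomp_secondary_64(const char *fname) {
 BLACKLIST(210), // io_cancel
 BLACKLIST(216), // remap_file_pages
 BLACKLIST(237), // mbind
-BLACKLIST(239), // get_mempolicy
+// breaking Firefox nightly when playing youtube videos
+// TODO: test again when firefox sandbox is finally released
+// BLACKLIST(239), // get_mempolicy
 BLACKLIST(238), // set_mempolicy
 BLACKLIST(256), // migrate_pages
 BLACKLIST(279), // move_pages
@@ -148,7 +150,9 @@ void seccomp_secondary_32(const char *fname) {
 BLACKLIST(249), // io_cancel
 BLACKLIST(257), // remap_file_pages
 BLACKLIST(274), // mbind
-BLACKLIST(275), // get_mempolicy
+// breaking Firefox nightly when playing youtube videos
+// TODO: test again when firefox sandbox is finally released
+// BLACKLIST(275), // get_mempolicy
 BLACKLIST(276), // set_mempolicy
 BLACKLIST(294), // migrate_pages
 BLACKLIST(317), // move_pages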
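Review bot: The exception is carried here as raw syscall numbers (239 at new line 72 in seccomp_secondary_64, 275 at new line 155 in seccomp_secondary_32) with no cross-reference to add_default_list() in seccomp.c, which expresses the same entry as SYS_get_mempolicy; the primary and secondary default lists can only be kept consistent by hand, and a commented-out line with an untracked TODO is the easiest kind of entry to forget on the next sync. I would replace each commented-out `BLACKLIST` line with a comment that states the exception and points at the authoritative list, e.g. `// get_mempolicy (239) intentionally allowed - keep in sync with add_default_list() in seccomp.c`, and the same with 275 in the 32-bit table. Both BLACKLIST tables start and end outside their hunks, so I cannot tell from here whether either table documents its source of truth elsewhere.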
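--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1488,7 +1488,7 @@ iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, get_mempolicy, set_mempolicy,
+remap_file_pages, mbind, set_mempolicy,
 migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl, get_kernel_syms,
 bpf, clock_settime, personality, process_vm_writev, query_module,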