2 files changed, 11 insertions, 31 deletions

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 5d6bc1de9..c313ec938 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -109,7 +109,7 @@ struct seccomp_data {
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
-#define ERRNO(syscall_nr, nr) \
+#define BLACKLIST_ERRNO(syscall_nr, nr) \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
@@ -290,7 +290,7 @@ static void filter_add_errno(int syscall, int arg) {
                 filter_realloc();
 
         struct sock_filter filter[] = {
-                ERRNO(syscall, arg)
+                BLACKLIST_ERRNO(syscall, arg)
         };
 #if 0
 {
diff --git a/todo b/todo
index c9003c4d7..4afd3205d 100644
--- a/todo
+++ b/todo
@@ -34,35 +34,7 @@ $
 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
 RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, 
 
-6. To investigate
-
-  // Restrict the set of allowable network protocol families
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_AX25)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_IPX)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_NETROM)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_X25)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_ROSE)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_DECnet)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_SECURITY)));
-  CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-     SCMP_A0(SCMP_CMP_EQ, AF_KEY)));
+6. add kexec_file_load to default seccomp filter
 
 7. Tests not working on Arch:
 profile_syntax.exp (profile syntax)
@@ -84,3 +56,11 @@ cat <&3
 c) A list of attacks
 http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
 
+9. protocol filter: AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, AF_PACKET
+
+ // Create a raw IP socket with UDP protocol
+sd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
+
+// open a raw ethernet socket
+s = socket(AF_PACKET, SOCK_DGRAM, htons(ETHERTYPE_IP));
+