10 files changed, 95 insertions, 58 deletions
diff --git a/RELNOTES b/RELNOTES
index f93237d43..788bfe407 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,8 +2,10 @@ firejail (0.9.41) baseline; urgency=low
  * work in progress...
  * AppImage support (--appimage)
  * Sandbox auditing support (--audit)
+  * Remove environment variable (--rmenv)
  * include /dev/snd in --private-dev
  * added mkfile profile command
+  * seccomp filter updated
  * compile time and run time support to disable whitelists
  * compile time support to disable global configuration file
  * some profiles have been converted to private-bin
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 54a6b0036..1a6236407 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -27,12 +27,27 @@ typedef struct env_t {
        struct env_t *next;
        char *name;
        char *value;
+        ENV_OP op;
 } Env;
 static Env *envlist = NULL;
 static void env_add(Env *env) {
-        env->next = envlist;
+        env->next = NULL;
-        envlist = env;
+        
+        // add the new entry at the end of the list
+        if (envlist == NULL) {
+                envlist = env;
+                return;
+        }
+        
+        Env *ptr = envlist;
+        while (1) {
+                if (ptr->next == NULL) {
+                        ptr->next = env;
+                        break;
+                }
+                ptr = ptr->next;
+        }
 }
 // load IBUS env variables
@@ -87,7 +102,7 @@ void env_ibus_load(void) {
                        if (arg_debug)
                                printf("%s\n", buf);
                        EUID_USER();
-                        env_store(buf);
+                        env_store(buf, SETENV);
                        EUID_ROOT();
                }
@@ -126,7 +141,7 @@ void env_defaults(void) {
 }
 // parse and store the environment setting 
-void env_store(const char *str) {
+void env_store(const char *str, ENV_OP op) {
        EUID_ASSERT();
        assert(str);
        
@@ -134,11 +149,13 @@ void env_store(const char *str) {
        if (*str == '\0')
                goto errexit;
        char *ptr = strchr(str, '=');
-        if (!ptr)
+        if (op == SETENV) {
-                goto errexit;
+                if (!ptr)
-        ptr++;
+                        goto errexit;
-        if (*ptr == '\0')
+                ptr++;
-                goto errexit;
+                if (*ptr == '\0')
+                        goto errexit;
+        }
        // build list entry
        Env *env = malloc(sizeof(Env));
@@ -148,10 +165,13 @@ void env_store(const char *str) {
        env->name = strdup(str);
        if (env->name == NULL)
                errExit("strdup");
-        char *ptr2 = strchr(env->name, '=');
+        if (op == SETENV) {
-        assert(ptr2);
+                char *ptr2 = strchr(env->name, '=');
-        *ptr2 = '\0';
+                assert(ptr2);
-        env->value = ptr2 + 1;
+                *ptr2 = '\0';
+                env->value = ptr2 + 1;
+        }
+        env->op = op;
        
        // add entry to the list
        env_add(env);
@@ -167,8 +187,13 @@ void env_apply(void) {
        Env *env = envlist;
        
        while (env) {
-                if (setenv(env->name, env->value, 1) < 0)
+                if (env->op == SETENV) {
-                        errExit("setenv");
+                        if (setenv(env->name, env->value, 1) < 0)
+                                errExit("setenv");
+                }
+                else if (env->op == RMENV) {
+                        unsetenv(env->name);
+                }
                env = env->next;
        }
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 3d0e9a51b..590646f23 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -493,7 +493,12 @@ int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
 // env.c
-void env_store(const char *str);
+typedef enum {
+        SETENV = 0,
+        RMENV
+} ENV_OP;
+void env_store(const char *str, ENV_OP op);
 void env_apply(void);
 void env_defaults(void);
 void env_ibus_load(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b1dd7d32c..a0225be15 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1465,7 +1465,9 @@ int main(int argc, char **argv) {
                        arg_nonewprivs = 1;
                }
                else if (strncmp(argv[i], "--env=", 6) == 0)
-                        env_store(argv[i] + 6);
+                        env_store(argv[i] + 6, SETENV);
+                else if (strncmp(argv[i], "--rmenv=", 8) == 0)
+                        env_store(argv[i] + 8, RMENV);
                else if (strcmp(argv[i], "--nosound") == 0) {
                        arg_nosound = 1;
                }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index bb834bf19..1106ed84e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -457,7 +457,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        
        if (strncmp(ptr, "env ", 4) == 0) {
-                env_store(ptr + 4);
+                env_store(ptr + 4, SETENV);
+                return 0;
+        }
+        if (strncmp(ptr, "rmenv ", 6) == 0) {
+                env_store(ptr + 6, RMENV);
                return 0;
        }
        
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7108b5a05..efe24a211 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -334,12 +334,15 @@ void seccomp_filter_32(void) {
                BLACKLIST(52), // umount2
                BLACKLIST(26), // ptrace
                BLACKLIST(283), // kexec_load
+                BLACKLIST(341), // name_to_handle_at
                BLACKLIST(342), // open_by_handle_at
+                BLACKLIST(127), // create_module
                BLACKLIST(128), // init_module
                BLACKLIST(350), // finit_module
                BLACKLIST(129), // delete_module
                BLACKLIST(110), // iopl
                BLACKLIST(101), // ioperm
+                BLACKLIST(289), // ioprio_set
                BLACKLIST(87), // swapon
                BLACKLIST(115), // swapoff
                BLACKLIST(103), // syslog
@@ -376,6 +379,7 @@ void seccomp_filter_32(void) {
                BLACKLIST(88), // reboot
                BLACKLIST(169), // nfsservctl
                BLACKLIST(130), // get_kernel_syms
+                
                RETURN_ALLOW
        };
@@ -403,11 +407,14 @@ void seccomp_filter_64(void) {
                BLACKLIST(101), // ptrace
                BLACKLIST(246), // kexec_load
                BLACKLIST(304), // open_by_handle_at
+                BLACKLIST(303), // name_to_handle_at
+                BLACKLIST(174), // create_module
                BLACKLIST(175), // init_module
                BLACKLIST(313), // finit_module
                BLACKLIST(176), // delete_module
                BLACKLIST(172), // iopl
                BLACKLIST(173), // ioperm
+                BLACKLIST(251), // ioprio_set
                BLACKLIST(167), // swapon
                BLACKLIST(168), // swapoff
                BLACKLIST(103), // syslog
@@ -445,6 +452,7 @@ void seccomp_filter_64(void) {
                BLACKLIST(169), // reboot
                BLACKLIST(180), // nfsservctl
                BLACKLIST(177), // get_kernel_syms
+                
                RETURN_ALLOW
        };
@@ -493,12 +501,18 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_open_by_handle_at            
                filter_add_blacklist(SYS_open_by_handle_at, 0);
 #endif
+#ifdef SYS_name_to_handle_at            
+                filter_add_blacklist(SYS_name_to_handle_at, 0);
+#endif
 #ifdef SYS_init_module          
                filter_add_blacklist(SYS_init_module, 0);
 #endif
 #ifdef SYS_finit_module // introduced in 2013
                filter_add_blacklist(SYS_finit_module, 0);
 #endif
+#ifdef SYS_create_module
+                filter_add_blacklist(SYS_create_module, 0);
+#endif
 #ifdef SYS_delete_module                
                filter_add_blacklist(SYS_delete_module, 0);
 #endif
@@ -508,6 +522,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef  SYS_ioperm      
                filter_add_blacklist(SYS_ioperm, 0);
 #endif
+#ifdef  SYS_ioprio_set  
+                filter_add_blacklist(SYS_ioprio_set, 0);
+#endif
 #ifdef SYS_ni_syscall // new io permissions call on arm devices
                filter_add_blacklist(SYS_ni_syscall, 0);
 #endif
@@ -648,6 +665,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_get_kernel_syms
                filter_add_blacklist(SYS_get_kernel_syms, 0);
 #endif
        }
        // default seccomp filter with additional drop list
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 1efc247b5..b67300618 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -208,6 +208,7 @@ void usage(void) {
        
        printf("    --quiet - turn off Firejail's output.\n\n");
        printf("    --read-only=dirname_or_filename - set directory or file read-only..\n\n");
+        printf("    --read-write=dirname_or_filename - set directory or file read-write..\n\n");
        printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
        printf("\tby a process.\n\n");
        printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
@@ -216,7 +217,7 @@ void usage(void) {
        printf("\tcreated for the real user ID of the calling process.\n\n");
        printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
        printf("\tfor a process.\n\n");
-        printf("    --read-write=dirname_or_filename - set directory or file read-write..\n\n");
+        printf("    --rmenv=name - remove environment variable in the new sandbox.\n\n");
 #ifdef HAVE_NETWORK     
        printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
        printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9c416b0f3..98fa17908 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -224,15 +224,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
-tuxcall, reboot, mfsservctl and get_kernel_syms.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e915ab6cb..8d20cf36b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1172,6 +1172,15 @@ make the whitelist read-only. Example:
 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 .TP
+\fB\-\-read-write=dirname_or_filename
+By default, the sandbox mounts system directories read-only.
+These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
+Use this option to mount read-write files or directories inside the system directories.
+This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+cases the system directories are mounted read-write.
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP
@@ -1185,13 +1194,14 @@ Set the maximum number of processes that can be created for the real user ID of
 Set the maximum number of pending signals for a process.
 .TP
-\fB\-\-read-write=dirname_or_filename
+\fB\-\-rmenv=name
-By default, the sandbox mounts system directories read-only.
+Remove environment variable in the new sandbox.
-These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
+.br
-Use this option to mount read-write files or directories inside the system directories.
-This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+.br
-cases the system directories are mounted read-write.
+Example:
+.br
+$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
 .TP
 \fB\-\-scan
@@ -1206,8 +1216,8 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
diff --git a/todo b/todo
index 0a76cd850..88baff216 100644
--- a/todo
+++ b/todo
@@ -161,25 +161,3 @@ To disable Vsync
 $ vblank_mode=0 glxgears
-18. Add nosound in all profiles with private-dev (including server.profile)
-test hedgewars!
-19. new syscalls:
-create_module
-name_to_handle_at
-ioprio_set, 
-???
-146     - sched_get_priority_max
-147     - sched_get_priority_min
-204     - sched_getaffinity
-315     - sched_getattr
-143     - sched_getparam
-145     - sched_getscheduler
-148     - sched_rr_get_interval
-203     - sched_setaffinity
-314     - sched_setattr
-142     - sched_setparam
-144     - sched_setscheduler
-24      - sched_yield

diff --git a/RELNOTES b/RELNOTES index f93237d43..788bfe407 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -2,8 +2,10 @@ firejail (0.9.41) baseline; urgency=low
2	* work in progress...	2	* work in progress...
3	* AppImage support (--appimage)	3	* AppImage support (--appimage)
4	* Sandbox auditing support (--audit)	4	* Sandbox auditing support (--audit)
		5	* Remove environment variable (--rmenv)
5	* include /dev/snd in --private-dev	6	* include /dev/snd in --private-dev
6	* added mkfile profile command	7	* added mkfile profile command
		8	* seccomp filter updated
7	* compile time and run time support to disable whitelists	9	* compile time and run time support to disable whitelists
8	* compile time support to disable global configuration file	10	* compile time support to disable global configuration file
9	* some profiles have been converted to private-bin	11	* some profiles have been converted to private-bin


diff --git a/src/firejail/env.c b/src/firejail/env.c index 54a6b0036..1a6236407 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c
@@ -27,12 +27,27 @@ typedef struct env_t {
27	struct env_t *next;	27	struct env_t *next;
28	char *name;	28	char *name;
29	char *value;	29	char *value;
		30	ENV_OP op;
30	} Env;	31	} Env;
31	static Env *envlist = NULL;	32	static Env *envlist = NULL;
32		33
33	static void env_add(Env *env) {	34	static void env_add(Env *env) {
34	env->next = envlist;	35	env->next = NULL;
35	envlist = env;	36
		37	// add the new entry at the end of the list
		38	if (envlist == NULL) {
		39	envlist = env;
		40	return;
		41	}
		42
		43	Env *ptr = envlist;
		44	while (1) {
		45	if (ptr->next == NULL) {
		46	ptr->next = env;
		47	break;
		48	}
		49	ptr = ptr->next;
		50	}
36	}	51	}
37		52
38	// load IBUS env variables	53	// load IBUS env variables
@@ -87,7 +102,7 @@ void env_ibus_load(void) {
87	if (arg_debug)	102	if (arg_debug)
88	printf("%s\n", buf);	103	printf("%s\n", buf);
89	EUID_USER();	104	EUID_USER();
90	env_store(buf);	105	env_store(buf, SETENV);
91	EUID_ROOT();	106	EUID_ROOT();
92	}	107	}
93		108
@@ -126,7 +141,7 @@ void env_defaults(void) {
126	}	141	}
127		142
128	// parse and store the environment setting	143	// parse and store the environment setting
129	void env_store(const char *str) {	144	void env_store(const char *str, ENV_OP op) {
130	EUID_ASSERT();	145	EUID_ASSERT();
131	assert(str);	146	assert(str);
132		147
@@ -134,11 +149,13 @@ void env_store(const char *str) {
134	if (*str == '\0')	149	if (*str == '\0')
135	goto errexit;	150	goto errexit;
136	char *ptr = strchr(str, '=');	151	char *ptr = strchr(str, '=');
137	if (!ptr)	152	if (op == SETENV) {
138	goto errexit;	153	if (!ptr)
139	ptr++;	154	goto errexit;
140	if (*ptr == '\0')	155	ptr++;
141	goto errexit;	156	if (*ptr == '\0')
		157	goto errexit;
		158	}
142		159
143	// build list entry	160	// build list entry
144	Env *env = malloc(sizeof(Env));	161	Env *env = malloc(sizeof(Env));
@@ -148,10 +165,13 @@ void env_store(const char *str) {
148	env->name = strdup(str);	165	env->name = strdup(str);
149	if (env->name == NULL)	166	if (env->name == NULL)
150	errExit("strdup");	167	errExit("strdup");
151	char *ptr2 = strchr(env->name, '=');	168	if (op == SETENV) {
152	assert(ptr2);	169	char *ptr2 = strchr(env->name, '=');
153	*ptr2 = '\0';	170	assert(ptr2);
154	env->value = ptr2 + 1;	171	*ptr2 = '\0';
		172	env->value = ptr2 + 1;
		173	}
		174	env->op = op;
155		175
156	// add entry to the list	176	// add entry to the list
157	env_add(env);	177	env_add(env);
@@ -167,8 +187,13 @@ void env_apply(void) {
167	Env *env = envlist;	187	Env *env = envlist;
168		188
169	while (env) {	189	while (env) {
170	if (setenv(env->name, env->value, 1) < 0)	190	if (env->op == SETENV) {
171	errExit("setenv");	191	if (setenv(env->name, env->value, 1) < 0)
		192	errExit("setenv");
		193	}
		194	else if (env->op == RMENV) {
		195	unsetenv(env->name);
		196	}
172	env = env->next;	197	env = env->next;
173	}	198	}
174	}	199	}


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 3d0e9a51b..590646f23 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -493,7 +493,12 @@ int check_kernel_procs(void);
493	void run_no_sandbox(int argc, char **argv);	493	void run_no_sandbox(int argc, char **argv);
494		494
495	// env.c	495	// env.c
496	void env_store(const char *str);	496	typedef enum {
		497	SETENV = 0,
		498	RMENV
		499	} ENV_OP;
		500
		501	void env_store(const char *str, ENV_OP op);
497	void env_apply(void);	502	void env_apply(void);
498	void env_defaults(void);	503	void env_defaults(void);
499	void env_ibus_load(void);	504	void env_ibus_load(void);


diff --git a/src/firejail/main.c b/src/firejail/main.c index b1dd7d32c..a0225be15 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1465,7 +1465,9 @@ int main(int argc, char **argv) {
1465	arg_nonewprivs = 1;	1465	arg_nonewprivs = 1;
1466	}	1466	}
1467	else if (strncmp(argv[i], "--env=", 6) == 0)	1467	else if (strncmp(argv[i], "--env=", 6) == 0)
1468	env_store(argv[i] + 6);	1468	env_store(argv[i] + 6, SETENV);
		1469	else if (strncmp(argv[i], "--rmenv=", 8) == 0)
		1470	env_store(argv[i] + 8, RMENV);
1469	else if (strcmp(argv[i], "--nosound") == 0) {	1471	else if (strcmp(argv[i], "--nosound") == 0) {
1470	arg_nosound = 1;	1472	arg_nosound = 1;
1471	}	1473	}


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index bb834bf19..1106ed84e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -457,7 +457,11 @@ int profile_check_line(char ptr, int lineno, const char fname) {
457	}	457	}
458		458
459	if (strncmp(ptr, "env ", 4) == 0) {	459	if (strncmp(ptr, "env ", 4) == 0) {
460	env_store(ptr + 4);	460	env_store(ptr + 4, SETENV);
		461	return 0;
		462	}
		463	if (strncmp(ptr, "rmenv ", 6) == 0) {
		464	env_store(ptr + 6, RMENV);
461	return 0;	465	return 0;
462	}	466	}
463		467


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7108b5a05..efe24a211 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -334,12 +334,15 @@ void seccomp_filter_32(void) {
334	BLACKLIST(52), // umount2	334	BLACKLIST(52), // umount2
335	BLACKLIST(26), // ptrace	335	BLACKLIST(26), // ptrace
336	BLACKLIST(283), // kexec_load	336	BLACKLIST(283), // kexec_load
		337	BLACKLIST(341), // name_to_handle_at
337	BLACKLIST(342), // open_by_handle_at	338	BLACKLIST(342), // open_by_handle_at
		339	BLACKLIST(127), // create_module
338	BLACKLIST(128), // init_module	340	BLACKLIST(128), // init_module
339	BLACKLIST(350), // finit_module	341	BLACKLIST(350), // finit_module
340	BLACKLIST(129), // delete_module	342	BLACKLIST(129), // delete_module
341	BLACKLIST(110), // iopl	343	BLACKLIST(110), // iopl
342	BLACKLIST(101), // ioperm	344	BLACKLIST(101), // ioperm
		345	BLACKLIST(289), // ioprio_set
343	BLACKLIST(87), // swapon	346	BLACKLIST(87), // swapon
344	BLACKLIST(115), // swapoff	347	BLACKLIST(115), // swapoff
345	BLACKLIST(103), // syslog	348	BLACKLIST(103), // syslog
@@ -376,6 +379,7 @@ void seccomp_filter_32(void) {
376	BLACKLIST(88), // reboot	379	BLACKLIST(88), // reboot
377	BLACKLIST(169), // nfsservctl	380	BLACKLIST(169), // nfsservctl
378	BLACKLIST(130), // get_kernel_syms	381	BLACKLIST(130), // get_kernel_syms
		382
379	RETURN_ALLOW	383	RETURN_ALLOW
380	};	384	};
381		385
@@ -403,11 +407,14 @@ void seccomp_filter_64(void) {
403	BLACKLIST(101), // ptrace	407	BLACKLIST(101), // ptrace
404	BLACKLIST(246), // kexec_load	408	BLACKLIST(246), // kexec_load
405	BLACKLIST(304), // open_by_handle_at	409	BLACKLIST(304), // open_by_handle_at
		410	BLACKLIST(303), // name_to_handle_at
		411	BLACKLIST(174), // create_module
406	BLACKLIST(175), // init_module	412	BLACKLIST(175), // init_module
407	BLACKLIST(313), // finit_module	413	BLACKLIST(313), // finit_module
408	BLACKLIST(176), // delete_module	414	BLACKLIST(176), // delete_module
409	BLACKLIST(172), // iopl	415	BLACKLIST(172), // iopl
410	BLACKLIST(173), // ioperm	416	BLACKLIST(173), // ioperm
		417	BLACKLIST(251), // ioprio_set
411	BLACKLIST(167), // swapon	418	BLACKLIST(167), // swapon
412	BLACKLIST(168), // swapoff	419	BLACKLIST(168), // swapoff
413	BLACKLIST(103), // syslog	420	BLACKLIST(103), // syslog
@@ -445,6 +452,7 @@ void seccomp_filter_64(void) {
445	BLACKLIST(169), // reboot	452	BLACKLIST(169), // reboot
446	BLACKLIST(180), // nfsservctl	453	BLACKLIST(180), // nfsservctl
447	BLACKLIST(177), // get_kernel_syms	454	BLACKLIST(177), // get_kernel_syms
		455
448	RETURN_ALLOW	456	RETURN_ALLOW
449	};	457	};
450		458
@@ -493,12 +501,18 @@ int seccomp_filter_drop(int enforce_seccomp) {
493	#ifdef SYS_open_by_handle_at	501	#ifdef SYS_open_by_handle_at
494	filter_add_blacklist(SYS_open_by_handle_at, 0);	502	filter_add_blacklist(SYS_open_by_handle_at, 0);
495	#endif	503	#endif
		504	#ifdef SYS_name_to_handle_at
		505	filter_add_blacklist(SYS_name_to_handle_at, 0);
		506	#endif
496	#ifdef SYS_init_module	507	#ifdef SYS_init_module
497	filter_add_blacklist(SYS_init_module, 0);	508	filter_add_blacklist(SYS_init_module, 0);
498	#endif	509	#endif
499	#ifdef SYS_finit_module // introduced in 2013	510	#ifdef SYS_finit_module // introduced in 2013
500	filter_add_blacklist(SYS_finit_module, 0);	511	filter_add_blacklist(SYS_finit_module, 0);
501	#endif	512	#endif
		513	#ifdef SYS_create_module
		514	filter_add_blacklist(SYS_create_module, 0);
		515	#endif
502	#ifdef SYS_delete_module	516	#ifdef SYS_delete_module
503	filter_add_blacklist(SYS_delete_module, 0);	517	filter_add_blacklist(SYS_delete_module, 0);
504	#endif	518	#endif
@@ -508,6 +522,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
508	#ifdef SYS_ioperm	522	#ifdef SYS_ioperm
509	filter_add_blacklist(SYS_ioperm, 0);	523	filter_add_blacklist(SYS_ioperm, 0);
510	#endif	524	#endif
		525	#ifdef SYS_ioprio_set
		526	filter_add_blacklist(SYS_ioprio_set, 0);
		527	#endif
511	#ifdef SYS_ni_syscall // new io permissions call on arm devices	528	#ifdef SYS_ni_syscall // new io permissions call on arm devices
512	filter_add_blacklist(SYS_ni_syscall, 0);	529	filter_add_blacklist(SYS_ni_syscall, 0);
513	#endif	530	#endif
@@ -648,6 +665,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
648	#ifdef SYS_get_kernel_syms	665	#ifdef SYS_get_kernel_syms
649	filter_add_blacklist(SYS_get_kernel_syms, 0);	666	filter_add_blacklist(SYS_get_kernel_syms, 0);
650	#endif	667	#endif
		668
651	}	669	}
652		670
653	// default seccomp filter with additional drop list	671	// default seccomp filter with additional drop list


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1efc247b5..b67300618 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -208,6 +208,7 @@ void usage(void) {
208		208
209	printf(" --quiet - turn off Firejail's output.\n\n");	209	printf(" --quiet - turn off Firejail's output.\n\n");
210	printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");	210	printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");
		211	printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
211	printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");	212	printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
212	printf("\tby a process.\n\n");	213	printf("\tby a process.\n\n");
213	printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");	214	printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
@@ -216,7 +217,7 @@ void usage(void) {
216	printf("\tcreated for the real user ID of the calling process.\n\n");	217	printf("\tcreated for the real user ID of the calling process.\n\n");
217	printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");	218	printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
218	printf("\tfor a process.\n\n");	219	printf("\tfor a process.\n\n");
219	printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");	220	printf(" --rmenv=name - remove environment variable in the new sandbox.\n\n");
220	#ifdef HAVE_NETWORK	221	#ifdef HAVE_NETWORK
221	printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");	222	printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
222	printf("\tThis makes it possible to detect macvlan kernel device drivers\n");	223	printf("\tThis makes it possible to detect macvlan kernel device drivers\n");


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9c416b0f3..98fa17908 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -224,15 +224,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
224	\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.	224	\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
225	.TP	225	.TP
226	\fBseccomp	226	\fBseccomp
227	Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:	227	Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
228	mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
229	iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
230	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
231	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
232	io_destroy, io_getevents, io_submit, io_cancel,
233	remap_file_pages, mbind, get_mempolicy, set_mempolicy,
234	migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
235	tuxcall, reboot, mfsservctl and get_kernel_syms.
236	.TP	228	.TP
237	\fBseccomp syscall,syscall,syscall	229	\fBseccomp syscall,syscall,syscall
238	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.	230	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e915ab6cb..8d20cf36b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1172,6 +1172,15 @@ make the whitelist read-only. Example:
1172	$ firejail --whitelist=~/work --read-only=~ --read-only=~/work	1172	$ firejail --whitelist=~/work --read-only=~ --read-only=~/work
1173		1173
1174	.TP	1174	.TP
		1175	\fB\-\-read-write=dirname_or_filename
		1176	By default, the sandbox mounts system directories read-only.
		1177	These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
		1178	Use this option to mount read-write files or directories inside the system directories.
		1179
		1180	This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
		1181	cases the system directories are mounted read-write.
		1182
		1183	.TP
1175	\fB\-\-rlimit-fsize=number	1184	\fB\-\-rlimit-fsize=number
1176	Set the maximum file size that can be created by a process.	1185	Set the maximum file size that can be created by a process.
1177	.TP	1186	.TP
@@ -1185,13 +1194,14 @@ Set the maximum number of processes that can be created for the real user ID of
1185	Set the maximum number of pending signals for a process.	1194	Set the maximum number of pending signals for a process.
1186		1195
1187	.TP	1196	.TP
1188	\fB\-\-read-write=dirname_or_filename	1197	\fB\-\-rmenv=name
1189	By default, the sandbox mounts system directories read-only.	1198	Remove environment variable in the new sandbox.
1190	These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.	1199	.br
1191	Use this option to mount read-write files or directories inside the system directories.
1192		1200
1193	This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these	1201	.br
1194	cases the system directories are mounted read-write.	1202	Example:
		1203	.br
		1204	$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
1195		1205
1196	.TP	1206	.TP
1197	\fB\-\-scan	1207	\fB\-\-scan
@@ -1206,8 +1216,8 @@ $ firejail \-\-net=eth0 \-\-scan
1206	.TP	1216	.TP
1207	\fB\-\-seccomp	1217	\fB\-\-seccomp
1208	Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:	1218	Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
1209	mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,	1219	mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
1210	iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,	1220	iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
1211	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,	1221	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
1212	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,	1222	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
1213	io_destroy, io_getevents, io_submit, io_cancel,	1223	io_destroy, io_getevents, io_submit, io_cancel,


diff --git a/todo b/todo index 0a76cd850..88baff216 100644 --- a/todo +++ b/todo
@@ -161,25 +161,3 @@ To disable Vsync
161		161
162	$ vblank_mode=0 glxgears	162	$ vblank_mode=0 glxgears
163		163
164	18. Add nosound in all profiles with private-dev (including server.profile)
165	test hedgewars!
166
167	19. new syscalls:
168	create_module
169	name_to_handle_at
170	ioprio_set,
171
172	???
173	146 - sched_get_priority_max
174	147 - sched_get_priority_min
175	204 - sched_getaffinity
176	315 - sched_getattr
177	143 - sched_getparam
178	145 - sched_getscheduler
179	148 - sched_rr_get_interval
180	203 - sched_setaffinity
181	314 - sched_setattr
182	142 - sched_setparam
183	144 - sched_setscheduler
184	24 - sched_yield
185