-rw-r--r-- | etc/profile-m-z/server.profile | 12 | ||||
-rw-r--r-- | src/fnettrace/main.c | 2 | ||||
-rw-r--r-- | src/include/seccomp.h | 3 |
3 files changed, 14 insertions, 3 deletions
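--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -33,6 +33,9 @@ include globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /etc/init.d
+noblacklist /var/lib/apt
+noblacklist /var/cache/apt
 # noblacklist /var/opt
 
 blacklist /tmp/.X11-unix
@@ -50,7 +53,9 @@ include disable-xdg.inc
 # include whitelist-usr-share-common.inc
 # include whitelist-var-common.inc
 
-apparmor
+# people use to install servers all over the place!
+# apparmor runs executable only from default system locations
+# apparmor
 caps
 # ipc-namespace
 machine-id
@@ -59,15 +64,16 @@ no3d
 nodvd
 # nogroups
 noinput
-# nonewprivs
+nonewprivs
 # noroot
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6,netlink,packet
 seccomp
 # shell none
+tab # allow tab completion
 
 disable-mnt
 private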
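Review bot: The new `protocol unix,inet,inet6,netlink,packet` line in the third hunk goes beyond the list that was previously commented out by adding `packet`, and nothing in the profile records which server workloads actually need AF_PACKET, so users of this generic profile cannot tell whether they may drop it; a comment such as `# packet: raw link-layer sockets, needed by e.g. DHCP servers; remove locally if unused` would make the widening reviewable. The rationale added above `# apparmor` in the second hunk reads awkwardly and would be clearer as `# people tend to install servers outside the default system locations, and apparmor only allows executables from those`. It may also be worth saying in that comment that the profile now relies on `nonewprivs` and `seccomp` in place of the AppArmor confinement, so the trade-off is visible to whoever re-enables it.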
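--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -233,6 +233,8 @@ static inline const char *common_port(uint16_t port) {
 return "(telnet)";
 else if (port == 25)
 return "(SMTP)";
+else if (port == 43)
+return "(WHOIS)";
 else if (port == 67)
 return "(DHCP)";
 else if (port == 69)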
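Review bot: The added `else if (port == 43)` / `return "(WHOIS)";` pair extends an `else if` chain that already maps several well-known ports one branch at a time, so every new port costs two lines and the chain keeps growing; a `static const struct { uint16_t port; const char *name; }` table searched with a short loop would reduce each entry to one line and keep the ordering visible in one place. The body of common_port starts and ends outside this hunk, so that restructure would touch lines not shown here.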
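--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -250,6 +250,9 @@
 #define RETURN_ALLOW \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+#define RETURN_KILL \
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+
 #define RETURN_ERRNO(nr) \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 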
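Review bot: The new `RETURN_KILL` macro returns `SECCOMP_RET_KILL`, which is the same value as `SECCOMP_RET_KILL_THREAD` and terminates only the thread that made the call, so a multithreaded sandboxed program hit by this action keeps its other threads running; `SECCOMP_RET_KILL_PROCESS` (Linux 4.14 and later) terminates the whole process and is the stronger choice for a sandbox filter. I would make the macro expand to `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)` and, because older kernel headers lack the constant, precede it with an `#ifndef SECCOMP_RET_KILL_PROCESS` fallback defining it to the kernel's value `0x80000000U`; to my understanding an older kernel masks that high bit off and degrades it to the thread kill, so the fallback is safe to ship. A one-line comment on the macro saying the action is fatal to the process, as opposed to the non-fatal `RETURN_ERRNO` just below it, would also help readers of the filter definitions.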