-rw-r--r--etc/templates/syscalls.txt14
-rw-r--r--src/lib/syscall.c52
2 files changed, 57 insertions, 9 deletions
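diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 827b075e5..c33e6d602 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -27,26 +27,26 @@ Always have a look at 'man 1 firejail'.
 Definition of groups
 --------------------
 
-@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit,io_uring_enter,io_uring_register,io_uring_setup
-@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@basic-io=_llseek,close,close_range,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
 @chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
-@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@debug=lookup_dcookie,perf_event_open,pidfd_getfd,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
-@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@file-system=access,chdir,chmod,close,close_range,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,openat2,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
-@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_madvise,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
 @keyring=add_key,keyctl,request_key
 @memlock=mlock,mlock2,mlockall,munlock,munlockall
 @module=delete_module,finit_module,init_module
-@mount=chroot,mount,pivot_root,umount,umount2
+@mount=chroot,fsconfig,fsmount,fsopen,fspick,mount,move_mount,open_tree,pivot_root,umount,umount2
 @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
 @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
-@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
 @reboot=kexec_load,kexec_file_load,reboot
 @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy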
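diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index a17f6423a..29cf6318f 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -92,7 +92,16 @@ static const SyscallGroupList sysgroups[] = {
  "io_setup,"
 #endif
 #ifdef SYS_io_submit
- "io_submit"
+ "io_submit,"
+#endif
+#ifdef SYS_io_uring_enter
+ "io_uring_enter,"
+#endif
+#ifdef SYS_io_uring_register
+ "io_uring_register,"
+#endif
+#ifdef SYS_io_uring_setup
+ "io_uring_setup"
 #endif
  },
  { .name = "@basic-io", .list =
@@ -102,6 +111,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
  "close,"
 #endif
+#ifdef SYS_close_range
+ "close_range,"
+#endif
 #ifdef SYS_dup
  "dup,"
 #endif
@@ -212,6 +224,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_perf_event_open
  "perf_event_open,"
 #endif
+#ifdef SYS_pidfd_getfd
+ "pidfd_getfd,"
+#endif
 #ifdef SYS_process_vm_writev
  "process_vm_writev,"
 #endif
@@ -290,7 +305,7 @@ static const SyscallGroupList sysgroups[] = {
  "remap_file_pages,"
 #endif
 #ifdef SYS_set_mempolicy
- "set_mempolicy"
+ "set_mempolicy,"
 #endif
 #ifdef SYS_vmsplice
  "vmsplice,"
@@ -350,6 +365,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
  "close,"
 #endif
+#ifdef SYS_close_range
+ "close_range,"
+#endif
 #ifdef SYS_creat
  "creat,"
 #endif
@@ -503,6 +521,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_openat
  "openat,"
 #endif
+#ifdef SYS_openat2
+ "openat2,"
+#endif
 #ifdef SYS_readlink
  "readlink,"
 #endif
@@ -657,6 +678,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pipe2
  "pipe2,"
 #endif
+#ifdef SYS_process_madvise
+ "process_madvise,"
+#endif
 #ifdef SYS_process_vm_readv
  "process_vm_readv,"
 #endif
@@ -731,9 +755,27 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_chroot
  "chroot,"
 #endif
+#ifdef SYS_fsconfig
+ "fsconfig,"
+#endif
+#ifdef SYS_fsmount
+ "fsmount,"
+#endif
+#ifdef SYS_fsopen
+ "fsopen,"
+#endif
+#ifdef SYS_fspick
+ "fspick,"
+#endif
 #ifdef SYS_mount
  "mount,"
 #endif
+#ifdef SYS_move_mount
+ "move_mount,"
+#endif
+#ifdef SYS_open_tree
+ "open_tree,"
+#endif
 #ifdef SYS_pivot_root
  "pivot_root,"
 #endif
@@ -985,6 +1027,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_clone
  "clone,"
 #endif
+#ifdef SYS_clone3
+ "clone3,"
+#endif
 #ifdef SYS_execveat
  "execveat,"
 #endif
@@ -997,6 +1042,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_kill
  "kill,"
 #endif
+#ifdef SYS_pidfd_open
+ "pidfd_open,"
+#endif
 #ifdef SYS_pidfd_send_signal
  "pidfd_send_signal,"
 #endif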
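Review bot: The comma added at `"set_mempolicy,"` in hunk `@@ -290,7 +305,7 @@` fixes the adjacent-literal concatenation that previously produced the single token `set_mempolicyvmsplice` (so neither name matched in that group), but the committed template etc/templates/syscalls.txt still carries `set_mempolicyvmsplice` in its `@default` line on both sides of this diff, so the shipped group listing now disagrees with the code; that line should read `set_mempolicy,vmsplice`. The same `#ifdef SYS_x "x,"` pattern leaves each group's last entry unguarded: if a libc defines `SYS_io_uring_register` but not `SYS_io_uring_setup`, the `@aio` list in hunk `@@ -92,7 +92,16 @@` ends in a trailing comma, and whether the group parser tolerates that is not visible here. Separately, the template's `@default` line names the aio calls individually (`io_setup,...,io_cancel`) rather than via `@aio`, so the new `io_uring_*` entries are not covered by the default filter; if parity with the existing aio entries is intended, the `@default` list needs the same additions. The `sysgroups[]` initializer begins and ends outside these hunks.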