Diffstat (limited to 'etc/templates')
-rw-r--r-- | etc/templates/syscalls.txt | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index 3992c984a..38f789923 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -89,18 +89,24 @@ Inheritance of groups | |||
89 | What to do if seccomp breaks a program | 89 | What to do if seccomp breaks a program |
90 | -------------------------------------- | 90 | -------------------------------------- |
91 | 91 | ||
92 | Start `journalctl --grep=SECCOMP --follow` in a terminal and run | ||
93 | `firejail --seccomp-error-action=log /path/to/program` in a second terminal. | ||
94 | Now switch back to the first terminal (where `journalctl` is running) and look | ||
95 | for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you | ||
96 | have found them, you can stop `journalctl` (^C) and execute | ||
97 | `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall. | ||
98 | In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`. | ||
99 | Now you can add a seccomp exception using `seccomp !NAME`. | ||
100 | |||
101 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | ||
102 | |||
92 | ``` | 103 | ``` |
93 | $ journalctl --grep=syscall --follow | 104 | term1$ journalctl --grep=SECCOMP --follow |
94 | <...> audit[…]: SECCOMP <...> syscall=161 <...> | 105 | term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop |
95 | $ firejail --debug-syscalls | grep 161 | 106 | term1$ (journalctl --grep=SECCOMP --follow) |
96 | 161 - chroot | 107 | audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ... |
108 | ^C | ||
109 | term1$ firejail --debug-syscalls | grep "^161[[:space:]]" | ||
110 | 161 - chroot | ||
97 | ``` | 111 | ``` |
98 | Profile: `seccomp -> seccomp !chroot` | 112 | Profile: `seccomp -> seccomp !chroot` |
99 | |||
100 | Start `journalctl --grep=syscall --follow` in a terminal, then start the broken | ||
101 | program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. | ||
102 | Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You | ||
103 | will see something like `NUMBER - NAME`, because you now know the name of the | ||
104 | syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. | ||
105 | |||
106 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | ||
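Review bot: the prose at new line 97 (`firejail --debug-syscalls | grep NUMBER`) and the example at new line 109 (`grep "^161[[:space:]]"`) disagree; the unanchored form in the prose also matches lines where the digits appear elsewhere (for example `1161`, or another syscall whose name or second column contains `161`), so the prose should use the same anchored form as the example, e.g. `firejail --debug-syscalls | grep "^NUMBER[[:space:]]"`. Two smaller points on the same added paragraph: line 98 sends the 32-bit-on-64-bit case to `ausyscall i386 NUMBER` but does not say how a reader recognizes that case, and the example log line at 107 already shows the field that tells them (`arch=c000003e`), so one sentence saying to check the `arch=` value in the audit line, and that a value other than the one shown means the 32-bit ABI, would make that instruction actionable; and line 101 reads "consider to add allow-debuggers", which should be "consider adding `allow-debuggers`" (likewise "32bit"/"64bit" at line 98 are normally written "32-bit"/"64-bit").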