Diffstat (limited to 'etc')
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 26 |
3 files changed, 29 insertions, 2 deletions
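--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -284,8 +284,7 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-blacklist ${HOME}/.cargo/registry
-blacklist ${HOME}/.cargo/config
+read-only ${HOME}/.cargo/env
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus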
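Review bot: Removing the two blacklist lines from this common include narrows their effect to profiles that also pull in disable-programs.inc; any profile that includes only disable-common.inc now gets the new `read-only ${HOME}/.cargo/env` tightening but, as far as this diff shows, loses the restriction on `${HOME}/.cargo/registry` and `${HOME}/.cargo/config` entirely. If that narrowing is deliberate (per-program data belongs in disable-programs.inc), a sentence saying so in the commit message would save the next reader from reading it as an accidental drop. The surrounding read-only list for ${HOME}/bin continues outside the hunk.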
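--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -52,6 +52,8 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bzf
+blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/config
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk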
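Review bot: The new `blacklist ${HOME}/.cargo/config` line covers only the extension-less file name, while Cargo also reads `${HOME}/.cargo/config.toml` as the same user-level configuration, so a sandboxed program can still read or modify Cargo's configuration through the other name; adding `blacklist ${HOME}/.cargo/config.toml` directly below it closes that gap. For the same reason it is worth considering `${HOME}/.cargo/credentials` and `${HOME}/.cargo/credentials.toml`, where Cargo keeps registry tokens, which are at least as sensitive as the registry cache blacklisted here. The .cargo/registry line itself looks right, since that is a large writable cache rather than executable state.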
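--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
 Hints for writing seccomp.drop lines
 ====================================
 
+Definition of groups
+--------------------
+
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
 
 @default-keep=execve,prctl
 
+Inheritance of groups
+---------------------
 
 +---------+----------------+---------------+
 | @clock | @cpu-emulation | @default-keep |
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
 | @default-nodebuggers |
 +----------------------+
 
+common used seccomp.drop lines
+------------------------------
 
 @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 
 @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+
+Building a seccomp.drop line if seccomp breaks a programm
+---------------------------------------------------------
+
+```
+$ journalctl --grep=syscall --follow
+<...> audit[…]: SECCOMP <...> syscall=161 <...>
+$ firejail --debug-syscalls | grep 161
+161 - chroot
+```
+
+TODO: write a short explanation
+TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
+
+see also
+--------
+
+- contrib/syscalls.sh
+- https://firejail.wordpress.com/documentation-2/seccomp-guide/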